Shared CFG: add defaulted getWhileElse/getForeachElse/getCatchType to AstSig

Adds three new defaulted signature predicates to the shared CFG library:

- getWhileElse / getForeachElse: `else` block of a while/for loop, if
  any (used by Python's `while-else` / `for-else` constructs).
- getCatchType: type expression of a catch clause, if any (used by
  Python's `except SomeExpr:` where the catch type is a runtime
  expression that needs CFG evaluation).

Each predicate defaults to `none()`, so behaviour is unchanged for any
language that doesn't override it (verified by re-running
java/ql/test/library-tests/controlflow/).

The Make0 succession rules are extended:
- WhileStmt/ForeachStmt: route the loop-exit edge through the else
  block before reaching the after-position.
- CatchClause: route the matching-evaluation through the type
  expression (if present) before reaching the after-value position.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.37
+version: 0.4.38-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.29
+version: 0.6.30-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/ql/lib/DefaultOptions.qll

@@ -30,8 +30,6 @@ class Options extends string {
   predicate overrideReturnsNull(Call call) {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup")
-    or
-    CustomOptions::overrideReturnsNull(call) // old Options.qll
   }
 
   /**
@@ -45,8 +43,6 @@ class Options extends string {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup") and
     nullValue(call.getArgument(0))
-    or
-    CustomOptions::returnsNull(call) // old Options.qll
   }
 
   /**
@@ -65,8 +61,6 @@ class Options extends string {
     f.hasGlobalOrStdName([
         "exit", "_exit", "_Exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
       ])
-    or
-    CustomOptions::exits(f) // old Options.qll
   }
 
   /**
@@ -79,8 +73,7 @@ class Options extends string {
    * runtime, the program's behavior is undefined)
    */
   predicate exprExits(Expr e) {
-    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0 or
+    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0
-    CustomOptions::exprExits(e) // old Options.qll
   }
 
   /**
@@ -88,10 +81,7 @@ class Options extends string {
    *
    * By default holds only for `fgets`.
    */
-  predicate alwaysCheckReturnValue(Function f) {
+  predicate alwaysCheckReturnValue(Function f) { f.hasGlobalOrStdName("fgets") }
-    f.hasGlobalOrStdName("fgets") or
-    CustomOptions::alwaysCheckReturnValue(f) // old Options.qll
-  }
 
   /**
    * Holds if it is reasonable to ignore the return value of function
@@ -107,8 +97,6 @@ class Options extends string {
     // common way of sleeping using select:
     fc.getTarget().hasGlobalName("select") and
     fc.getArgument(0).getValue() = "0"
-    or
-    CustomOptions::okToIgnoreReturnValue(fc) // old Options.qll
   }
 }
 

cpp/ql/lib/Options.qll

@@ -98,57 +98,3 @@ class CustomMutexType extends MutexType {
    */
   override predicate unlockAccess(FunctionCall fc, Expr arg) { none() }
 }
-
-/**
- * DEPRECATED: customize `CustomOptions.overrideReturnsNull` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate overrideReturnsNull(Call call) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.returnsNull` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate returnsNull(Call call) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.exits` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate exits(Function f) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.exprExits` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate exprExits(Expr e) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.alwaysCheckReturnValue` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate alwaysCheckReturnValue(Function f) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.okToIgnoreReturnValue` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate okToIgnoreReturnValue(FunctionCall fc) { none() }

cpp/ql/lib/change-notes/2026-05-27-deprecated-removal.md

@@ -0,0 +1,15 @@
+---
+category: breaking
+---
+* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
+* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
+* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
+* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
+* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
+* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
+* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
+* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
+* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.

cpp/ql/lib/cpp.qll

@@ -32,7 +32,6 @@ import semmle.code.cpp.Class
 import semmle.code.cpp.Struct
 import semmle.code.cpp.Union
 import semmle.code.cpp.Enum
-import semmle.code.cpp.Member
 import semmle.code.cpp.Field
 import semmle.code.cpp.Function
 import semmle.code.cpp.MemberFunction

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.2.0
+version: 10.2.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -148,28 +148,3 @@ class UnknownLocation extends Location {
     this.getFile().getAbsolutePath() = "" and locations_default(this, _, 0, 0, 0, 0)
   }
 }
-
-/**
- * A dummy location which is used when something doesn't have a location in
- * the source code but needs to have a `Location` associated with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownDefaultLocation extends UnknownLocation { }
-
-/**
- * A dummy location which is used when an expression doesn't have a
- * location in the source code but needs to have a `Location` associated
- * with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownExprLocation extends UnknownLocation { }
-
-/**
- * A dummy location which is used when a statement doesn't have a location
- * in the source code but needs to have a `Location` associated with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownStmtLocation extends UnknownLocation { }

cpp/ql/lib/semmle/code/cpp/Member.qll

@@ -1,6 +0,0 @@
-/**
- * DEPRECATED: import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly as required.
- */
-
-import semmle.code.cpp.Element
-import semmle.code.cpp.Type

cpp/ql/lib/semmle/code/cpp/TemplateParameter.qll

@@ -35,13 +35,6 @@ class NonTypeTemplateParameter extends Literal, TemplateParameterImpl {
   override string getAPrimaryQlClass() { result = "NonTypeTemplateParameter" }
 }
 
-/**
- * A C++ `typename` (or `class`) template parameter.
- *
- * DEPRECATED: Use `TypeTemplateParameter` instead.
- */
-deprecated class TemplateParameter = TypeTemplateParameter;
-
 /**
  * A C++ `typename` (or `class`) template parameter.
  *

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -276,6 +276,45 @@ private predicate isClassConstructedFrom(Class c, Class templateClass) {
   not c.isConstructedFrom(_) and c = templateClass
 }
 
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClassOld(Class c) {
+  not c.isFromUninstantiatedTemplate(_) and
+  isClassConstructedFrom(c, result)
+}
+
+private TemplateClass getOriginalClassTemplate(TemplateClass tc) {
+  result = tc.getOriginalTemplate()
+  or
+  not exists(tc.getOriginalTemplate()) and
+  result = tc
+}
+
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClassNew(Class c) {
+  not c.isFromUninstantiatedTemplate(_) and
+  exists(Class mid |
+    c.isConstructedFrom(mid)
+    or
+    not c.isConstructedFrom(_) and c = mid
+  |
+    result = getOriginalClassTemplate(mid)
+    or
+    not mid instanceof TemplateClass and mid = result
+  )
+}
+
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClass(Class c) {
+  // The `Class::getOriginalTemplate` predicate was introduced in CodeQL
+  // version 2.25.6 and the upgrade script leaves the
+  // `class_template_generated_from` extensionals empty if the database
+  // was generated with an older extractor. So we use the old implementation
+  // if the `class_template_generated_from` extensional is empty.
+  if class_template_generated_from(_, _)
+  then result = getFullyTemplatedClassNew(c)
+  else result = getFullyTemplatedClassOld(c)
+}
+
 /**
  * Holds if `f` is an instantiation of a function template `templateFunc`, or
  * holds with `f = templateFunc` if `f` is not an instantiation of any function
@@ -292,7 +331,7 @@ private predicate isFunctionConstructedFrom(Function f, Function templateFunc) {
 }
 
 /** Gets the fully templated version of `f`. */
-Function getFullyTemplatedFunction(Function f) {
+private Function getFullyTemplatedFunctionOld(Function f) {
   not f.isFromUninstantiatedTemplate(_) and
   (
     exists(Class c, Class templateClass, int i |
@@ -306,13 +345,46 @@ Function getFullyTemplatedFunction(Function f) {
   )
 }
 
+private TemplateFunction getOriginalFunctionTemplate(TemplateFunction tf) {
+  result = tf.getOriginalTemplate()
+  or
+  not exists(tf.getOriginalTemplate()) and
+  result = tf
+}
+
+/** Gets the fully templated version of `f`. */
+private Function getFullyTemplatedFunctionNew(Function f) {
+  not f.isFromUninstantiatedTemplate(_) and
+  exists(Function mid |
+    f.isConstructedFrom(mid)
+    or
+    not f.isConstructedFrom(_) and f = mid
+  |
+    result = getOriginalFunctionTemplate(mid)
+    or
+    not mid instanceof TemplateFunction and mid = result
+  )
+}
+
+/** Gets the fully templated version of `f`. */
+Function getFullyTemplatedFunction(Function f) {
+  // The `Function::getOriginalTemplate` predicate was introduced in CodeQL
+  // version 2.25.6 and the upgrade script leaves the
+  // `function_template_generated_from` extensionals empty if the database
+  // was generated with an older extractor. So we use the old implementation
+  // if the `function_template_generated_from` extensional is empty.
+  if function_template_generated_from(_, _)
+  then result = getFullyTemplatedFunctionNew(f)
+  else result = getFullyTemplatedFunctionOld(f)
+}
+
 /** Prefixes `const` to `s` if `t` is const, or returns `s` otherwise. */
 bindingset[s, t]
 private string withConst(string s, Type t) {
   if t.isConst() then result = "const " + s else result = s
 }
 
-/** Prefixes `volatile` to `s` if `t` is const, or returns `s` otherwise. */
+/** Prefixes `volatile` to `s` if `t` is volatile, or returns `s` otherwise. */
 bindingset[s, t]
 private string withVolatile(string s, Type t) {
   if t.isVolatile() then result = "volatile " + s else result = s
@@ -490,7 +562,7 @@ pragma[nomagic]
 private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
   // If there is a declaring type then we start by expanding the function templates
   exists(Class template |
-    isClassConstructedFrom(f.getDeclaringType(), template) and
+    template = getFullyTemplatedClass(f.getDeclaringType()) and
     remaining = getNumberOfSupportedClassTemplateArguments(template) and
     result = getTypeNameWithoutFunctionTemplates(f, n, 0)
   )
@@ -502,7 +574,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
   or
   exists(string mid, TypeTemplateParameter tp, Class template |
     mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
-    isClassConstructedFrom(f.getDeclaringType(), template) and
+    template = getFullyTemplatedClass(f.getDeclaringType()) and
     tp = getSupportedClassTemplateArgument(template, remaining)
   |
     result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())

cpp/ql/lib/semmle/code/cpp/internal/ResolveClass.qll

@@ -1,59 +1,5 @@
 import semmle.code.cpp.Type
 
-/** For upgraded databases without mangled name info. */
-pragma[noinline]
-private string getTopLevelClassName(@usertype c) {
-  not mangled_name(_, _, _) and
-  isClass(c) and
-  usertypes(c, result, _) and
-  not namespacembrs(_, c) and // not in a namespace
-  not member(_, _, c) and // not in some structure
-  not class_instantiation(c, _) // not a template instantiation
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `d` is a unique complete class named `name`.
- */
-pragma[noinline]
-private predicate existsCompleteWithName(string name, @usertype d) {
-  not mangled_name(_, _, _) and
-  is_complete(d) and
-  name = getTopLevelClassName(d) and
-  onlyOneCompleteClassExistsWithName(name)
-}
-
-/** For upgraded databases without mangled name info. */
-pragma[noinline]
-private predicate onlyOneCompleteClassExistsWithName(string name) {
-  not mangled_name(_, _, _) and
-  strictcount(@usertype c | is_complete(c) and getTopLevelClassName(c) = name) = 1
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `c` is an incomplete class named `name`.
- */
-pragma[noinline]
-private predicate existsIncompleteWithName(string name, @usertype c) {
-  not mangled_name(_, _, _) and
-  not is_complete(c) and
-  name = getTopLevelClassName(c)
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `c` is an incomplete class, and there exists a unique complete class `d`
- * with the same name.
- */
-private predicate oldHasCompleteTwin(@usertype c, @usertype d) {
-  not mangled_name(_, _, _) and
-  exists(string name |
-    existsIncompleteWithName(name, c) and
-    existsCompleteWithName(name, d)
-  )
-}
-
 pragma[noinline]
 private @mangledname getClassMangledName(@usertype c) {
   isClass(c) and
@@ -103,10 +49,7 @@ private module Cached {
   @usertype resolveClass(@usertype c) {
     hasCompleteTwin(c, result)
     or
-    oldHasCompleteTwin(c, result)
-    or
     not hasCompleteTwin(c, _) and
-    not oldHasCompleteTwin(c, _) and
     result = c
   }
 

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.4
+version: 1.6.5-dev
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -51,13 +51,16 @@ models
 | 50 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
 | 51 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
 | 52 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
-| 53 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 53 | Summary: ; TemplateClass1; true; templateFunction2<U,V>; (U,V); ; Argument[1]; ReturnValue; value; manual |
-| 54 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 54 | Summary: ; TemplateClass1<T>; false; templateFunction<U>; (T,U); ; Argument[0]; ReturnValue; value; manual |
-| 55 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual |
+| 55 | Summary: ; TemplateClass2<T,U>; true; function; (U,T); ; Argument[1]; ReturnValue; value; manual |
-| 56 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
+| 56 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual |
-| 57 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
+| 57 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 58 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual |
+| 59 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
+| 60 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
 edges
-| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:57 |
+| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:60 |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:32  |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:32 Sink:MaD:2 |
 | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction |
@@ -66,24 +69,24 @@ edges
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance |  |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:2 |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:57 |
+| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:60 |
-| azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | provenance | MaD:56 |
+| azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | provenance | MaD:59 |
-| azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | provenance | MaD:53 |
+| azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | provenance | MaD:56 |
-| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | provenance | MaD:54 |
+| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | provenance | MaD:57 |
-| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | provenance | MaD:55 |
+| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | provenance | MaD:58 |
 | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue in ReadToEnd [element] | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:253:48:253:60 | *call to GetBodyStream | provenance | Src:MaD:29  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:257:5:257:8 | *resp | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:262:5:262:8 | *resp | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:266:38:266:41 | *resp | provenance |  |
 | azure.cpp:257:5:257:8 | *resp | azure.cpp:113:16:113:19 | [summary param] this in Read | provenance |  |
-| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:53 |
+| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:56 |
 | azure.cpp:257:16:257:21 | Read output argument | azure.cpp:258:10:258:16 | * ... | provenance |  |
 | azure.cpp:262:5:262:8 | *resp | azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | provenance |  |
-| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:54 |
+| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:57 |
 | azure.cpp:262:23:262:28 | ReadToCount output argument | azure.cpp:263:10:263:16 | * ... | provenance |  |
 | azure.cpp:266:38:266:41 | *resp | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance |  |
-| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:55 |
+| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:58 |
 | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance |  |
 | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:267:10:267:12 | vec [element] | provenance |  |
 | azure.cpp:267:10:267:12 | vec [element] | azure.cpp:267:10:267:12 | vec | provenance |  |
@@ -100,11 +103,11 @@ edges
 | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | provenance | Src:MaD:26  |
 | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:282:21:282:23 | *call to get | provenance |  |
 | azure.cpp:282:21:282:23 | *call to get | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance |  |
-| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:55 |
+| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:58 |
 | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:10:282:38 | call to ReadToEnd | provenance |  |
 | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance |  |
 | azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:62:10:62:14 | [summary param] this in Value | provenance |  |
-| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:56 |
+| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:59 |
 | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:24:289:56 | call to GetHeader | provenance |  |
 | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:32:289:40 | call to GetHeader | provenance | Src:MaD:30  |
 | azure.cpp:289:63:289:65 | call to Value | azure.cpp:289:63:289:65 | call to Value | provenance |  |
@@ -180,6 +183,39 @@ edges
 | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | test.cpp:119:10:119:11 | y2 | provenance | Sink:MaD:1 |
 | test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | provenance |  |
 | test.cpp:118:44:118:44 | *x | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | provenance | MaD:48 |
+| test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | provenance | MaD:54 |
+| test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | provenance | MaD:53 |
+| test.cpp:133:10:133:18 | call to ymlSource | test.cpp:133:10:133:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:133:10:133:18 | call to ymlSource | test.cpp:134:45:134:45 | x | provenance |  |
+| test.cpp:134:13:134:43 | call to templateFunction | test.cpp:134:13:134:43 | call to templateFunction | provenance |  |
+| test.cpp:134:13:134:43 | call to templateFunction | test.cpp:135:10:135:10 | y | provenance | Sink:MaD:1 |
+| test.cpp:134:45:134:45 | x | test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | provenance |  |
+| test.cpp:134:45:134:45 | x | test.cpp:134:13:134:43 | call to templateFunction | provenance | MaD:54 |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:55 |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:55 |
+| test.cpp:146:10:146:18 | call to ymlSource | test.cpp:146:10:146:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:146:10:146:18 | call to ymlSource | test.cpp:148:26:148:26 | x | provenance |  |
+| test.cpp:148:10:148:27 | call to function | test.cpp:148:10:148:27 | call to function | provenance |  |
+| test.cpp:148:10:148:27 | call to function | test.cpp:149:10:149:10 | z | provenance | Sink:MaD:1 |
+| test.cpp:148:26:148:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | provenance |  |
+| test.cpp:148:26:148:26 | x | test.cpp:148:10:148:27 | call to function | provenance | MaD:55 |
+| test.cpp:155:10:155:18 | call to ymlSource | test.cpp:155:10:155:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:155:10:155:18 | call to ymlSource | test.cpp:157:26:157:26 | x | provenance |  |
+| test.cpp:157:13:157:20 | call to function | test.cpp:157:13:157:20 | call to function | provenance |  |
+| test.cpp:157:13:157:20 | call to function | test.cpp:158:10:158:10 | z | provenance | Sink:MaD:1 |
+| test.cpp:157:26:157:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | provenance |  |
+| test.cpp:157:26:157:26 | x | test.cpp:157:13:157:20 | call to function | provenance | MaD:55 |
+| test.cpp:164:34:164:34 | x | test.cpp:165:69:165:69 | x | provenance |  |
+| test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:164:7:164:7 | *templateFunction3 | provenance |  |
+| test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:165:12:165:64 | call to templateFunction2 | provenance |  |
+| test.cpp:165:69:165:69 | x | test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | provenance |  |
+| test.cpp:165:69:165:69 | x | test.cpp:165:12:165:64 | call to templateFunction2 | provenance | MaD:53 |
+| test.cpp:170:10:170:18 | call to ymlSource | test.cpp:170:10:170:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:170:10:170:18 | call to ymlSource | test.cpp:172:51:172:51 | x | provenance |  |
+| test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:172:13:172:44 | call to templateFunction3 | provenance |  |
+| test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:173:10:173:10 | y | provenance | Sink:MaD:1 |
+| test.cpp:172:51:172:51 | x | test.cpp:164:34:164:34 | x | provenance |  |
+| test.cpp:172:51:172:51 | x | test.cpp:172:13:172:44 | call to templateFunction3 | provenance | MaD:53 |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:33 |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:3  |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance |  |
@@ -483,6 +519,43 @@ nodes
 | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | semmle.label | call to callWithNonTypeTemplate |
 | test.cpp:118:44:118:44 | *x | semmle.label | *x |
 | test.cpp:119:10:119:11 | y2 | semmle.label | y2 |
+| test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | semmle.label | [summary param] 0 in templateFunction |
+| test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | semmle.label | [summary] to write: ReturnValue in templateFunction |
+| test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | semmle.label | [summary param] 1 in templateFunction2 |
+| test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | semmle.label | [summary] to write: ReturnValue in templateFunction2 |
+| test.cpp:133:10:133:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:133:10:133:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:134:13:134:43 | call to templateFunction | semmle.label | call to templateFunction |
+| test.cpp:134:13:134:43 | call to templateFunction | semmle.label | call to templateFunction |
+| test.cpp:134:45:134:45 | x | semmle.label | x |
+| test.cpp:135:10:135:10 | y | semmle.label | y |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | semmle.label | [summary param] 1 in function |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | semmle.label | [summary param] 1 in function |
+| test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | semmle.label | [summary] to write: ReturnValue in function |
+| test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | semmle.label | [summary] to write: ReturnValue in function |
+| test.cpp:146:10:146:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:146:10:146:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:148:10:148:27 | call to function | semmle.label | call to function |
+| test.cpp:148:10:148:27 | call to function | semmle.label | call to function |
+| test.cpp:148:26:148:26 | x | semmle.label | x |
+| test.cpp:149:10:149:10 | z | semmle.label | z |
+| test.cpp:155:10:155:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:155:10:155:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:157:13:157:20 | call to function | semmle.label | call to function |
+| test.cpp:157:13:157:20 | call to function | semmle.label | call to function |
+| test.cpp:157:26:157:26 | x | semmle.label | x |
+| test.cpp:158:10:158:10 | z | semmle.label | z |
+| test.cpp:164:7:164:7 | *templateFunction3 | semmle.label | *templateFunction3 |
+| test.cpp:164:34:164:34 | x | semmle.label | x |
+| test.cpp:165:12:165:64 | call to templateFunction2 | semmle.label | call to templateFunction2 |
+| test.cpp:165:12:165:64 | call to templateFunction2 | semmle.label | call to templateFunction2 |
+| test.cpp:165:69:165:69 | x | semmle.label | x |
+| test.cpp:170:10:170:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:170:10:170:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:172:13:172:44 | call to templateFunction3 | semmle.label | call to templateFunction3 |
+| test.cpp:172:13:172:44 | call to templateFunction3 | semmle.label | call to templateFunction3 |
+| test.cpp:172:51:172:51 | x | semmle.label | x |
+| test.cpp:173:10:173:10 | y | semmle.label | y |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | semmle.label | [summary param] *0 in CommandLineToArgvA |
 | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | semmle.label | [summary] to write: ReturnValue[**] in CommandLineToArgvA |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |
@@ -688,6 +761,11 @@ subpaths
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
 | test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | test.cpp:111:3:111:25 | [summary] to write: ReturnValue in callWithNonTypeTemplate | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate |
+| test.cpp:134:45:134:45 | x | test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | test.cpp:134:13:134:43 | call to templateFunction |
+| test.cpp:148:26:148:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | test.cpp:148:10:148:27 | call to function |
+| test.cpp:157:26:157:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | test.cpp:157:13:157:20 | call to function |
+| test.cpp:165:69:165:69 | x | test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | test.cpp:165:12:165:64 | call to templateFunction2 |
+| test.cpp:172:51:172:51 | x | test.cpp:164:34:164:34 | x | test.cpp:164:7:164:7 | *templateFunction3 | test.cpp:172:13:172:44 | call to templateFunction3 |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |
 | windows.cpp:537:40:537:41 | *& ... | windows.cpp:473:17:473:37 | [summary param] *1 in RtlCopyVolatileMemory | windows.cpp:473:17:473:37 | [summary param] *0 in RtlCopyVolatileMemory [Return] | windows.cpp:537:27:537:37 | RtlCopyVolatileMemory output argument |
 | windows.cpp:542:38:542:39 | *& ... | windows.cpp:479:17:479:35 | [summary param] *1 in RtlCopyDeviceMemory | windows.cpp:479:17:479:35 | [summary param] *0 in RtlCopyDeviceMemory [Return] | windows.cpp:542:25:542:35 | RtlCopyDeviceMemory output argument |

cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml

@@ -19,3 +19,6 @@ extensions:
       - ["", "", False, "ymlStepGenerated_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
       - ["", "", False, "callWithArgument", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]
       - ["", "", False, "callWithNonTypeTemplate<T>", "(const T &)", "", "Argument[*0]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass1<T>", False, "templateFunction<U>", "(T,U)", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass1", True, "templateFunction2<U,V>", "(U,V)", "", "Argument[1]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass2<T,U>", True, "function", "(U,T)", "", "Argument[1]", "ReturnValue", "value", "manual"]

cpp/ql/test/library-tests/dataflow/external-models/sinks.expected

@@ -15,3 +15,7 @@
 | test.cpp:89:11:89:11 | y | test-sink |
 | test.cpp:116:10:116:11 | y1 | test-sink |
 | test.cpp:119:10:119:11 | y2 | test-sink |
+| test.cpp:135:10:135:10 | y | test-sink |
+| test.cpp:149:10:149:10 | z | test-sink |
+| test.cpp:158:10:158:10 | z | test-sink |
+| test.cpp:173:10:173:10 | y | test-sink |

cpp/ql/test/library-tests/dataflow/external-models/sources.expected

@@ -9,6 +9,10 @@
 | test.cpp:56:8:56:16 | call to ymlSource | local |
 | test.cpp:94:10:94:18 | call to ymlSource | local |
 | test.cpp:114:10:114:18 | call to ymlSource | local |
+| test.cpp:133:10:133:18 | call to ymlSource | local |
+| test.cpp:146:10:146:18 | call to ymlSource | local |
+| test.cpp:155:10:155:18 | call to ymlSource | local |
+| test.cpp:170:10:170:18 | call to ymlSource | local |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | local |
 | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | local |
 | windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | local |

cpp/ql/test/library-tests/dataflow/external-models/test.cpp

@@ -118,3 +118,57 @@ void test_callWithNonTypeTemplate() {
 	int y2 = callWithNonTypeTemplate<int, 10>(x);
 	ymlSink(y2); // $ ir
 }
+
+template<class T>
+struct TemplateClass1 {
+  template<class U>
+  U templateFunction(T, U);
+
+	template<class U, class V>
+  V templateFunction2(U, V);
+};
+
+void test_template_function_in_template_class() {
+	TemplateClass1<int> b;
+	int x = ymlSource();
+	auto y = b.templateFunction<unsigned long>(x, 0UL);
+	ymlSink(y); // $ ir
+}
+
+template<class S, class T>
+struct TemplateClass2 {
+	T function(T, S);
+};
+
+template<class V> using PartialInstantiationOfTemplateClass2 = TemplateClass2<int, V>;
+
+void test_partial_class_instantiation() {
+	int x = ymlSource();
+	PartialInstantiationOfTemplateClass2<unsigned long> y;
+	int z = y.function(0UL, x);
+	ymlSink(z); // $ ir
+}
+
+template<class V> struct DeriveFromFromPartialTemplateInstantiation : TemplateClass2<int, V> { };
+
+void test_inheritance() {
+	int x = ymlSource();
+	DeriveFromFromPartialTemplateInstantiation<long> y;
+	auto z = y.function(0L, x);
+	ymlSink(z); // $ ir
+}
+
+template<class T>
+struct Class1 : TemplateClass1<T> {
+  template<class U>
+  int templateFunction3(U u, int x) {
+    return TemplateClass1<T>::template templateFunction2<U, int>(u, x);
+  }
+};
+
+void test_class1() {
+	int x = ymlSource();
+	Class1<int> c;
+	auto y = c.templateFunction3<unsigned long>(0UL, x);
+	ymlSink(y); // $ ir
+}

cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected

@@ -27383,54 +27383,55 @@ getParameterTypeName
 | stl.h:91:24:91:33 | operator++ | 0 | int |
 | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & |
 | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & |
-| stl.h:148:3:148:14 | basic_string | 0 | const class:2 & |
+| stl.h:147:12:147:23 | basic_string | 0 | const class:2 & |
-| stl.h:149:33:149:44 | basic_string | 0 | const class:0 * |
+| stl.h:148:3:148:14 | basic_string | 0 | const class:0 * |
-| stl.h:149:33:149:44 | basic_string | 1 | const class:2 & |
+| stl.h:148:3:148:14 | basic_string | 1 | const class:2 & |
-| stl.h:151:16:151:20 | c_str | 0 | func:0 |
+| stl.h:149:33:149:44 | basic_string | 0 | func:0 |
-| stl.h:151:16:151:20 | c_str | 1 | func:0 |
+| stl.h:149:33:149:44 | basic_string | 1 | func:0 |
-| stl.h:151:16:151:20 | c_str | 2 | const class:2 & |
+| stl.h:149:33:149:44 | basic_string | 2 | const class:2 & |
+| stl.h:165:8:165:16 | push_back | 0 | class:0 |
 | stl.h:173:13:173:22 | operator[] | 0 | size_type |
 | stl.h:175:13:175:14 | at | 0 | size_type |
-| stl.h:176:35:176:44 | operator+= | 0 | size_type |
+| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & |
-| stl.h:176:35:176:44 | operator+= | 0 | size_type |
+| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & |
-| stl.h:177:17:177:26 | operator+= | 0 | const func:0 & |
+| stl.h:177:17:177:26 | operator+= | 0 | const class:0 * |
-| stl.h:178:17:178:22 | append | 0 | const class:0 * |
+| stl.h:178:17:178:22 | append | 0 | const basic_string & |
-| stl.h:179:17:179:22 | append | 0 | const basic_string & |
+| stl.h:179:17:179:22 | append | 0 | const class:0 * |
-| stl.h:180:17:180:22 | append | 0 | const class:0 * |
+| stl.h:180:17:180:22 | append | 0 | size_type |
-| stl.h:181:47:181:52 | append | 0 | size_type |
+| stl.h:180:17:180:22 | append | 1 | class:0 |
-| stl.h:181:47:181:52 | append | 1 | class:0 |
+| stl.h:181:47:181:52 | append | 0 | func:0 |
-| stl.h:182:17:182:22 | assign | 0 | func:0 |
+| stl.h:181:47:181:52 | append | 1 | func:0 |
-| stl.h:182:17:182:22 | assign | 1 | func:0 |
+| stl.h:182:17:182:22 | assign | 0 | const basic_string & |
-| stl.h:183:17:183:22 | assign | 0 | const basic_string & |
+| stl.h:183:17:183:22 | assign | 0 | size_type |
-| stl.h:184:47:184:52 | assign | 0 | size_type |
+| stl.h:183:17:183:22 | assign | 1 | class:0 |
-| stl.h:184:47:184:52 | assign | 1 | class:0 |
+| stl.h:184:47:184:52 | assign | 0 | func:0 |
-| stl.h:185:17:185:22 | insert | 0 | func:0 |
+| stl.h:184:47:184:52 | assign | 1 | func:0 |
-| stl.h:185:17:185:22 | insert | 1 | func:0 |
+| stl.h:185:17:185:22 | insert | 0 | size_type |
+| stl.h:185:17:185:22 | insert | 1 | const basic_string & |
 | stl.h:186:17:186:22 | insert | 0 | size_type |
-| stl.h:186:17:186:22 | insert | 1 | const basic_string & |
+| stl.h:186:17:186:22 | insert | 1 | size_type |
+| stl.h:186:17:186:22 | insert | 2 | class:0 |
 | stl.h:187:17:187:22 | insert | 0 | size_type |
-| stl.h:187:17:187:22 | insert | 1 | size_type |
+| stl.h:187:17:187:22 | insert | 1 | const class:0 * |
-| stl.h:187:17:187:22 | insert | 2 | class:0 |
+| stl.h:188:12:188:17 | insert | 0 | const_iterator |
-| stl.h:188:12:188:17 | insert | 0 | size_type |
+| stl.h:188:12:188:17 | insert | 1 | size_type |
-| stl.h:188:12:188:17 | insert | 1 | const class:0 * |
+| stl.h:188:12:188:17 | insert | 2 | class:0 |
 | stl.h:189:42:189:47 | insert | 0 | const_iterator |
-| stl.h:189:42:189:47 | insert | 1 | size_type |
+| stl.h:189:42:189:47 | insert | 1 | func:0 |
-| stl.h:189:42:189:47 | insert | 2 | class:0 |
+| stl.h:189:42:189:47 | insert | 2 | func:0 |
-| stl.h:190:17:190:23 | replace | 0 | const_iterator |
+| stl.h:190:17:190:23 | replace | 0 | size_type |
-| stl.h:190:17:190:23 | replace | 1 | func:0 |
+| stl.h:190:17:190:23 | replace | 1 | size_type |
-| stl.h:190:17:190:23 | replace | 2 | func:0 |
+| stl.h:190:17:190:23 | replace | 2 | const basic_string & |
 | stl.h:191:17:191:23 | replace | 0 | size_type |
 | stl.h:191:17:191:23 | replace | 1 | size_type |
-| stl.h:191:17:191:23 | replace | 2 | const basic_string & |
+| stl.h:191:17:191:23 | replace | 2 | size_type |
-| stl.h:192:13:192:16 | copy | 0 | size_type |
+| stl.h:191:17:191:23 | replace | 3 | class:0 |
+| stl.h:192:13:192:16 | copy | 0 | class:0 * |
 | stl.h:192:13:192:16 | copy | 1 | size_type |
 | stl.h:192:13:192:16 | copy | 2 | size_type |
-| stl.h:192:13:192:16 | copy | 3 | class:0 |
+| stl.h:194:16:194:21 | substr | 0 | size_type |
-| stl.h:193:8:193:12 | clear | 0 | class:0 * |
+| stl.h:194:16:194:21 | substr | 1 | size_type |
-| stl.h:193:8:193:12 | clear | 1 | size_type |
+| stl.h:195:8:195:11 | swap | 0 | basic_string & |
-| stl.h:193:8:193:12 | clear | 2 | size_type |
-| stl.h:195:8:195:11 | swap | 0 | size_type |
-| stl.h:195:8:195:11 | swap | 1 | size_type |
 | stl.h:198:94:198:102 | operator+ | 0 | const basic_string & |
 | stl.h:198:94:198:102 | operator+ | 1 | const basic_string & |
 | stl.h:199:94:199:102 | operator+ | 0 | const basic_string & |

cpp/ql/test/library-tests/friends/loop/friends.expected

@@ -1,14 +1,14 @@
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<D> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<T> |
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:29 | E<D> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<T> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:29 | F<D> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:29 | E<C> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<T> |
-| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:29 | F<D> |
-| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<D> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:29 | E<C> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:29 | E<D> |
 | loop.cpp:6:5:6:5 | E<T>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:7:5:7:5 | E<T>'s friend | loop.cpp:7:36:7:36 | F<U> |
 | loop.cpp:11:5:11:5 | F<T>'s friend | loop.cpp:11:36:11:36 | E<U> |

csharp/extractor/Semmle.Extraction.CSharp/CodeAnalysisExtensions/SymbolExtensions.cs

@@ -664,7 +664,7 @@ namespace Semmle.Extraction.CSharp
                 // Find the (possibly unbound) original extension method that maps to this implementation (if any).
                 var unboundDeclaration = extensions.SelectMany(e => e.GetMembers())
                     .OfType<IMethodSymbol>()
-                    .FirstOrDefault(m => SymbolEqualityComparer.Default.Equals(m.AssociatedExtensionImplementation, method.ConstructedFrom));
+                    .FirstOrDefault(m => SymbolEqualityComparer.Default.Equals(m.AssociatedExtensionImplementation?.ConstructedFrom, method.ConstructedFrom));
 
                 var isFullyConstructed = method.IsBoundGenericMethod();
                 if (isFullyConstructed && unboundDeclaration?.ContainingType is INamedTypeSymbol extensionType)

csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs

@@ -69,6 +69,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
 
             Overrides(trapFile);
+            ExtractRefReturn(trapFile, Symbol, this);
 
             if (Symbol.FromSource() && !HasBody)
             {

csharp/paket.dependencies

@@ -4,7 +4,7 @@ source https://api.nuget.org/v3/index.json
 # behave like nuget in choosing transitive dependency versions
 strategy: max
 
-nuget Basic.CompilerLog.Util 0.9.25
+nuget Basic.CompilerLog.Util 0.9.39
 nuget Mono.Posix.NETStandard
 nuget Newtonsoft.Json
 nuget NuGet.Versioning
@@ -12,7 +12,7 @@ nuget xunit
 nuget xunit.runner.visualstudio
 nuget xunit.runner.utility
 nuget Microsoft.NET.Test.Sdk
-nuget Microsoft.CodeAnalysis.CSharp 5.0.0
+nuget Microsoft.CodeAnalysis.CSharp 5.3.0
-nuget Microsoft.CodeAnalysis 5.0.0
+nuget Microsoft.CodeAnalysis 5.3.0
-nuget Microsoft.Build 18.0.2
+nuget Microsoft.Build 18.6.3
 nuget Microsoft.VisualStudio.SolutionPersistence

csharp/paket.lock

@@ -3,45 +3,42 @@ STRATEGY: MAX
 RESTRICTION: == net10.0
 NUGET
   remote: https://api.nuget.org/v3/index.json
-    Basic.CompilerLog.Util (0.9.25)
+    Basic.CompilerLog.Util (0.9.39)
       MessagePack (>= 3.1.4)
-      Microsoft.Bcl.Memory (>= 9.0.10)
+      Microsoft.Bcl.Memory (>= 10.0.7)
       Microsoft.CodeAnalysis (>= 4.8)
       Microsoft.CodeAnalysis.CSharp (>= 4.8)
       Microsoft.CodeAnalysis.VisualBasic (>= 4.8)
-      Microsoft.Extensions.ObjectPool (>= 9.0.10)
+      Microsoft.Extensions.ObjectPool (>= 10.0.7)
-      MSBuild.StructuredLogger (>= 2.3.71)
+      MSBuild.StructuredLogger (>= 2.3.178)
-      NaturalSort.Extension (>= 4.4)
-      NuGet.Versioning (>= 6.14)
     Humanizer.Core (3.0.10)
-    MessagePack (3.1.4)
+    MessagePack (3.1.6)
-      MessagePack.Annotations (>= 3.1.4)
+      MessagePack.Annotations (>= 3.1.6)
-      MessagePackAnalyzer (>= 3.1.4)
+      MessagePackAnalyzer (>= 3.1.6)
       Microsoft.NET.StringTools (>= 17.11.4)
-    MessagePack.Annotations (3.1.4)
+    MessagePack.Annotations (3.1.6)
-    MessagePackAnalyzer (3.1.4)
+    MessagePackAnalyzer (3.1.6)
     Microsoft.Bcl.AsyncInterfaces (10.0.8)
     Microsoft.Bcl.Memory (10.0.8)
-    Microsoft.Build (18.0.2)
+    Microsoft.Build (18.6.3)
-      Microsoft.Build.Framework (>= 18.0.2)
+      Microsoft.Build.Framework (>= 18.6.3)
-      Microsoft.NET.StringTools (>= 18.0.2)
+      System.Configuration.ConfigurationManager (>= 10.0.3)
-      System.Configuration.ConfigurationManager (>= 9.0)
+      System.Diagnostics.EventLog (>= 10.0.3)
-      System.Diagnostics.EventLog (>= 9.0)
+      System.Reflection.MetadataLoadContext (>= 10.0.3)
-      System.Reflection.MetadataLoadContext (>= 9.0)
+      System.Security.Cryptography.ProtectedData (>= 10.0.3)
-      System.Security.Cryptography.ProtectedData (>= 9.0.6)
+    Microsoft.Build.Framework (18.6.3)
-    Microsoft.Build.Framework (18.4)
+      Microsoft.NET.StringTools (>= 18.6.3)
-    Microsoft.Build.Utilities.Core (18.4)
+    Microsoft.Build.Utilities.Core (18.6.3)
-      Microsoft.Build.Framework (>= 18.4)
+      Microsoft.Build.Framework (>= 18.6.3)
-      Microsoft.NET.StringTools (>= 18.4)
+      System.Configuration.ConfigurationManager (>= 10.0.3)
-      System.Configuration.ConfigurationManager (>= 10.0.1)
+      System.Diagnostics.EventLog (>= 10.0.3)
-      System.Diagnostics.EventLog (>= 10.0.1)
+      System.Security.Cryptography.ProtectedData (>= 10.0.3)
-      System.Security.Cryptography.ProtectedData (>= 10.0.1)
+    Microsoft.CodeAnalysis (5.3)
-    Microsoft.CodeAnalysis (5.0)
       Humanizer.Core (>= 2.14.1)
       Microsoft.Bcl.AsyncInterfaces (>= 9.0)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.CSharp.Workspaces (5.0)
+      Microsoft.CodeAnalysis.CSharp.Workspaces (5.3)
-      Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.0)
+      Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.3)
       System.Buffers (>= 4.6)
       System.Collections.Immutable (>= 9.0)
       System.Composition (>= 9.0)
@@ -54,36 +51,36 @@ NUGET
       System.Threading.Channels (>= 8.0)
       System.Threading.Tasks.Extensions (>= 4.6)
     Microsoft.CodeAnalysis.Analyzers (5.3)
-    Microsoft.CodeAnalysis.Common (5.0)
+    Microsoft.CodeAnalysis.Common (5.3)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-    Microsoft.CodeAnalysis.CSharp (5.0)
+    Microsoft.CodeAnalysis.CSharp (5.3)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.Common (5.3)
-    Microsoft.CodeAnalysis.CSharp.Workspaces (5.0)
+    Microsoft.CodeAnalysis.CSharp.Workspaces (5.3)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.Common (5.3)
-      Microsoft.CodeAnalysis.CSharp (5.0)
+      Microsoft.CodeAnalysis.CSharp (5.3)
-      Microsoft.CodeAnalysis.Workspaces.Common (5.0)
+      Microsoft.CodeAnalysis.Workspaces.Common (5.3)
       System.Composition (>= 9.0)
-    Microsoft.CodeAnalysis.VisualBasic (5.0)
+    Microsoft.CodeAnalysis.VisualBasic (5.3)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.Common (5.3)
-    Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.0)
+    Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.3)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.Common (5.3)
-      Microsoft.CodeAnalysis.VisualBasic (5.0)
+      Microsoft.CodeAnalysis.VisualBasic (5.3)
-      Microsoft.CodeAnalysis.Workspaces.Common (5.0)
+      Microsoft.CodeAnalysis.Workspaces.Common (5.3)
       System.Composition (>= 9.0)
-    Microsoft.CodeAnalysis.Workspaces.Common (5.0)
+    Microsoft.CodeAnalysis.Workspaces.Common (5.3)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.Common (5.3)
       System.Composition (>= 9.0)
     Microsoft.CodeCoverage (18.5.1)
     Microsoft.Extensions.ObjectPool (10.0.8)
-    Microsoft.NET.StringTools (18.4)
+    Microsoft.NET.StringTools (18.6.3)
     Microsoft.NET.Test.Sdk (18.5.1)
       Microsoft.CodeCoverage (>= 18.5.1)
       Microsoft.TestPlatform.TestHost (>= 18.5.1)
@@ -97,7 +94,6 @@ NUGET
     MSBuild.StructuredLogger (2.3.204)
       Microsoft.Build.Framework (>= 17.5)
       Microsoft.Build.Utilities.Core (>= 17.5)
-    NaturalSort.Extension (4.4.1)
     Newtonsoft.Json (13.0.4)
     NuGet.Versioning (7.6)
     System.Buffers (4.6.1)

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.68
+version: 1.7.69-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.68
+version: 1.7.69-dev
 groups:
   - csharp
   - solorigate

csharp/ql/integration-tests/posix/standalone_dependencies_executing_runtime/Assemblies.expected

@@ -22,7 +22,6 @@
 | [...]/csharp/tools/[...]/Microsoft.Win32.Primitives.dll |
 | [...]/csharp/tools/[...]/Microsoft.Win32.Registry.dll |
 | [...]/csharp/tools/[...]/Mono.Posix.NETStandard.dll |
-| [...]/csharp/tools/[...]/NaturalSort.Extension.dll |
 | [...]/csharp/tools/[...]/Newtonsoft.Json.dll |
 | [...]/csharp/tools/[...]/NuGet.Versioning.dll |
 | [...]/csharp/tools/[...]/StructuredLogger.dll |

csharp/ql/lib/change-notes/2026-05-19-properties-indexers-refreturn.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved call target resolution for ref-return properties and indexers.

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 6.0.2
+version: 6.0.3-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/lib/semmle/code/csharp/exprs/Call.qll

@@ -766,7 +766,16 @@ class PropertyCall extends AccessorCall, PropertyAccessExpr {
   }
 
   override Accessor getWriteTarget() {
-    this instanceof AssignableWrite and result = this.getProperty().getSetter()
+    this instanceof AssignableWrite and
+    exists(Property p | p = this.getProperty() |
+      result = p.getSetter()
+      or
+      result =
+        any(Getter g |
+          g = p.getGetter() and
+          g.getAnnotatedReturnType().isRef()
+        )
+    )
   }
 
   override Expr getArgument(int i) {
@@ -801,7 +810,16 @@ class IndexerCall extends AccessorCall, IndexerAccessExpr {
   }
 
   override Accessor getWriteTarget() {
-    this instanceof AssignableWrite and result = this.getIndexer().getSetter()
+    this instanceof AssignableWrite and
+    exists(Indexer i | i = this.getIndexer() |
+      result = i.getSetter()
+      or
+      result =
+        any(Getter g |
+          g = i.getGetter() and
+          g.getAnnotatedReturnType().isRef()
+        )
+    )
   }
 
   override Expr getArgument(int i) {

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.4
+version: 1.7.5-dev
 groups:
   - csharp
   - queries

csharp/ql/test/library-tests/csharp8/NullableRefTypes.expected

@@ -227,7 +227,7 @@ returnTypes
 | NullableRefTypes.cs:107:26:107:36 | ReturnsRef5 | readonly MyClass! |
 | NullableRefTypes.cs:108:26:108:36 | ReturnsRef6 | readonly MyClass! |
 | NullableRefTypes.cs:110:10:110:20 | Parameters1 | Void! |
-| NullableRefTypes.cs:113:32:113:44 | get_RefProperty | MyClass! |
+| NullableRefTypes.cs:113:32:113:44 | get_RefProperty | ref MyClass! |
 | NullableRefTypes.cs:116:7:116:23 | <object initializer> | Void |
 | NullableRefTypes.cs:116:7:116:23 | ToStringWithTypes | Void! |
 | NullableRefTypes.cs:136:7:136:24 | <object initializer> | Void |

csharp/ql/test/library-tests/encoding/SBCS.cs

@@ -1,4 +1,4 @@
-class SBCS
+class SBCS
 {
-    string sbcs = "<22>";
+    string sbcs = "<22>";
 }

csharp/ql/test/library-tests/indexers/Indexers13.expected

@@ -0,0 +1,4 @@
+| indexers.cs:24:21:24:24 | Item | indexers.cs:62:22:62:29 | access to indexer | indexers.cs:26:13:26:15 | get_Item |
+| indexers.cs:24:21:24:24 | Item | indexers.cs:65:25:65:32 | access to indexer | indexers.cs:34:13:34:15 | set_Item |
+| indexers.cs:143:24:143:27 | Item | indexers.cs:156:13:156:16 | access to indexer | indexers.cs:145:13:145:15 | get_Item |
+| indexers.cs:143:24:143:27 | Item | indexers.cs:157:21:157:24 | access to indexer | indexers.cs:145:13:145:15 | get_Item |

csharp/ql/test/library-tests/indexers/Indexers13.ql

@@ -0,0 +1,8 @@
+import csharp
+
+from IndexerCall ic, Indexer i, Accessor target
+where
+  ic.getIndexer() = i and
+  ic.getTarget() = target and
+  i.fromSource()
+select i, ic, target

csharp/ql/test/library-tests/indexers/PrintAst.expected

@@ -360,3 +360,57 @@ indexers.cs:
 #  130|         4: [BlockStmt] {...}
 #  130|           0: [ReturnStmt] return ...;
 #  130|             0: [IntLiteral] 0
+#  134|   5: [RefStruct] S
+#  136|     6: [Field] x
+#  136|       -1: [TypeMention] int
+#  138|     7: [InstanceConstructor] S
+#-----|       2: (Parameters)
+#  138|         0: [Parameter] v
+#  138|           -1: [TypeMention] int
+#  139|       4: [BlockStmt] {...}
+#  140|         0: [ExprStmt] ...;
+#  140|           0: [AssignExpr] ... = ...
+#  140|             0: [FieldAccess] access to field x
+#  140|             1: [RefExpr] ref ...
+#  140|               0: [ParameterAccess] access to parameter v
+#  143|     8: [Indexer] Item
+#  143|       -1: [TypeMention] int
+#-----|       1: (Parameters)
+#  143|         0: [Parameter] i
+#  143|           -1: [TypeMention] int
+#  145|       3: [Getter] get_Item
+#-----|         2: (Parameters)
+#  143|           0: [Parameter] i
+#  145|         4: [BlockStmt] {...}
+#  145|           0: [ReturnStmt] return ...;
+#  145|             0: [RefExpr] ref ...
+#  145|               0: [FieldAccess] access to field x
+#  149|   6: [Class] TestRefReturns
+#  151|     6: [Method] M
+#  151|       -1: [TypeMention] Void
+#  152|       4: [BlockStmt] {...}
+#  153|         0: [LocalVariableDeclStmt] ... ...;
+#  153|           0: [LocalVariableDeclAndInitExpr] Int32 a = ...
+#  153|             -1: [TypeMention] int
+#  153|             0: [LocalVariableAccess] access to local variable a
+#  153|             1: [IntLiteral] 0
+#  155|         1: [LocalVariableDeclStmt] ... ...;
+#  155|           0: [LocalVariableDeclAndInitExpr] S s = ...
+#  155|             -1: [TypeMention] S
+#  155|             0: [LocalVariableAccess] access to local variable s
+#  155|             1: [ObjectCreation] object creation of type S
+#  155|               -1: [TypeMention] S
+#  155|               0: [LocalVariableAccess] access to local variable a
+#  156|         2: [ExprStmt] ...;
+#  156|           0: [AssignExpr] ... = ...
+#  156|             0: [IndexerCall] access to indexer
+#  156|               -1: [LocalVariableAccess] access to local variable s
+#  156|               0: [IntLiteral] 0
+#  156|             1: [IntLiteral] 1
+#  157|         3: [LocalVariableDeclStmt] ... ...;
+#  157|           0: [LocalVariableDeclAndInitExpr] Int32 x = ...
+#  157|             -1: [TypeMention] int
+#  157|             0: [LocalVariableAccess] access to local variable x
+#  157|             1: [IndexerCall] access to indexer
+#  157|               -1: [LocalVariableAccess] access to local variable s
+#  157|               0: [IntLiteral] 0

csharp/ql/test/library-tests/indexers/indexers.cs

@@ -130,4 +130,31 @@ namespace Indexers
             get { return 0; }
         }
     }
+
+    public ref struct S
+    {
+        private ref int x;
+
+        public S(ref int v)
+        {
+            x = ref v;
+        }
+
+        public ref int this[int i]
+        {
+            get { return ref x; }
+        }
+    }
+
+    public class TestRefReturns
+    {
+        public void M()
+        {
+            int a = 0;
+
+            S s = new S(ref a);
+            s[0] = 1;
+            var x = s[0];
+        }
+    }
 }

csharp/ql/test/library-tests/properties/PrintAst.expected

@@ -246,3 +246,50 @@ properties.cs:
 #  133|               0: [FieldAccess] access to field Prop.field
 #  133|               1: [ParameterAccess] access to parameter value
 #  130|     7: [Field] Prop.field
+#  137|   11: [RefStruct] S
+#  139|     6: [Field] x
+#  139|       -1: [TypeMention] int
+#  141|     7: [InstanceConstructor] S
+#-----|       2: (Parameters)
+#  141|         0: [Parameter] v
+#  141|           -1: [TypeMention] int
+#  142|       4: [BlockStmt] {...}
+#  143|         0: [ExprStmt] ...;
+#  143|           0: [AssignExpr] ... = ...
+#  143|             0: [FieldAccess] access to field x
+#  143|             1: [RefExpr] ref ...
+#  143|               0: [ParameterAccess] access to parameter v
+#  146|     8: [Property] Prop
+#  146|       -1: [TypeMention] int
+#  148|       3: [Getter] get_Prop
+#  148|         4: [BlockStmt] {...}
+#  148|           0: [ReturnStmt] return ...;
+#  148|             0: [RefExpr] ref ...
+#  148|               0: [FieldAccess] access to field x
+#  152|   12: [Class] TestRefReturns
+#  154|     6: [Method] M
+#  154|       -1: [TypeMention] Void
+#  155|       4: [BlockStmt] {...}
+#  156|         0: [LocalVariableDeclStmt] ... ...;
+#  156|           0: [LocalVariableDeclAndInitExpr] Int32 a = ...
+#  156|             -1: [TypeMention] int
+#  156|             0: [LocalVariableAccess] access to local variable a
+#  156|             1: [IntLiteral] 0
+#  158|         1: [LocalVariableDeclStmt] ... ...;
+#  158|           0: [LocalVariableDeclAndInitExpr] S s = ...
+#  158|             -1: [TypeMention] S
+#  158|             0: [LocalVariableAccess] access to local variable s
+#  158|             1: [ObjectCreation] object creation of type S
+#  158|               -1: [TypeMention] S
+#  158|               0: [LocalVariableAccess] access to local variable a
+#  159|         2: [ExprStmt] ...;
+#  159|           0: [AssignExpr] ... = ...
+#  159|             0: [PropertyCall] access to property Prop
+#  159|               -1: [LocalVariableAccess] access to local variable s
+#  159|             1: [IntLiteral] 1
+#  160|         3: [LocalVariableDeclStmt] ... ...;
+#  160|           0: [LocalVariableDeclAndInitExpr] Int32 x = ...
+#  160|             -1: [TypeMention] int
+#  160|             0: [LocalVariableAccess] access to local variable x
+#  160|             1: [PropertyCall] access to property Prop
+#  160|               -1: [LocalVariableAccess] access to local variable s

csharp/ql/test/library-tests/properties/Properties17.expected

@@ -1,5 +1,6 @@
 | Prop.field |
 | caption |
 | next |
+| x |
 | y |
 | z |

csharp/ql/test/library-tests/properties/Properties19.expected

@@ -0,0 +1,8 @@
+| properties.cs:12:23:12:29 | Caption | properties.cs:29:13:29:28 | access to property Caption | properties.cs:17:13:17:15 | set_Caption |
+| properties.cs:12:23:12:29 | Caption | properties.cs:30:24:30:39 | access to property Caption | properties.cs:15:13:15:15 | get_Caption |
+| properties.cs:57:20:57:20 | X | properties.cs:61:13:61:13 | access to property X | properties.cs:57:37:57:39 | set_X |
+| properties.cs:58:20:58:20 | Y | properties.cs:62:13:62:13 | access to property Y | properties.cs:58:37:58:39 | set_Y |
+| properties.cs:70:28:70:28 | X | properties.cs:82:46:82:51 | access to property X | properties.cs:70:32:70:34 | get_X |
+| properties.cs:71:28:71:28 | Y | properties.cs:83:39:83:44 | access to property Y | properties.cs:74:13:74:15 | set_Y |
+| properties.cs:146:24:146:27 | Prop | properties.cs:159:13:159:18 | access to property Prop | properties.cs:148:13:148:15 | get_Prop |
+| properties.cs:146:24:146:27 | Prop | properties.cs:160:21:160:26 | access to property Prop | properties.cs:148:13:148:15 | get_Prop |

csharp/ql/test/library-tests/properties/Properties19.ql

@@ -0,0 +1,8 @@
+import csharp
+
+from PropertyCall pc, Property p, Accessor target
+where
+  pc.getProperty() = p and
+  pc.getTarget() = target and
+  p.fromSource()
+select p, pc, target

csharp/ql/test/library-tests/properties/properties.cs

@@ -133,4 +133,31 @@ namespace Properties
             set { field = value; }
         }
     }
+
+    public ref struct S
+    {
+        private ref int x;
+
+        public S(ref int v)
+        {
+            x = ref v;
+        }
+
+        public ref int Prop
+        {
+            get { return ref x; }
+        }
+    }
+
+    public class TestRefReturns
+    {
+        public void M()
+        {
+            int a = 0;
+
+            S s = new S(ref a);
+            s.Prop = 1;
+            var x = s.Prop;
+        }
+    }
 }

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/IsNotOkayCall.expected

@@ -1,3 +1,2 @@
 | Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer |
 | Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer |
-| Quality.cs:32:9:32:21 | access to indexer | Call without target $@. | Quality.cs:32:9:32:21 | access to indexer | access to indexer |

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/NoTarget.expected

@@ -9,6 +9,5 @@
 | Quality.cs:23:9:23:30 | delegate call | Call without target $@. | Quality.cs:23:9:23:30 | delegate call | delegate call |
 | Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer |
 | Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer |
-| Quality.cs:32:9:32:21 | access to indexer | Call without target $@. | Quality.cs:32:9:32:21 | access to indexer | access to indexer |
 | Quality.cs:38:16:38:26 | access to property MyProperty2 | Call without target $@. | Quality.cs:38:16:38:26 | access to property MyProperty2 | access to property MyProperty2 |
 | Quality.cs:50:20:50:26 | object creation of type T | Call without target $@. | Quality.cs:50:20:50:26 | object creation of type T | object creation of type T |

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs

@@ -29,7 +29,7 @@ public class Test
         var slice = sp[..3];        // TODO: this is not an indexer call, but rather a `sp.Slice(0, 3)` call.
 
         Span<byte> guidBytes = stackalloc byte[16];
-        guidBytes[08] = 1;          // TODO: this indexer call has no target, because the target is a `ref` returning getter.
+        guidBytes[08] = 1;
 
         new MyList([new(), new Test()]);
     }

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.51
+version: 1.0.52-dev
 groups:
   - go
   - queries

go/ql/lib/change-notes/2026-06-01-non-returning-functions.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* More logging functions are now recognized as not returning or panicking.

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.1.2
+version: 7.1.3-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/lib/semmle/go/Concepts.qll

@@ -413,17 +413,13 @@ private class ExternalLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
   }
 }
 
-/**
+private class HeuristicLoggerFunction extends Method {
- * A call to an interface that looks like a logger. It is common to use a
+  string logFunctionPrefix;
- * locally-defined interface for logging to make it easy to changing logging
+
- * library.
+  HeuristicLoggerFunction() {
- */
+    exists(string tp, string name |
-private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
+      this.hasQualifiedName(_, tp, name) and
-  HeuristicLoggerCall() {
+      this.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType
-    exists(Method m, string tp, string logFunctionPrefix, string name |
-      m = this.getTarget() and
-      m.hasQualifiedName(_, tp, name) and
-      m.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType
     |
       tp.regexpMatch(".*[lL]ogger") and
       logFunctionPrefix =
@@ -435,6 +431,19 @@ private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode
     )
   }
 
+  override predicate mayReturnNormally() { logFunctionPrefix != "Fatal" }
+
+  override predicate mustPanic() { logFunctionPrefix = "Panic" }
+}
+
+/**
+ * A call to an interface that looks like a logger. It is common to use a
+ * locally-defined interface for logging to make it easy to change logging
+ * library.
+ */
+private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
+  HeuristicLoggerCall() { this.getTarget() instanceof HeuristicLoggerFunction }
+
   override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
 }
 

go/ql/lib/semmle/go/frameworks/Glog.qll

@@ -12,17 +12,37 @@ import go
  * forks.
  */
 module Glog {
+  /** Gets a package name for `glog` or `klog` (which is a fork). */
+  string packagePath() {
+    result =
+      package([
+          "github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog", "github.com/barakmich/glog"
+        ], "")
+  }
+
   private class GlogFunction extends Function {
     int firstPrintedArg;
+    string format;
+    string level;
 
     GlogFunction() {
-      exists(string pkg, string fn, string level |
+      exists(string pkg, string context, int nContextArgs, string depth, int nDepthArgs, string fn |
-        pkg = package(["github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog"], "") and
+        pkg = packagePath() and
         level = ["Error", "Exit", "Fatal", "Info", "Warning"] and
         (
-          fn = level + ["", "f", "ln"] and firstPrintedArg = 0
+          context = "" and nContextArgs = 0
           or
-          fn = level + "Depth" and firstPrintedArg = 1
+          context = "Context" and nContextArgs = 1
+        ) and
+        (
+          depth = "" and nDepthArgs = 0
+          or
+          depth = "Depth" and nDepthArgs = 1
+        ) and
+        format = ["", "f", "ln"] and
+        (
+          fn = level + context + depth + format and
+          firstPrintedArg = nContextArgs + nDepthArgs
         )
       |
         this.hasQualifiedName(pkg, fn)
@@ -35,10 +55,15 @@ module Glog {
      * Gets the index of the first argument that may be output, including a format string if one is present.
      */
     int getFirstPrintedArg() { result = firstPrintedArg }
+
+    /** Holds if this function takes a format string. */
+    predicate formatter() { format = "f" }
+
+    override predicate mayReturnNormally() { level != "Fatal" and level != "Exit" }
   }
 
   private class StringFormatter extends StringOps::Formatting::Range instanceof GlogFunction {
-    StringFormatter() { this.getName().matches("%f") }
+    StringFormatter() { this.formatter() }
 
     override int getFormatStringIndex() { result = super.getFirstPrintedArg() }
   }

go/ql/lib/semmle/go/frameworks/Logrus.qll

@@ -28,6 +28,12 @@ module Logrus {
         this.(Method).hasQualifiedName(packagePath(), ["Entry", "Logger"], name)
       )
     }
+
+    override predicate mayReturnNormally() {
+      not exists(string level, string suffix | level = ["Fatal", "Panic"] |
+        this.getName() = level + suffix
+      )
+    }
   }
 
   private class StringFormatters extends StringOps::Formatting::Range instanceof LogFunction {

go/ql/lib/semmle/go/frameworks/Zap.qll

@@ -47,7 +47,7 @@ module Zap {
   }
 
   /** A Zap logging function which always panics. */
-  private class FatalLogMethod extends Method {
+  private class FatalLogMethod extends ZapFunction {
     FatalLogMethod() {
       this.hasQualifiedName(packagePath(), "Logger", "Fatal")
       or
@@ -58,7 +58,7 @@ module Zap {
   }
 
   /** A Zap logging function which always panics. */
-  private class MustPanicLogMethod extends Method {
+  private class MustPanicLogMethod extends ZapFunction {
     MustPanicLogMethod() {
       this.hasQualifiedName(packagePath(), "Logger", "Panic")
       or

go/ql/lib/semmle/go/frameworks/stdlib/Log.qll

@@ -29,18 +29,37 @@ module Log {
   }
 
   private class LogFormatter extends StringOps::Formatting::Range instanceof LogFunction {
-    LogFormatter() { this.getName() = ["Fatalf", "Panicf", "Printf"] }
+    LogFormatter() { this.getName() = ["Fatalf", "Panicf", "Printf", "Panic", "Panicf", "Panicln"] }
 
     override int getFormatStringIndex() { result = 0 }
   }
 
   /** A fatal log function, which calls `os.Exit`. */
   private class FatalLogFunction extends Function {
-    FatalLogFunction() { this.hasQualifiedName("log", ["Fatal", "Fatalf", "Fatalln"]) }
+    FatalLogFunction() {
+      exists(string fn | fn = ["Fatal", "Fatalf", "Fatalln"] |
+        this.hasQualifiedName("log", fn)
+        or
+        this.(Method).hasQualifiedName("log", "Logger", fn)
+      )
+    }
 
     override predicate mayReturnNormally() { none() }
   }
 
+  /** A log function which must panic. */
+  private class PanicLogFunction extends Function {
+    PanicLogFunction() {
+      exists(string fn | fn = ["Panic", "Panicf", "Panicln"] |
+        this.hasQualifiedName("log", fn)
+        or
+        this.(Method).hasQualifiedName("log", "Logger", fn)
+      )
+    }
+
+    override predicate mustPanic() { any() }
+  }
+
   // These models are not implemented using Models-as-Data because they represent reverse flow.
   private class FunctionModels extends TaintTracking::FunctionModel {
     FunctionInput inp;
@@ -63,30 +82,6 @@ module Log {
     FunctionOutput outp;
 
     MethodModels() {
-      // signature: func (*Logger) Fatal(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatal") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Fatalf(format string, v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatalf") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Fatalln(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatalln") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panic(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panic") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panicf(format string, v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panicf") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panicln(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panicln") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
       // signature: func (*Logger) Print(v ...interface{})
       this.hasQualifiedName("log", "Logger", "Print") and
       (inp.isParameter(_) and outp.isReceiver())

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.4
+version: 1.6.5-dev
 groups:
   - go
   - queries

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go

@@ -1,54 +1,181 @@
-//go:generate depstubber -vendor github.com/golang/glog "" Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln
+//go:generate depstubber -vendor github.com/golang/glog Level,Verbose Error,ErrorContext,ErrorContextDepth,ErrorContextDepthf,ErrorContextf,ErrorDepth,ErrorDepthf,Errorf,Errorln,Exit,ExitContext,ExitContextDepth,ExitContextDepthf,ExitContextf,ExitDepth,ExitDepthf,Exitf,Exitln,Fatal,FatalContext,FatalContextDepth,FatalContextDepthf,FatalContextf,FatalDepth,FatalDepthf,Fatalf,Fatalln,Info,InfoContext,InfoContextDepth,InfoContextDepthf,InfoContextf,InfoDepth,InfoDepthf,Infof,Infoln,V,VDepth,Warning,WarningContext,WarningContextDepth,WarningContextDepthf,WarningContextf,WarningDepth,WarningDepthf,Warningf,Warningln
-//go:generate depstubber -vendor k8s.io/klog "" Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln
+//go:generate depstubber -vendor k8s.io/klog Level,Verbose Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,V,Warning,WarningDepth,Warningf,Warningln
 
 package main
 
 import (
+	"context"
+
 	"github.com/golang/glog"
 	"k8s.io/klog"
 )
 
-func glogTest() {
+func glogTest(selector int) {
-	glog.Error(text)           // $ logger=text
+	ctx := context.Background()
-	glog.ErrorDepth(0, text)   // $ logger=text
+
-	glog.Errorf(fmt, text)     // $ logger=fmt logger=text
+	glog.Error(text)                           // $ logger=text
-	glog.Errorln(text)         // $ logger=text
+	glog.ErrorContext(ctx, text)               // $ logger=text
-	glog.Exit(text)            // $ logger=text
+	glog.ErrorContextDepth(ctx, 0, text)       // $ logger=text
-	glog.ExitDepth(0, text)    // $ logger=text
+	glog.ErrorContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
-	glog.Exitf(fmt, text)      // $ logger=fmt logger=text
+	glog.ErrorContextf(ctx, fmt, text)         // $ logger=fmt logger=text
-	glog.Exitln(text)          // $ logger=text
+	glog.ErrorDepth(0, text)                   // $ logger=text
-	glog.Fatal(text)           // $ logger=text
+	glog.ErrorDepthf(0, fmt, text)             // $ logger=fmt logger=text
-	glog.FatalDepth(0, text)   // $ logger=text
+	glog.Errorf(fmt, text)                     // $ logger=fmt logger=text
-	glog.Fatalf(fmt, text)     // $ logger=fmt logger=text
+	glog.Errorln(text)                         // $ logger=text
-	glog.Fatalln(text)         // $ logger=text
+	if selector == 1 {
-	glog.Info(text)            // $ logger=text
+		glog.Exit(text) // $ logger=text
-	glog.InfoDepth(0, text)    // $ logger=text
+	}
-	glog.Infof(fmt, text)      // $ logger=fmt logger=text
+	if selector == 2 {
-	glog.Infoln(text)          // $ logger=text
+		glog.ExitContext(ctx, text) // $ logger=text
-	glog.Warning(text)         // $ logger=text
+	}
-	glog.WarningDepth(0, text) // $ logger=text
+	if selector == 3 {
-	glog.Warningf(fmt, text)   // $ logger=fmt logger=text
+		glog.ExitContextDepth(ctx, 0, text) // $ logger=text
-	glog.Warningln(text)       // $ logger=text
+	}
+	if selector == 4 {
+		glog.ExitContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 5 {
+		glog.ExitContextf(ctx, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 6 {
+		glog.ExitDepth(0, text) // $ logger=text
+	}
+	if selector == 7 {
+		glog.ExitDepthf(0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 8 {
+		glog.Exitf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 9 {
+		glog.Exitln(text) // $ logger=text
+	}
+	if selector == 10 {
+		glog.Fatal(text) // $ logger=text
+	}
+	if selector == 11 {
+		glog.FatalContext(ctx, text) // $ logger=text
+	}
+	if selector == 12 {
+		glog.FatalContextDepth(ctx, 0, text) // $ logger=text
+	}
+	if selector == 13 {
+		glog.FatalContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 14 {
+		glog.FatalContextf(ctx, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 15 {
+		glog.FatalDepth(0, text) // $ logger=text
+	}
+	if selector == 16 {
+		glog.FatalDepthf(0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 17 {
+		glog.Fatalf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 18 {
+		glog.Fatalln(text) // $ logger=text
+	}
+	glog.Info(text)                              // $ logger=text
+	glog.InfoContext(ctx, text)                  // $ logger=text
+	glog.InfoContextDepth(ctx, 0, text)          // $ logger=text
+	glog.InfoContextDepthf(ctx, 0, fmt, text)    // $ logger=fmt logger=text
+	glog.InfoContextf(ctx, fmt, text)            // $ logger=fmt logger=text
+	glog.InfoDepth(0, text)                      // $ logger=text
+	glog.InfoDepthf(0, fmt, text)                // $ logger=fmt logger=text
+	glog.Infof(fmt, text)                        // $ logger=fmt logger=text
+	glog.Infoln(text)                            // $ logger=text
+	glog.Warning(text)                           // $ logger=text
+	glog.WarningContext(ctx, text)               // $ logger=text
+	glog.WarningContextDepth(ctx, 0, text)       // $ logger=text
+	glog.WarningContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	glog.WarningContextf(ctx, fmt, text)         // $ logger=fmt logger=text
+	glog.WarningDepth(0, text)                   // $ logger=text
+	glog.WarningDepthf(0, fmt, text)             // $ logger=fmt logger=text
+	glog.Warningf(fmt, text)                     // $ logger=fmt logger=text
+	glog.Warningln(text)                         // $ logger=text
+
+	glog.V(0).Info(text)                           // $ logger=text
+	glog.V(0).InfoContext(ctx, text)               // $ logger=text
+	glog.V(0).InfoContextDepth(ctx, 0, text)       // $ logger=text
+	glog.V(0).InfoContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	glog.V(0).InfoContextf(ctx, fmt, text)         // $ logger=fmt logger=text
+	glog.V(0).InfoDepth(0, text)                   // $ logger=text
+	glog.V(0).InfoDepthf(0, fmt, text)             // $ logger=fmt logger=text
+	glog.V(0).Infof(fmt, text)                     // $ logger=fmt logger=text
+	glog.V(0).Infoln(text)                         // $ logger=text
+	glog.VDepth(0, 0).Info(text)                   // $ logger=text
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	glog.Errorf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Exitf("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorContextf(ctx, "%s: found type %T", text, v)         // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Fatalf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorDepthf(0, "%s: found type %T", text, v)             // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Infof("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.Errorf("%s: found type %T", text, v)                     // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	if selector == 19 {
+		glog.ExitContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 20 {
+		glog.ExitContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 21 {
+		glog.ExitDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 22 {
+		glog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 23 {
+		glog.FatalContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 24 {
+		glog.FatalContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 25 {
+		glog.FatalDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 26 {
+		glog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	glog.InfoContextDepthf(ctx, 0, "%s: found type %T", text, v)      // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.InfoContextf(ctx, "%s: found type %T", text, v)              // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.InfoDepthf(0, "%s: found type %T", text, v)                  // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.Infof("%s: found type %T", text, v)                          // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningContextDepthf(ctx, 0, "%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningContextf(ctx, "%s: found type %T", text, v)           // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningDepthf(0, "%s: found type %T", text, v)               // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.Warningf("%s: found type %T", text, v)                       // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoContextf(ctx, "%s: found type %T", text, v)         // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoDepthf(0, "%s: found type %T", text, v)             // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).Infof("%s: found type %T", text, v)                     // $ logger="%s: found type %T" logger=text type-logger=v
 
-	klog.Error(text)           // $ logger=text
+	klog.Error(text)         // $ logger=text
-	klog.ErrorDepth(0, text)   // $ logger=text
+	klog.ErrorDepth(0, text) // $ logger=text
-	klog.Errorf(fmt, text)     // $ logger=fmt logger=text
+	klog.Errorf(fmt, text)   // $ logger=fmt logger=text
-	klog.Errorln(text)         // $ logger=text
+	klog.Errorln(text)       // $ logger=text
-	klog.Exit(text)            // $ logger=text
+	if selector == 27 {
-	klog.ExitDepth(0, text)    // $ logger=text
+		klog.Exit(text) // $ logger=text
-	klog.Exitf(fmt, text)      // $ logger=fmt logger=text
+	}
-	klog.Exitln(text)          // $ logger=text
+	if selector == 28 {
-	klog.Fatal(text)           // $ logger=text
+		klog.ExitDepth(0, text) // $ logger=text
-	klog.FatalDepth(0, text)   // $ logger=text
+	}
-	klog.Fatalf(fmt, text)     // $ logger=fmt logger=text
+	if selector == 29 {
-	klog.Fatalln(text)         // $ logger=text
+		klog.Exitf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 30 {
+		klog.Exitln(text) // $ logger=text
+	}
+	if selector == 31 {
+		klog.Fatal(text) // $ logger=text
+	}
+	if selector == 32 {
+		klog.FatalDepth(0, text) // $ logger=text
+	}
+	if selector == 33 {
+		klog.Fatalf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 34 {
+		klog.Fatalln(text) // $ logger=text
+	}
 	klog.Info(text)            // $ logger=text
 	klog.InfoDepth(0, text)    // $ logger=text
 	klog.Infof(fmt, text)      // $ logger=fmt logger=text
@@ -57,11 +184,19 @@ func glogTest() {
 	klog.WarningDepth(0, text) // $ logger=text
 	klog.Warningf(fmt, text)   // $ logger=fmt logger=text
 	klog.Warningln(text)       // $ logger=text
+	klog.V(0).Info(text)       // $ logger=text
+	klog.V(0).Infof(fmt, text) // $ logger=fmt logger=text
+	klog.V(0).Infoln(text)     // $ logger=text
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	klog.Errorf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	klog.Errorf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	klog.Exitf("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
+	if selector == 35 {
-	klog.Fatalf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+		klog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	klog.Infof("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
+	}
-	klog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	if selector == 36 {
+		klog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	klog.Infof("%s: found type %T", text, v)      // $ logger="%s: found type %T" logger=text type-logger=v
+	klog.Warningf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	klog.V(0).Infof("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
 }

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/go.mod

@@ -3,7 +3,7 @@ module codeql-go-tests/concepts/loggercall
 go 1.15
 
 require (
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+	github.com/golang/glog v1.2.5
 	github.com/sirupsen/logrus v1.7.0
 	k8s.io/klog v1.0.0
 )

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go

@@ -6,5 +6,6 @@ const text = "test"
 var v []byte
 
 func main() {
+	glogTest(len(v))
 	stdlib()
 }

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/github.com/golang/glog/stub.go

@@ -2,47 +2,125 @@
 // This is a simple stub for github.com/golang/glog, strictly for use in testing.
 
 // See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/golang/glog (exports: ; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln)
+// Source: github.com/golang/glog (exports: Level,Verbose; functions: Error,ErrorContext,ErrorContextDepth,ErrorContextDepthf,ErrorContextf,ErrorDepth,ErrorDepthf,Errorf,Errorln,Exit,ExitContext,ExitContextDepth,ExitContextDepthf,ExitContextf,ExitDepth,ExitDepthf,Exitf,Exitln,Fatal,FatalContext,FatalContextDepth,FatalContextDepthf,FatalContextf,FatalDepth,FatalDepthf,Fatalf,Fatalln,Info,InfoContext,InfoContextDepth,InfoContextDepthf,InfoContextf,InfoDepth,InfoDepthf,Infof,Infoln,V,VDepth,Warning,WarningContext,WarningContextDepth,WarningContextDepthf,WarningContextf,WarningDepth,WarningDepthf,Warningf,Warningln)
 
 // Package glog is a stub of github.com/golang/glog, generated by depstubber.
 package glog
 
+import "context"
+
+type Level int32
+
+type Verbose bool
+
 func Error(_ ...interface{}) {}
 
+func ErrorContext(_ context.Context, _ ...interface{}) {}
+
+func ErrorContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func ErrorContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func ErrorContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func ErrorDepth(_ int, _ ...interface{}) {}
 
+func ErrorDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Errorf(_ string, _ ...interface{}) {}
 
 func Errorln(_ ...interface{}) {}
 
 func Exit(_ ...interface{}) {}
 
+func ExitContext(_ context.Context, _ ...interface{}) {}
+
+func ExitContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func ExitContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func ExitContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func ExitDepth(_ int, _ ...interface{}) {}
 
+func ExitDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Exitf(_ string, _ ...interface{}) {}
 
 func Exitln(_ ...interface{}) {}
 
 func Fatal(_ ...interface{}) {}
 
+func FatalContext(_ context.Context, _ ...interface{}) {}
+
+func FatalContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func FatalContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func FatalContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func FatalDepth(_ int, _ ...interface{}) {}
 
+func FatalDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Fatalf(_ string, _ ...interface{}) {}
 
 func Fatalln(_ ...interface{}) {}
 
 func Info(_ ...interface{}) {}
 
+func InfoContext(_ context.Context, _ ...interface{}) {}
+
+func InfoContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func InfoContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func InfoContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func InfoDepth(_ int, _ ...interface{}) {}
 
+func InfoDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Infof(_ string, _ ...interface{}) {}
 
 func Infoln(_ ...interface{}) {}
 
+func V(_ Level) Verbose { return false }
+
+func VDepth(_ int, _ Level) Verbose { return false }
+
 func Warning(_ ...interface{}) {}
 
+func WarningContext(_ context.Context, _ ...interface{}) {}
+
+func WarningContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func WarningContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func WarningContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func WarningDepth(_ int, _ ...interface{}) {}
 
+func WarningDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Warningf(_ string, _ ...interface{}) {}
 
 func Warningln(_ ...interface{}) {}
+
+func (_ Verbose) Info(_ ...interface{}) {}
+
+func (_ Verbose) InfoContext(_ context.Context, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextf(_ context.Context, _ string, _ ...interface{}) {}
+
+func (_ Verbose) InfoDepth(_ int, _ ...interface{}) {}
+
+func (_ Verbose) InfoDepthf(_ int, _ string, _ ...interface{}) {}
+
+func (_ Verbose) Infof(_ string, _ ...interface{}) {}
+
+func (_ Verbose) Infoln(_ ...interface{}) {}

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/k8s.io/klog/stub.go

@@ -2,11 +2,15 @@
 // This is a simple stub for k8s.io/klog, strictly for use in testing.
 
 // See the LICENSE file for information about the licensing of the original library.
-// Source: k8s.io/klog (exports: ; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln)
+// Source: k8s.io/klog (exports: Level,Verbose; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,V,Warning,WarningDepth,Warningf,Warningln)
 
 // Package klog is a stub of k8s.io/klog, generated by depstubber.
 package klog
 
+type Level int32
+
+type Verbose bool
+
 func Error(_ ...interface{}) {}
 
 func ErrorDepth(_ int, _ ...interface{}) {}
@@ -39,6 +43,8 @@ func Infof(_ string, _ ...interface{}) {}
 
 func Infoln(_ ...interface{}) {}
 
+func V(_ Level) Verbose { return false }
+
 func Warning(_ ...interface{}) {}
 
 func WarningDepth(_ int, _ ...interface{}) {}
@@ -46,3 +52,9 @@ func WarningDepth(_ int, _ ...interface{}) {}
 func Warningf(_ string, _ ...interface{}) {}
 
 func Warningln(_ ...interface{}) {}
+
+func (_ Verbose) Info(_ ...interface{}) {}
+
+func (_ Verbose) Infof(_ string, _ ...interface{}) {}
+
+func (_ Verbose) Infoln(_ ...interface{}) {}

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/modules.txt

@@ -1,4 +1,4 @@
-# github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+# github.com/golang/glog v1.2.5
 ## explicit
 github.com/golang/glog
 # github.com/sirupsen/logrus v1.7.0

go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.expected

@@ -1,11 +1,21 @@
-| file://:0:0:0:0 | Exit | package os |
+| file://:0:0:0:0 | Exit | os.Exit |
-| file://:0:0:0:0 | Fatal | package log |
+| file://:0:0:0:0 | Fatal | log.Fatal |
-| file://:0:0:0:0 | Fatalf | package log |
+| file://:0:0:0:0 | Fatal | log.Logger.Fatal |
-| file://:0:0:0:0 | Fatalln | package log |
+| file://:0:0:0:0 | Fatalf | log.Fatalf |
-| noretfunctions.go:8:6:8:12 | isNoRet | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Fatalf | log.Logger.Fatalf |
-| noretfunctions.go:20:6:20:22 | noRetUsesLogFatal | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Fatalln | log.Fatalln |
-| noretfunctions.go:24:6:24:23 | noRetUsesLogFatalf | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Fatalln | log.Logger.Fatalln |
-| stmts7.go:10:6:10:15 | canRecover | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Panic | log.Logger.Panic |
-| stmts.go:10:6:10:10 | test5 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Panic | log.Panic |
-| stmts.go:46:6:46:10 | test6 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Panicf | log.Logger.Panicf |
-| stmts.go:112:6:112:10 | test9 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Panicf | log.Panicf |
+| file://:0:0:0:0 | Panicln | log.Logger.Panicln |
+| file://:0:0:0:0 | Panicln | log.Panicln |
+| file://:0:0:0:0 | panic | panic |
+| noretfunctions.go:8:6:8:12 | isNoRet | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.isNoRet |
+| noretfunctions.go:20:6:20:22 | noRetUsesLogFatal | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.noRetUsesLogFatal |
+| noretfunctions.go:24:6:24:23 | noRetUsesLogFatalf | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.noRetUsesLogFatalf |
+| stmts7.go:10:6:10:15 | canRecover | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.canRecover |
+| stmts.go:10:6:10:10 | test5 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test5 |
+| stmts.go:46:6:46:10 | test6 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test6 |
+| stmts.go:112:6:112:10 | test9 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test9 |

go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.ql

@@ -2,4 +2,4 @@ import go
 
 from Function f
 where not f.mayReturnNormally()
-select f, f.getPackage()
+select f, f.getQualifiedName()

go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Log.go

@@ -15,62 +15,6 @@ func TaintStepTest_LogNew_B0I0O0(sourceCQL interface{}) interface{} {
 	return intoWriter414
 }
 
-func TaintStepTest_LogLoggerFatal_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface518 := sourceCQL.(interface{})
-	var intoLogger650 log.Logger
-	intoLogger650.Fatal(fromInterface518)
-	return intoLogger650
-}
-
-func TaintStepTest_LogLoggerFatalf_B0I0O0(sourceCQL interface{}) interface{} {
-	fromString784 := sourceCQL.(string)
-	var intoLogger957 log.Logger
-	intoLogger957.Fatalf(fromString784, nil)
-	return intoLogger957
-}
-
-func TaintStepTest_LogLoggerFatalf_B0I1O0(sourceCQL interface{}) interface{} {
-	fromInterface520 := sourceCQL.(interface{})
-	var intoLogger443 log.Logger
-	intoLogger443.Fatalf("", fromInterface520)
-	return intoLogger443
-}
-
-func TaintStepTest_LogLoggerFatalln_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface127 := sourceCQL.(interface{})
-	var intoLogger483 log.Logger
-	intoLogger483.Fatalln(fromInterface127)
-	return intoLogger483
-}
-
-func TaintStepTest_LogLoggerPanic_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface989 := sourceCQL.(interface{})
-	var intoLogger982 log.Logger
-	intoLogger982.Panic(fromInterface989)
-	return intoLogger982
-}
-
-func TaintStepTest_LogLoggerPanicf_B0I0O0(sourceCQL interface{}) interface{} {
-	fromString417 := sourceCQL.(string)
-	var intoLogger584 log.Logger
-	intoLogger584.Panicf(fromString417, nil)
-	return intoLogger584
-}
-
-func TaintStepTest_LogLoggerPanicf_B0I1O0(sourceCQL interface{}) interface{} {
-	fromInterface991 := sourceCQL.(interface{})
-	var intoLogger881 log.Logger
-	intoLogger881.Panicf("", fromInterface991)
-	return intoLogger881
-}
-
-func TaintStepTest_LogLoggerPanicln_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface186 := sourceCQL.(interface{})
-	var intoLogger284 log.Logger
-	intoLogger284.Panicln(fromInterface186)
-	return intoLogger284
-}
-
 func TaintStepTest_LogLoggerPrint_B0I0O0(sourceCQL interface{}) interface{} {
 	fromInterface908 := sourceCQL.(interface{})
 	var intoLogger137 log.Logger
@@ -125,46 +69,6 @@ func RunAllTaints_Log() {
 		out := TaintStepTest_LogNew_B0I0O0(source)
 		sink(0, out)
 	}
-	{
-		source := newSource(1)
-		out := TaintStepTest_LogLoggerFatal_B0I0O0(source)
-		sink(1, out)
-	}
-	{
-		source := newSource(2)
-		out := TaintStepTest_LogLoggerFatalf_B0I0O0(source)
-		sink(2, out)
-	}
-	{
-		source := newSource(3)
-		out := TaintStepTest_LogLoggerFatalf_B0I1O0(source)
-		sink(3, out)
-	}
-	{
-		source := newSource(4)
-		out := TaintStepTest_LogLoggerFatalln_B0I0O0(source)
-		sink(4, out)
-	}
-	{
-		source := newSource(5)
-		out := TaintStepTest_LogLoggerPanic_B0I0O0(source)
-		sink(5, out)
-	}
-	{
-		source := newSource(6)
-		out := TaintStepTest_LogLoggerPanicf_B0I0O0(source)
-		sink(6, out)
-	}
-	{
-		source := newSource(7)
-		out := TaintStepTest_LogLoggerPanicf_B0I1O0(source)
-		sink(7, out)
-	}
-	{
-		source := newSource(8)
-		out := TaintStepTest_LogLoggerPanicln_B0I0O0(source)
-		sink(8, out)
-	}
 	{
 		source := newSource(9)
 		out := TaintStepTest_LogLoggerPrint_B0I0O0(source)

go/ql/test/query-tests/Security/CWE-117/CONSISTENCY/DataFlowConsistency.expected

@@ -3,9 +3,9 @@ reverseRead
 | LogInjection.go:33:14:33:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | LogInjection.go:34:18:34:20 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | LogInjection.go:35:14:35:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:447:14:447:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:551:14:551:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:455:14:455:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:559:14:559:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:463:14:463:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:567:14:567:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:498:14:498:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:602:14:602:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:499:14:499:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:603:14:603:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:724:12:724:14 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:828:12:828:14 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |

go/ql/test/query-tests/Security/CWE-117/LogInjection.go

@@ -49,22 +49,22 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		log.Printf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		log.Println("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 
-		if testFlag == "true" {
+		if testFlag == "1" {
 			log.Fatal("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "2" {
 			log.Fatalf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "3" {
 			log.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "4" {
 			log.Panic("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "5" {
 			log.Panicf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "6" {
 			log.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
 
@@ -72,12 +72,24 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger.Print("user is logged in:", username, password)   // $ hasTaintFlow="username" hasTaintFlow="password"
 		logger.Printf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		logger.Println("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
-		logger.Fatal("user is logged in:", username, password)   // $ hasTaintFlow="username" hasTaintFlow="password"
+		if testFlag == "7" {
-		logger.Fatalf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
+			logger.Fatal("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
-		logger.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
-		logger.Panic("user is logged in:", username, password)   // $ hasTaintFlow="username" hasTaintFlow="password"
+		if testFlag == "8" {
-		logger.Panicf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
+			logger.Fatalf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
-		logger.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "9" {
+			logger.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "10" {
+			logger.Panic("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "11" {
+			logger.Panicf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "12" {
+			logger.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
 	}
 	// k8s.io/klog
 	{
@@ -91,12 +103,24 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		klog.Error(username)     // $ hasTaintFlow="username"
 		klog.Errorf(username)    // $ hasTaintFlow="username"
 		klog.Errorln(username)   // $ hasTaintFlow="username"
-		klog.Fatal(username)     // $ hasTaintFlow="username"
+		if testFlag == "77" {
-		klog.Fatalf(username)    // $ hasTaintFlow="username"
+			klog.Fatal(username) // $ hasTaintFlow="username"
-		klog.Fatalln(username)   // $ hasTaintFlow="username"
+		}
-		klog.Exit(username)      // $ hasTaintFlow="username"
+		if testFlag == "78" {
-		klog.Exitf(username)     // $ hasTaintFlow="username"
+			klog.Fatalf(username) // $ hasTaintFlow="username"
-		klog.Exitln(username)    // $ hasTaintFlow="username"
+		}
+		if testFlag == "79" {
+			klog.Fatalln(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "80" {
+			klog.Exit(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "81" {
+			klog.Exitf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "82" {
+			klog.Exitln(username) // $ hasTaintFlow="username"
+		}
 	}
 	// astaxie/beego
 	{
@@ -161,14 +185,30 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		glog.ErrorDepth(0, username) // $ hasTaintFlow="username"
 		glog.Errorf(username)        // $ hasTaintFlow="username"
 		glog.Errorln(username)       // $ hasTaintFlow="username"
-		glog.Fatal(username)         // $ hasTaintFlow="username"
+		if testFlag == "83" {
-		glog.FatalDepth(0, username) // $ hasTaintFlow="username"
+			glog.Fatal(username) // $ hasTaintFlow="username"
-		glog.Fatalf(username)        // $ hasTaintFlow="username"
+		}
-		glog.Fatalln(username)       // $ hasTaintFlow="username"
+		if testFlag == "84" {
-		glog.Exit(username)          // $ hasTaintFlow="username"
+			glog.FatalDepth(0, username) // $ hasTaintFlow="username"
-		glog.ExitDepth(0, username)  // $ hasTaintFlow="username"
+		}
-		glog.Exitf(username)         // $ hasTaintFlow="username"
+		if testFlag == "85" {
-		glog.Exitln(username)        // $ hasTaintFlow="username"
+			glog.Fatalf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "86" {
+			glog.Fatalln(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "87" {
+			glog.Exit(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "88" {
+			glog.ExitDepth(0, username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "89" {
+			glog.Exitf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "90" {
+			glog.Exitln(username) // $ hasTaintFlow="username"
+		}
 
 	}
 	// sirupsen/logrus
@@ -179,26 +219,42 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger := logrus.New()
 		entry := logrus.NewEntry(logger)
 
-		logrus.Debug(username)         // $ hasTaintFlow="username"
+		logrus.Debug(username)      // $ hasTaintFlow="username"
-		logrus.Debugf(username, "")    // $ hasTaintFlow="username"
+		logrus.Debugf(username, "") // $ hasTaintFlow="username"
-		logrus.Debugf("", username)    // $ hasTaintFlow="username"
+		logrus.Debugf("", username) // $ hasTaintFlow="username"
-		logrus.Debugln(username)       // $ hasTaintFlow="username"
+		logrus.Debugln(username)    // $ hasTaintFlow="username"
-		logrus.Error(username)         // $ hasTaintFlow="username"
+		logrus.Error(username)      // $ hasTaintFlow="username"
-		logrus.Errorf(username, "")    // $ hasTaintFlow="username"
+		logrus.Errorf(username, "") // $ hasTaintFlow="username"
-		logrus.Errorf("", username)    // $ hasTaintFlow="username"
+		logrus.Errorf("", username) // $ hasTaintFlow="username"
-		logrus.Errorln(username)       // $ hasTaintFlow="username"
+		logrus.Errorln(username)    // $ hasTaintFlow="username"
-		logrus.Fatal(username)         // $ hasTaintFlow="username"
+		if testFlag == "13" {
-		logrus.Fatalf(username, "")    // $ hasTaintFlow="username"
+			logrus.Fatal(username) // $ hasTaintFlow="username"
-		logrus.Fatalf("", username)    // $ hasTaintFlow="username"
+		}
-		logrus.Fatalln(username)       // $ hasTaintFlow="username"
+		if testFlag == "14" {
-		logrus.Info(username)          // $ hasTaintFlow="username"
+			logrus.Fatalf(username, "") // $ hasTaintFlow="username"
-		logrus.Infof(username, "")     // $ hasTaintFlow="username"
+		}
-		logrus.Infof("", username)     // $ hasTaintFlow="username"
+		if testFlag == "15" {
-		logrus.Infoln(username)        // $ hasTaintFlow="username"
+			logrus.Fatalf("", username) // $ hasTaintFlow="username"
-		logrus.Panic(username)         // $ hasTaintFlow="username"
+		}
-		logrus.Panicf(username, "")    // $ hasTaintFlow="username"
+		if testFlag == "16" {
-		logrus.Panicf("", username)    // $ hasTaintFlow="username"
+			logrus.Fatalln(username) // $ hasTaintFlow="username"
-		logrus.Panicln(username)       // $ hasTaintFlow="username"
+		}
+		logrus.Info(username)      // $ hasTaintFlow="username"
+		logrus.Infof(username, "") // $ hasTaintFlow="username"
+		logrus.Infof("", username) // $ hasTaintFlow="username"
+		logrus.Infoln(username)    // $ hasTaintFlow="username"
+		if testFlag == "17" {
+			logrus.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "18" {
+			logrus.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "19" {
+			logrus.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "20" {
+			logrus.Panicln(username) // $ hasTaintFlow="username"
+		}
 		logrus.Print(username)         // $ hasTaintFlow="username"
 		logrus.Printf(username, "")    // $ hasTaintFlow="username"
 		logrus.Printf("", username)    // $ hasTaintFlow="username"
@@ -220,30 +276,46 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logrus.WithField("", username) // $ hasTaintFlow="username"
 		logrus.WithFields(fields)      // $ hasTaintFlow="fields"
 
-		entry.Debug(username)         // $ hasTaintFlow="username"
+		entry.Debug(username)      // $ hasTaintFlow="username"
-		entry.Debugf(username, "")    // $ hasTaintFlow="username"
+		entry.Debugf(username, "") // $ hasTaintFlow="username"
-		entry.Debugf("", username)    // $ hasTaintFlow="username"
+		entry.Debugf("", username) // $ hasTaintFlow="username"
-		entry.Debugln(username)       // $ hasTaintFlow="username"
+		entry.Debugln(username)    // $ hasTaintFlow="username"
-		entry.Error(username)         // $ hasTaintFlow="username"
+		entry.Error(username)      // $ hasTaintFlow="username"
-		entry.Errorf(username, "")    // $ hasTaintFlow="username"
+		entry.Errorf(username, "") // $ hasTaintFlow="username"
-		entry.Errorf("", username)    // $ hasTaintFlow="username"
+		entry.Errorf("", username) // $ hasTaintFlow="username"
-		entry.Errorln(username)       // $ hasTaintFlow="username"
+		entry.Errorln(username)    // $ hasTaintFlow="username"
-		entry.Fatal(username)         // $ hasTaintFlow="username"
+		if testFlag == "21" {
-		entry.Fatalf(username, "")    // $ hasTaintFlow="username"
+			entry.Fatal(username) // $ hasTaintFlow="username"
-		entry.Fatalf("", username)    // $ hasTaintFlow="username"
+		}
-		entry.Fatalln(username)       // $ hasTaintFlow="username"
+		if testFlag == "22" {
-		entry.Info(username)          // $ hasTaintFlow="username"
+			entry.Fatalf(username, "") // $ hasTaintFlow="username"
-		entry.Infof(username, "")     // $ hasTaintFlow="username"
+		}
-		entry.Infof("", username)     // $ hasTaintFlow="username"
+		if testFlag == "23" {
-		entry.Infoln(username)        // $ hasTaintFlow="username"
+			entry.Fatalf("", username) // $ hasTaintFlow="username"
-		entry.Log(0, username)        // $ hasTaintFlow="username"
+		}
-		entry.Logf(0, username, "")   // $ hasTaintFlow="username"
+		if testFlag == "24" {
-		entry.Logf(0, "", username)   // $ hasTaintFlow="username"
+			entry.Fatalln(username) // $ hasTaintFlow="username"
-		entry.Logln(0, username)      // $ hasTaintFlow="username"
+		}
-		entry.Panic(username)         // $ hasTaintFlow="username"
+		entry.Info(username)        // $ hasTaintFlow="username"
-		entry.Panicf(username, "")    // $ hasTaintFlow="username"
+		entry.Infof(username, "")   // $ hasTaintFlow="username"
-		entry.Panicf("", username)    // $ hasTaintFlow="username"
+		entry.Infof("", username)   // $ hasTaintFlow="username"
-		entry.Panicln(username)       // $ hasTaintFlow="username"
+		entry.Infoln(username)      // $ hasTaintFlow="username"
+		entry.Log(0, username)      // $ hasTaintFlow="username"
+		entry.Logf(0, username, "") // $ hasTaintFlow="username"
+		entry.Logf(0, "", username) // $ hasTaintFlow="username"
+		entry.Logln(0, username)    // $ hasTaintFlow="username"
+		if testFlag == "25" {
+			entry.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "26" {
+			entry.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "27" {
+			entry.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "28" {
+			entry.Panicln(username) // $ hasTaintFlow="username"
+		}
 		entry.Print(username)         // $ hasTaintFlow="username"
 		entry.Printf(username, "")    // $ hasTaintFlow="username"
 		entry.Printf("", username)    // $ hasTaintFlow="username"
@@ -265,30 +337,46 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		entry.WithField("", username) // $ hasTaintFlow="username"
 		entry.WithFields(fields)      // $ hasTaintFlow="fields"
 
-		logger.Debug(username)         // $ hasTaintFlow="username"
+		logger.Debug(username)      // $ hasTaintFlow="username"
-		logger.Debugf(username, "")    // $ hasTaintFlow="username"
+		logger.Debugf(username, "") // $ hasTaintFlow="username"
-		logger.Debugf("", username)    // $ hasTaintFlow="username"
+		logger.Debugf("", username) // $ hasTaintFlow="username"
-		logger.Debugln(username)       // $ hasTaintFlow="username"
+		logger.Debugln(username)    // $ hasTaintFlow="username"
-		logger.Error(username)         // $ hasTaintFlow="username"
+		logger.Error(username)      // $ hasTaintFlow="username"
-		logger.Errorf(username, "")    // $ hasTaintFlow="username"
+		logger.Errorf(username, "") // $ hasTaintFlow="username"
-		logger.Errorf("", username)    // $ hasTaintFlow="username"
+		logger.Errorf("", username) // $ hasTaintFlow="username"
-		logger.Errorln(username)       // $ hasTaintFlow="username"
+		logger.Errorln(username)    // $ hasTaintFlow="username"
-		logger.Fatal(username)         // $ hasTaintFlow="username"
+		if testFlag == "29" {
-		logger.Fatalf(username, "")    // $ hasTaintFlow="username"
+			logger.Fatal(username) // $ hasTaintFlow="username"
-		logger.Fatalf("", username)    // $ hasTaintFlow="username"
+		}
-		logger.Fatalln(username)       // $ hasTaintFlow="username"
+		if testFlag == "30" {
-		logger.Info(username)          // $ hasTaintFlow="username"
+			logger.Fatalf(username, "") // $ hasTaintFlow="username"
-		logger.Infof(username, "")     // $ hasTaintFlow="username"
+		}
-		logger.Infof("", username)     // $ hasTaintFlow="username"
+		if testFlag == "31" {
-		logger.Infoln(username)        // $ hasTaintFlow="username"
+			logger.Fatalf("", username) // $ hasTaintFlow="username"
-		logger.Log(0, username)        // $ hasTaintFlow="username"
+		}
-		logger.Logf(0, username, "")   // $ hasTaintFlow="username"
+		if testFlag == "32" {
-		logger.Logf(0, "", username)   // $ hasTaintFlow="username"
+			logger.Fatalln(username) // $ hasTaintFlow="username"
-		logger.Logln(0, username)      // $ hasTaintFlow="username"
+		}
-		logger.Panic(username)         // $ hasTaintFlow="username"
+		logger.Info(username)        // $ hasTaintFlow="username"
-		logger.Panicf(username, "")    // $ hasTaintFlow="username"
+		logger.Infof(username, "")   // $ hasTaintFlow="username"
-		logger.Panicf("", username)    // $ hasTaintFlow="username"
+		logger.Infof("", username)   // $ hasTaintFlow="username"
-		logger.Panicln(username)       // $ hasTaintFlow="username"
+		logger.Infoln(username)      // $ hasTaintFlow="username"
+		logger.Log(0, username)      // $ hasTaintFlow="username"
+		logger.Logf(0, username, "") // $ hasTaintFlow="username"
+		logger.Logf(0, "", username) // $ hasTaintFlow="username"
+		logger.Logln(0, username)    // $ hasTaintFlow="username"
+		if testFlag == "33" {
+			logger.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "34" {
+			logger.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "35" {
+			logger.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "36" {
+			logger.Panicln(username) // $ hasTaintFlow="username"
+		}
 		logger.Print(username)         // $ hasTaintFlow="username"
 		logger.Printf(username, "")    // $ hasTaintFlow="username"
 		logger.Printf("", username)    // $ hasTaintFlow="username"
@@ -311,26 +399,42 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger.WithFields(fields)      // $ hasTaintFlow="fields"
 
 		var fieldlogger logrus.FieldLogger = entry
-		fieldlogger.Debug(username)         // $ hasTaintFlow="username"
+		fieldlogger.Debug(username)      // $ hasTaintFlow="username"
-		fieldlogger.Debugf(username, "")    // $ hasTaintFlow="username"
+		fieldlogger.Debugf(username, "") // $ hasTaintFlow="username"
-		fieldlogger.Debugf("", username)    // $ hasTaintFlow="username"
+		fieldlogger.Debugf("", username) // $ hasTaintFlow="username"
-		fieldlogger.Debugln(username)       // $ hasTaintFlow="username"
+		fieldlogger.Debugln(username)    // $ hasTaintFlow="username"
-		fieldlogger.Error(username)         // $ hasTaintFlow="username"
+		fieldlogger.Error(username)      // $ hasTaintFlow="username"
-		fieldlogger.Errorf(username, "")    // $ hasTaintFlow="username"
+		fieldlogger.Errorf(username, "") // $ hasTaintFlow="username"
-		fieldlogger.Errorf("", username)    // $ hasTaintFlow="username"
+		fieldlogger.Errorf("", username) // $ hasTaintFlow="username"
-		fieldlogger.Errorln(username)       // $ hasTaintFlow="username"
+		fieldlogger.Errorln(username)    // $ hasTaintFlow="username"
-		fieldlogger.Fatal(username)         // $ hasTaintFlow="username"
+		if testFlag == "37" {
-		fieldlogger.Fatalf(username, "")    // $ hasTaintFlow="username"
+			fieldlogger.Fatal(username) // $ hasTaintFlow="username"
-		fieldlogger.Fatalf("", username)    // $ hasTaintFlow="username"
+		}
-		fieldlogger.Fatalln(username)       // $ hasTaintFlow="username"
+		if testFlag == "38" {
-		fieldlogger.Info(username)          // $ hasTaintFlow="username"
+			fieldlogger.Fatalf(username, "") // $ hasTaintFlow="username"
-		fieldlogger.Infof(username, "")     // $ hasTaintFlow="username"
+		}
-		fieldlogger.Infof("", username)     // $ hasTaintFlow="username"
+		if testFlag == "39" {
-		fieldlogger.Infoln(username)        // $ hasTaintFlow="username"
+			fieldlogger.Fatalf("", username) // $ hasTaintFlow="username"
-		fieldlogger.Panic(username)         // $ hasTaintFlow="username"
+		}
-		fieldlogger.Panicf(username, "")    // $ hasTaintFlow="username"
+		if testFlag == "40" {
-		fieldlogger.Panicf("", username)    // $ hasTaintFlow="username"
+			fieldlogger.Fatalln(username) // $ hasTaintFlow="username"
-		fieldlogger.Panicln(username)       // $ hasTaintFlow="username"
+		}
+		fieldlogger.Info(username)      // $ hasTaintFlow="username"
+		fieldlogger.Infof(username, "") // $ hasTaintFlow="username"
+		fieldlogger.Infof("", username) // $ hasTaintFlow="username"
+		fieldlogger.Infoln(username)    // $ hasTaintFlow="username"
+		if testFlag == "41" {
+			fieldlogger.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "42" {
+			fieldlogger.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "43" {
+			fieldlogger.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "44" {
+			fieldlogger.Panicln(username) // $ hasTaintFlow="username"
+		}
 		fieldlogger.Print(username)         // $ hasTaintFlow="username"
 		fieldlogger.Printf(username, "")    // $ hasTaintFlow="username"
 		fieldlogger.Printf("", username)    // $ hasTaintFlow="username"
@@ -366,11 +470,11 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger.DPanic(username) // $ hasTaintFlow="username"
 		logger.Debug(username)  // $ hasTaintFlow="username"
 		logger.Error(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "45" {
 			logger.Fatal(username) // $ hasTaintFlow="username"
 		}
 		logger.Info(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "46" {
 			logger.Panic(username) // $ hasTaintFlow="username"
 		}
 		logger.Warn(username)        // $ hasTaintFlow="username"
@@ -382,33 +486,33 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		sLogger.DPanic(username) // $ hasTaintFlow="username"
 		sLogger.Debug(username)  // $ hasTaintFlow="username"
 		sLogger.Error(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "47" {
 			sLogger.Fatal(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Info(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "48" {
 			sLogger.Panic(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warn(username)    // $ hasTaintFlow="username"
 		sLogger.DPanicf(username) // $ hasTaintFlow="username"
 		sLogger.Debugf(username)  // $ hasTaintFlow="username"
 		sLogger.Errorf(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "49" {
 			sLogger.Fatalf(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Infof(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "50" {
 			sLogger.Panicf(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warnf(username)   // $ hasTaintFlow="username"
 		sLogger.DPanicw(username) // $ hasTaintFlow="username"
 		sLogger.Debugw(username)  // $ hasTaintFlow="username"
 		sLogger.Errorw(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "51" {
 			sLogger.Fatalw(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Infow(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "52" {
 			sLogger.Panicw(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warnw(username) // $ hasTaintFlow="username"
@@ -515,10 +619,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		verbose.Infof("user %q logged in.\n", username)
 		klog.Infof("user %q logged in.\n", username)
 		klog.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "53" {
 			klog.Fatalf("user %q logged in.\n", username)
 		}
-		if testFlag == " true" {
+		if testFlag == "54" {
 			klog.Exitf("user %q logged in.\n", username)
 		}
 	}
@@ -534,10 +638,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 
 		glog.Infof("user %q logged in.\n", username)
 		glog.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "55" {
 			glog.Fatalf("user %q logged in.\n", username)
 		}
-		if testFlag == " true" {
+		if testFlag == "56" {
 			glog.Exitf("user %q logged in.\n", username)
 		}
 	}
@@ -545,11 +649,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 	{
 		logrus.Debugf("user %q logged in.\n", username)
 		logrus.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "57" {
 			logrus.Fatalf("user %q logged in.\n", username)
 		}
 		logrus.Infof("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "58" {
 			logrus.Panicf("user %q logged in.\n", username)
 		}
 		logrus.Printf("user %q logged in.\n", username)
@@ -561,12 +665,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		entry := logrus.WithFields(fields)
 		entry.Debugf("user %q logged in.\n", username)
 		entry.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "59" {
 			entry.Fatalf("user %q logged in.\n", username)
 		}
 		entry.Infof("user %q logged in.\n", username)
 		entry.Logf(0, "user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "60" {
 			entry.Panicf("user %q logged in.\n", username)
 		}
 		entry.Printf("user %q logged in.\n", username)
@@ -577,12 +681,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger := entry.Logger
 		logger.Debugf("user %q logged in.\n", username)
 		logger.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "61" {
 			logger.Fatalf("user %q logged in.\n", username)
 		}
 		logger.Infof("user %q logged in.\n", username)
 		logger.Logf(0, "user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "62" {
 			logger.Panicf("user %q logged in.\n", username)
 		}
 		logger.Printf("user %q logged in.\n", username)
@@ -603,11 +707,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		sLogger.DPanicf("user %q logged in.\n", username)
 		sLogger.Debugf("user %q logged in.\n", username)
 		sLogger.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "63" {
 			sLogger.Fatalf("user %q logged in.\n", username)
 		}
 		sLogger.Infof("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "64" {
 			sLogger.Panicf("user %q logged in.\n", username)
 		}
 		sLogger.Warnf("user %q logged in.\n", username)
@@ -620,10 +724,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		verbose.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		klog.Infof("user %#q logged in.\n", username)    // $ hasTaintFlow="username"
 		klog.Errorf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "65" {
 			klog.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
-		if testFlag == " true" {
+		if testFlag == "66" {
 			klog.Exitf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 	}
@@ -639,10 +743,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 
 		glog.Infof("user %#q logged in.\n", username)  // $ hasTaintFlow="username"
 		glog.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "67" {
 			glog.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
-		if testFlag == " true" {
+		if testFlag == "68" {
 			glog.Exitf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 	}
@@ -650,11 +754,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 	{
 		logrus.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		logrus.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "69" {
 			logrus.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logrus.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "70" {
 			logrus.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logrus.Printf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
@@ -666,12 +770,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		entry := logrus.WithFields(fields)
 		entry.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		entry.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "71" {
 			entry.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		entry.Infof("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
 		entry.Logf(0, "user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "72" {
 			entry.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		entry.Printf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
@@ -682,12 +786,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger := entry.Logger
 		logger.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		logger.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "73" {
 			logger.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logger.Infof("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
 		logger.Logf(0, "user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "74" {
 			logger.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logger.Printf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
@@ -708,11 +812,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		sLogger.DPanicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		sLogger.Debugf("user %#q logged in.\n", username)  // $ hasTaintFlow="username"
 		sLogger.Errorf("user %#q logged in.\n", username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "75" {
 			sLogger.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		sLogger.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "76" {
 			sLogger.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warnf("user %#q logged in.\n", username) // $ hasTaintFlow="username"

go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected

@@ -37,22 +37,22 @@
 | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | $@ flows to a logging call. | passwords.go:26:14:26:23 | selection of password | Sensitive data returned by an access to password |
 | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | $@ flows to a logging call. | passwords.go:27:14:27:26 | call to getPassword | Sensitive data returned by a call to getPassword |
 | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | $@ flows to a logging call. | passwords.go:28:14:28:28 | call to getPassword | Sensitive data returned by a call to getPassword |
-| passwords.go:32:12:32:19 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:33:13:33:20 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:33:13:33:20 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:34:14:34:35 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:34:14:34:35 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:36:14:36:35 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:36:14:36:35 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:39:14:39:17 | obj1 | passwords.go:37:13:37:13 | x | passwords.go:39:14:39:17 | obj1 | $@ flows to a logging call. | passwords.go:37:13:37:13 | x | Sensitive data returned by an access to password |
+| passwords.go:41:14:41:17 | obj1 | passwords.go:39:13:39:13 | x | passwords.go:41:14:41:17 | obj1 | $@ flows to a logging call. | passwords.go:39:13:39:13 | x | Sensitive data returned by an access to password |
-| passwords.go:44:14:44:17 | obj2 | passwords.go:21:2:21:9 | definition of password | passwords.go:44:14:44:17 | obj2 | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:46:14:46:17 | obj2 | passwords.go:21:2:21:9 | definition of password | passwords.go:46:14:46:17 | obj2 | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:51:14:51:27 | fixed_password | passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | $@ flows to a logging call. | passwords.go:50:2:50:15 | definition of fixed_password | Sensitive data returned by an access to fixed_password |
+| passwords.go:53:14:53:27 | fixed_password | passwords.go:52:2:52:15 | definition of fixed_password | passwords.go:53:14:53:27 | fixed_password | $@ flows to a logging call. | passwords.go:52:2:52:15 | definition of fixed_password | Sensitive data returned by an access to fixed_password |
-| passwords.go:89:14:89:26 | utilityObject | passwords.go:87:16:87:36 | call to make | passwords.go:89:14:89:26 | utilityObject | $@ flows to a logging call. | passwords.go:87:16:87:36 | call to make | Sensitive data returned by an access to passwordSet |
+| passwords.go:91:14:91:26 | utilityObject | passwords.go:89:16:89:36 | call to make | passwords.go:91:14:91:26 | utilityObject | $@ flows to a logging call. | passwords.go:89:16:89:36 | call to make | Sensitive data returned by an access to passwordSet |
-| passwords.go:92:23:92:28 | secret | passwords.go:21:2:21:9 | definition of password | passwords.go:92:23:92:28 | secret | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:94:23:94:28 | secret | passwords.go:21:2:21:9 | definition of password | passwords.go:94:23:94:28 | secret | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:102:15:102:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:102:15:102:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:104:15:104:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:104:15:104:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:108:16:108:41 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:108:16:108:41 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:110:16:110:41 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:110:16:110:41 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:113:15:113:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:113:15:113:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:115:15:115:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:115:15:115:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:117:14:117:45 | ...+... | passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:14:117:45 | ...+... | $@ flows to a logging call. | passwords.go:116:6:116:14 | definition of password1 | Sensitive data returned by an access to password1 |
+| passwords.go:119:14:119:45 | ...+... | passwords.go:118:6:118:14 | definition of password1 | passwords.go:119:14:119:45 | ...+... | $@ flows to a logging call. | passwords.go:118:6:118:14 | definition of password1 | Sensitive data returned by an access to password1 |
-| passwords.go:127:14:127:19 | config | passwords.go:21:2:21:9 | definition of password | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:129:14:129:19 | config | passwords.go:21:2:21:9 | definition of password | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:127:14:127:19 | config | passwords.go:121:13:121:14 | x3 | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:121:13:121:14 | x3 | Sensitive data returned by an access to password |
+| passwords.go:129:14:129:19 | config | passwords.go:123:13:123:14 | x3 | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:123:13:123:14 | x3 | Sensitive data returned by an access to password |
-| passwords.go:127:14:127:19 | config | passwords.go:124:13:124:25 | call to getPassword | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword |
+| passwords.go:129:14:129:19 | config | passwords.go:126:13:126:25 | call to getPassword | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:126:13:126:25 | call to getPassword | Sensitive data returned by a call to getPassword |
-| passwords.go:128:14:128:21 | selection of x | passwords.go:21:2:21:9 | definition of password | passwords.go:128:14:128:21 | selection of x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:130:14:130:21 | selection of x | passwords.go:21:2:21:9 | definition of password | passwords.go:130:14:130:21 | selection of x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:129:14:129:21 | selection of y | passwords.go:124:13:124:25 | call to getPassword | passwords.go:129:14:129:21 | selection of y | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword |
+| passwords.go:131:14:131:21 | selection of y | passwords.go:126:13:126:25 | call to getPassword | passwords.go:131:14:131:21 | selection of y | $@ flows to a logging call. | passwords.go:126:13:126:25 | call to getPassword | Sensitive data returned by a call to getPassword |
 | protobuf.go:14:14:14:35 | call to GetDescription | protobuf.go:9:2:9:9 | definition of password | protobuf.go:14:14:14:35 | call to GetDescription | $@ flows to a logging call. | protobuf.go:9:2:9:9 | definition of password | Sensitive data returned by an access to password |
 edges
 | klog.go:21:3:26:3 | range statement[1] | klog.go:22:27:22:33 | headers | provenance |  |
@@ -82,95 +82,15 @@ edges
 | main.go:53:11:53:18 | password | main.go:54:12:54:19 | password | provenance |  |
 | main.go:53:11:53:18 | password | main.go:54:12:54:19 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:56:11:56:18 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:56:11:56:18 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:62:12:62:19 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 |
 | main.go:54:12:54:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:68:11:68:18 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:68:11:68:18 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:74:12:74:19 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
 | main.go:54:12:54:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:77:13:77:20 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
 | main.go:54:12:54:19 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:62:12:62:19 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 |
-| main.go:56:11:56:18 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:56:11:56:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:56:11:56:18 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:62:12:62:19 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 |
-| main.go:59:18:59:25 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:59:18:59:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:59:18:59:25 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:62:12:62:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:62:12:62:19 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:65:13:65:20 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:65:13:65:20 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:68:11:68:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:68:11:68:18 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:71:18:71:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:71:18:71:25 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:74:12:74:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:74:12:74:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:74:12:74:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:74:12:74:19 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:77:13:77:20 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:77:13:77:20 | password | main.go:80:17:80:24 | password | provenance |  |
 | main.go:80:17:80:24 | password | main.go:82:12:82:19 | password | provenance |  |
 | main.go:80:17:80:24 | password | main.go:83:17:83:24 | password | provenance |  |
 | main.go:80:17:80:24 | password | main.go:86:19:86:26 | password | provenance |  |
@@ -182,46 +102,46 @@ edges
 | passwords.go:8:12:8:12 | definition of x | passwords.go:9:14:9:14 | x | provenance |  |
 | passwords.go:21:2:21:9 | definition of password | passwords.go:25:14:25:21 | password | provenance |  |
 | passwords.go:21:2:21:9 | definition of password | passwords.go:30:8:30:15 | password | provenance |  |
-| passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | provenance |  |
+| passwords.go:21:2:21:9 | definition of password | passwords.go:33:13:33:20 | password | provenance |  |
-| passwords.go:21:2:21:9 | definition of password | passwords.go:34:28:34:35 | password | provenance |  |
+| passwords.go:21:2:21:9 | definition of password | passwords.go:36:28:36:35 | password | provenance |  |
 | passwords.go:30:8:30:15 | password | passwords.go:8:12:8:12 | definition of x | provenance |  |
-| passwords.go:34:28:34:35 | password | passwords.go:34:14:34:35 | ...+... | provenance | Config |
+| passwords.go:36:28:36:35 | password | passwords.go:36:14:36:35 | ...+... | provenance | Config |
-| passwords.go:34:28:34:35 | password | passwords.go:42:6:42:13 | password | provenance |  |
+| passwords.go:36:28:36:35 | password | passwords.go:44:6:44:13 | password | provenance |  |
-| passwords.go:36:10:38:2 | struct literal | passwords.go:39:14:39:17 | obj1 | provenance |  |
+| passwords.go:38:10:40:2 | struct literal | passwords.go:41:14:41:17 | obj1 | provenance |  |
-| passwords.go:37:13:37:13 | x | passwords.go:36:10:38:2 | struct literal | provenance | Config |
+| passwords.go:39:13:39:13 | x | passwords.go:38:10:40:2 | struct literal | provenance | Config |
-| passwords.go:41:10:43:2 | struct literal | passwords.go:44:14:44:17 | obj2 | provenance |  |
+| passwords.go:43:10:45:2 | struct literal | passwords.go:46:14:46:17 | obj2 | provenance |  |
-| passwords.go:42:6:42:13 | password | passwords.go:41:10:43:2 | struct literal | provenance | Config |
+| passwords.go:44:6:44:13 | password | passwords.go:43:10:45:2 | struct literal | provenance | Config |
-| passwords.go:42:6:42:13 | password | passwords.go:48:11:48:18 | password | provenance |  |
+| passwords.go:44:6:44:13 | password | passwords.go:50:11:50:18 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:92:23:92:28 | secret | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:94:23:94:28 | secret | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:102:33:102:40 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:104:33:104:40 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:108:34:108:41 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:110:34:110:41 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:113:33:113:40 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:115:33:115:40 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:123:13:123:20 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:125:13:125:20 | password | provenance |  |
-| passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | provenance |  |
+| passwords.go:52:2:52:15 | definition of fixed_password | passwords.go:53:14:53:27 | fixed_password | provenance |  |
-| passwords.go:86:19:88:2 | struct literal | passwords.go:89:14:89:26 | utilityObject | provenance |  |
+| passwords.go:88:19:90:2 | struct literal | passwords.go:91:14:91:26 | utilityObject | provenance |  |
-| passwords.go:87:16:87:36 | call to make | passwords.go:86:19:88:2 | struct literal | provenance | Config |
+| passwords.go:89:16:89:36 | call to make | passwords.go:88:19:90:2 | struct literal | provenance | Config |
-| passwords.go:102:33:102:40 | password | passwords.go:102:15:102:40 | ...+... | provenance | Config |
+| passwords.go:104:33:104:40 | password | passwords.go:104:15:104:40 | ...+... | provenance | Config |
-| passwords.go:102:33:102:40 | password | passwords.go:108:34:108:41 | password | provenance |  |
+| passwords.go:104:33:104:40 | password | passwords.go:110:34:110:41 | password | provenance |  |
-| passwords.go:102:33:102:40 | password | passwords.go:113:33:113:40 | password | provenance |  |
+| passwords.go:104:33:104:40 | password | passwords.go:115:33:115:40 | password | provenance |  |
-| passwords.go:102:33:102:40 | password | passwords.go:123:13:123:20 | password | provenance |  |
+| passwords.go:104:33:104:40 | password | passwords.go:125:13:125:20 | password | provenance |  |
-| passwords.go:108:34:108:41 | password | passwords.go:108:16:108:41 | ...+... | provenance | Config |
+| passwords.go:110:34:110:41 | password | passwords.go:110:16:110:41 | ...+... | provenance | Config |
-| passwords.go:108:34:108:41 | password | passwords.go:113:33:113:40 | password | provenance |  |
+| passwords.go:110:34:110:41 | password | passwords.go:115:33:115:40 | password | provenance |  |
-| passwords.go:108:34:108:41 | password | passwords.go:123:13:123:20 | password | provenance |  |
+| passwords.go:110:34:110:41 | password | passwords.go:125:13:125:20 | password | provenance |  |
-| passwords.go:113:33:113:40 | password | passwords.go:113:15:113:40 | ...+... | provenance | Config |
+| passwords.go:115:33:115:40 | password | passwords.go:115:15:115:40 | ...+... | provenance | Config |
-| passwords.go:113:33:113:40 | password | passwords.go:123:13:123:20 | password | provenance |  |
+| passwords.go:115:33:115:40 | password | passwords.go:125:13:125:20 | password | provenance |  |
-| passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:28:117:36 | password1 | provenance |  |
+| passwords.go:118:6:118:14 | definition of password1 | passwords.go:119:28:119:36 | password1 | provenance |  |
-| passwords.go:117:28:117:36 | password1 | passwords.go:117:28:117:45 | call to String | provenance | Config |
+| passwords.go:119:28:119:36 | password1 | passwords.go:119:28:119:45 | call to String | provenance | Config |
-| passwords.go:117:28:117:45 | call to String | passwords.go:117:14:117:45 | ...+... | provenance | Config |
+| passwords.go:119:28:119:45 | call to String | passwords.go:119:14:119:45 | ...+... | provenance | Config |
-| passwords.go:120:12:125:2 | struct literal | passwords.go:127:14:127:19 | config | provenance |  |
+| passwords.go:122:12:127:2 | struct literal | passwords.go:129:14:129:19 | config | provenance |  |
-| passwords.go:120:12:125:2 | struct literal [x] | passwords.go:128:14:128:19 | config [x] | provenance |  |
+| passwords.go:122:12:127:2 | struct literal [x] | passwords.go:130:14:130:19 | config [x] | provenance |  |
-| passwords.go:120:12:125:2 | struct literal [y] | passwords.go:129:14:129:19 | config [y] | provenance |  |
+| passwords.go:122:12:127:2 | struct literal [y] | passwords.go:131:14:131:19 | config [y] | provenance |  |
-| passwords.go:121:13:121:14 | x3 | passwords.go:120:12:125:2 | struct literal | provenance | Config |
+| passwords.go:123:13:123:14 | x3 | passwords.go:122:12:127:2 | struct literal | provenance | Config |
-| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal | provenance | Config |
+| passwords.go:125:13:125:20 | password | passwords.go:122:12:127:2 | struct literal | provenance | Config |
-| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal [x] | provenance |  |
+| passwords.go:125:13:125:20 | password | passwords.go:122:12:127:2 | struct literal [x] | provenance |  |
-| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal | provenance | Config |
+| passwords.go:126:13:126:25 | call to getPassword | passwords.go:122:12:127:2 | struct literal | provenance | Config |
-| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal [y] | provenance |  |
+| passwords.go:126:13:126:25 | call to getPassword | passwords.go:122:12:127:2 | struct literal [y] | provenance |  |
-| passwords.go:128:14:128:19 | config [x] | passwords.go:128:14:128:21 | selection of x | provenance |  |
+| passwords.go:130:14:130:19 | config [x] | passwords.go:130:14:130:21 | selection of x | provenance |  |
-| passwords.go:129:14:129:19 | config [y] | passwords.go:129:14:129:21 | selection of y | provenance |  |
+| passwords.go:131:14:131:19 | config [y] | passwords.go:131:14:131:21 | selection of y | provenance |  |
 | protobuf.go:9:2:9:9 | definition of password | protobuf.go:12:22:12:29 | password | provenance |  |
 | protobuf.go:12:2:12:6 | implicit dereference [postupdate] [Description] | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | provenance |  |
 | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | protobuf.go:14:14:14:18 | query [pointer, Description] | provenance |  |
@@ -274,20 +194,12 @@ nodes
 | main.go:54:12:54:19 | password | semmle.label | password |
 | main.go:54:12:54:19 | password | semmle.label | password |
 | main.go:56:11:56:18 | password | semmle.label | password |
-| main.go:56:11:56:18 | password | semmle.label | password |
-| main.go:59:18:59:25 | password | semmle.label | password |
 | main.go:59:18:59:25 | password | semmle.label | password |
 | main.go:62:12:62:19 | password | semmle.label | password |
-| main.go:62:12:62:19 | password | semmle.label | password |
-| main.go:65:13:65:20 | password | semmle.label | password |
 | main.go:65:13:65:20 | password | semmle.label | password |
 | main.go:68:11:68:18 | password | semmle.label | password |
-| main.go:68:11:68:18 | password | semmle.label | password |
-| main.go:71:18:71:25 | password | semmle.label | password |
 | main.go:71:18:71:25 | password | semmle.label | password |
 | main.go:74:12:74:19 | password | semmle.label | password |
-| main.go:74:12:74:19 | password | semmle.label | password |
-| main.go:77:13:77:20 | password | semmle.label | password |
 | main.go:77:13:77:20 | password | semmle.label | password |
 | main.go:79:14:79:21 | password | semmle.label | password |
 | main.go:80:17:80:24 | password | semmle.label | password |
@@ -308,43 +220,43 @@ nodes
 | passwords.go:27:14:27:26 | call to getPassword | semmle.label | call to getPassword |
 | passwords.go:28:14:28:28 | call to getPassword | semmle.label | call to getPassword |
 | passwords.go:30:8:30:15 | password | semmle.label | password |
-| passwords.go:32:12:32:19 | password | semmle.label | password |
+| passwords.go:33:13:33:20 | password | semmle.label | password |
-| passwords.go:34:14:34:35 | ...+... | semmle.label | ...+... |
+| passwords.go:36:14:36:35 | ...+... | semmle.label | ...+... |
-| passwords.go:34:28:34:35 | password | semmle.label | password |
+| passwords.go:36:28:36:35 | password | semmle.label | password |
-| passwords.go:36:10:38:2 | struct literal | semmle.label | struct literal |
+| passwords.go:38:10:40:2 | struct literal | semmle.label | struct literal |
-| passwords.go:37:13:37:13 | x | semmle.label | x |
+| passwords.go:39:13:39:13 | x | semmle.label | x |
-| passwords.go:39:14:39:17 | obj1 | semmle.label | obj1 |
+| passwords.go:41:14:41:17 | obj1 | semmle.label | obj1 |
-| passwords.go:41:10:43:2 | struct literal | semmle.label | struct literal |
+| passwords.go:43:10:45:2 | struct literal | semmle.label | struct literal |
-| passwords.go:42:6:42:13 | password | semmle.label | password |
+| passwords.go:44:6:44:13 | password | semmle.label | password |
-| passwords.go:44:14:44:17 | obj2 | semmle.label | obj2 |
+| passwords.go:46:14:46:17 | obj2 | semmle.label | obj2 |
-| passwords.go:48:11:48:18 | password | semmle.label | password |
+| passwords.go:50:11:50:18 | password | semmle.label | password |
-| passwords.go:50:2:50:15 | definition of fixed_password | semmle.label | definition of fixed_password |
+| passwords.go:52:2:52:15 | definition of fixed_password | semmle.label | definition of fixed_password |
-| passwords.go:51:14:51:27 | fixed_password | semmle.label | fixed_password |
+| passwords.go:53:14:53:27 | fixed_password | semmle.label | fixed_password |
-| passwords.go:86:19:88:2 | struct literal | semmle.label | struct literal |
+| passwords.go:88:19:90:2 | struct literal | semmle.label | struct literal |
-| passwords.go:87:16:87:36 | call to make | semmle.label | call to make |
+| passwords.go:89:16:89:36 | call to make | semmle.label | call to make |
-| passwords.go:89:14:89:26 | utilityObject | semmle.label | utilityObject |
+| passwords.go:91:14:91:26 | utilityObject | semmle.label | utilityObject |
-| passwords.go:92:23:92:28 | secret | semmle.label | secret |
+| passwords.go:94:23:94:28 | secret | semmle.label | secret |
-| passwords.go:102:15:102:40 | ...+... | semmle.label | ...+... |
+| passwords.go:104:15:104:40 | ...+... | semmle.label | ...+... |
-| passwords.go:102:33:102:40 | password | semmle.label | password |
+| passwords.go:104:33:104:40 | password | semmle.label | password |
-| passwords.go:108:16:108:41 | ...+... | semmle.label | ...+... |
+| passwords.go:110:16:110:41 | ...+... | semmle.label | ...+... |
-| passwords.go:108:34:108:41 | password | semmle.label | password |
+| passwords.go:110:34:110:41 | password | semmle.label | password |
-| passwords.go:113:15:113:40 | ...+... | semmle.label | ...+... |
+| passwords.go:115:15:115:40 | ...+... | semmle.label | ...+... |
-| passwords.go:113:33:113:40 | password | semmle.label | password |
+| passwords.go:115:33:115:40 | password | semmle.label | password |
-| passwords.go:116:6:116:14 | definition of password1 | semmle.label | definition of password1 |
+| passwords.go:118:6:118:14 | definition of password1 | semmle.label | definition of password1 |
-| passwords.go:117:14:117:45 | ...+... | semmle.label | ...+... |
+| passwords.go:119:14:119:45 | ...+... | semmle.label | ...+... |
-| passwords.go:117:28:117:36 | password1 | semmle.label | password1 |
+| passwords.go:119:28:119:36 | password1 | semmle.label | password1 |
-| passwords.go:117:28:117:45 | call to String | semmle.label | call to String |
+| passwords.go:119:28:119:45 | call to String | semmle.label | call to String |
-| passwords.go:120:12:125:2 | struct literal | semmle.label | struct literal |
+| passwords.go:122:12:127:2 | struct literal | semmle.label | struct literal |
-| passwords.go:120:12:125:2 | struct literal [x] | semmle.label | struct literal [x] |
+| passwords.go:122:12:127:2 | struct literal [x] | semmle.label | struct literal [x] |
-| passwords.go:120:12:125:2 | struct literal [y] | semmle.label | struct literal [y] |
+| passwords.go:122:12:127:2 | struct literal [y] | semmle.label | struct literal [y] |
-| passwords.go:121:13:121:14 | x3 | semmle.label | x3 |
+| passwords.go:123:13:123:14 | x3 | semmle.label | x3 |
-| passwords.go:123:13:123:20 | password | semmle.label | password |
+| passwords.go:125:13:125:20 | password | semmle.label | password |
-| passwords.go:124:13:124:25 | call to getPassword | semmle.label | call to getPassword |
+| passwords.go:126:13:126:25 | call to getPassword | semmle.label | call to getPassword |
-| passwords.go:127:14:127:19 | config | semmle.label | config |
+| passwords.go:129:14:129:19 | config | semmle.label | config |
-| passwords.go:128:14:128:19 | config [x] | semmle.label | config [x] |
+| passwords.go:130:14:130:19 | config [x] | semmle.label | config [x] |
-| passwords.go:128:14:128:21 | selection of x | semmle.label | selection of x |
+| passwords.go:130:14:130:21 | selection of x | semmle.label | selection of x |
-| passwords.go:129:14:129:19 | config [y] | semmle.label | config [y] |
+| passwords.go:131:14:131:19 | config [y] | semmle.label | config [y] |
-| passwords.go:129:14:129:21 | selection of y | semmle.label | selection of y |
+| passwords.go:131:14:131:21 | selection of y | semmle.label | selection of y |
 | protobuf.go:9:2:9:9 | definition of password | semmle.label | definition of password |
 | protobuf.go:12:2:12:6 | implicit dereference [postupdate] [Description] | semmle.label | implicit dereference [postupdate] [Description] |
 | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | semmle.label | query [postupdate] [pointer, Description] |

go/ql/test/query-tests/Security/CWE-312/passwords.go

@@ -16,7 +16,7 @@ func redact(kind, value string) string {
 	return value
 }
 
-func test() {
+func test(selector int) {
 	name := "user"
 	password := "P@ssw0rd" // $ Source
 	x := "horsebatterystapleincorrect"
@@ -29,7 +29,9 @@ func test() {
 
 	myLog(password)
 
-	log.Panic(password) // $ Alert
+	if selector == 1 {
+		log.Panic(password) // $ Alert
+	}
 
 	log.Println(name + ", " + password) // $ Alert
 

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.1.2
+version: 9.1.3-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.11.4
+version: 1.11.5-dev
 groups:
   - java
   - queries

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.7.2
+version: 2.7.3-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.3.11
+version: 2.3.12-dev
 groups:
   - javascript
   - queries

misc/suite-helpers/qlpack.yml

@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.51
+version: 1.0.52-dev
 groups: shared
 warnOnImplicitThis: true

python/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 7.1.2
+version: 7.1.3-dev
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python

python/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.8.4
+version: 1.8.5-dev
 groups:
   - python
   - queries

python/ql/test/library-tests/ControlFlow/evaluation-order/AllLiveReachable.ql

@@ -0,0 +1,17 @@
+/**
+ * Checks that every live (non-dead) annotation in the test function's
+ * own scope is reachable from the function entry in the CFG.
+ * Annotations in nested scopes (generators, async, lambdas, comprehensions)
+ * have separate CFGs and are excluded from this check.
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TestFunction f
+where allLiveReachable(a, f)
+select a, "Unreachable live annotation; entry of $@ does not reach this node", f, f.getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/AnnotationHasCfgNode.expected

@@ -0,0 +1 @@
+

python/ql/test/library-tests/ControlFlow/evaluation-order/AnnotationHasCfgNode.ql

@@ -0,0 +1,14 @@
+/**
+ * Checks that every timer annotation has a corresponding CFG node.
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils::CfgTests
+
+from TimerAnnotation ann
+where annotationWithoutCfgNode(ann)
+select ann, "Annotation in $@ has no CFG node", ann.getTestFunction(),
+  ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/BasicBlockAnnotationGap.ql

@@ -0,0 +1,21 @@
+/**
+ * Checks that within a basic block, if a node is annotated then its
+ * successor is also annotated (or excluded). A gap in annotations
+ * within a basic block indicates a missing annotation, since there
+ * are no branches to justify the gap.
+ *
+ * Nodes with exceptional successors are excluded, as the exception
+ * edge leaves the basic block and the normal successor may be dead.
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, CfgNode succ
+where basicBlockAnnotationGap(a, succ)
+select a, "Annotated node followed by unannotated $@ in the same basic block", succ,
+  succ.getNode().toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/BasicBlockOrdering.expected

@@ -0,0 +1,14 @@
+| test_boolean.py:9:10:9:43 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:9:59:9:59 | IntegerLiteral | timestamp 2 | test_boolean.py:9:19:9:19 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:15:10:15:43 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:15:50:15:50 | IntegerLiteral | timestamp 1 | test_boolean.py:15:20:15:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:21:10:21:42 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:21:49:21:49 | IntegerLiteral | timestamp 1 | test_boolean.py:21:19:21:19 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:27:10:27:34 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:27:50:27:50 | IntegerLiteral | timestamp 2 | test_boolean.py:27:20:27:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:40:10:40:61 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:40:86:40:86 | IntegerLiteral | timestamp 3 | test_boolean.py:40:16:40:16 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:46:10:46:61 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:46:86:46:86 | IntegerLiteral | timestamp 3 | test_boolean.py:46:16:46:16 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:52:120:52:120 | IntegerLiteral | timestamp 4 | test_boolean.py:52:20:52:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:52:120:52:120 | IntegerLiteral | timestamp 4 | test_boolean.py:52:63:52:63 | IntegerLiteral | timestamp 2 |
+| test_boolean.py:52:11:52:47 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:52:63:52:63 | IntegerLiteral | timestamp 2 | test_boolean.py:52:20:52:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:64:10:64:52 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:64:59:64:59 | IntegerLiteral | timestamp 6 | test_boolean.py:64:17:64:17 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:64:10:64:52 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:64:59:64:59 | IntegerLiteral | timestamp 6 | test_boolean.py:64:27:64:27 | IntegerLiteral | timestamp 2 |
+| test_boolean.py:76:10:76:51 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:76:58:76:58 | IntegerLiteral | timestamp 6 | test_boolean.py:76:17:76:17 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:76:10:76:51 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:76:58:76:58 | IntegerLiteral | timestamp 6 | test_boolean.py:76:27:76:27 | IntegerLiteral | timestamp 2 |
+| test_if.py:96:9:96:29 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_if.py:96:36:96:36 | IntegerLiteral | timestamp 4 | test_if.py:96:15:96:15 | IntegerLiteral | timestamp 2 |

python/ql/test/library-tests/ControlFlow/evaluation-order/BasicBlockOrdering.ql

@@ -0,0 +1,16 @@
+/**
+ * Checks that within a single basic block, annotations appear in
+ * increasing minimum-timestamp order.
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int minA, int minB
+where basicBlockOrdering(a, b, minA, minB)
+select a, "Basic block ordering: $@ appears before $@", a.getTimestampExpr(minA),
+  "timestamp " + minA, b.getTimestampExpr(minB), "timestamp " + minB

python/ql/test/library-tests/ControlFlow/evaluation-order/ConsecutiveTimestamps.expected

@@ -0,0 +1,12 @@
+| test_boolean.py:9:26:9:27 | IntegerLiteral | $@ in $@ has no consecutive successor (expected 2) | test_boolean.py:9:33:9:33 | IntegerLiteral | Timestamp 1 | test_boolean.py:7:1:7:27 | Function test_and_both_sides | test_and_both_sides |
+| test_boolean.py:15:10:15:14 | False | $@ in $@ has no consecutive successor (expected 1) | test_boolean.py:15:20:15:20 | IntegerLiteral | Timestamp 0 | test_boolean.py:13:1:13:30 | Function test_and_short_circuit | test_and_short_circuit |
+| test_boolean.py:21:10:21:13 | True | $@ in $@ has no consecutive successor (expected 1) | test_boolean.py:21:19:21:19 | IntegerLiteral | Timestamp 0 | test_boolean.py:19:1:19:29 | Function test_or_short_circuit | test_or_short_circuit |
+| test_boolean.py:27:26:27:27 | IntegerLiteral | $@ in $@ has no consecutive successor (expected 2) | test_boolean.py:27:33:27:33 | IntegerLiteral | Timestamp 1 | test_boolean.py:25:1:25:26 | Function test_or_both_sides | test_or_both_sides |
+| test_boolean.py:40:45:40:45 | IntegerLiteral | $@ in $@ has no consecutive successor (expected 3) | test_boolean.py:40:51:40:51 | IntegerLiteral | Timestamp 2 | test_boolean.py:38:1:38:24 | Function test_chained_and | test_chained_and |
+| test_boolean.py:46:44:46:45 | IntegerLiteral | $@ in $@ has no consecutive successor (expected 3) | test_boolean.py:46:51:46:51 | IntegerLiteral | Timestamp 2 | test_boolean.py:44:1:44:23 | Function test_chained_or | test_chained_or |
+| test_boolean.py:52:11:52:47 | BoolExpr | $@ in $@ has no consecutive successor (expected 3) | test_boolean.py:52:63:52:63 | IntegerLiteral | Timestamp 2 | test_boolean.py:50:1:50:25 | Function test_mixed_and_or | test_mixed_and_or |
+| test_boolean.py:52:27:52:31 | False | $@ in $@ has no consecutive successor (expected 2) | test_boolean.py:52:37:52:37 | IntegerLiteral | Timestamp 1 | test_boolean.py:50:1:50:25 | Function test_mixed_and_or | test_mixed_and_or |
+| test_boolean.py:52:78:52:79 | IntegerLiteral | $@ in $@ has no consecutive successor (expected 4) | test_boolean.py:52:85:52:85 | IntegerLiteral | Timestamp 3 | test_boolean.py:50:1:50:25 | Function test_mixed_and_or | test_mixed_and_or |
+| test_if.py:95:9:95:13 | False | $@ in $@ has no consecutive successor (expected 2) | test_if.py:95:19:95:19 | IntegerLiteral | Timestamp 1 | test_if.py:93:1:93:34 | Function test_if_compound_condition | test_if_compound_condition |
+| test_if.py:96:9:96:29 | BoolExpr | $@ in $@ has no consecutive successor (expected 5) | test_if.py:96:36:96:36 | IntegerLiteral | Timestamp 4 | test_if.py:93:1:93:34 | Function test_if_compound_condition | test_if_compound_condition |
+| test_if.py:96:22:96:22 | y | $@ in $@ has no consecutive successor (expected 4) | test_if.py:96:28:96:28 | IntegerLiteral | Timestamp 3 | test_if.py:93:1:93:34 | Function test_if_compound_condition | test_if_compound_condition |

python/ql/test/library-tests/ControlFlow/evaluation-order/ConsecutiveTimestamps.ql

@@ -0,0 +1,24 @@
+/**
+ * Checks that consecutive annotated nodes have consecutive timestamps:
+ * for each annotation with timestamp `a`, some CFG node for that annotation
+ * must have a next annotation containing `a + 1`.
+ *
+ * Handles CFG splitting (e.g., finally blocks duplicated for normal/exceptional
+ * flow) by checking that at least one split has the required successor.
+ *
+ * Only applies to functions where all annotations are in the function's
+ * own scope (excludes tests with generators, async, comprehensions, or
+ * lambdas that have annotations in nested scopes).
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerAnnotation ann, int a
+where consecutiveTimestamps(ann, a)
+select ann, "$@ in $@ has no consecutive successor (expected " + (a + 1) + ")",
+  ann.getTimestampExpr(a), "Timestamp " + a, ann.getTestFunction(), ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/ContiguousTimestamps.ql

@@ -0,0 +1,17 @@
+/**
+ * Checks that timestamps form a contiguous sequence {0, 1, ..., max}
+ * within each test function. Every integer in the range must appear
+ * in at least one annotation (live or dead).
+ */
+
+import TimerUtils
+
+from TestFunction f, int missing, int maxTs, TimerAnnotation maxAnn
+where
+  maxTs = max(TimerAnnotation a | a.getTestFunction() = f | a.getATimestamp()) and
+  maxAnn.getTestFunction() = f and
+  maxAnn.getATimestamp() = maxTs and
+  missing = [0 .. maxTs] and
+  not exists(TimerAnnotation a | a.getTestFunction() = f and a.getATimestamp() = missing)
+select f, "Missing timestamp " + missing + " (max is $@)", maxAnn.getTimestampExpr(maxTs),
+  maxTs.toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/MissingAnnotations.ql

@@ -0,0 +1,15 @@
+/**
+ * Finds expressions in test functions that lack a timer annotation
+ * and are not part of the timer mechanism or otherwise excluded.
+ * An empty result means every annotatable expression is covered.
+ */
+
+import python
+import TimerUtils
+
+from TestFunction f, Expr e
+where
+  e.getScope().getEnclosingScope*() = f and
+  not isTimerMechanism(e, f) and
+  not isUnannotatable(e)
+select e, "Missing annotation in $@", f, f.getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NeverReachable.expected

@@ -0,0 +1,2 @@
+| test_match.py:159:13:159:13 | IntegerLiteral | Node annotated with t.never is reachable in $@ | test_match.py:151:1:151:42 | Function test_match_exhaustive_return_first | test_match_exhaustive_return_first |
+| test_match.py:172:13:172:13 | IntegerLiteral | Node annotated with t.never is reachable in $@ | test_match.py:164:1:164:45 | Function test_match_exhaustive_return_wildcard | test_match_exhaustive_return_wildcard |

python/ql/test/library-tests/ControlFlow/evaluation-order/NeverReachable.ql

@@ -0,0 +1,16 @@
+/**
+ * Checks that expressions annotated with `t.never` either have no CFG
+ * node, or if they do, that the node is not reachable from its scope's
+ * entry (including within the same basic block).
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils::CfgTests
+
+from TimerAnnotation ann
+where neverReachable(ann)
+select ann, "Node annotated with t.never is reachable in $@", ann.getTestFunction(),
+  ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBackwardFlow.expected

@@ -0,0 +1,11 @@
+| test_boolean.py:9:10:9:43 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:9:59:9:59 | IntegerLiteral | 2 | test_boolean.py:9:10:9:13 | ControlFlowNode for True | True | test_boolean.py:9:19:9:19 | IntegerLiteral | 0 |
+| test_boolean.py:15:10:15:43 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:15:50:15:50 | IntegerLiteral | 1 | test_boolean.py:15:10:15:14 | ControlFlowNode for False | False | test_boolean.py:15:20:15:20 | IntegerLiteral | 0 |
+| test_boolean.py:21:10:21:42 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:21:49:21:49 | IntegerLiteral | 1 | test_boolean.py:21:10:21:13 | ControlFlowNode for True | True | test_boolean.py:21:19:21:19 | IntegerLiteral | 0 |
+| test_boolean.py:27:10:27:34 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:27:50:27:50 | IntegerLiteral | 2 | test_boolean.py:27:10:27:14 | ControlFlowNode for False | False | test_boolean.py:27:20:27:20 | IntegerLiteral | 0 |
+| test_boolean.py:40:10:40:61 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:40:86:40:86 | IntegerLiteral | 3 | test_boolean.py:40:10:40:10 | ControlFlowNode for IntegerLiteral | IntegerLiteral | test_boolean.py:40:16:40:16 | IntegerLiteral | 0 |
+| test_boolean.py:46:10:46:61 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:46:86:46:86 | IntegerLiteral | 3 | test_boolean.py:46:10:46:10 | ControlFlowNode for IntegerLiteral | IntegerLiteral | test_boolean.py:46:16:46:16 | IntegerLiteral | 0 |
+| test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:52:120:52:120 | IntegerLiteral | 4 | test_boolean.py:52:11:52:47 | ControlFlowNode for BoolExpr | BoolExpr | test_boolean.py:52:63:52:63 | IntegerLiteral | 2 |
+| test_boolean.py:52:11:52:47 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:52:63:52:63 | IntegerLiteral | 2 | test_boolean.py:52:11:52:14 | ControlFlowNode for True | True | test_boolean.py:52:20:52:20 | IntegerLiteral | 0 |
+| test_boolean.py:64:10:64:52 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:64:59:64:59 | IntegerLiteral | 6 | test_boolean.py:64:11:64:11 | ControlFlowNode for f | f | test_boolean.py:64:17:64:17 | IntegerLiteral | 0 |
+| test_boolean.py:76:10:76:51 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:76:58:76:58 | IntegerLiteral | 6 | test_boolean.py:76:11:76:11 | ControlFlowNode for f | f | test_boolean.py:76:17:76:17 | IntegerLiteral | 0 |
+| test_if.py:96:9:96:29 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_if.py:96:36:96:36 | IntegerLiteral | 4 | test_if.py:96:9:96:9 | ControlFlowNode for x | x | test_if.py:96:15:96:15 | IntegerLiteral | 2 |

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBackwardFlow.ql

@@ -0,0 +1,17 @@
+/**
+ * Checks that time never flows backward between consecutive timer annotations
+ * in the CFG. For each pair of consecutive annotated nodes (A -> B), there must
+ * exist timestamps a in A and b in B with a < b.
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int minA, int maxB
+where noBackwardFlow(a, b, minA, maxB)
+select a, "Backward flow: $@ flows to $@ (max timestamp $@)", a.getTimestampExpr(minA),
+  minA.toString(), b, b.getNode().toString(), b.getTimestampExpr(maxB), maxB.toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBasicBlock.expected

@@ -0,0 +1 @@
+

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBasicBlock.ql

@@ -0,0 +1,14 @@
+/**
+ * Checks that every annotated CFG node belongs to a basic block.
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from CfgNode n, TestFunction f
+where noBasicBlock(n, f)
+select n, "CFG node in $@ does not belong to any basic block", f, f.getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NoSharedReachable.ql

@@ -0,0 +1,16 @@
+/**
+ * Checks that two annotations sharing a timestamp value are on
+ * mutually exclusive CFG paths (neither can reach the other).
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int ts
+where noSharedReachable(a, b, ts)
+select a, "Shared timestamp $@ but this node reaches $@", a.getTimestampExpr(ts), ts.toString(), b,
+  b.getNode().toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/OldCfgImpl.qll

@@ -0,0 +1,16 @@
+/**
+ * Implementation of the evaluation-order CFG signature using the existing
+ * Python control flow graph.
+ */
+
+private import python as PY
+import TimerUtils
+
+/** Existing Python CFG implementation of the evaluation-order signature. */
+module OldCfg implements EvalOrderCfgSig {
+  class CfgNode = PY::ControlFlowNode;
+
+  class BasicBlock = PY::BasicBlock;
+
+  CfgNode scopeGetEntryNode(PY::Scope s) { result = s.getEntryNode() }
+}

python/ql/test/library-tests/ControlFlow/evaluation-order/StrictForward.expected

@@ -0,0 +1,11 @@
+| test_boolean.py:9:10:9:43 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:9:59:9:59 | IntegerLiteral | timestamp 2 | test_boolean.py:9:19:9:19 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:15:10:15:43 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:15:50:15:50 | IntegerLiteral | timestamp 1 | test_boolean.py:15:20:15:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:21:10:21:42 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:21:49:21:49 | IntegerLiteral | timestamp 1 | test_boolean.py:21:19:21:19 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:27:10:27:34 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:27:50:27:50 | IntegerLiteral | timestamp 2 | test_boolean.py:27:20:27:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:40:10:40:61 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:40:86:40:86 | IntegerLiteral | timestamp 3 | test_boolean.py:40:16:40:16 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:46:10:46:61 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:46:86:46:86 | IntegerLiteral | timestamp 3 | test_boolean.py:46:16:46:16 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:52:120:52:120 | IntegerLiteral | timestamp 4 | test_boolean.py:52:63:52:63 | IntegerLiteral | timestamp 2 |
+| test_boolean.py:52:11:52:47 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:52:63:52:63 | IntegerLiteral | timestamp 2 | test_boolean.py:52:20:52:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:64:10:64:52 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:64:59:64:59 | IntegerLiteral | timestamp 6 | test_boolean.py:64:17:64:17 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:76:10:76:51 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:76:58:76:58 | IntegerLiteral | timestamp 6 | test_boolean.py:76:17:76:17 | IntegerLiteral | timestamp 0 |
+| test_if.py:96:9:96:29 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_if.py:96:36:96:36 | IntegerLiteral | timestamp 4 | test_if.py:96:15:96:15 | IntegerLiteral | timestamp 2 |

python/ql/test/library-tests/ControlFlow/evaluation-order/StrictForward.ql

@@ -0,0 +1,17 @@
+/**
+ * Stronger version of NoBackwardFlow: for consecutive annotated nodes
+ * A -> B that both have a single timestamp (non-loop code) and B does
+ * NOT dominate A (forward edge), requires max(A) < min(B).
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int maxA, int minB
+where strictForward(a, b, maxA, minB)
+select a, "Strict forward violation: $@ flows to $@", a.getTimestampExpr(maxA), "timestamp " + maxA,
+  b.getTimestampExpr(minB), "timestamp " + minB