Ruby: sort TRAP output

Merge pull request #10031 from jketema/block-assign
C++: Handle block assignments
2026-05-18 05:07:06 +02:00 · 2022-08-15 10:54:38 +01:00 · 2022-08-15 10:29:23 +01:00 · 2022-08-15 10:39:17 +02:00 · 2022-08-13 15:09:06 +02:00 · 2022-08-13 01:01:30 +02:00
187 changed files with 10637 additions and 1488 deletions
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -40,6 +40,7 @@ jobs:
          "${CODEQL}" pack create
          cd .codeql/pack/codeql/ql/0.0.0
          zip "${PACKZIP}" -r .
+          rm -rf *
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
          PACKZIP: ${{ runner.temp }}/query-pack.zip
@@ -117,6 +118,7 @@ jobs:
          fi
          cd pack
          zip -rq ../codeql-ql.zip .
+          rm -rf *
      - uses: actions/upload-artifact@v3
        with:
          name: codeql-ql-pack
--- a/cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/exprs.ql
+++ b/cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/exprs.ql
@@ -0,0 +1,13 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location_expr {
+  string toString() { none() }
+}
+
+from Expr expr, int kind, int kind_new, Location location
+where
+  exprs(expr, kind, location) and
+  if expr instanceof @blockassignexpr then kind_new = 0 else kind_new = kind
+select expr, kind_new, location
--- a/cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/old.dbscheme
+++ b/cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/old.dbscheme
--- a/cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/upgrade.properties
+++ b/cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/upgrade.properties
@@ -0,0 +1,3 @@
+description: Support block assignment
+compatibility: partial
+exprs.rel: run exprs.qlo
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,15 +1,3 @@
-## 0.3.3
-
-### New Features
-
-* Added a predicate `getValueConstant` to `AttributeArgument` that yields the argument value as an `Expr` when the value is a constant expression.
-* A new class predicate `MustFlowConfiguration::allowInterproceduralFlow` has been added to the `semmle.code.cpp.ir.dataflow.MustFlow` library. The new predicate can be overridden to disable interprocedural flow.
-* Added subclasses of `BuiltInOperations` for `__builtin_bit_cast`, `__builtin_shuffle`, `__has_unique_object_representations`, `__is_aggregate`, and `__is_assignable`.
-
-### Major Analysis Improvements
-
-* The IR dataflow library now includes flow through global variables. This enables new findings in many scenarios.
-
 ## 0.3.2

 ### Bug Fixes
--- a/cpp/ql/lib/change-notes/2022-06-23-global-var-flow.md
+++ b/cpp/ql/lib/change-notes/2022-06-23-global-var-flow.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The IR dataflow library now includes flow through global variables. This enables new findings in many scenarios.
--- a/cpp/ql/lib/change-notes/2022-07-26-additional-builtin-support.md
+++ b/cpp/ql/lib/change-notes/2022-07-26-additional-builtin-support.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added subclasses of `BuiltInOperations` for `__builtin_bit_cast`, `__builtin_shuffle`, `__has_unique_object_representations`, `__is_aggregate`, and `__is_assignable`.
--- a/cpp/ql/lib/change-notes/2022-08-02-must-flow-local-only-flow.md
+++ b/cpp/ql/lib/change-notes/2022-08-02-must-flow-local-only-flow.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* A new class predicate `MustFlowConfiguration::allowInterproceduralFlow` has been added to the `semmle.code.cpp.ir.dataflow.MustFlow` library. The new predicate can be overridden to disable interprocedural flow.
--- a/cpp/ql/lib/change-notes/2022-08-10-constant-attribute-argument-support.md
+++ b/cpp/ql/lib/change-notes/2022-08-10-constant-attribute-argument-support.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a predicate `getValueConstant` to `AttributeArgument` that yields the argument value as an `Expr` when the value is a constant expression.
--- a/cpp/ql/lib/change-notes/2022-08-12-block-assignment-support.md
+++ b/cpp/ql/lib/change-notes/2022-08-12-block-assignment-support.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a `BlockAssignExpr` class, which models a `memcpy`-like operation used in compiler generated copy/move constructors and assignment operations.
--- a/cpp/ql/lib/change-notes/released/0.3.3.md
+++ b/cpp/ql/lib/change-notes/released/0.3.3.md
@@ -1,11 +0,0 @@
-## 0.3.3
-
-### New Features
-
-* Added a predicate `getValueConstant` to `AttributeArgument` that yields the argument value as an `Expr` when the value is a constant expression.
-* A new class predicate `MustFlowConfiguration::allowInterproceduralFlow` has been added to the `semmle.code.cpp.ir.dataflow.MustFlow` library. The new predicate can be overridden to disable interprocedural flow.
-* Added subclasses of `BuiltInOperations` for `__builtin_bit_cast`, `__builtin_shuffle`, `__has_unique_object_representations`, `__is_aggregate`, and `__is_assignable`.
-
-### Major Analysis Improvements
-
-* The IR dataflow library now includes flow through global variables. This enables new findings in many scenarios.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.3
+lastReleaseVersion: 0.3.2
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.3.3
+version: 0.3.3-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Specifier.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Specifier.qll
@@ -256,7 +256,7 @@ class AttributeArgument extends Element, @attribute_arg {

  /**
   * Gets the text for the value of this argument, if its value is
-   * a constant or token.
+   * a constant or a token.
   */
  string getValueText() {
    if underlyingElement(this) instanceof @attribute_arg_constant_expr
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/BasicBlocks.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/BasicBlocks.qll
@@ -231,7 +231,7 @@ class BasicBlock extends ControlFlowNodeBase {
    exists(Function f | f.getBlock() = this)
    or
    exists(TryStmt t, BasicBlock tryblock |
-      // a `Handler` preceeds the `CatchBlock`, and is always the beginning
+      // a `Handler` precedes the `CatchBlock`, and is always the beginning
      // of a new `BasicBlock` (see `primitive_basic_block_entry_node`).
      this.(Handler).getTryStmt() = t and
      tryblock.isReachable() and
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Assignment.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Assignment.qll
@@ -47,6 +47,20 @@ class AssignExpr extends Assignment, @assignexpr {
  override string toString() { result = "... = ..." }
 }

+/**
+ * A compiler generated assignment operation that may occur in a compiler generated
+ * copy/move constructor or assignment operator, and which functions like `memcpy`
+ * where the size argument is based on the type of the rvalue of the assignment.
+ */
+class BlockAssignExpr extends Assignment, @blockassignexpr {
+  override string getOperator() { result = "=" }
+
+  override string getAPrimaryQlClass() { result = "BlockAssignExpr" }
+
+  /** Gets a textual representation of this assignment. */
+  override string toString() { result = "... = ..." }
+}
+
 /**
 * A non-overloaded binary assignment operation other than `=`.
 *
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -1450,8 +1450,6 @@ class TranslatedAssignExpr extends TranslatedNonConstantExpr {
      result = this.getLeftOperand().getResult()
  }

-  abstract Instruction getStoredValue();
-
  final TranslatedExpr getLeftOperand() {
    result = getTranslatedExpr(expr.getLValue().getFullyConverted())
  }
@@ -1493,6 +1491,75 @@ class TranslatedAssignExpr extends TranslatedNonConstantExpr {
  }
 }

+class TranslatedBlockAssignExpr extends TranslatedNonConstantExpr {
+  override BlockAssignExpr expr;
+
+  final override TranslatedElement getChild(int id) {
+    id = 0 and result = this.getLeftOperand()
+    or
+    id = 1 and result = this.getRightOperand()
+  }
+
+  final override Instruction getFirstInstruction() {
+    // The operand evaluation order should since block assignments behave like memcpy.
+    result = this.getLeftOperand().getFirstInstruction()
+  }
+
+  final override Instruction getResult() { result = this.getInstruction(AssignmentStoreTag()) }
+
+  final TranslatedExpr getLeftOperand() {
+    result = getTranslatedExpr(expr.getLValue().getFullyConverted())
+  }
+
+  final TranslatedExpr getRightOperand() {
+    result = getTranslatedExpr(expr.getRValue().getFullyConverted())
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    tag = LoadTag() and
+    result = this.getInstruction(AssignmentStoreTag()) and
+    kind instanceof GotoEdge
+    or
+    tag = AssignmentStoreTag() and
+    result = this.getParent().getChildSuccessor(this) and
+    kind instanceof GotoEdge
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child) {
+    child = this.getLeftOperand() and
+    result = this.getRightOperand().getFirstInstruction()
+    or
+    child = this.getRightOperand() and
+    result = this.getInstruction(LoadTag())
+  }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    tag = LoadTag() and
+    opcode instanceof Opcode::Load and
+    resultType = getTypeForPRValue(expr.getRValue().getType())
+    or
+    tag = AssignmentStoreTag() and
+    opcode instanceof Opcode::Store and
+    // The frontend specifies that the relevant type is the one of the source.
+    resultType = getTypeForPRValue(expr.getRValue().getType())
+  }
+
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = LoadTag() and
+    operandTag instanceof AddressOperandTag and
+    result = this.getRightOperand().getResult()
+    or
+    tag = AssignmentStoreTag() and
+    (
+      operandTag instanceof AddressOperandTag and
+      result = this.getLeftOperand().getResult()
+      or
+      operandTag instanceof StoreValueOperandTag and
+      result = this.getInstruction(LoadTag())
+    )
+  }
+}
+
 class TranslatedAssignOperation extends TranslatedNonConstantExpr {
  override AssignOperation expr;

--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
@@ -218,7 +218,7 @@ private class CallAllocationExpr extends AllocationExpr, FunctionCall {
      exists(target.getReallocPtrArg()) and
      this.getArgument(target.getSizeArg()).getValue().toInt() = 0
    ) and
-    // these are modelled directly (and more accurately), avoid duplication
+    // these are modeled directly (and more accurately), avoid duplication
    not exists(NewOrNewArrayExpr new | new.getAllocatorCall() = this)
  }

--- a/cpp/ql/lib/semmle/code/cpp/security/Overflow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/Overflow.qll
@@ -50,7 +50,7 @@ VariableAccess varUse(LocalScopeVariable v) { result = v.getAnAccess() }
 * Holds if `e` potentially overflows and `use` is an operand of `e` that is not guarded.
 */
 predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
-  // Since `e` is guarenteed to be a `BinaryArithmeticOperation`, a `UnaryArithmeticOperation` or
+  // Since `e` is guaranteed to be a `BinaryArithmeticOperation`, a `UnaryArithmeticOperation` or
  // an `AssignArithmeticOperation` by the other constraints in this predicate, we know that
  // `convertedExprMightOverflowPositively` will have a result even when `e` is not analyzable
  // by `SimpleRangeAnalysis`.
@@ -80,7 +80,7 @@ predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
 * Holds if `e` potentially underflows and `use` is an operand of `e` that is not guarded.
 */
 predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {
-  // Since `e` is guarenteed to be a `BinaryArithmeticOperation`, a `UnaryArithmeticOperation` or
+  // Since `e` is guaranteed to be a `BinaryArithmeticOperation`, a `UnaryArithmeticOperation` or
  // an `AssignArithmeticOperation` by the other constraints in this predicate, we know that
  // `convertedExprMightOverflowNegatively` will have a result even when `e` is not analyzable
  // by `SimpleRangeAnalysis`.
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -1302,7 +1302,7 @@ funbind(

@assign_op_expr = @assign_arith_expr | @assign_bitwise_expr

-@assign_expr = @assignexpr | @assign_op_expr
+@assign_expr = @assignexpr | @assign_op_expr | @blockassignexpr

 /*
  case @allocator.form of
@@ -1660,6 +1660,7 @@ case @expr.kind of
 | 332 = @hasuniqueobjectrepresentations
 | 333 = @builtinbitcast
 | 334 = @builtinshuffle
+| 335 = @blockassignexpr
 ;

@var_args_expr = @vastartexpr
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
--- a/cpp/ql/lib/upgrades/34549c3b0937002f11037d01822ebe99442c1402/old.dbscheme
+++ b/cpp/ql/lib/upgrades/34549c3b0937002f11037d01822ebe99442c1402/old.dbscheme
--- a/cpp/ql/lib/upgrades/34549c3b0937002f11037d01822ebe99442c1402/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/34549c3b0937002f11037d01822ebe99442c1402/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/34549c3b0937002f11037d01822ebe99442c1402/upgrade.properties
+++ b/cpp/ql/lib/upgrades/34549c3b0937002f11037d01822ebe99442c1402/upgrade.properties
@@ -0,0 +1,2 @@
+description: Support block assignment
+compatibility: backwards
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 0.3.2
-
-### Minor Analysis Improvements
-
-* The query `cpp/bad-strncpy-size` now covers more `strncpy`-like functions than before, including `strxfrm`(`_l`), `wcsxfrm`(`_l`), and `stpncpy`. Users of this query may see an increase in results.
-
 ## 0.3.1

 ## 0.3.0
--- a/Typos/AssignWhereCompareMeant.ql
+++ b/Typos/AssignWhereCompareMeant.ql
@@ -68,7 +68,7 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
    // if((a = b) && use_value(a)) { ... }
    // ```
    // where the assignment is meant to update the value of `a` before it's used in some other boolean
-    // subexpression that is guarenteed to be evaluate _after_ the assignment.
+    // subexpression that is guaranteed to be evaluate _after_ the assignment.
    this.isParenthesised() and
    exists(LogicalAndExpr parent, Variable var, VariableAccess access |
      var = this.getLValue().(VariableAccess).getTarget() and
--- a/Typos/inconsistentLoopDirection.ql
+++ b/Typos/inconsistentLoopDirection.ql
@@ -51,7 +51,7 @@ predicate illDefinedDecrForStmt(
    (
      upperBound(initialCondition) < lowerBound(terminalCondition) and
      (
-        // exclude cases where the loop counter is `unsigned` (where wrapping behaviour can be used deliberately)
+        // exclude cases where the loop counter is `unsigned` (where wrapping behavior can be used deliberately)
        v.getUnspecifiedType().(IntegralType).isSigned() or
        initialCondition.getValue().toInt() = 0
      )
--- a/cpp/ql/src/Metrics/Internal/IRConsistency.ql
+++ b/cpp/ql/src/Metrics/Internal/IRConsistency.ql
@@ -0,0 +1,37 @@
+/**
+ * @name Count IR inconsistencies
+ * @description Counts the various IR inconsistencies that may occur.
+ *              This query is for internal use only and may change without notice.
+ * @kind table
+ * @id cpp/count-ir-inconsistencies
+ */
+
+import cpp
+import semmle.code.cpp.ir.implementation.aliased_ssa.IR
+import semmle.code.cpp.ir.implementation.aliased_ssa.IRConsistency as IRConsistency
+
+select count(Instruction i | IRConsistency::missingOperand(i, _, _, _) | i) as missingOperand,
+  count(Instruction i | IRConsistency::unexpectedOperand(i, _, _, _) | i) as unexpectedOperand,
+  count(Instruction i | IRConsistency::duplicateOperand(i, _, _, _) | i) as duplicateOperand,
+  count(PhiInstruction i | IRConsistency::missingPhiOperand(i, _, _, _) | i) as missingPhiOperand,
+  count(Operand o | IRConsistency::missingOperandType(o, _, _, _) | o) as missingOperandType,
+  count(ChiInstruction i | IRConsistency::duplicateChiOperand(i, _, _, _) | i) as duplicateChiOperand,
+  count(Instruction i | IRConsistency::sideEffectWithoutPrimary(i, _, _, _) | i) as sideEffectWithoutPrimary,
+  count(Instruction i | IRConsistency::instructionWithoutSuccessor(i, _, _, _) | i) as instructionWithoutSuccessor,
+  count(Instruction i | IRConsistency::ambiguousSuccessors(i, _, _, _) | i) as ambiguousSuccessors,
+  count(Instruction i | IRConsistency::unexplainedLoop(i, _, _, _) | i) as unexplainedLoop,
+  count(PhiInstruction i | IRConsistency::unnecessaryPhiInstruction(i, _, _, _) | i) as unnecessaryPhiInstruction,
+  count(Instruction i | IRConsistency::memoryOperandDefinitionIsUnmodeled(i, _, _, _) | i) as memoryOperandDefinitionIsUnmodeled,
+  count(Operand o | IRConsistency::operandAcrossFunctions(o, _, _, _, _, _) | o) as operandAcrossFunctions,
+  count(IRFunction f | IRConsistency::containsLoopOfForwardEdges(f, _) | f) as containsLoopOfForwardEdges,
+  count(IRBlock i | IRConsistency::lostReachability(i, _, _, _) | i) as lostReachability,
+  count(string m | IRConsistency::backEdgeCountMismatch(_, m) | m) as backEdgeCountMismatch,
+  count(Operand o | IRConsistency::useNotDominatedByDefinition(o, _, _, _) | o) as useNotDominatedByDefinition,
+  count(SwitchInstruction i | IRConsistency::switchInstructionWithoutDefaultEdge(i, _, _, _) | i) as switchInstructionWithoutDefaultEdge,
+  count(Instruction i | IRConsistency::notMarkedAsConflated(i, _, _, _) | i) as notMarkedAsConflated,
+  count(Instruction i | IRConsistency::wronglyMarkedAsConflated(i, _, _, _) | i) as wronglyMarkedAsConflated,
+  count(MemoryOperand o | IRConsistency::invalidOverlap(o, _, _, _) | o) as invalidOverlap,
+  count(Instruction i | IRConsistency::nonUniqueEnclosingIRFunction(i, _, _, _) | i) as nonUniqueEnclosingIRFunction,
+  count(FieldAddressInstruction i | IRConsistency::fieldAddressOnNonPointer(i, _, _, _) | i) as fieldAddressOnNonPointer,
+  count(Instruction i | IRConsistency::thisArgumentIsNonPointer(i, _, _, _) | i) as thisArgumentIsNonPointer,
+  count(Instruction i | IRConsistency::nonUniqueIRVariable(i, _, _, _) | i) as nonUniqueIRVariable
--- a/cpp/ql/src/change-notes/2021-08-10-use-strcpyfunction-in-bad-strncpy-size.md
+++ b/cpp/ql/src/change-notes/2021-08-10-use-strcpyfunction-in-bad-strncpy-size.md
@@ -1,5 +1,4 @@
-## 0.3.2
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * The query `cpp/bad-strncpy-size` now covers more `strncpy`-like functions than before, including `strxfrm`(`_l`), `wcsxfrm`(`_l`), and `stpncpy`. Users of this query may see an increase in results.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.2
+lastReleaseVersion: 0.3.1
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.3.2
+version: 0.3.2-dev
 groups: 
  - cpp
  - queries
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -13975,6 +13975,168 @@ ir.cpp:
 # 1815|                 Type = [IntType] int
 # 1815|                 ValueCategory = prvalue(load)
 # 1817|     getStmt(8): [ReturnStmt] return ...
+# 1834| [CopyAssignmentOperator] block_assignment::A& block_assignment::A::operator=(block_assignment::A const&)
+# 1834|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const A &
+# 1834| [MoveAssignmentOperator] block_assignment::A& block_assignment::A::operator=(block_assignment::A&&)
+# 1834|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] A &&
+#-----|   getEntryPoint(): [BlockStmt] { ... }
+#-----|     getStmt(0): [ExprStmt] ExprStmt
+#-----|       getExpr(): [BlockAssignExpr] ... = ...
+#-----|           Type = [VoidType] void
+#-----|           ValueCategory = prvalue
+#-----|         getLValue(): [PointerFieldAccess] e
+#-----|             Type = [ArrayType] enum <unnamed>[1]
+#-----|             ValueCategory = lvalue
+#-----|           getQualifier(): [ThisExpr] this
+#-----|               Type = [PointerType] A *
+#-----|               ValueCategory = prvalue(load)
+#-----|         getRValue(): [ReferenceFieldAccess] e
+#-----|             Type = [ArrayType] enum <unnamed>[1]
+#-----|             ValueCategory = lvalue
+#-----|           getQualifier(): [VariableAccess] (unnamed parameter 0)
+#-----|               Type = [RValueReferenceType] A &&
+#-----|               ValueCategory = prvalue(load)
+#-----|           getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
+#-----|               Type = [Class] A
+#-----|               ValueCategory = lvalue
+#-----|     getStmt(1): [ReturnStmt] return ...
+#-----|       getExpr(): [PointerDereferenceExpr] * ...
+#-----|           Type = [Class] A
+#-----|           ValueCategory = lvalue
+#-----|         getOperand(): [ThisExpr] this
+#-----|             Type = [PointerType] A *
+#-----|             ValueCategory = prvalue(load)
+#-----|       getExpr().getFullyConverted(): [ReferenceToExpr] (reference to)
+#-----|           Type = [LValueReferenceType] A &
+#-----|           ValueCategory = prvalue
+# 1834| [Constructor] void block_assignment::A::A()
+# 1834|   <params>: 
+# 1834| [CopyConstructor] void block_assignment::A::A(block_assignment::A const&)
+# 1834|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const A &
+# 1834| [MoveConstructor] void block_assignment::A::A(block_assignment::A&&)
+# 1834|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] A &&
+# 1836| [VirtualFunction] void block_assignment::A::f()
+# 1836|   <params>: 
+# 1839| [CopyAssignmentOperator] block_assignment::B& block_assignment::B::operator=(block_assignment::B const&)
+# 1839|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const B &
+# 1839| [MoveAssignmentOperator] block_assignment::B& block_assignment::B::operator=(block_assignment::B&&)
+# 1839|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] B &&
+#-----|   getEntryPoint(): [BlockStmt] { ... }
+#-----|     getStmt(0): [ExprStmt] ExprStmt
+# 1839|       getExpr(): [FunctionCall] call to operator=
+# 1839|           Type = [LValueReferenceType] A &
+# 1839|           ValueCategory = prvalue
+# 1839|         getQualifier(): [ThisExpr] this
+# 1839|             Type = [PointerType] B *
+# 1839|             ValueCategory = prvalue(load)
+# 1839|         getArgument(0): [PointerDereferenceExpr] * ...
+# 1839|             Type = [Class] A
+# 1839|             ValueCategory = xvalue
+# 1839|           getOperand(): [AddressOfExpr] & ...
+# 1839|               Type = [PointerType] B *
+# 1839|               ValueCategory = prvalue
+# 1839|             getOperand(): [VariableAccess] (unnamed parameter 0)
+# 1839|                 Type = [RValueReferenceType] B &&
+# 1839|                 ValueCategory = prvalue(load)
+#-----|             getOperand().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
+#-----|                 Type = [Struct] B
+#-----|                 ValueCategory = lvalue
+#-----|           getOperand().getFullyConverted(): [CStyleCast] (A *)...
+#-----|               Conversion = [BaseClassConversion] base class conversion
+#-----|               Type = [PointerType] A *
+#-----|               ValueCategory = prvalue
+#-----|         getQualifier().getFullyConverted(): [CStyleCast] (A *)...
+#-----|             Conversion = [BaseClassConversion] base class conversion
+#-----|             Type = [PointerType] A *
+#-----|             ValueCategory = prvalue
+#-----|         getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+#-----|             Type = [LValueReferenceType] A &
+#-----|             ValueCategory = prvalue
+#-----|       getExpr().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
+#-----|           Type = [Class] A
+#-----|           ValueCategory = lvalue
+#-----|     getStmt(1): [ReturnStmt] return ...
+#-----|       getExpr(): [PointerDereferenceExpr] * ...
+#-----|           Type = [Struct] B
+#-----|           ValueCategory = lvalue
+#-----|         getOperand(): [ThisExpr] this
+#-----|             Type = [PointerType] B *
+#-----|             ValueCategory = prvalue(load)
+#-----|       getExpr().getFullyConverted(): [ReferenceToExpr] (reference to)
+#-----|           Type = [LValueReferenceType] B &
+#-----|           ValueCategory = prvalue
+# 1839| [CopyConstructor] void block_assignment::B::B(block_assignment::B const&)
+# 1839|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const B &
+# 1839| [MoveConstructor] void block_assignment::B::B(block_assignment::B&&)
+# 1839|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] B &&
+# 1840| [Constructor] void block_assignment::B::B(block_assignment::A*)
+# 1840|   <params>: 
+# 1840|     getParameter(0): [Parameter] (unnamed parameter 0)
+# 1840|         Type = [PointerType] A *
+# 1843| [TopLevelFunction] void block_assignment::foo()
+# 1843|   <params>: 
+# 1843|   getEntryPoint(): [BlockStmt] { ... }
+# 1844|     getStmt(0): [DeclStmt] declaration
+# 1844|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of v
+# 1844|           Type = [Struct] B
+# 1844|         getVariable().getInitializer(): [Initializer] initializer for v
+# 1844|           getExpr(): [ConstructorCall] call to B
+# 1844|               Type = [VoidType] void
+# 1844|               ValueCategory = prvalue
+# 1844|             getArgument(0): [Literal] 0
+# 1844|                 Type = [IntType] int
+# 1844|                 Value = [Literal] 0
+# 1844|                 ValueCategory = prvalue
+# 1844|             getArgument(0).getFullyConverted(): [CStyleCast] (A *)...
+# 1844|                 Conversion = [IntegralToPointerConversion] integral to pointer conversion
+# 1844|                 Type = [PointerType] A *
+# 1844|                 Value = [CStyleCast] 0
+# 1844|                 ValueCategory = prvalue
+# 1845|     getStmt(1): [ExprStmt] ExprStmt
+# 1845|       getExpr(): [FunctionCall] call to operator=
+# 1845|           Type = [LValueReferenceType] B &
+# 1845|           ValueCategory = prvalue
+# 1845|         getQualifier(): [VariableAccess] v
+# 1845|             Type = [Struct] B
+# 1845|             ValueCategory = lvalue
+# 1845|         getArgument(0): [ConstructorCall] call to B
+# 1845|             Type = [VoidType] void
+# 1845|             ValueCategory = prvalue
+# 1845|           getArgument(0): [Literal] 0
+# 1845|               Type = [IntType] int
+# 1845|               Value = [Literal] 0
+# 1845|               ValueCategory = prvalue
+# 1845|           getArgument(0).getFullyConverted(): [CStyleCast] (A *)...
+# 1845|               Conversion = [IntegralToPointerConversion] integral to pointer conversion
+# 1845|               Type = [PointerType] A *
+# 1845|               Value = [CStyleCast] 0
+# 1845|               ValueCategory = prvalue
+# 1845|         getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+# 1845|             Type = [LValueReferenceType] B &
+# 1845|             ValueCategory = prvalue
+# 1845|           getExpr(): [TemporaryObjectExpr] temporary object
+# 1845|               Type = [Struct] B
+# 1845|               ValueCategory = lvalue
+# 1845|       getExpr().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
+# 1845|           Type = [Struct] B
+# 1845|           ValueCategory = lvalue
+# 1846|     getStmt(2): [ReturnStmt] return ...
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
 #    4|   <params>: 
--- a/cpp/ql/test/library-tests/ir/ir/ir.cpp
+++ b/cpp/ql/test/library-tests/ir/ir/ir.cpp
@@ -1830,4 +1830,20 @@ char *global_string = "global string";

 int global_6 = global_2;

+namespace block_assignment {
+    class A {
+        enum {} e[1];
+        virtual void f();
+    };
+    
+    struct B : A {
+        B(A *);
+    };
+
+    void foo() {
+        B v(0);
+        v = 0;
+    }
+}
+
 // semmle-extractor-options: -std=c++17 --clang
--- a/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
+++ b/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
@@ -674,6 +674,10 @@
 | file://:0:0:0:0 | Address | &:r0_1 |
 | file://:0:0:0:0 | Address | &:r0_1 |
 | file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
 | file://:0:0:0:0 | Address | &:r0_2 |
 | file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_3 |
@@ -694,6 +698,13 @@
 | file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_5 |
+| file://:0:0:0:0 | Address | &:r0_5 |
+| file://:0:0:0:0 | Address | &:r0_5 |
 | file://:0:0:0:0 | Address | &:r0_5 |
 | file://:0:0:0:0 | Address | &:r0_5 |
 | file://:0:0:0:0 | Address | &:r0_5 |
@@ -702,6 +713,10 @@
 | file://:0:0:0:0 | Address | &:r0_5 |
 | file://:0:0:0:0 | Address | &:r0_6 |
 | file://:0:0:0:0 | Address | &:r0_7 |
+| file://:0:0:0:0 | Address | &:r0_7 |
+| file://:0:0:0:0 | Address | &:r0_8 |
+| file://:0:0:0:0 | Address | &:r0_8 |
+| file://:0:0:0:0 | Address | &:r0_8 |
 | file://:0:0:0:0 | Address | &:r0_8 |
 | file://:0:0:0:0 | Address | &:r0_8 |
 | file://:0:0:0:0 | Address | &:r0_8 |
@@ -711,10 +726,15 @@
 | file://:0:0:0:0 | Address | &:r0_10 |
 | file://:0:0:0:0 | Address | &:r0_11 |
 | file://:0:0:0:0 | Address | &:r0_11 |
+| file://:0:0:0:0 | Address | &:r0_11 |
 | file://:0:0:0:0 | Address | &:r0_13 |
 | file://:0:0:0:0 | Address | &:r0_15 |
 | file://:0:0:0:0 | Address | &:r0_15 |
 | file://:0:0:0:0 | Address | &:r0_15 |
+| file://:0:0:0:0 | Address | &:r0_15 |
+| file://:0:0:0:0 | Address | &:r0_16 |
+| file://:0:0:0:0 | Address | &:r0_16 |
+| file://:0:0:0:0 | Address | &:r0_17 |
 | file://:0:0:0:0 | Address | &:r0_18 |
 | file://:0:0:0:0 | Address | &:r0_18 |
 | file://:0:0:0:0 | Address | &:r0_19 |
@@ -722,6 +742,7 @@
 | file://:0:0:0:0 | Arg(0) | 0:r0_6 |
 | file://:0:0:0:0 | Arg(0) | 0:r0_8 |
 | file://:0:0:0:0 | Arg(0) | 0:r0_8 |
+| file://:0:0:0:0 | Arg(0) | 0:r0_8 |
 | file://:0:0:0:0 | Arg(0) | 0:r0_15 |
 | file://:0:0:0:0 | Arg(0) | 0:r0_15 |
 | file://:0:0:0:0 | CallTarget | func:r0_1 |
@@ -734,8 +755,12 @@
 | file://:0:0:0:0 | ChiPartial | partial:m0_8 |
 | file://:0:0:0:0 | ChiPartial | partial:m0_11 |
 | file://:0:0:0:0 | ChiPartial | partial:m0_11 |
+| file://:0:0:0:0 | ChiPartial | partial:m0_11 |
+| file://:0:0:0:0 | ChiPartial | partial:m0_13 |
+| file://:0:0:0:0 | ChiPartial | partial:m0_13 |
 | file://:0:0:0:0 | ChiTotal | total:m0_3 |
 | file://:0:0:0:0 | ChiTotal | total:m0_4 |
+| file://:0:0:0:0 | ChiTotal | total:m0_4 |
 | file://:0:0:0:0 | ChiTotal | total:m754_8 |
 | file://:0:0:0:0 | ChiTotal | total:m763_8 |
 | file://:0:0:0:0 | ChiTotal | total:m1043_10 |
@@ -743,6 +768,8 @@
 | file://:0:0:0:0 | ChiTotal | total:m1688_3 |
 | file://:0:0:0:0 | ChiTotal | total:m1716_8 |
 | file://:0:0:0:0 | ChiTotal | total:m1716_19 |
+| file://:0:0:0:0 | ChiTotal | total:m1834_8 |
+| file://:0:0:0:0 | ChiTotal | total:m1839_8 |
 | file://:0:0:0:0 | Left | r0_2 |
 | file://:0:0:0:0 | Left | r0_4 |
 | file://:0:0:0:0 | Left | r0_7 |
@@ -756,6 +783,9 @@
 | file://:0:0:0:0 | Load | m0_2 |
 | file://:0:0:0:0 | Load | m0_2 |
 | file://:0:0:0:0 | Load | m0_2 |
+| file://:0:0:0:0 | Load | m0_2 |
+| file://:0:0:0:0 | Load | m0_2 |
+| file://:0:0:0:0 | Load | m0_2 |
 | file://:0:0:0:0 | Load | m745_6 |
 | file://:0:0:0:0 | Load | m754_6 |
 | file://:0:0:0:0 | Load | m763_6 |
@@ -763,6 +793,10 @@
 | file://:0:0:0:0 | Load | m1466_4 |
 | file://:0:0:0:0 | Load | m1685_9 |
 | file://:0:0:0:0 | Load | m1714_7 |
+| file://:0:0:0:0 | Load | m1834_6 |
+| file://:0:0:0:0 | Load | m1834_6 |
+| file://:0:0:0:0 | Load | m1839_6 |
+| file://:0:0:0:0 | Load | ~m0_4 |
 | file://:0:0:0:0 | Load | ~m1444_6 |
 | file://:0:0:0:0 | Load | ~m1712_10 |
 | file://:0:0:0:0 | Load | ~m1712_14 |
@@ -779,6 +813,8 @@
 | file://:0:0:0:0 | SideEffect | m0_4 |
 | file://:0:0:0:0 | SideEffect | m0_4 |
 | file://:0:0:0:0 | SideEffect | m0_4 |
+| file://:0:0:0:0 | SideEffect | m0_4 |
+| file://:0:0:0:0 | SideEffect | m0_14 |
 | file://:0:0:0:0 | SideEffect | m1078_23 |
 | file://:0:0:0:0 | SideEffect | m1078_23 |
 | file://:0:0:0:0 | SideEffect | m1084_23 |
@@ -788,6 +824,7 @@
 | file://:0:0:0:0 | SideEffect | ~m0_4 |
 | file://:0:0:0:0 | SideEffect | ~m0_4 |
 | file://:0:0:0:0 | SideEffect | ~m0_4 |
+| file://:0:0:0:0 | SideEffect | ~m0_4 |
 | file://:0:0:0:0 | SideEffect | ~m96_8 |
 | file://:0:0:0:0 | SideEffect | ~m754_8 |
 | file://:0:0:0:0 | SideEffect | ~m763_8 |
@@ -797,6 +834,7 @@
 | file://:0:0:0:0 | SideEffect | ~m1077_8 |
 | file://:0:0:0:0 | SideEffect | ~m1240_4 |
 | file://:0:0:0:0 | SideEffect | ~m1447_6 |
+| file://:0:0:0:0 | SideEffect | ~m1839_8 |
 | file://:0:0:0:0 | StoreValue | r0_1 |
 | file://:0:0:0:0 | StoreValue | r0_1 |
 | file://:0:0:0:0 | StoreValue | r0_1 |
@@ -810,8 +848,11 @@
 | file://:0:0:0:0 | StoreValue | r0_6 |
 | file://:0:0:0:0 | StoreValue | r0_7 |
 | file://:0:0:0:0 | StoreValue | r0_9 |
+| file://:0:0:0:0 | StoreValue | r0_12 |
 | file://:0:0:0:0 | StoreValue | r0_13 |
 | file://:0:0:0:0 | StoreValue | r0_13 |
+| file://:0:0:0:0 | StoreValue | r0_19 |
+| file://:0:0:0:0 | StoreValue | r0_20 |
 | file://:0:0:0:0 | StoreValue | r0_22 |
 | file://:0:0:0:0 | StoreValue | r0_22 |
 | file://:0:0:0:0 | Unary | r0_1 |
@@ -824,18 +865,27 @@
 | file://:0:0:0:0 | Unary | r0_6 |
 | file://:0:0:0:0 | Unary | r0_6 |
 | file://:0:0:0:0 | Unary | r0_6 |
+| file://:0:0:0:0 | Unary | r0_6 |
+| file://:0:0:0:0 | Unary | r0_6 |
+| file://:0:0:0:0 | Unary | r0_7 |
 | file://:0:0:0:0 | Unary | r0_7 |
 | file://:0:0:0:0 | Unary | r0_7 |
 | file://:0:0:0:0 | Unary | r0_7 |
 | file://:0:0:0:0 | Unary | r0_8 |
 | file://:0:0:0:0 | Unary | r0_9 |
 | file://:0:0:0:0 | Unary | r0_9 |
+| file://:0:0:0:0 | Unary | r0_9 |
+| file://:0:0:0:0 | Unary | r0_10 |
 | file://:0:0:0:0 | Unary | r0_10 |
 | file://:0:0:0:0 | Unary | r0_10 |
 | file://:0:0:0:0 | Unary | r0_11 |
 | file://:0:0:0:0 | Unary | r0_12 |
 | file://:0:0:0:0 | Unary | r0_14 |
 | file://:0:0:0:0 | Unary | r0_14 |
+| file://:0:0:0:0 | Unary | r0_17 |
+| file://:0:0:0:0 | Unary | r0_18 |
+| file://:0:0:0:0 | Unary | r0_18 |
+| file://:0:0:0:0 | Unary | r0_19 |
 | file://:0:0:0:0 | Unary | r0_20 |
 | file://:0:0:0:0 | Unary | r0_20 |
 | file://:0:0:0:0 | Unary | r0_21 |
@@ -8504,6 +8554,93 @@
 | ir.cpp:1831:16:1831:23 | ChiTotal | total:m1831_2 |
 | ir.cpp:1831:16:1831:23 | Load | ~m1831_2 |
 | ir.cpp:1831:16:1831:23 | StoreValue | r1831_5 |
+| ir.cpp:1834:11:1834:11 | Address | &:r1834_5 |
+| ir.cpp:1834:11:1834:11 | Address | &:r1834_5 |
+| ir.cpp:1834:11:1834:11 | Address | &:r1834_7 |
+| ir.cpp:1834:11:1834:11 | Address | &:r1834_7 |
+| ir.cpp:1834:11:1834:11 | Address | &:r1834_10 |
+| ir.cpp:1834:11:1834:11 | ChiPartial | partial:m1834_3 |
+| ir.cpp:1834:11:1834:11 | ChiTotal | total:m1834_2 |
+| ir.cpp:1834:11:1834:11 | Load | m0_20 |
+| ir.cpp:1834:11:1834:11 | Load | m1834_6 |
+| ir.cpp:1834:11:1834:11 | SideEffect | m0_14 |
+| ir.cpp:1834:11:1834:11 | SideEffect | m1834_3 |
+| ir.cpp:1839:12:1839:12 | Address | &:r1839_5 |
+| ir.cpp:1839:12:1839:12 | Address | &:r1839_5 |
+| ir.cpp:1839:12:1839:12 | Address | &:r1839_7 |
+| ir.cpp:1839:12:1839:12 | Address | &:r1839_7 |
+| ir.cpp:1839:12:1839:12 | Address | &:r1839_9 |
+| ir.cpp:1839:12:1839:12 | Address | &:r1839_12 |
+| ir.cpp:1839:12:1839:12 | Address | &:r1839_20 |
+| ir.cpp:1839:12:1839:12 | Arg(this) | this:r0_5 |
+| ir.cpp:1839:12:1839:12 | CallTarget | func:r1839_11 |
+| ir.cpp:1839:12:1839:12 | ChiPartial | partial:m1839_3 |
+| ir.cpp:1839:12:1839:12 | ChiPartial | partial:m1839_17 |
+| ir.cpp:1839:12:1839:12 | ChiTotal | total:m1839_2 |
+| ir.cpp:1839:12:1839:12 | ChiTotal | total:m1839_4 |
+| ir.cpp:1839:12:1839:12 | Load | m0_2 |
+| ir.cpp:1839:12:1839:12 | Load | m0_21 |
+| ir.cpp:1839:12:1839:12 | Load | m1839_6 |
+| ir.cpp:1839:12:1839:12 | Load | m1839_6 |
+| ir.cpp:1839:12:1839:12 | SideEffect | m0_12 |
+| ir.cpp:1839:12:1839:12 | SideEffect | ~m1839_4 |
+| ir.cpp:1839:12:1839:12 | SideEffect | ~m1839_18 |
+| ir.cpp:1839:12:1839:12 | Unary | r1839_10 |
+| ir.cpp:1839:12:1839:12 | Unary | r1839_13 |
+| ir.cpp:1839:12:1839:12 | Unary | r1839_14 |
+| ir.cpp:1839:12:1839:12 | Unary | r1839_15 |
+| ir.cpp:1839:12:1839:12 | Unary | r1839_16 |
+| ir.cpp:1843:10:1843:12 | ChiPartial | partial:m1843_3 |
+| ir.cpp:1843:10:1843:12 | ChiTotal | total:m1843_2 |
+| ir.cpp:1843:10:1843:12 | SideEffect | ~m1845_18 |
+| ir.cpp:1844:11:1844:11 | Address | &:r1844_1 |
+| ir.cpp:1844:11:1844:11 | Address | &:r1844_1 |
+| ir.cpp:1844:11:1844:11 | Arg(this) | this:r1844_1 |
+| ir.cpp:1844:13:1844:13 | Address | &:r1844_4 |
+| ir.cpp:1844:13:1844:13 | Address | &:r1844_4 |
+| ir.cpp:1844:13:1844:13 | Arg(0) | 0:r1844_4 |
+| ir.cpp:1844:13:1844:13 | ChiPartial | partial:m1844_11 |
+| ir.cpp:1844:13:1844:13 | ChiTotal | total:m1844_7 |
+| ir.cpp:1844:13:1844:13 | SideEffect | ~m1844_7 |
+| ir.cpp:1844:13:1844:14 | CallTarget | func:r1844_3 |
+| ir.cpp:1844:13:1844:14 | ChiPartial | partial:m1844_6 |
+| ir.cpp:1844:13:1844:14 | ChiPartial | partial:m1844_9 |
+| ir.cpp:1844:13:1844:14 | ChiTotal | total:m1843_4 |
+| ir.cpp:1844:13:1844:14 | ChiTotal | total:m1844_2 |
+| ir.cpp:1844:13:1844:14 | SideEffect | ~m1843_4 |
+| ir.cpp:1845:9:1845:9 | Address | &:r1845_1 |
+| ir.cpp:1845:9:1845:9 | Address | &:r1845_1 |
+| ir.cpp:1845:9:1845:9 | Arg(this) | this:r1845_1 |
+| ir.cpp:1845:9:1845:9 | ChiPartial | partial:m1845_21 |
+| ir.cpp:1845:9:1845:9 | ChiTotal | total:m1844_10 |
+| ir.cpp:1845:9:1845:9 | SideEffect | m1844_10 |
+| ir.cpp:1845:11:1845:11 | CallTarget | func:r1845_2 |
+| ir.cpp:1845:11:1845:11 | ChiPartial | partial:m1845_17 |
+| ir.cpp:1845:11:1845:11 | ChiTotal | total:m1845_14 |
+| ir.cpp:1845:11:1845:11 | SideEffect | ~m1845_14 |
+| ir.cpp:1845:11:1845:11 | Unary | r1845_16 |
+| ir.cpp:1845:13:1845:13 | Address | &:r1845_3 |
+| ir.cpp:1845:13:1845:13 | Address | &:r1845_3 |
+| ir.cpp:1845:13:1845:13 | Address | &:r1845_6 |
+| ir.cpp:1845:13:1845:13 | Address | &:r1845_6 |
+| ir.cpp:1845:13:1845:13 | Address | &:r1845_15 |
+| ir.cpp:1845:13:1845:13 | Address | &:r1845_15 |
+| ir.cpp:1845:13:1845:13 | Arg(0) | 0:r1845_6 |
+| ir.cpp:1845:13:1845:13 | Arg(0) | 0:r1845_15 |
+| ir.cpp:1845:13:1845:13 | Arg(this) | this:r1845_3 |
+| ir.cpp:1845:13:1845:13 | CallTarget | func:r1845_5 |
+| ir.cpp:1845:13:1845:13 | ChiPartial | partial:m1845_8 |
+| ir.cpp:1845:13:1845:13 | ChiPartial | partial:m1845_11 |
+| ir.cpp:1845:13:1845:13 | ChiPartial | partial:m1845_13 |
+| ir.cpp:1845:13:1845:13 | ChiPartial | partial:m1845_23 |
+| ir.cpp:1845:13:1845:13 | ChiTotal | total:m1844_12 |
+| ir.cpp:1845:13:1845:13 | ChiTotal | total:m1845_4 |
+| ir.cpp:1845:13:1845:13 | ChiTotal | total:m1845_9 |
+| ir.cpp:1845:13:1845:13 | ChiTotal | total:m1845_12 |
+| ir.cpp:1845:13:1845:13 | SideEffect | ~m1844_12 |
+| ir.cpp:1845:13:1845:13 | SideEffect | ~m1845_9 |
+| ir.cpp:1845:13:1845:13 | SideEffect | ~m1845_12 |
+| ir.cpp:1845:13:1845:13 | Unary | r1845_3 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -9797,6 +9797,123 @@ ir.cpp:
 # 1831|     v1831_8(void)       = AliasedUse                : ~m?
 # 1831|     v1831_9(void)       = ExitFunction              : 

+# 1834| block_assignment::A& block_assignment::A::operator=(block_assignment::A&&)
+# 1834|   Block 0
+# 1834|     v1834_1(void)                   = EnterFunction                                : 
+# 1834|     mu1834_2(unknown)               = AliasedDefinition                            : 
+# 1834|     mu1834_3(unknown)               = InitializeNonLocal                           : 
+# 1834|     r1834_4(glval<unknown>)         = VariableAddress[#this]                       : 
+# 1834|     mu1834_5(glval<A>)              = InitializeParameter[#this]                   : &:r1834_4
+# 1834|     r1834_6(glval<A>)               = Load[#this]                                  : &:r1834_4, ~m?
+# 1834|     mu1834_7(A)                     = InitializeIndirection[#this]                 : &:r1834_6
+#-----|     r0_1(glval<A &&>)               = VariableAddress[(unnamed parameter 0)]       : 
+#-----|     mu0_2(A &&)                     = InitializeParameter[(unnamed parameter 0)]   : &:r0_1
+#-----|     r0_3(A &&)                      = Load[(unnamed parameter 0)]                  : &:r0_1, ~m?
+#-----|     mu0_4(unknown)                  = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
+#-----|     r0_5(glval<unknown>)            = VariableAddress[#this]                       : 
+#-----|     r0_6(A *)                       = Load[#this]                                  : &:r0_5, ~m?
+#-----|     r0_7(glval<enum <unnamed>[1]>)  = FieldAddress[e]                              : r0_6
+#-----|     r0_8(glval<A &&>)               = VariableAddress[(unnamed parameter 0)]       : 
+#-----|     r0_9(A &&)                      = Load[(unnamed parameter 0)]                  : &:r0_8, ~m?
+#-----|     r0_10(glval<A>)                 = CopyValue                                    : r0_9
+#-----|     r0_11(glval<enum <unnamed>[1]>) = FieldAddress[e]                              : r0_10
+#-----|     r0_12(enum <unnamed>[1])        = Load[?]                                      : &:r0_11, ~m?
+#-----|     mu0_13(enum <unnamed>[1])       = Store[?]                                     : &:r0_7, r0_12
+#-----|     r0_14(glval<A &>)               = VariableAddress[#return]                     : 
+#-----|     r0_15(glval<unknown>)           = VariableAddress[#this]                       : 
+#-----|     r0_16(A *)                      = Load[#this]                                  : &:r0_15, ~m?
+#-----|     r0_17(glval<A>)                 = CopyValue                                    : r0_16
+#-----|     r0_18(A &)                      = CopyValue                                    : r0_17
+#-----|     mu0_19(A &)                     = Store[#return]                               : &:r0_14, r0_18
+# 1834|     v1834_8(void)                   = ReturnIndirection[#this]                     : &:r1834_6, ~m?
+#-----|     v0_20(void)                     = ReturnIndirection[(unnamed parameter 0)]     : &:r0_3, ~m?
+# 1834|     r1834_9(glval<A &>)             = VariableAddress[#return]                     : 
+# 1834|     v1834_10(void)                  = ReturnValue                                  : &:r1834_9, ~m?
+# 1834|     v1834_11(void)                  = AliasedUse                                   : ~m?
+# 1834|     v1834_12(void)                  = ExitFunction                                 : 
+
+# 1839| block_assignment::B& block_assignment::B::operator=(block_assignment::B&&)
+# 1839|   Block 0
+# 1839|     v1839_1(void)            = EnterFunction                                : 
+# 1839|     mu1839_2(unknown)        = AliasedDefinition                            : 
+# 1839|     mu1839_3(unknown)        = InitializeNonLocal                           : 
+# 1839|     r1839_4(glval<unknown>)  = VariableAddress[#this]                       : 
+# 1839|     mu1839_5(glval<B>)       = InitializeParameter[#this]                   : &:r1839_4
+# 1839|     r1839_6(glval<B>)        = Load[#this]                                  : &:r1839_4, ~m?
+# 1839|     mu1839_7(B)              = InitializeIndirection[#this]                 : &:r1839_6
+#-----|     r0_1(glval<B &&>)        = VariableAddress[(unnamed parameter 0)]       : 
+#-----|     mu0_2(B &&)              = InitializeParameter[(unnamed parameter 0)]   : &:r0_1
+#-----|     r0_3(B &&)               = Load[(unnamed parameter 0)]                  : &:r0_1, ~m?
+#-----|     mu0_4(unknown)           = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
+# 1839|     r1839_8(glval<unknown>)  = VariableAddress[#this]                       : 
+# 1839|     r1839_9(B *)             = Load[#this]                                  : &:r1839_8, ~m?
+#-----|     r0_5(A *)                = ConvertToNonVirtualBase[B : A]               : r1839_9
+# 1839|     r1839_10(glval<unknown>) = FunctionAddress[operator=]                   : 
+# 1839|     r1839_11(glval<B &&>)    = VariableAddress[(unnamed parameter 0)]       : 
+# 1839|     r1839_12(B &&)           = Load[(unnamed parameter 0)]                  : &:r1839_11, ~m?
+#-----|     r0_6(glval<B>)           = CopyValue                                    : r1839_12
+# 1839|     r1839_13(B *)            = CopyValue                                    : r0_6
+#-----|     r0_7(A *)                = ConvertToNonVirtualBase[B : A]               : r1839_13
+# 1839|     r1839_14(glval<A>)       = CopyValue                                    : r0_7
+#-----|     r0_8(A &)                = CopyValue                                    : r1839_14
+# 1839|     r1839_15(A &)            = Call[operator=]                              : func:r1839_10, this:r0_5, 0:r0_8
+# 1839|     mu1839_16(unknown)       = ^CallSideEffect                              : ~m?
+#-----|     v0_9(void)               = ^IndirectReadSideEffect[-1]                  : &:r0_5, ~m?
+#-----|     v0_10(void)              = ^BufferReadSideEffect[0]                     : &:r0_8, ~m?
+#-----|     mu0_11(A)                = ^IndirectMayWriteSideEffect[-1]              : &:r0_5
+#-----|     mu0_12(unknown)          = ^BufferMayWriteSideEffect[0]                 : &:r0_8
+#-----|     r0_13(glval<A>)          = CopyValue                                    : r1839_15
+#-----|     r0_14(glval<B &>)        = VariableAddress[#return]                     : 
+#-----|     r0_15(glval<unknown>)    = VariableAddress[#this]                       : 
+#-----|     r0_16(B *)               = Load[#this]                                  : &:r0_15, ~m?
+#-----|     r0_17(glval<B>)          = CopyValue                                    : r0_16
+#-----|     r0_18(B &)               = CopyValue                                    : r0_17
+#-----|     mu0_19(B &)              = Store[#return]                               : &:r0_14, r0_18
+# 1839|     v1839_17(void)           = ReturnIndirection[#this]                     : &:r1839_6, ~m?
+#-----|     v0_20(void)              = ReturnIndirection[(unnamed parameter 0)]     : &:r0_3, ~m?
+# 1839|     r1839_18(glval<B &>)     = VariableAddress[#return]                     : 
+# 1839|     v1839_19(void)           = ReturnValue                                  : &:r1839_18, ~m?
+# 1839|     v1839_20(void)           = AliasedUse                                   : ~m?
+# 1839|     v1839_21(void)           = ExitFunction                                 : 
+
+# 1843| void block_assignment::foo()
+# 1843|   Block 0
+# 1843|     v1843_1(void)           = EnterFunction                   : 
+# 1843|     mu1843_2(unknown)       = AliasedDefinition               : 
+# 1843|     mu1843_3(unknown)       = InitializeNonLocal              : 
+# 1844|     r1844_1(glval<B>)       = VariableAddress[v]              : 
+# 1844|     mu1844_2(B)             = Uninitialized[v]                : &:r1844_1
+# 1844|     r1844_3(glval<unknown>) = FunctionAddress[B]              : 
+# 1844|     r1844_4(A *)            = Constant[0]                     : 
+# 1844|     v1844_5(void)           = Call[B]                         : func:r1844_3, this:r1844_1, 0:r1844_4
+# 1844|     mu1844_6(unknown)       = ^CallSideEffect                 : ~m?
+# 1844|     v1844_7(void)           = ^BufferReadSideEffect[0]        : &:r1844_4, ~m?
+# 1844|     mu1844_8(B)             = ^IndirectMayWriteSideEffect[-1] : &:r1844_1
+# 1844|     mu1844_9(unknown)       = ^BufferMayWriteSideEffect[0]    : &:r1844_4
+# 1845|     r1845_1(glval<B>)       = VariableAddress[v]              : 
+# 1845|     r1845_2(glval<unknown>) = FunctionAddress[operator=]      : 
+# 1845|     r1845_3(glval<B>)       = VariableAddress[#temp1845:13]   : 
+# 1845|     mu1845_4(B)             = Uninitialized[#temp1845:13]     : &:r1845_3
+# 1845|     r1845_5(glval<unknown>) = FunctionAddress[B]              : 
+# 1845|     r1845_6(A *)            = Constant[0]                     : 
+# 1845|     v1845_7(void)           = Call[B]                         : func:r1845_5, this:r1845_3, 0:r1845_6
+# 1845|     mu1845_8(unknown)       = ^CallSideEffect                 : ~m?
+# 1845|     v1845_9(void)           = ^BufferReadSideEffect[0]        : &:r1845_6, ~m?
+# 1845|     mu1845_10(B)            = ^IndirectMayWriteSideEffect[-1] : &:r1845_3
+# 1845|     mu1845_11(unknown)      = ^BufferMayWriteSideEffect[0]    : &:r1845_6
+# 1845|     r1845_12(B &)           = CopyValue                       : r1845_3
+# 1845|     r1845_13(B &)           = Call[operator=]                 : func:r1845_2, this:r1845_1, 0:r1845_12
+# 1845|     mu1845_14(unknown)      = ^CallSideEffect                 : ~m?
+# 1845|     v1845_15(void)          = ^IndirectReadSideEffect[-1]     : &:r1845_1, ~m?
+# 1845|     v1845_16(void)          = ^BufferReadSideEffect[0]        : &:r1845_12, ~m?
+# 1845|     mu1845_17(B)            = ^IndirectMayWriteSideEffect[-1] : &:r1845_1
+# 1845|     mu1845_18(unknown)      = ^BufferMayWriteSideEffect[0]    : &:r1845_12
+# 1845|     r1845_19(glval<B>)      = CopyValue                       : r1845_13
+# 1846|     v1846_1(void)           = NoOp                            : 
+# 1843|     v1843_4(void)           = ReturnVoid                      : 
+# 1843|     v1843_5(void)           = AliasedUse                      : ~m?
+# 1843|     v1843_6(void)           = ExitFunction                    : 
+
 perf-regression.cpp:
 #    6| void Big::Big()
 #    6|   Block 0
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,5 +1,3 @@
-## 1.2.3
-
 ## 1.2.2

 ## 1.2.1
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.3.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.3.md
@@ -1 +0,0 @@
-## 1.2.3
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.2.3
+lastReleaseVersion: 1.2.2
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.2.3
+version: 1.2.3-dev
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,5 +1,3 @@
-## 1.2.3
-
 ## 1.2.2

 ## 1.2.1
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.3.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.3.md
@@ -1 +0,0 @@
-## 1.2.3
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.2.3
+lastReleaseVersion: 1.2.2
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.2.3
+version: 1.2.3-dev
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,5 +1,3 @@
-## 0.3.3
-
 ## 0.3.2

 ## 0.3.1
--- a/csharp/ql/lib/change-notes/released/0.3.3.md
+++ b/csharp/ql/lib/change-notes/released/0.3.3.md
@@ -1 +0,0 @@
-## 0.3.3
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.3
+lastReleaseVersion: 0.3.2
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.3.3
+version: 0.3.3-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
@@ -1288,7 +1288,7 @@ module Statements {
    }

    final override predicate first(ControlFlowElement first) {
-      // Unlike most other statements, `foreach` statements are not modelled in
+      // Unlike most other statements, `foreach` statements are not modeled in
      // pre-order, because we use the `foreach` node itself to represent the
      // emptiness test that determines whether to execute the loop body
      first(this.getIterableExpr(), first)
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll
@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
      else cc instanceof CallContextAny
    ) and
    sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
  }

  predicate isAtSink() {
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -149,7 +149,7 @@ private module Cached {
    // Taint members
    readStep(nodeFrom, any(TaintedMember m).(FieldOrProperty).getContent(), nodeTo)
    or
-    // Although flow through collections is modelled precisely using stores/reads, we still
+    // Although flow through collections is modeled precisely using stores/reads, we still
    // allow flow out of a _tainted_ collection. This is needed in order to support taint-
    // tracking configurations where the source is a collection
    readStep(nodeFrom, TElementContent(), nodeTo)
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
@@ -889,7 +889,7 @@ private class YamlDotNetDeserializerDeserializeMethodSink extends ConstructorOrS
 }

 /** Newtonsoft.Json.JsonConvert */
-private class NewtonsoftJsonConvertDeserializeObjectMethodSink extends ConstructorOrStaticMethodSink {
+private class NewtonsoftJsonConvertDeserializeObjectMethodSink extends Sink {
  NewtonsoftJsonConvertDeserializeObjectMethodSink() {
    exists(MethodCall mc, Method m |
      m = mc.getTarget() and
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,5 +1,3 @@
-## 0.3.2
-
 ## 0.3.1

 ## 0.3.0
--- a/csharp/ql/src/change-notes/2022-08-11-unsafe-deserialization.md
+++ b/csharp/ql/src/change-notes/2022-08-11-unsafe-deserialization.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `cs/unsafe-deserialization-untrusted-input` is not reporting on all calls of `JsonConvert.DeserializeObject` any longer, it only covers cases that explicitly use unsafe serialization settings.
--- a/csharp/ql/src/change-notes/released/0.3.2.md
+++ b/csharp/ql/src/change-notes/released/0.3.2.md
@@ -1 +0,0 @@
-## 0.3.2
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.2
+lastReleaseVersion: 0.3.1
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.3.2
+version: 0.3.2-dev
 groups: 
  - csharp
  - queries
--- a/Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/Test.cs
+++ b/Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/Test.cs
@@ -0,0 +1,27 @@
+using Newtonsoft;
+using Newtonsoft.Json;
+using System.Web.UI.WebControls;
+
+class Test
+{
+    public static object Deserialize1(TextBox data)
+    {
+        return JsonConvert.DeserializeObject(data.Text, new JsonSerializerSettings
+        {
+            TypeNameHandling = TypeNameHandling.None // OK
+        });
+    }
+
+    public static object Deserialize2(TextBox data)
+    {
+        return JsonConvert.DeserializeObject(data.Text, new JsonSerializerSettings
+        {
+            TypeNameHandling = TypeNameHandling.Auto // BAD
+        });
+    }
+
+    public static object Deserialize(TextBox data)
+    {
+        return JsonConvert.DeserializeObject(data.Text); // OK, not checking if JsonSerializerSettings is set globally with unsafe settings
+    }
+}
--- a/Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/UnsafeDeserializationUntrustedInput.expected
+++ b/Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/UnsafeDeserializationUntrustedInput.expected
@@ -0,0 +1,21 @@
+edges
+| ../../../../resources/stubs/Newtonsoft.Json/13.0.1/Newtonsoft.Json.cs:930:20:930:20 | 4 : Int32 | Test.cs:19:32:19:52 | access to constant Auto : Int32 |
+| Test.cs:9:46:9:49 | access to parameter data : TextBox | Test.cs:9:46:9:54 | access to property Text |
+| Test.cs:17:46:17:49 | access to parameter data : TextBox | Test.cs:17:46:17:54 | access to property Text |
+| Test.cs:19:32:19:52 | access to constant Auto : Int32 | Test.cs:17:57:20:9 | object creation of type JsonSerializerSettings |
+| Test.cs:19:32:19:52 | access to constant Auto : TypeNameHandling | Test.cs:17:57:20:9 | object creation of type JsonSerializerSettings |
+| Test.cs:25:46:25:49 | access to parameter data : TextBox | Test.cs:25:46:25:54 | access to property Text |
+nodes
+| ../../../../resources/stubs/Newtonsoft.Json/13.0.1/Newtonsoft.Json.cs:930:20:930:20 | 4 : Int32 | semmle.label | 4 : Int32 |
+| Test.cs:9:46:9:49 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
+| Test.cs:9:46:9:54 | access to property Text | semmle.label | access to property Text |
+| Test.cs:17:46:17:49 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
+| Test.cs:17:46:17:54 | access to property Text | semmle.label | access to property Text |
+| Test.cs:17:57:20:9 | object creation of type JsonSerializerSettings | semmle.label | object creation of type JsonSerializerSettings |
+| Test.cs:19:32:19:52 | access to constant Auto : Int32 | semmle.label | access to constant Auto : Int32 |
+| Test.cs:19:32:19:52 | access to constant Auto : TypeNameHandling | semmle.label | access to constant Auto : TypeNameHandling |
+| Test.cs:25:46:25:49 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
+| Test.cs:25:46:25:54 | access to property Text | semmle.label | access to property Text |
+subpaths
+#select
+| Test.cs:17:46:17:54 | access to property Text | Test.cs:17:46:17:49 | access to parameter data : TextBox | Test.cs:17:46:17:54 | access to property Text | $@ flows to unsafe deserializer. | Test.cs:17:46:17:49 | access to parameter data : TextBox | User-provided data |
--- a/Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/UnsafeDeserializationUntrustedInput.qlref
+++ b/Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/UnsafeDeserializationUntrustedInput.qlref
@@ -0,0 +1 @@
+Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
--- a/Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/options
+++ b/Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/options
@@ -0,0 +1 @@
+semmle-extractor-options: /nostdlib /noconfig --load-sources-from-project:${testdir}/../../../../resources/stubs/Newtonsoft.Json/13.0.1/Newtonsoft.Json.csproj ${testdir}/../../../../resources/stubs/System.Web.cs
--- a/csharp/ql/test/resources/stubs/Newtonsoft.Json/13.0.1/Newtonsoft.Json.cs
+++ b/csharp/ql/test/resources/stubs/Newtonsoft.Json/13.0.1/Newtonsoft.Json.cs
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,5 +1,3 @@
-## 0.2.3
-
 ## 0.2.2

 ## 0.2.1
--- a/go/ql/lib/change-notes/released/0.2.3.md
+++ b/go/ql/lib/change-notes/released/0.2.3.md
@@ -1 +0,0 @@
-## 0.2.3
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.3
+lastReleaseVersion: 0.2.2
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 0.2.3
+version: 0.2.3-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go
--- a/go/ql/lib/semmle/go/Expr.qll
+++ b/go/ql/lib/semmle/go/Expr.qll
@@ -1671,7 +1671,7 @@ class MulExpr extends @mulexpr, ArithmeticBinaryExpr {
 }

 /**
- * A divison or quotient expression using `/`.
+ * A division or quotient expression using `/`.
 *
 * Examples:
 *
--- a/go/ql/lib/semmle/go/dataflow/FlowSummary.qll
+++ b/go/ql/lib/semmle/go/dataflow/FlowSummary.qll
@@ -1,5 +1,5 @@
 /**
- * Provides classes and predicates for definining flow summaries.
+ * Provides classes and predicates for defining flow summaries.
 */

 import go
--- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImplCommon.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImplCommon.qll
@@ -280,7 +280,7 @@ cached
 private module Cached {
  /**
   * If needed, call this predicate from `DataFlowImplSpecific.qll` in order to
-   * force a stage-dependency on the `DataFlowImplCommon.qll` stage and therby
+   * force a stage-dependency on the `DataFlowImplCommon.qll` stage and thereby
   * collapsing the two stages.
   */
  cached
--- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll
@@ -110,7 +110,7 @@ predicate jumpStep(Node n1, Node n2) {
 * value of `node1`.
 */
 predicate storeStep(Node node1, Content c, Node node2) {
-  // a write `(*p).f = rhs` is modelled as two store steps: `rhs` is flows into field `f` of `(*p)`,
+  // a write `(*p).f = rhs` is modeled as two store steps: `rhs` is flows into field `f` of `(*p)`,
  // which in turn flows into the pointer content of `p`
  exists(Write w, Field f, DataFlow::Node base, DataFlow::Node rhs | w.writesField(base, f, rhs) |
    node1 = rhs and
--- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowUtil.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowUtil.qll
@@ -269,7 +269,7 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
  }

  /**
-   * Holds if `guard` markes a point in the control-flow graph where this node
+   * Holds if `guard` marks a point in the control-flow graph where this node
   * is known to validate `nd`, which is represented by `ap`.
   *
   * This predicate exists to enforce a good join order in `getAGuardedNode`.
@@ -280,7 +280,7 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
  }

  /**
-   * Holds if `guard` markes a point in the control-flow graph where this node
+   * Holds if `guard` marks a point in the control-flow graph where this node
   * is known to validate `nd`.
   */
  private predicate guards(Node g, ControlFlow::ConditionGuardNode guard, Node nd) {
--- a/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll
@@ -149,7 +149,7 @@ module NetHttp {
      )
      or
      exists(TaintTracking::FunctionModel model |
-        // A modelled function conveying taint from some input to the response writer,
+        // A modeled function conveying taint from some input to the response writer,
        // e.g. `io.Copy(responseWriter, someTaintedReader)`
        model.taintStep(this, responseWriter) and
        responseWriter.getType().implements("net/http", "ResponseWriter")
--- a/go/ql/lib/semmle/go/security/ExternalAPIs.qll
+++ b/go/ql/lib/semmle/go/security/ExternalAPIs.qll
@@ -65,7 +65,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
      this = call.getReceiver() and
      i = -1
    ) and
-    // Not defined in the code that is being analysed
+    // Not defined in the code that is being analyzed
    not exists(call.getACallee().getBody()) and
    // Not a function pointer, unless it's declared at package scope
    not isProbableLocalFunctionPointer(call) and
@@ -124,7 +124,7 @@ Package getAPackageWithFunctionModels() {
 Package getAPackageWithModels() {
  result = getAPackageWithFunctionModels()
  or
-  // An incomplete list of packages which have been modelled but do not have any function models
+  // An incomplete list of packages which have been modeled but do not have any function models
  result.getPath() in [
      Logrus::packagePath(), GolangOrgXNetWebsocket::packagePath(), GorillaWebsocket::packagePath()
    ]
--- a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
+++ b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
@@ -98,7 +98,7 @@ class ConversionWithoutBoundsCheckConfig extends TaintTracking::Configuration {
      ) and
      // `effectiveBitSize` could be any value between 0 and 64, but we
      // can round it up to the nearest size of an integer type without
-      // changing behaviour.
+      // changing behavior.
      sourceBitSize = min(int b | b in [0, 8, 16, 32, 64] and b >= effectiveBitSize)
    )
  }
--- a/go/ql/lib/semmle/go/security/Xss.qll
+++ b/go/ql/lib/semmle/go/security/Xss.qll
@@ -14,7 +14,7 @@ module SharedXss {
    /**
     * Gets the kind of vulnerability to report in the alert message.
     *
-     * Defaults to `Cross-site scripting`, but may be overriden for sinks
+     * Defaults to `Cross-site scripting`, but may be overridden for sinks
     * that do not allow script injection, but injection of other undesirable HTML elements.
     */
    string getVulnerabilityKind() { result = "Cross-site scripting" }
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 0.2.3
-
-### Minor Analysis Improvements
-
-* The query `go/path-injection` no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.
-
 ## 0.2.2

 ## 0.2.1
--- a/go/ql/src/change-notes/2022-08-02-path-injection-sanitizer.md
+++ b/go/ql/src/change-notes/2022-08-02-path-injection-sanitizer.md
@@ -1,5 +1,4 @@
-## 0.2.3
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * The query `go/path-injection` no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.3
+lastReleaseVersion: 0.2.2
--- a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql
+++ b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql
@@ -20,9 +20,9 @@ from
 where
  // there should be a flow between source and the operand sink
  config.hasFlowPath(source, operand) and
-  // both the operand should belong to the same comparision expression
+  // both the operand should belong to the same comparison expression
  operand.getNode().asExpr() = comp.getAnOperand() and
-  // get the ConditionGuardNode corresponding to the comparision expr.
+  // get the ConditionGuardNode corresponding to the comparison expr.
  guard.getCondition() = comp and
  // the sink `sensitiveSink` should be sensitive,
  isSensitive(sensitiveSink, classification) and
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 0.2.3
+version: 0.2.3-dev
 groups:
  - go
  - queries
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,10 +1,3 @@
-## 0.3.3
-
-### Minor Analysis Improvements
-
-* Improved analysis of the Android class `AsyncTask` so that data can properly flow through its methods according to the life-cycle steps described here: https://developer.android.com/reference/android/os/AsyncTask#the-4-steps.
-* Added a data-flow model for the `setProperty` method of `java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a `Properties` instance.
-
 ## 0.3.2

 ### New Features
--- a/java/ql/lib/change-notes/2022-08-03-properties.md
+++ b/java/ql/lib/change-notes/2022-08-03-properties.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a data-flow model for the `setProperty` method of `java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a `Properties` instance.
--- a/java/ql/lib/change-notes/2022-08-05-asynctask-improvements.md
+++ b/java/ql/lib/change-notes/2022-08-05-asynctask-improvements.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved analysis of the Android class `AsyncTask` so that data can properly flow through its methods according to the life-cycle steps described here: https://developer.android.com/reference/android/os/AsyncTask#the-4-steps.
--- a/java/ql/lib/change-notes/released/0.3.3.md
+++ b/java/ql/lib/change-notes/released/0.3.3.md
@@ -1,6 +0,0 @@
-## 0.3.3
-
-### Minor Analysis Improvements
-
-* Improved analysis of the Android class `AsyncTask` so that data can properly flow through its methods according to the life-cycle steps described here: https://developer.android.com/reference/android/os/AsyncTask#the-4-steps.
-* Added a data-flow model for the `setProperty` method of `java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a `Properties` instance.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.3
+lastReleaseVersion: 0.3.2
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.3.3
+version: 0.3.3-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Nick Rolfe	ccda5fa451	Ruby: sort TRAP output	2022-08-15 10:54:38 +01:00
Mathias Vorreiter Pedersen	dfde5712a3	Merge pull request #10031 from jketema/block-assign C++: Handle block assignments	2022-08-15 10:29:23 +01:00
Anders Schack-Mulligen	a3fb54c9de	Merge pull request #10007 from aschackmull/dataflow/source-node-identity Dataflow: Fix identification of source PathNodes in the presence of source-to-source flow	2022-08-15 10:39:17 +02:00
Jeroen Ketema	40334a21ce	C++: add upgrade and downgrade scripts	2022-08-13 15:09:06 +02:00
Jeroen Ketema	cac6bd57ab	C++: Update DB scheme stats file	2022-08-13 01:01:30 +02:00
Jeroen Ketema	0449d914c4	C++: Add change note	2022-08-12 18:43:24 +02:00
Jeroen Ketema	4d76fd198e	C++: Handle block assignments in the IR	2022-08-12 18:43:23 +02:00
Jeroen Ketema	5c905b76b4	C++: Expose block assignment operations in the QL library	2022-08-12 18:43:23 +02:00
Jeroen Ketema	ebf8161f1b	C++: Add block assignment expression to the database schema These can under some circumstances be generated by the frontend as part of compiler generated copy constructors and assignment operators.	2022-08-12 18:43:23 +02:00
Jeroen Ketema	e1b1657cdd	C++: Remove unused abstract predicate	2022-08-12 18:43:23 +02:00
Jeroen Ketema	de142b276d	C++: Add IR test that exposes a gap in the extractor output	2022-08-12 18:43:23 +02:00
Tamás Vajk	1d56330baa	Merge pull request #9782 from tamasvajk/cs/newtonsoft-deserialization C#: Fix unsafe deserialization with `JsonConvert.DeserializeObject`	2022-08-12 14:46:41 +02:00
Tamas Vajk	740265dc38	Add change note	2022-08-11 13:32:49 +02:00
Erik Krogh Kristensen	73df8e4c7d	Merge pull request #9832 from erik-krogh/misspellings Fix lots of misspellings	2022-08-11 12:43:26 +02:00
Jeroen Ketema	2a9af11727	Merge pull request #10021 from jketema/consistency C++: Add internal metrics query for IR consistency	2022-08-11 12:39:22 +02:00
Geoffrey White	2ee1979546	Merge pull request #10014 from geoffw0/inlinetaint Swift: Add an inline expectations test for taint flow	2022-08-11 11:18:18 +01:00
Geoffrey White	1dcc44ff2f	Swift: taintedFromLine -> tainted.	2022-08-11 11:01:05 +01:00
Rasmus Wriedt Larsen	ff23f8ef86	Merge pull request #9855 from tausbn/python-fix-bad-scope_entry_transfer-join Python: Fix bad join in scope entry transfer	2022-08-11 11:55:51 +02:00
Jeroen Ketema	5259025c67	Merge pull request #10020 from jketema/jketema/minor C++: Improve QLDoc based on earlier review	2022-08-11 11:45:59 +02:00
Jeroen Ketema	c89592cda7	C++: Add internal metrics query for IR consistency	2022-08-11 11:39:52 +02:00
Jeroen Ketema	faaf1ec30d	C++: Improve QLDoc based on earlier review	2022-08-11 11:31:21 +02:00
Tamas Vajk	7a406d8e41	C#: Fix unsafe deserialization with `JsonConvert.DeserializeObject` Remove false positives when `JsonConvert.DeserializeObject` is called with not necessarily unsafe settings.	2022-08-11 11:00:46 +02:00
Tamas Vajk	6e6bd208b1	C#: Add test case for `JsonConvert.DeserializeObject` in unsafe deserialization tests	2022-08-11 11:00:23 +02:00
Tamas Vajk	548d7ac37d	C#: Regenerate Newtonsoft.Json test stub The newly generated stubs contain the actual values of enum constants.	2022-08-11 10:52:48 +02:00
erik-krogh	a5239bc1e8	fix one more misspelling in swift	2022-08-11 10:27:20 +02:00
erik-krogh	eb6c2882f9	cleanup pack in QL-for-QL	2022-08-11 10:22:32 +02:00
Erik Krogh Kristensen	803e079dab	fix accidental typo Co-authored-by: Chris Smowton <smowton@github.com>	2022-08-10 23:23:32 +02:00
Erik Krogh Kristensen	a66229ee9d	update the expected output of the misspelling test	2022-08-10 23:21:41 +02:00
Erik Krogh Kristensen	887f6557ed	fix common misspellings throughout github/codeql	2022-08-10 23:21:41 +02:00
Erik Krogh Kristensen	db614bda29	generalize the ql/misspelling query to work on all kinds of comments	2022-08-10 23:21:41 +02:00
Geoffrey White	d16a7754e1	Swift: Take out common code.	2022-08-10 19:04:01 +01:00
Geoffrey White	d7f50eafae	Swift: Minor fixes.	2022-08-10 19:03:52 +01:00
Geoffrey White	11f45cf20c	Swift: Add expectation annotations.	2022-08-10 18:53:45 +01:00
Geoffrey White	c2ee5fe258	Swift: Add inlineExpectations test.	2022-08-10 18:47:46 +01:00
Anders Schack-Mulligen	abad133ab5	Dataflow: Fix identification of source PathNodes in the presence of source-to-source flow.	2022-08-10 15:02:56 +02:00
Taus	87960b6e42	Python: Fix bad join in scope entry transfer How it started: ``` Tuple counts for Base::BaseFlow::scope_entry_value_transfer_from_earlier#f76ef5bb#ffff/4@f2af49f5 after 18s: 1526390 ~0% {3} r1 = JOIN Base::BaseFlow::scope_entry_value_transfer_from_earlier#f76ef5bb#ffff#shared WITH Essa::EssaVariable::getScope#dispred#f0820431#ff ON FIRST 1 OUTPUT Rhs.1 'pred_scope', Lhs.0 'pred_var', Lhs.1 7798319 ~0% {4} r2 = JOIN r1 WITH Scope::Scope::precedes#dispred#f0820431#ff ON FIRST 1 OUTPUT Rhs.1 'succ_scope', Lhs.1 'pred_var', Lhs.2, Lhs.0 'pred_scope' 5427334 ~0% {4} r3 = JOIN Base::BaseFlow::scope_entry_value_transfer_from_earlier#f76ef5bb#ffff#shared#1 WITH Scope::Scope::precedes#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.1 'pred_var', Lhs.2, Lhs.0 'pred_scope', Rhs.1 'succ_scope' 5426883 ~0% {4} r4 = r3 AND NOT Base::BaseFlow::scope_entry_value_transfer_from_earlier#f76ef5bb#ffff#antijoin_rhs(Lhs.0 'pred_var', Lhs.1, Lhs.2 'pred_scope', Lhs.3) 5426883 ~0% {5} r5 = SCAN r4 OUTPUT In.3, "__init__", In.0 'pred_var', In.1, In.2 'pred_scope' 2002084 ~0% {4} r6 = JOIN r5 WITH Scope::Scope::getName#dispred#f0820431#fb ON FIRST 2 OUTPUT Lhs.0, Lhs.2 'pred_var', Lhs.3, Lhs.4 'pred_scope' 39293988 ~2% {4} r7 = JOIN r6 WITH Scope::Scope::precedes#dispred#f0820431#ff ON FIRST 1 OUTPUT Rhs.1 'succ_scope', Lhs.1 'pred_var', Lhs.2, Lhs.3 'pred_scope' 47092307 ~0% {4} r8 = r2 UNION r7 94173236 ~7% {5} r9 = JOIN r8 WITH Essa::ScopeEntryDefinition::getScope#dispred#f0820431#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.2, Rhs.1 'succ_def', Lhs.1 'pred_var', Lhs.3 'pred_scope', Lhs.0 'succ_scope' 599441 ~1% {4} r10 = JOIN r9 WITH Essa::TEssaNodeDefinition#24e22a14#ffff_03#join_rhs ON FIRST 2 OUTPUT Lhs.2 'pred_var', Lhs.3 'pred_scope', Lhs.1 'succ_def', Lhs.4 'succ_scope' return r10 ``` How it ended: ``` Tuple counts for Base::essa_var_scope#f76ef5bb#fff/3@20fd243c after 153ms: 1526390 ~0% {2} r1 = JOIN Essa::EssaDefinition::getSourceVariable#dispred#f0820431#ff WITH Base::BaseFlow::reaches_exit#f76ef5bb#f ON FIRST 1 OUTPUT Lhs.0 'pred_var', Lhs.1 'var' 1526390 ~5% {3} r2 = JOIN r1 WITH Essa::EssaVariable::getScope#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.1 'var', Rhs.1 'pred_scope', Lhs.0 'pred_var' return r2 ``` ``` Tuple counts for Base::scope_entry_def_scope#f76ef5bb#fff/3@34224fid after 40ms: 581249 ~1% {3} r1 = JOIN Essa::TEssaNodeDefinition#24e22a14#ffff_30#join_rhs WITH Essa::ScopeEntryDefinition::getScope#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.1 'var', Rhs.1 'succ_scope', Lhs.0 'succ_def' return r1 ``` ``` Tuple counts for Base::scope_entry_value_transfer_through_init#f76ef5bb#ffff#shared/5@cb3c45lu after 76ms: 471230 ~0% {3} r1 = JOIN Variables::GlobalVariable#class#3aa06bbf#f WITH Base::scope_entry_def_scope#f76ef5bb#fff ON FIRST 1 OUTPUT Rhs.1 'arg1', Lhs.0 'arg0', Rhs.2 'arg2' 313791 ~2% {5} r2 = JOIN r1 WITH Base::step_through_init#f76ef5bb#fff ON FIRST 1 OUTPUT Lhs.1 'arg0', Lhs.0 'arg1', Lhs.2 'arg2', Rhs.1 'arg3', Rhs.2 'arg4' return r2 ``` ``` Tuple counts for Base::scope_entry_value_transfer_through_init#f76ef5bb#ffff#antijoin_rhs/5@886d8bvr after 67ms: 508926 ~0% {6} r1 = JOIN Base::scope_entry_value_transfer_through_init#f76ef5bb#ffff#shared WITH Exprs::Name::defines#dispred#f0820431#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.4 'arg4', Lhs.0 'arg0', Lhs.1 'arg1', Lhs.2 'arg2', Lhs.3 'arg3' 25 ~46% {5} r2 = JOIN r1 WITH Exprs::Expr::getScope#dispred#f0820431#ff ON FIRST 2 OUTPUT Lhs.2 'arg0', Lhs.3 'arg1', Lhs.4 'arg2', Lhs.5 'arg3', Lhs.1 'arg4' return r2 ``` ``` Tuple counts for Base::scope_entry_value_transfer_through_init#f76ef5bb#ffff/4@87ec703f after 80ms: 313774 ~2% {5} r1 = Base::scope_entry_value_transfer_through_init#f76ef5bb#ffff#shared AND NOT Base::scope_entry_value_transfer_through_init#f76ef5bb#ffff#antijoin_rhs(Lhs.0, Lhs.1 'succ_scope', Lhs.2 'succ_def', Lhs.3 'pred_scope', Lhs.4) 313774 ~0% {4} r2 = SCAN r1 OUTPUT In.3 'pred_scope', In.0, In.1 'succ_scope', In.2 'succ_def' 313774 ~4% {4} r3 = JOIN r2 WITH @py_scope#f ON FIRST 1 OUTPUT Lhs.1, Lhs.0 'pred_scope', Lhs.2 'succ_scope', Lhs.3 'succ_def' 313778 ~0% {4} r4 = JOIN r3 WITH Base::essa_var_scope#f76ef5bb#fff ON FIRST 2 OUTPUT Rhs.2 'pred_var', Lhs.1 'pred_scope', Lhs.3 'succ_def', Lhs.2 'succ_scope' return r4 ``` ``` Tuple counts for Base::step_through_init#f76ef5bb#fff/3@7ba1ee1c after 17ms: 11763 ~0% {1} r1 = JOIN Scope::Scope::precedes#dispred#f0820431#ff#join_rhs WITH Scope::Scope::getName#dispred#f0820431#fb_10#join_rhs ON FIRST 1 OUTPUT Rhs.1 'init' 196671 ~4% {2} r2 = JOIN r1 WITH Scope::Scope::precedes#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.0 'init', Rhs.1 'succ_scope' 196671 ~6% {3} r3 = JOIN r2 WITH Scope::Scope::precedes#dispred#f0820431#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1 'succ_scope', Rhs.1 'pred_scope', Lhs.0 'init' return r3 ``` ``` Tuple counts for Base::BaseFlow::scope_entry_value_transfer_from_earlier#f76ef5bb#ffff/4@4892f93f after 426ms: 1526390 ~0% {3} r1 = SCAN Base::essa_var_scope#f76ef5bb#fff OUTPUT In.1, In.0, In.2 'pred_var' 7798319 ~0% {4} r2 = JOIN r1 WITH Scope::Scope::precedes#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.1, Rhs.1 'succ_scope', Rhs.0, Lhs.2 'pred_var' 285663 ~3% {4} r3 = JOIN r2 WITH Base::scope_entry_def_scope#f76ef5bb#fff ON FIRST 2 OUTPUT Lhs.3 'pred_var', Lhs.2 'pred_scope', Rhs.2 'succ_def', Lhs.1 'succ_scope' 599441 ~1% {4} r4 = Base::scope_entry_value_transfer_through_init#f76ef5bb#ffff UNION r3 return r4 ``` It's possible this could be improved even further, but I think this is good enough. (I'm not entirely happy with how many helper predicates I ended up needing, but it was the only way I could get the joins to happen in a semi-sensible order.)	2022-07-19 13:46:55 +00:00
				`@@ -0,0 +1 @@`
				`Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql`
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: /nostdlib /noconfig --load-sources-from-project:${testdir}/../../../../resources/stubs/Newtonsoft.Json/13.0.1/Newtonsoft.Json.csproj ${testdir}/../../../../resources/stubs/System.Web.cs`