Merge pull request #20955 from github/release-prep/2.23.7

Release preparation for version 2.23.7

.gitattributes

@@ -82,9 +82,6 @@
 /csharp/paket.main.bzl linguist-generated=true
 /csharp/paket.main_extension.bzl linguist-generated=true
 
-# ripunzip tool
-/misc/ripunzip/ripunzip-* filter=lfs diff=lfs merge=lfs -text
-
 # swift prebuilt resources
 /swift/third_party/resources/*.zip filter=lfs diff=lfs merge=lfs -text
 /swift/third_party/resources/*.tar.zst filter=lfs diff=lfs merge=lfs -text

.github/workflows/build-ripunzip.yml

@@ -1,74 +0,0 @@
-name: Build runzip
-
-on:
-  workflow_dispatch:
-    inputs:
-      ripunzip-version:
-        description: "what reference to checktout from google/runzip"
-        required: false
-        default: v2.0.2
-      openssl-version:
-        description: "what reference to checkout from openssl/openssl for Linux"
-        required: false
-        default: openssl-3.5.0
-
-jobs:
-  build:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-22.04, macos-13, windows-2022]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          repository: google/ripunzip
-          ref: ${{ inputs.ripunzip-version }}
-      # we need to avoid ripunzip dynamically linking into libssl
-      # see https://github.com/sfackler/rust-openssl/issues/183
-      - if: runner.os == 'Linux'
-        name: checkout openssl
-        uses: actions/checkout@v5
-        with:
-          repository: openssl/openssl
-          path: openssl
-          ref: ${{ inputs.openssl-version }}
-      - if: runner.os == 'Linux'
-        name: build and install openssl with fPIC
-        shell: bash
-        working-directory: openssl
-        run: |
-          ./config -fPIC --prefix=$HOME/.local --openssldir=$HOME/.local/ssl
-          make -j $(nproc)
-          make install_sw -j $(nproc)
-      - if: runner.os == 'Linux'
-        name: build (linux)
-        shell: bash
-        run: |
-          env OPENSSL_LIB_DIR=$HOME/.local/lib64 OPENSSL_INCLUDE_DIR=$HOME/.local/include OPENSSL_STATIC=yes cargo build --release
-          mv target/release/ripunzip ripunzip-linux
-      - if: runner.os == 'Windows'
-        name: build (windows)
-        shell: bash
-        run: |
-          cargo build --release
-          mv target/release/ripunzip ripunzip-windows
-      - name: build (macOS)
-        if: runner.os == 'macOS'
-        shell: bash
-        run: |
-          rustup target install x86_64-apple-darwin
-          rustup target install aarch64-apple-darwin
-          cargo build --target x86_64-apple-darwin --release
-          cargo build --target aarch64-apple-darwin --release
-          lipo -create -output ripunzip-macos \
-            -arch x86_64 target/x86_64-apple-darwin/release/ripunzip \
-            -arch arm64 target/aarch64-apple-darwin/release/ripunzip
-      - uses: actions/upload-artifact@v4
-        with:
-          name: ripunzip-${{ runner.os }}
-          path: ripunzip-*
-      - name: Check built binary
-        shell: bash
-        run: |
-          ./ripunzip-* --version

CODEOWNERS

@@ -5,19 +5,29 @@
 /actions/ @github/codeql-dynamic
 /cpp/ @github/codeql-c-analysis
 /csharp/ @github/codeql-csharp
-/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor
-/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor
+/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor @github/code-scanning-language-coverage
+/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor @github/code-scanning-language-coverage
 /go/ @github/codeql-go
+/go/codeql-tools/ @github/codeql-go @github/code-scanning-language-coverage
+/go/downgrades/ @github/codeql-go @github/code-scanning-language-coverage
+/go/extractor/ @github/codeql-go @github/code-scanning-language-coverage
+/go/extractor-smoke-test/ @github/codeql-go @github/code-scanning-language-coverage
+/go/ql/test/extractor-tests/ @github/codeql-go @github/code-scanning-language-coverage
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
+/javascript/extractor/ @github/codeql-javascript @github/code-scanning-language-coverage
 /python/ @github/codeql-python
+/python/extractor/ @github/codeql-python @github/code-scanning-language-coverage
 /ql/ @github/codeql-ql-for-ql-reviewers
 /ruby/ @github/codeql-ruby
+/ruby/extractor/ @github/codeql-ruby @github/code-scanning-language-coverage
 /rust/ @github/codeql-rust
+/rust/extractor/ @github/codeql-rust @github/code-scanning-language-coverage
 /shared/ @github/codeql-shared-libraries-reviewers
 /swift/ @github/codeql-swift
+/swift/extractor/ @github/codeql-swift @github/code-scanning-language-coverage
 /misc/codegen/ @github/codeql-swift
-/java/kotlin-extractor/ @github/codeql-kotlin
+/java/kotlin-extractor/ @github/codeql-kotlin @github/code-scanning-language-coverage
 /java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 

MODULE.bazel

@@ -23,7 +23,7 @@ bazel_dep(name = "rules_shell", version = "0.5.0")
 bazel_dep(name = "bazel_skylib", version = "1.8.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
-bazel_dep(name = "fmt", version = "10.0.0")
+bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
 bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
@@ -269,24 +269,16 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
 use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
 
-lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
+ripunzip_archive = use_repo_rule("//misc/ripunzip:ripunzip.bzl", "ripunzip_archive")
 
-lfs_archive(
-    name = "ripunzip-linux",
-    src = "//misc/ripunzip:ripunzip-Linux.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
-)
-
-lfs_archive(
-    name = "ripunzip-windows",
-    src = "//misc/ripunzip:ripunzip-Windows.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
-)
-
-lfs_archive(
-    name = "ripunzip-macos",
-    src = "//misc/ripunzip:ripunzip-macOS.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+# go to https://github.com/GoogleChrome/ripunzip/releases to find latest version and corresponding sha256s
+ripunzip_archive(
+    name = "ripunzip",
+    sha256_linux = "ee0e8a957687a5dc3a66b2a4b25883bf762df4c9c07f0651af527a32a405054b",
+    sha256_macos_arm = "8a88eea54eac232d162a72a42065e0429b82dbf4f05e9642915dff9d7a81f846",
+    sha256_macos_intel = "4457a18bfcc5feabe09f5ea3d1157128e07b4873392cb404a870e611924abf64",
+    sha256_windows = "66d0c1375301bf5ab815348048f43b110631d3fa7200acd50d50a8ed8655ca62",
+    version = "2.0.3",
 )
 
 register_toolchains(

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 0.4.23
+
+No user-facing changes.
+
+## 0.4.22
+
+No user-facing changes.
+
+## 0.4.21
+
+No user-facing changes.
+
 ## 0.4.20
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.21.md

@@ -0,0 +1,3 @@
+## 0.4.21
+
+No user-facing changes.

actions/ql/lib/change-notes/released/0.4.22.md

@@ -0,0 +1,3 @@
+## 0.4.22
+
+No user-facing changes.

actions/ql/lib/change-notes/released/0.4.23.md

@@ -0,0 +1,3 @@
+## 0.4.23
+
+No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.20
+lastReleaseVersion: 0.4.23

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.20
+version: 0.4.23
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 0.6.15
+
+No user-facing changes.
+
+## 0.6.14
+
+No user-facing changes.
+
+## 0.6.13
+
+No user-facing changes.
+
 ## 0.6.12
 
 No user-facing changes.

actions/ql/src/change-notes/released/0.6.13.md

@@ -0,0 +1,3 @@
+## 0.6.13
+
+No user-facing changes.

actions/ql/src/change-notes/released/0.6.14.md

@@ -0,0 +1,3 @@
+## 0.6.14
+
+No user-facing changes.

actions/ql/src/change-notes/released/0.6.15.md

@@ -0,0 +1,3 @@
+## 0.6.15
+
+No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.12
+lastReleaseVersion: 0.6.15

actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql

@@ -1,5 +1,5 @@
 /**
- * @name Artifact Poisoning (Path Traversal).
+ * @name Artifact Poisoning (Path Traversal)
  * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
  * @kind problem
  * @problem.severity error

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.12
+version: 0.6.15
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

config/identical-files.json

@@ -276,5 +276,12 @@
   "Python model summaries test extension": [
     "python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml",
     "python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml"
+  ],
+  "XML discard predicates": [
+    "javascript/ql/lib/semmle/javascript/internal/OverlayXml.qll",
+    "java/ql/lib/semmle/code/java/internal/OverlayXml.qll",
+    "go/ql/lib/semmle/go/internal/OverlayXml.qll",
+    "python/ql/lib/semmle/python/internal/OverlayXml.qll",
+    "csharp/ql/lib/semmle/code/csharp/internal/OverlayXml.qll"
   ]
 }

cpp/downgrades/1a6854060d5d3ada16c580a29f8c5ce21f3367f8/upgrade.properties

@@ -0,0 +1,3 @@
+description: Support expanded compilation argument lists
+compatibility: full
+compilation_expanded_args.rel: delete

cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/upgrade.properties

@@ -0,0 +1,2 @@
+description: Fix decltype qualifier issue
+compatibility: full

cpp/downgrades/a42ce5fc943254097f85471b94ae2247e819104a/upgrade.properties

@@ -0,0 +1,4 @@
+description: Add databaseMetadata and overlayChangedFiles relations
+compatibility: full
+databaseMetadata.rel: delete
+overlayChangedFiles.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,23 @@
+## 6.1.2
+
+No user-facing changes.
+
+## 6.1.1
+
+### Minor Analysis Improvements
+
+* The class `DataFlow::FieldContent` now covers both `union` and `struct`/`class` types. A new predicate `FieldContent.getAField` has been added to access the union members associated with the `FieldContent`. The old `FieldContent` has been renamed to `NonUnionFieldContent`.
+
+## 6.1.0
+
+### New Features
+
+* New predicates `getAnExpandedArgument` and `getExpandedArgument` were added to the `Compilation` class, yielding compilation arguments after expansion of response files.
+
+### Bug Fixes
+
+* Improve performance of the range analysis in cases where it would otherwise take an exorbitant amount of time.
+
 ## 6.0.1
 
 No user-facing changes.
@@ -259,8 +279,8 @@ No user-facing changes.
 
 ### Breaking Changes
 
-* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`.
-* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`.
+* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`. 
+* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`. 
 * Deleted the deprecated `hasQualifiedName` and `isDefined` predicates from the `Declaration` class, use `hasGlobalName` and `hasDefinition` respectively instead.
 * Deleted the `getFullSignature` predicate from the `Function` class, use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
 * Deleted the deprecated `freeCall` predicate from `Alloc.qll`. Use `DeallocationExpr` instead.
@@ -294,7 +314,7 @@ No user-facing changes.
 * A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide.
 * An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit.
 * A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
-* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete.
+* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. 
 
 ### Minor Analysis Improvements
 
@@ -372,9 +392,9 @@ No user-facing changes.
 ### New Features
 
 * Added a `TaintInheritingContent` class that can be extended to model taint flowing from a qualifier to a field.
-* Added a predicate `GuardCondition.comparesEq/4` to query whether an expression is compared to a constant.
+* Added a predicate `GuardCondition.comparesEq/4` to query whether an expression is compared to a constant. 
 * Added a predicate `GuardCondition.ensuresEq/4` to query whether a basic block is guarded by an expression being equal to a constant.
-* Added a predicate `GuardCondition.comparesLt/4` to query whether an expression is compared to a constant.
+* Added a predicate `GuardCondition.comparesLt/4` to query whether an expression is compared to a constant. 
 * Added a predicate `GuardCondition.ensuresLt/4` to query whether a basic block is guarded by an expression being less than a constant.
 * Added a predicate `GuardCondition.valueControls` to query whether a basic block is guarded by a particular `case` of a `switch` statement.
 
@@ -490,7 +510,7 @@ No user-facing changes.
 * Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
  non-returning in the IR and dataflow.
 * Treat functions that reach the end of the function as returning in the IR.
-  They used to be treated as unreachable but it is allowed in C.
+  They used to be treated as unreachable but it is allowed in C. 
 * The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.
 
 ## 0.9.3
@@ -539,7 +559,7 @@ No user-facing changes.
 
 ### New Features
 
-* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
+* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`. 
   Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
 
 ### Minor Analysis Improvements
@@ -733,7 +753,7 @@ No user-facing changes.
 
 ### Deprecated APIs
 
-* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
   The old name still exists as a deprecated alias.
 
 ### New Features
@@ -750,7 +770,7 @@ No user-facing changes.
 
 ### Deprecated APIs
 
-* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
   The old name still exists as a deprecated alias.
 
 ### New Features
@@ -849,7 +869,7 @@ No user-facing changes.
 
 ### Deprecated APIs
 
-* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
+* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. 
   The old name still exists as a deprecated alias.
 
 ### New Features

cpp/ql/lib/change-notes/released/6.1.0.md

@@ -0,0 +1,9 @@
+## 6.1.0
+
+### New Features
+
+* New predicates `getAnExpandedArgument` and `getExpandedArgument` were added to the `Compilation` class, yielding compilation arguments after expansion of response files.
+
+### Bug Fixes
+
+* Improve performance of the range analysis in cases where it would otherwise take an exorbitant amount of time.

cpp/ql/lib/change-notes/released/6.1.1.md

@@ -0,0 +1,5 @@
+## 6.1.1
+
+### Minor Analysis Improvements
+
+* The class `DataFlow::FieldContent` now covers both `union` and `struct`/`class` types. A new predicate `FieldContent.getAField` has been added to access the union members associated with the `FieldContent`. The old `FieldContent` has been renamed to `NonUnionFieldContent`.

cpp/ql/lib/change-notes/released/6.1.2.md

@@ -0,0 +1,3 @@
+## 6.1.2
+
+No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.0.1
+lastReleaseVersion: 6.1.2

cpp/ql/lib/cpp.qll

@@ -74,3 +74,4 @@ import semmle.code.cpp.Preprocessor
 import semmle.code.cpp.Iteration
 import semmle.code.cpp.NameQualifiers
 import DefaultOptions
+private import semmle.code.cpp.internal.Overlay

cpp/ql/lib/ext/cctype.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "", False, "tolower", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["std", "", False, "tolower", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "toupper", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["std", "", False, "toupper", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]

cpp/ql/lib/ext/iconv.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "", False, "iconv", "", "", "Argument[**1]", "Argument[**3]", "value", "manual"]
+      

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 6.0.1
+version: 6.1.2
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -21,3 +21,4 @@ dataExtensions:
   - ext/deallocation/*.model.yml
   - ext/allocation/*.model.yml
 warnOnImplicitThis: true
+compileForOverlayEval: true

cpp/ql/lib/semmle/code/cpp/Compilation.qll

@@ -94,6 +94,25 @@ class Compilation extends @compilation {
    */
   string getArgument(int i) { compilation_args(this, i, result) }
 
+  /**
+   * Gets an expanded argument passed to the extractor on this invocation.
+   */
+  string getAnExpandedArgument() { result = this.getExpandedArgument(_) }
+
+  /**
+   * Gets the `i`th expanded argument passed to the extractor on this
+   * invocation.
+   *
+   * This is similar to `getArgument`, but for a `@someFile` argument, it
+   * includes the arguments from that file, rather than just taking the
+   * argument literally.
+   */
+  string getExpandedArgument(int i) {
+    if exists(string arg | compilation_expanded_args(this, _, arg))
+    then compilation_expanded_args(this, i, result)
+    else result = this.getArgument(i)
+  }
+
   /**
    * Gets the total amount of CPU time spent processing all the files in the
    * front-end and extractor.

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -171,12 +171,14 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * Gets the nth parameter of this function. There is no result for the
    * implicit `this` parameter, and there is no `...` varargs pseudo-parameter.
    */
+  pragma[nomagic]
   Parameter getParameter(int n) { params(unresolveElement(result), underlyingElement(this), n, _) }
 
   /**
    * Gets a parameter of this function. There is no result for the implicit
    * `this` parameter, and there is no `...` varargs pseudo-parameter.
    */
+  pragma[nomagic]
   Parameter getAParameter() { params(unresolveElement(result), underlyingElement(this), _, _) }
 
   /**

cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll

@@ -144,14 +144,14 @@ class NameQualifiableElement extends Element, @namequalifiableelement {
 class NameQualifyingElement extends Element, @namequalifyingelement {
   /**
    * Gets a name qualifier for which this is the qualifying namespace or
-   * user-defined type. For example: class `X` is the
+   * user-defined type, or decltype. For example: class `X` is the
    * `NameQualifyingElement` and `X::` is the `NameQualifier`.
    */
   NameQualifier getANameQualifier() {
     namequalifiers(unresolveElement(result), _, underlyingElement(this), _)
   }
 
-  /** Gets the name of this namespace or user-defined type. */
+  /** Gets the name of this namespace, user-defined type, or decltype. */
   string getName() { none() }
 }
 

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -1146,7 +1146,7 @@ class DerivedType extends Type, @derivedtype {
  * decltype(a) b;
  * ```
  */
-class Decltype extends Type {
+class Decltype extends Type, NameQualifyingElement {
   Decltype() { decltypes(underlyingElement(this), _, 0, _, _) }
 
   override string getAPrimaryQlClass() { result = "Decltype" }
@@ -1187,7 +1187,7 @@ class Decltype extends Type {
 
   override string toString() { result = "decltype(...)" }
 
-  override string getName() { none() }
+  override string getName() { result = "decltype(...)" }
 
   override int getSize() { result = this.getBaseType().getSize() }
 
@@ -1247,7 +1247,7 @@ class TypeofType extends Type {
 
   override string toString() { result = "typeof(...)" }
 
-  override string getName() { none() }
+  override string getName() { result = "typeof(...)" }
 
   override int getSize() { result = this.getBaseType().getSize() }
 
@@ -1311,8 +1311,6 @@ class TypeofTypeType extends TypeofType {
   Type getType() { type_operators(underlyingElement(this), unresolveElement(result), _, _) }
 
   override string getAPrimaryQlClass() { result = "TypeofTypeType" }
-
-  override string toString() { result = "typeof(...)" }
 }
 
 /**
@@ -1394,7 +1392,7 @@ class IntrinsicTransformedType extends Type {
 
   override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }
 
-  override string getName() { none() }
+  override string getName() { result = this.getIntrinsicName() + "(...)" }
 
   override int getSize() { result = this.getBaseType().getSize() }
 

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -703,6 +703,7 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardConditionImpl
     )
   }
 
+  pragma[nomagic]
   override predicate comparesLt(
     Cpp::Expr left, Cpp::Expr right, int k, boolean isLessThan, boolean testIsTrue
   ) {
@@ -713,6 +714,7 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardConditionImpl
     )
   }
 
+  pragma[nomagic]
   override predicate comparesLt(Cpp::Expr e, int k, boolean isLessThan, GuardValue value) {
     exists(GuardValue partValue, GuardCondition part |
       this.(Cpp::BinaryLogicalOperation)
@@ -738,6 +740,7 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardConditionImpl
     )
   }
 
+  pragma[nomagic]
   override predicate comparesEq(
     Cpp::Expr left, Cpp::Expr right, int k, boolean areEqual, boolean testIsTrue
   ) {
@@ -757,6 +760,7 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardConditionImpl
     )
   }
 
+  pragma[nomagic]
   override predicate comparesEq(Cpp::Expr e, int k, boolean areEqual, GuardValue value) {
     exists(GuardValue partValue, GuardCondition part |
       this.(Cpp::BinaryLogicalOperation)

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -15,16 +15,17 @@
  * reading.
  * 1. The `namespace` column selects a namespace.
  * 2. The `type` column selects a type within that namespace. This column can
- *    introduce template names that can be mentioned in the `signature` column.
+ *    introduce template type names that can be mentioned in the `signature` column.
  *    For example, `vector<T,Allocator>` introduces the template names `T` and
- *    `Allocator`.
+ *    `Allocator`. Non-type template parameters cannot be specified.
  * 3. The `subtypes` is a boolean that indicates whether to jump to an
  *    arbitrary subtype of that type. Set this to `false` if leaving the `type`
  *    blank (for example, a free function).
  * 4. The `name` column optionally selects a specific named member of the type.
- *    Like the `type` column, this column can introduce template names that can
- *    be mentioned in the `signature` column. For example, `insert<InputIt>`
- *    introduces the template name `InputIt`.
+ *    Like the `type` column, this column can introduce template type names
+ *    that can be mentioned in the `signature` column. For example,
+ *    `insert<InputIt>` introduces the template name `InputIt`. Non-type
+ *    template parameters cannot be specified.
  * 5. The `signature` column optionally restricts the named member. If
  *    `signature` is blank then no such filtering is done. The format of the
  *    signature is a comma-separated list of types enclosed in parentheses. The
@@ -633,6 +634,28 @@ string getParameterTypeWithoutTemplateArguments(Function f, int n, boolean canon
   canonical = true
 }
 
+/**
+ * Gets the largest index of a template parameter of `templateFunction` that
+ * is a type template parameter.
+ */
+private int getLastTypeTemplateFunctionParameterIndex(Function templateFunction) {
+  result =
+    max(int index | templateFunction.getTemplateArgument(index) instanceof TypeTemplateParameter)
+}
+
+/** Gets the number of supported template parameters for `templateFunction`. */
+private int getNumberOfSupportedFunctionTemplateArguments(Function templateFunction) {
+  result = count(int i | exists(getSupportedFunctionTemplateArgument(templateFunction, i)) | i)
+}
+
+/** Gets the `i`'th supported template parameter for `templateFunction`. */
+private Locatable getSupportedFunctionTemplateArgument(Function templateFunction, int i) {
+  result = templateFunction.getTemplateArgument(i) and
+  // We don't yet support non-type template parameters in the middle of a
+  // template parameter list
+  i <= getLastTypeTemplateFunctionParameterIndex(templateFunction)
+}
+
 /**
  * Normalize the `n`'th parameter of `f` by replacing template names
  * with `func:N` (where `N` is the index of the template).
@@ -640,27 +663,51 @@ string getParameterTypeWithoutTemplateArguments(Function f, int n, boolean canon
 private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remaining) {
   exists(Function templateFunction |
     templateFunction = getFullyTemplatedFunction(f) and
-    remaining = templateFunction.getNumberOfTemplateArguments() and
+    remaining = getNumberOfSupportedFunctionTemplateArguments(templateFunction) and
     result = getParameterTypeWithoutTemplateArguments(templateFunction, n, _)
   )
   or
   exists(string mid, TypeTemplateParameter tp, Function templateFunction |
     mid = getTypeNameWithoutFunctionTemplates(f, n, remaining + 1) and
     templateFunction = getFullyTemplatedFunction(f) and
-    tp = templateFunction.getTemplateArgument(remaining) and
+    tp = getSupportedFunctionTemplateArgument(templateFunction, remaining)
+  |
     result = mid.replaceAll(tp.getName(), "func:" + remaining.toString())
   )
 }
 
+/**
+ * Gets the largest index of a template parameter of `templateClass` that
+ * is a type template parameter.
+ */
+private int getLastTypeTemplateClassParameterIndex(Class templateClass) {
+  result =
+    max(int index | templateClass.getTemplateArgument(index) instanceof TypeTemplateParameter)
+}
+
+/** Gets the `i`'th supported template parameter for `templateClass`. */
+private Locatable getSupportedClassTemplateArgument(Class templateClass, int i) {
+  result = templateClass.getTemplateArgument(i) and
+  // We don't yet support non-type template parameters in the middle of a
+  // template parameter list
+  i <= getLastTypeTemplateClassParameterIndex(templateClass)
+}
+
+/** Gets the number of supported template parameters for `templateClass`. */
+private int getNumberOfSupportedClassTemplateArguments(Class templateClass) {
+  result = count(int i | exists(getSupportedClassTemplateArgument(templateClass, i)) | i)
+}
+
 /**
  * Normalize the `n`'th parameter of `f` by replacing template names
  * with `class:N` (where `N` is the index of the template).
  */
+pragma[nomagic]
 private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
   // If there is a declaring type then we start by expanding the function templates
   exists(Class template |
     isClassConstructedFrom(f.getDeclaringType(), template) and
-    remaining = template.getNumberOfTemplateArguments() and
+    remaining = getNumberOfSupportedClassTemplateArguments(template) and
     result = getTypeNameWithoutFunctionTemplates(f, n, 0)
   )
   or
@@ -672,7 +719,8 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
   exists(string mid, TypeTemplateParameter tp, Class template |
     mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
     isClassConstructedFrom(f.getDeclaringType(), template) and
-    tp = template.getTemplateArgument(remaining) and
+    tp = getSupportedClassTemplateArgument(template, remaining)
+  |
     result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())
   )
 }
@@ -727,6 +775,7 @@ private string getSignatureWithoutClassTemplateNames(
  * - The `remaining` number of template arguments in `partiallyNormalizedSignature`
  * with their index in `nameArgs`.
  */
+pragma[nomagic]
 private string getSignatureWithoutFunctionTemplateNames(
   string partiallyNormalizedSignature, string typeArgs, string nameArgs, int remaining
 ) {
@@ -770,6 +819,7 @@ private string getSignatureWithoutFunctionTemplateNames(
  * ```
  * In this case, `normalizedSignature` will be `"(const func:0 &,int,class:1,class:0 *)"`.
  */
+pragma[nomagic]
 private predicate elementSpecWithArguments(
   string signature, string type, string name, string normalizedSignature, string typeArgs,
   string nameArgs
@@ -789,6 +839,35 @@ private string getSignatureParameterName(string signature, string type, string n
   )
 }
 
+/**
+ * Gets a `Function` identified by the `(namespace, type, name)` components.
+ *
+ * If `subtypes` is `true` then the result may be an override of the function
+ * identified by the components.
+ */
+pragma[nomagic]
+private Function getFunction(string namespace, string type, boolean subtypes, string name) {
+  elementSpec(namespace, type, subtypes, name, _, _) and
+  (
+    funcHasQualifiedName(result, namespace, name) and
+    subtypes = false and
+    type = ""
+    or
+    exists(Class namedClass, Class classWithMethod |
+      hasClassAndName(classWithMethod, result, name) and
+      classHasQualifiedName(namedClass, namespace, type)
+    |
+      // member declared in the named type or a subtype of it
+      subtypes = true and
+      classWithMethod = namedClass.getADerivedClass*()
+      or
+      // member declared directly in the named type
+      subtypes = false and
+      classWithMethod = namedClass
+    )
+  )
+}
+
 /**
  * Holds if the suffix containing the entries in `signature` starting at entry
  * `i` matches the suffix containing the parameters of `func` starting at entry `i`.
@@ -812,13 +891,17 @@ private string getSignatureParameterName(string signature, string type, string n
  * is `func:n` then the signature name is compared with the `n`'th name
  * in `name`.
  */
-private predicate signatureMatches(Function func, string signature, string type, string name, int i) {
+pragma[nomagic]
+private predicate signatureMatches(
+  Function func, string namespace, string signature, string type, string name, int i
+) {
+  func = getFunction(namespace, type, _, name) and
   exists(string s |
     s = getSignatureParameterName(signature, type, name, i) and
     s = getParameterTypeName(func, i)
   ) and
   if exists(getParameterTypeName(func, i + 1))
-  then signatureMatches(func, signature, type, name, i + 1)
+  then signatureMatches(func, namespace, signature, type, name, i + 1)
   else i = count(signature.indexOf(","))
 }
 
@@ -833,7 +916,7 @@ module ExternalFlowDebug {
    *
    * Exposed for testing purposes.
    */
-  predicate signatureMatches_debug = signatureMatches/5;
+  predicate signatureMatches_debug = signatureMatches/6;
 
   /**
    * INTERNAL: Do not use.
@@ -883,6 +966,7 @@ private predicate parseParens(string s, string betweenParens) { s = "(" + betwee
  * - `signatureWithoutParens` equals `signature`, but with the surrounding
  *    parentheses removed.
  */
+pragma[nomagic]
 private predicate elementSpecWithArguments0(
   string signature, string type, string name, string signatureWithoutParens, string typeArgs,
   string nameArgs
@@ -909,7 +993,7 @@ private predicate elementSpecMatchesSignature(
 ) {
   elementSpec(namespace, pragma[only_bind_into](type), subtypes, pragma[only_bind_into](name),
     pragma[only_bind_into](signature), _) and
-  signatureMatches(func, signature, type, name, 0)
+  signatureMatches(func, namespace, signature, type, name, 0)
 }
 
 /**
@@ -953,7 +1037,7 @@ private predicate funcHasQualifiedName(Function func, string namespace, string n
  * Holds if `namedClass` is in namespace `namespace` and has
  * name `type` (excluding any template parameters).
  */
-bindingset[type, namespace]
+bindingset[type]
 pragma[inline_late]
 private predicate classHasQualifiedName(Class namedClass, string namespace, string type) {
   exists(string typeWithoutArgs |
@@ -969,17 +1053,14 @@ private predicate classHasQualifiedName(Class namedClass, string namespace, stri
  *    are also returned.
  * 3. The element has name `name`
  * 4. If `signature` is non-empty, then the element has a list of parameter types described by `signature`.
- *
- * NOTE: `namespace` is currently not used (since we don't properly extract modules yet).
  */
 pragma[nomagic]
 private Element interpretElement0(
   string namespace, string type, boolean subtypes, string name, string signature
 ) {
+  result = getFunction(namespace, type, subtypes, name) and
   (
     // Non-member functions
-    funcHasQualifiedName(result, namespace, name) and
-    subtypes = false and
     type = "" and
     (
       elementSpecMatchesSignature(result, namespace, type, subtypes, name, signature)
@@ -989,52 +1070,36 @@ private Element interpretElement0(
     )
     or
     // Member functions
-    exists(Class namedClass, Class classWithMethod |
-      hasClassAndName(classWithMethod, result, name) and
-      classHasQualifiedName(namedClass, namespace, type)
-    |
-      (
-        elementSpecMatchesSignature(result, namespace, type, subtypes, name, signature)
-        or
-        signature = "" and
-        elementSpec(namespace, type, subtypes, name, "", _)
-      ) and
-      (
-        // member declared in the named type or a subtype of it
-        subtypes = true and
-        classWithMethod = namedClass.getADerivedClass*()
-        or
-        // member declared directly in the named type
-        subtypes = false and
-        classWithMethod = namedClass
-      )
-    )
+    elementSpecMatchesSignature(result, namespace, type, subtypes, name, signature)
     or
-    elementSpec(namespace, type, subtypes, name, signature, _) and
-    // Member variables
     signature = "" and
-    exists(Class namedClass, Class classWithMember, MemberVariable member |
-      member.getName() = name and
-      member = classWithMember.getAMember() and
-      namedClass.hasQualifiedName(namespace, type) and
-      result = member
-    |
-      // field declared in the named type or a subtype of it (or an extension of any)
-      subtypes = true and
-      classWithMember = namedClass.getADerivedClass*()
-      or
-      // field declared directly in the named type (or an extension of it)
-      subtypes = false and
-      classWithMember = namedClass
-    )
-    or
-    // Global or namespace variables
-    elementSpec(namespace, type, subtypes, name, signature, _) and
-    signature = "" and
-    type = "" and
-    subtypes = false and
-    result = any(GlobalOrNamespaceVariable v | v.hasQualifiedName(namespace, name))
+    elementSpec(namespace, type, subtypes, name, signature, _)
   )
+  or
+  // Member variables
+  elementSpec(namespace, type, subtypes, name, signature, _) and
+  signature = "" and
+  exists(Class namedClass, Class classWithMember, MemberVariable member |
+    member.getName() = name and
+    member = classWithMember.getAMember() and
+    namedClass.hasQualifiedName(namespace, type) and
+    result = member
+  |
+    // field declared in the named type or a subtype of it (or an extension of any)
+    subtypes = true and
+    classWithMember = namedClass.getADerivedClass*()
+    or
+    // field declared directly in the named type (or an extension of it)
+    subtypes = false and
+    classWithMember = namedClass
+  )
+  or
+  // Global or namespace variables
+  elementSpec(namespace, type, subtypes, name, signature, _) and
+  signature = "" and
+  type = "" and
+  subtypes = false and
+  result = any(GlobalOrNamespaceVariable v | v.hasQualifiedName(namespace, name))
 }
 
 cached

cpp/ql/lib/semmle/code/cpp/exprs/Cast.qll

@@ -750,6 +750,16 @@ class SizeofPackTypeOperator extends SizeofPackOperator {
  */
 class SizeofOperator extends Expr, @runtime_sizeof {
   override int getPrecedence() { result = 16 }
+
+  /**
+   * Gets the contained type of this `sizeof`. For example,
+   * the result is `int` in both cases below:
+   * ```
+   * sizeof(int);
+   * sizeof(42);
+   * ```
+   */
+  Type getTypeOperand() { none() } // overridden in subclasses
 }
 
 /**
@@ -766,6 +776,8 @@ class SizeofExprOperator extends SizeofOperator {
   /** Gets the contained expression. */
   Expr getExprOperand() { result = this.getChild(0) }
 
+  override Type getTypeOperand() { result = this.getExprOperand().getType() }
+
   override string toString() { result = "sizeof(<expr>)" }
 
   override predicate mayBeImpure() { this.getExprOperand().mayBeImpure() }
@@ -784,8 +796,7 @@ class SizeofTypeOperator extends SizeofOperator {
 
   override string getAPrimaryQlClass() { result = "SizeofTypeOperator" }
 
-  /** Gets the contained type. */
-  Type getTypeOperand() { sizeof_bind(underlyingElement(this), unresolveElement(result)) }
+  override Type getTypeOperand() { sizeof_bind(underlyingElement(this), unresolveElement(result)) }
 
   override string toString() { result = "sizeof(" + this.getTypeOperand().getName() + ")" }
 
@@ -842,6 +853,16 @@ class AlignofTypeOperator extends AlignofOperator {
  */
 class DatasizeofOperator extends Expr, @datasizeof {
   override int getPrecedence() { result = 16 }
+
+  /**
+   * Gets the contained type of this `__datasizeof`. For example,
+   * the result is `int` in both cases below:
+   * ```
+   * __datasizeof(int);
+   * __datasizeof(42);
+   * ```
+   */
+  Type getTypeOperand() { none() }
 }
 
 /**
@@ -855,6 +876,8 @@ class DatasizeofExprOperator extends DatasizeofOperator {
   /** Gets the contained expression. */
   Expr getExprOperand() { result = this.getChild(0) }
 
+  override Type getTypeOperand() { result = this.getExprOperand().getType() }
+
   override string toString() { result = "__datasizeof(<expr>)" }
 
   override predicate mayBeImpure() { this.getExprOperand().mayBeImpure() }
@@ -870,8 +893,7 @@ class DatasizeofTypeOperator extends DatasizeofOperator {
 
   override string getAPrimaryQlClass() { result = "DatasizeofTypeOperator" }
 
-  /** Gets the contained type. */
-  Type getTypeOperand() { sizeof_bind(underlyingElement(this), unresolveElement(result)) }
+  override Type getTypeOperand() { sizeof_bind(underlyingElement(this), unresolveElement(result)) }
 
   override string toString() { result = "__datasizeof(" + this.getTypeOperand().getName() + ")" }
 

cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll

@@ -0,0 +1,60 @@
+/**
+ * Defines entity discard predicates for C++ overlay analysis.
+ */
+
+/**
+ * Holds always for the overlay variant and never for the base variant.
+ * This local predicate is used to define local predicates that behave
+ * differently for the base and overlay variant.
+ */
+overlay[local]
+predicate isOverlay() { databaseMetadata("isOverlay", "true") }
+
+overlay[local]
+private string getLocationFilePath(@location_default loc) {
+  exists(@file file | locations_default(loc, file, _, _, _, _) | files(file, result))
+}
+
+/**
+ * Gets the file path for an element with a single location.
+ */
+overlay[local]
+private string getSingleLocationFilePath(@element e) {
+  // @var_decl has a direct location in the var_decls relation
+  exists(@location_default loc | var_decls(e, _, _, _, loc) | result = getLocationFilePath(loc))
+  //TODO: add other kinds of elements with single locations
+}
+
+/**
+ * Gets the file path for an element with potentially multiple locations.
+ */
+overlay[local]
+private string getMultiLocationFilePath(@element e) {
+  // @variable gets its location(s) from its @var_decl(s)
+  exists(@var_decl vd, @location_default loc | var_decls(vd, e, _, _, loc) |
+    result = getLocationFilePath(loc)
+  )
+  //TODO: add other kinds of elements with multiple locations
+}
+
+/**
+ * A local helper predicate that holds in the base variant and never in the
+ * overlay variant.
+ */
+overlay[local]
+private predicate holdsInBase() { not isOverlay() }
+
+/**
+ * Discards an element from the base variant if:
+ * - It has a single location in a changed file, or
+ * - All of its locations are in changed files.
+ */
+overlay[discard_entity]
+private predicate discardElement(@element e) {
+  holdsInBase() and
+  (
+    overlayChangedFiles(getSingleLocationFilePath(e))
+    or
+    forex(string path | path = getMultiLocationFilePath(e) | overlayChangedFiles(path))
+  )
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -861,6 +861,10 @@ predicate jumpStep(Node n1, Node n2) {
     n2.(FlowSummaryNode).getSummaryNode())
 }
 
+bindingset[c]
+pragma[inline_late]
+private int getIndirectionIndexLate(Content c) { result = c.getIndirectionIndex() }
+
 /**
  * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
  * Thus, `node2` references an object with a field `f` that contains the
@@ -873,23 +877,17 @@ predicate jumpStep(Node n1, Node n2) {
 predicate storeStepImpl(Node node1, Content c, Node node2, boolean certain) {
   exists(
     PostFieldUpdateNode postFieldUpdate, int indirectionIndex1, int numberOfLoads,
-    StoreInstruction store
+    StoreInstruction store, FieldContent fc
   |
     postFieldUpdate = node2 and
-    nodeHasInstruction(node1, store, pragma[only_bind_into](indirectionIndex1)) and
+    fc = c and
+    nodeHasInstruction(node1, pragma[only_bind_into](store),
+      pragma[only_bind_into](indirectionIndex1)) and
     postFieldUpdate.getIndirectionIndex() = 1 and
     numberOfLoadsFromOperand(postFieldUpdate.getFieldAddress(),
-      store.getDestinationAddressOperand(), numberOfLoads, certain)
-  |
-    exists(FieldContent fc | fc = c |
-      fc.getField() = postFieldUpdate.getUpdatedField() and
-      fc.getIndirectionIndex() = 1 + indirectionIndex1 + numberOfLoads
-    )
-    or
-    exists(UnionContent uc | uc = c |
-      uc.getAField() = postFieldUpdate.getUpdatedField() and
-      uc.getIndirectionIndex() = 1 + indirectionIndex1 + numberOfLoads
-    )
+      store.getDestinationAddressOperand(), numberOfLoads, certain) and
+    fc.getAField() = postFieldUpdate.getUpdatedField() and
+    getIndirectionIndexLate(fc) = 1 + indirectionIndex1 + numberOfLoads
   )
   or
   // models-as-data summarized flow
@@ -965,22 +963,17 @@ predicate nodeHasInstruction(Node node, Instruction instr, int indirectionIndex)
  * `node2`.
  */
 predicate readStep(Node node1, ContentSet c, Node node2) {
-  exists(FieldAddress fa1, Operand operand, int numberOfLoads, int indirectionIndex2 |
+  exists(
+    FieldAddress fa1, Operand operand, int numberOfLoads, int indirectionIndex2, FieldContent fc
+  |
+    fc = c and
     nodeHasOperand(node2, operand, indirectionIndex2) and
     // The `1` here matches the `node2.getIndirectionIndex() = 1` conjunct
     // in `storeStep`.
     nodeHasOperand(node1, fa1.getObjectAddressOperand(), 1) and
-    numberOfLoadsFromOperand(fa1, operand, numberOfLoads, _)
-  |
-    exists(FieldContent fc | fc = c |
-      fc.getField() = fa1.getField() and
-      fc.getIndirectionIndex() = indirectionIndex2 + numberOfLoads
-    )
-    or
-    exists(UnionContent uc | uc = c |
-      uc.getAField() = fa1.getField() and
-      uc.getIndirectionIndex() = indirectionIndex2 + numberOfLoads
-    )
+    numberOfLoadsFromOperand(fa1, operand, numberOfLoads, _) and
+    fc.getAField() = fa1.getField() and
+    getIndirectionIndexLate(fc) = indirectionIndex2 + numberOfLoads
   )
   or
   // models-as-data summarized flow
@@ -1574,7 +1567,7 @@ pragma[inline]
 ContentApprox getContentApprox(Content c) {
   exists(string prefix, Field f |
     prefix = result.(FieldApproxContent).getPrefix() and
-    f = c.(FieldContent).getField() and
+    f = c.(NonUnionFieldContent).getField() and
     fieldHasApproxName(f, prefix)
   )
   or

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -2078,38 +2078,151 @@ predicate localExprFlow(Expr e1, Expr e2) {
   localExprFlowPlus(e1, e2)
 }
 
+/**
+ * A canonical representation of a field.
+ *
+ * For performance reasons we want a unique `Content` that represents
+ * a given field across any template instantiation of a class.
+ *
+ * This is possible in _almost_ all cases, but there are cases where it is
+ * not possible to map between a field in the uninstantiated template to a
+ * field in the instantiated template. This happens in the case of local class
+ * definitions (because the local class is not the template that constructs
+ * the instantiation - it is the enclosing function). So this abstract class
+ * has two implementations: a non-local case (where we can represent a
+ * canonical field as the field declaration from an uninstantiated class
+ * template or a non-templated class), and a local case (where we simply use
+ * the field from the instantiated class).
+ */
+abstract private class CanonicalField extends Field {
+  /** Gets a field represented by this canonical field. */
+  abstract Field getAField();
+
+  /**
+   * Gets a class that declares a field represented by this canonical field.
+   */
+  abstract Class getADeclaringType();
+
+  /**
+   * Gets a type that this canonical field may have. Note that this may
+   * not be a unique type. For example, consider this case:
+   * ```
+   * template<typename T>
+   * struct S { T x; };
+   *
+   * S<int> s1;
+   * S<char> s2;
+   * ```
+   * In this case the canonical field corresponding to `S::x` has two types:
+   * `int` and `char`.
+   */
+  Type getAType() { result = this.getAField().getType() }
+
+  Type getAnUnspecifiedType() { result = this.getAType().getUnspecifiedType() }
+}
+
+private class NonLocalCanonicalField extends CanonicalField {
+  Class declaringType;
+
+  NonLocalCanonicalField() {
+    declaringType = this.getDeclaringType() and
+    not declaringType.isFromTemplateInstantiation(_) and
+    not declaringType.isLocal() // handled in LocalCanonicalField
+  }
+
+  override Field getAField() {
+    exists(Class c | result.getDeclaringType() = c |
+      // Either the declaring class of the field is a template instantiation
+      // that has been constructed from this canonical declaration
+      c.isConstructedFrom(declaringType) and
+      pragma[only_bind_out](result.getName()) = pragma[only_bind_out](this.getName())
+      or
+      // or this canonical declaration is not a template.
+      not c.isConstructedFrom(_) and
+      result = this
+    )
+  }
+
+  override Class getADeclaringType() {
+    result = this.getDeclaringType()
+    or
+    result.isConstructedFrom(this.getDeclaringType())
+  }
+}
+
+private class LocalCanonicalField extends CanonicalField {
+  Class declaringType;
+
+  LocalCanonicalField() {
+    declaringType = this.getDeclaringType() and
+    declaringType.isLocal()
+  }
+
+  override Field getAField() { result = this }
+
+  override Class getADeclaringType() { result = declaringType }
+}
+
+/**
+ * A canonical representation of a `Union`. See `CanonicalField` for the explanation for
+ * why we need a canonical representation.
+ */
+abstract private class CanonicalUnion extends Union {
+  /** Gets a union represented by this canonical union. */
+  abstract Union getAUnion();
+
+  /** Gets a canonical field of this canonical union. */
+  CanonicalField getACanonicalField() { result.getDeclaringType() = this }
+}
+
+private class NonLocalCanonicalUnion extends CanonicalUnion {
+  NonLocalCanonicalUnion() { not this.isFromTemplateInstantiation(_) and not this.isLocal() }
+
+  override Union getAUnion() {
+    result = this
+    or
+    result.isConstructedFrom(this)
+  }
+}
+
+private class LocalCanonicalUnion extends CanonicalUnion {
+  LocalCanonicalUnion() { this.isLocal() }
+
+  override Union getAUnion() { result = this }
+}
+
 bindingset[f]
 pragma[inline_late]
-private int getFieldSize(Field f) { result = f.getType().getSize() }
+private int getFieldSize(CanonicalField f) { result = max(f.getAType().getSize()) }
 
 /**
  * Gets a field in the union `u` whose size
  * is `bytes` number of bytes.
  */
-private Field getAFieldWithSize(Union u, int bytes) {
-  result = u.getAField() and
+private CanonicalField getAFieldWithSize(CanonicalUnion u, int bytes) {
+  result = u.getACanonicalField() and
   bytes = getFieldSize(result)
 }
 
 cached
 private newtype TContent =
-  TFieldContent(Field f, int indirectionIndex) {
-    // the indirection index for field content starts at 1 (because `TFieldContent` is thought of as
+  TNonUnionContent(CanonicalField f, int indirectionIndex) {
+    // the indirection index for field content starts at 1 (because `TNonUnionContent` is thought of as
     // the address of the field, `FieldAddress` in the IR).
-    indirectionIndex = [1 .. SsaImpl::getMaxIndirectionsForType(f.getUnspecifiedType())] and
+    indirectionIndex = [1 .. max(SsaImpl::getMaxIndirectionsForType(f.getAnUnspecifiedType()))] and
     // Reads and writes of union fields are tracked using `UnionContent`.
     not f.getDeclaringType() instanceof Union
   } or
-  TUnionContent(Union u, int bytes, int indirectionIndex) {
-    exists(Field f |
-      f = u.getAField() and
+  TUnionContent(CanonicalUnion u, int bytes, int indirectionIndex) {
+    exists(CanonicalField f |
+      f = u.getACanonicalField() and
       bytes = getFieldSize(f) and
       // We key `UnionContent` by the union instead of its fields since a write to one
       // field can be read by any read of the union's fields. Again, the indirection index
       // is 1-based (because 0 is considered the address).
       indirectionIndex =
         [1 .. max(SsaImpl::getMaxIndirectionsForType(getAFieldWithSize(u, bytes)
-                    .getUnspecifiedType())
+                    .getAnUnspecifiedType())
           )]
     )
   } or
@@ -2124,14 +2237,14 @@ private newtype TContent =
  */
 class Content extends TContent {
   /** Gets a textual representation of this element. */
-  abstract string toString();
+  string toString() { none() } // overridden in subclasses
 
   predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
     path = "" and sl = 0 and sc = 0 and el = 0 and ec = 0
   }
 
   /** Gets the indirection index of this `Content`. */
-  abstract int getIndirectionIndex();
+  int getIndirectionIndex() { none() } // overridden in subclasses
 
   /**
    * INTERNAL: Do not use.
@@ -2142,7 +2255,7 @@ class Content extends TContent {
    * For example, a write to a field `f` implies that any content of
    * the form `*f` is also cleared.
    */
-  abstract predicate impliesClearOf(Content c);
+  predicate impliesClearOf(Content c) { none() } // overridden in subclasses
 }
 
 /**
@@ -2162,37 +2275,62 @@ private module ContentStars {
 
 private import ContentStars
 
-/** A reference through a non-union instance field. */
+private class TFieldContent = TNonUnionContent or TUnionContent;
+
+/**
+ * A `Content` that references a `Field`. This may be a field of a `struct`,
+ * `class`, or `union`. In the case of a `union` there may be multiple fields
+ * associated with the same `Content`.
+ */
 class FieldContent extends Content, TFieldContent {
-  private Field f;
+  /** Gets a `Field` of this `Content`. */
+  Field getAField() { none() }
+
+  /**
+   * Gets the field associated with this `Content`, if a unique one exists.
+   *
+   * For fields from template instantiations this predicate may still return
+   * more than one field, but all the fields will be constructed from the same
+   * template.
+   */
+  Field getField() { none() } // overridden in subclasses
+
+  override int getIndirectionIndex() { none() } // overridden in subclasses
+
+  override string toString() { none() } // overridden in subclasses
+
+  override predicate impliesClearOf(Content c) { none() } // overridden in subclasses
+}
+
+/** A reference through a non-union instance field. */
+class NonUnionFieldContent extends FieldContent, TNonUnionContent {
+  private CanonicalField f;
   private int indirectionIndex;
 
-  FieldContent() { this = TFieldContent(f, indirectionIndex) }
+  NonUnionFieldContent() { this = TNonUnionContent(f, indirectionIndex) }
 
   override string toString() { result = contentStars(this) + f.toString() }
 
-  Field getField() { result = f }
+  final override Field getField() { result = f.getAField() }
+
+  override Field getAField() { result = this.getField() }
 
   /** Gets the indirection index of this `FieldContent`. */
-  pragma[inline]
-  override int getIndirectionIndex() {
-    pragma[only_bind_into](result) = pragma[only_bind_out](indirectionIndex)
-  }
+  override int getIndirectionIndex() { result = indirectionIndex }
 
   override predicate impliesClearOf(Content c) {
-    exists(FieldContent fc |
-      fc = c and
-      fc.getField() = f and
+    exists(int i |
+      c = TNonUnionContent(f, i) and
       // If `this` is `f` then `c` is cleared if it's of the
       // form `*f`, `**f`, etc.
-      fc.getIndirectionIndex() >= indirectionIndex
+      i >= indirectionIndex
     )
   }
 }
 
 /** A reference through an instance field of a union. */
-class UnionContent extends Content, TUnionContent {
-  private Union u;
+class UnionContent extends FieldContent, TUnionContent {
+  private CanonicalUnion u;
   private int indirectionIndex;
   private int bytes;
 
@@ -2200,27 +2338,31 @@ class UnionContent extends Content, TUnionContent {
 
   override string toString() { result = contentStars(this) + u.toString() }
 
+  final override Field getField() { result = unique( | | u.getACanonicalField()).getAField() }
+
   /** Gets a field of the underlying union of this `UnionContent`, if any. */
-  Field getAField() { result = u.getAField() and getFieldSize(result) = bytes }
-
-  /** Gets the underlying union of this `UnionContent`. */
-  Union getUnion() { result = u }
-
-  /** Gets the indirection index of this `UnionContent`. */
-  pragma[inline]
-  override int getIndirectionIndex() {
-    pragma[only_bind_into](result) = pragma[only_bind_out](indirectionIndex)
+  override Field getAField() {
+    exists(CanonicalField cf |
+      cf = u.getACanonicalField() and
+      result = cf.getAField() and
+      getFieldSize(cf) = bytes
+    )
   }
 
+  /** Gets the underlying union of this `UnionContent`. */
+  Union getUnion() { result = u.getAUnion() }
+
+  /** Gets the indirection index of this `UnionContent`. */
+  override int getIndirectionIndex() { result = indirectionIndex }
+
   override predicate impliesClearOf(Content c) {
-    exists(UnionContent uc |
-      uc = c and
-      uc.getUnion() = u and
+    exists(int i |
+      c = TUnionContent(u, _, i) and
       // If `this` is `u` then `c` is cleared if it's of the
       // form `*u`, `**u`, etc. (and we ignore `bytes` because
       // we know the entire union is overwritten because it's a
       // union).
-      uc.getIndirectionIndex() >= indirectionIndex
+      i >= indirectionIndex
     )
   }
 }
@@ -2234,10 +2376,7 @@ class ElementContent extends Content, TElementContent {
 
   ElementContent() { this = TElementContent(indirectionIndex) }
 
-  pragma[inline]
-  override int getIndirectionIndex() {
-    pragma[only_bind_into](result) = pragma[only_bind_out](indirectionIndex)
-  }
+  override int getIndirectionIndex() { result = indirectionIndex }
 
   override predicate impliesClearOf(Content c) { none() }
 

cpp/ql/lib/semmle/code/cpp/models/implementations/Memcpy.qll

@@ -12,8 +12,8 @@ import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
- * The standard functions `memcpy`, `memmove` and `bcopy`; and the gcc variant
- * `__builtin___memcpy_chk`.
+ * The standard functions `memcpy`, `memmove` and `bcopy`; and variants such as
+ * `__builtin___memcpy_chk` and `__builtin___memmove_chk`.
  */
 private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffectFunction,
   AliasFunction, NonCppThrowingFunction
@@ -27,7 +27,9 @@ private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffect
     // bcopy(src, dest, num)
     // mempcpy(dest, src, num)
     // memccpy(dest, src, c, n)
-    this.hasGlobalName(["bcopy", mempcpy(), "memccpy", "__builtin___memcpy_chk"])
+    this.hasGlobalName([
+        "bcopy", mempcpy(), "memccpy", "__builtin___memcpy_chk", "__builtin___memmove_chk"
+      ])
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll

@@ -19,7 +19,8 @@ private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, Alias
     this.hasGlobalOrStdName("wmemset")
     or
     this.hasGlobalName([
-        bzero(), "__builtin_memset", "__builtin_memset_chk", "RtlZeroMemory", "RtlSecureZeroMemory"
+        bzero(), "__builtin_memset", "__builtin_memset_chk", "__builtin___memset_chk",
+        "RtlZeroMemory", "RtlSecureZeroMemory"
       ])
   }
 
@@ -32,7 +33,7 @@ private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, Alias
       or
       this.hasGlobalOrStdName("wmemset")
       or
-      this.hasGlobalName(["__builtin_memset", "__builtin_memset_chk"])
+      this.hasGlobalName(["__builtin_memset", "__builtin_memset_chk", "__builtin___memset_chk"])
     ) and
     result = 1
   }

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll

@@ -30,7 +30,9 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
         "_mbsncat", // _mbsncat(dst, src, max_amount)
         "_mbsncat_l", // _mbsncat_l(dst, src, max_amount, locale)
         "_mbsnbcat", // _mbsnbcat(dest, src, count)
-        "_mbsnbcat_l" // _mbsnbcat_l(dest, src, count, locale)
+        "_mbsnbcat_l", // _mbsnbcat_l(dest, src, count, locale)
+        "__builtin___strcat_chk", // __builtin___strcat_chk (dest, src, magic)
+        "__builtin___strncat_chk" // __builtin___strncat_chk (dest, src, max_amount, magic)
       ])
   }
 
@@ -56,7 +58,7 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     (
-      this.getName() = ["strncat", "wcsncat", "_mbsncat", "_mbsncat_l"] and
+      this.getName() = ["strncat", "wcsncat", "_mbsncat", "_mbsncat_l", "__builtin___strncat_chk"] and
       input.isParameter(2)
       or
       this.getName() = ["_mbsncat_l", "_mbsnbcat_l"] and

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll

@@ -36,7 +36,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
         "_mbsnbcpy", // _mbsnbcpy(dest, src, max_amount)
         "stpcpy", // stpcpy(dest, src)
         "stpncpy", // stpncpy(dest, src, max_amount)
-        "strlcpy" // strlcpy(dst, src, dst_size)
+        "strlcpy", // strlcpy(dst, src, dst_size)
+        "__builtin___strcpy_chk", // __builtin___strcpy_chk (dest, src, magic)
+        "__builtin___stpcpy_chk", // __builtin___stpcpy_chk (dest, src, magic)
+        "__builtin___stpncpy_chk", // __builtin___stpncpy_chk(dest, src, max_amount, magic)
+        "__builtin___strncpy_chk" // __builtin___strncpy_chk (dest, src, max_amount, magic)
       ])
     or
     (

cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -93,6 +93,18 @@ private float wideningUpperBounds(ArithmeticType t) {
   result = 1.0 / 0.0 // +Inf
 }
 
+/** Gets the widened lower bound for a given type and lower bound. */
+bindingset[type, lb]
+float widenLowerBound(Type type, float lb) {
+  result = max(float widenLB | widenLB = wideningLowerBounds(type) and widenLB <= lb | widenLB)
+}
+
+/** Gets the widened upper bound for a given type and upper bound. */
+bindingset[type, ub]
+float widenUpperBound(Type type, float ub) {
+  result = min(float widenUB | widenUB = wideningUpperBounds(type) and widenUB >= ub | widenUB)
+}
+
 /**
  * Gets the value of the expression `e`, if it is a constant.
  * This predicate also handles the case of constant variables initialized in different
@@ -504,6 +516,336 @@ private predicate isRecursiveExpr(Expr e) {
   )
 }
 
+/**
+ * Provides predicates that estimate the number of bounds that the range
+ * analysis might produce.
+ */
+private module BoundsEstimate {
+  /**
+   * Gets the limit beyond which we enable widening. That is, if the estimated
+   * number of bounds exceeds this limit, we enable widening such that the limit
+   * will not be reached.
+   */
+  float getBoundsLimit() {
+    // This limit is arbitrary, but low enough that it prevents timeouts on
+    // specific observed customer databases (and the in the tests).
+    result = 2.0.pow(40)
+  }
+
+  /** Gets the maximum number of bounds possible for `t` when widening is used. */
+  private int getNrOfWideningBounds(ArithmeticType t) {
+    result = strictcount(wideningLowerBounds(t)).maximum(strictcount(wideningUpperBounds(t)))
+  }
+
+  /**
+   * Holds if `boundFromGuard(guard, v, _, branch)` holds, but without
+   * relying on range analysis (which would cause non-monotonic recursion
+   * elsewhere).
+   */
+  private predicate hasBoundFromGuard(Expr guard, VariableAccess v, boolean branch) {
+    exists(Expr lhs | linearAccess(lhs, v, _, _) |
+      relOpWithSwapAndNegate(guard, lhs, _, _, _, branch)
+      or
+      eqOpWithSwapAndNegate(guard, lhs, _, true, branch)
+      or
+      eqZeroWithNegate(guard, lhs, true, branch)
+    )
+  }
+
+  /** Holds if `def` is a guard phi node for `v` with a bound from a guard. */
+  predicate isGuardPhiWithBound(RangeSsaDefinition def, StackVariable v, VariableAccess access) {
+    exists(Expr guard, boolean branch |
+      def.isGuardPhi(v, access, guard, branch) and
+      hasBoundFromGuard(guard, access, branch)
+    )
+  }
+
+  /**
+   * Gets the number of bounds for `def` when `def` is a guard phi node for the
+   * variable `v`.
+   */
+  language[monotonicAggregates]
+  private float nrOfBoundsPhiGuard(RangeSsaDefinition def, StackVariable v) {
+    // If we have
+    //
+    //   if (x < c) { e1 }
+    //   e2
+    //
+    // then `e2` is both a guard phi node (guarded by `x < c`) and a normal
+    // phi node (control is merged after the `if` statement).
+    //
+    // Assume `x` has `n` bounds. Then `n` bounds are propagated to the guard
+    // phi node `{ e1 }` and, since `{ e1 }` is input to `e2` as a normal phi
+    // node, `n` bounds are propagated to `e2`. If we also propagate the `n`
+    // bounds to `e2` as a guard phi node, then we square the number of
+    // bounds.
+    //
+    // However in practice `x < c` is going to cut down the number of bounds:
+    // The tracked bounds can't flow to both branches as that would require
+    // them to simultaneously be greater and smaller than `c`. To approximate
+    // this better, the contribution from a guard phi node that is also a
+    // normal phi node is 1.
+    exists(def.getAPhiInput(v)) and
+    isGuardPhiWithBound(def, v, _) and
+    result = 1
+    or
+    not exists(def.getAPhiInput(v)) and
+    // If there's different `access`es, then they refer to the same variable
+    // with the same lower bounds. Hence adding these guards make no sense (the
+    // implementation will take the union, but they'll be removed by
+    // deduplication). Hence we use `max` as an approximation.
+    result =
+      max(VariableAccess access | isGuardPhiWithBound(def, v, access) | nrOfBoundsExpr(access))
+    or
+    def.isPhiNode(v) and
+    not isGuardPhiWithBound(def, v, _) and
+    result = 0
+  }
+
+  /**
+   * Gets the number of bounds for `def` when `def` is a normal phi node for the
+   * variable `v`.
+   */
+  language[monotonicAggregates]
+  private float nrOfBoundsPhiNormal(RangeSsaDefinition def, StackVariable v) {
+    result =
+      strictsum(RangeSsaDefinition inputDef |
+        inputDef = def.getAPhiInput(v)
+      |
+        nrOfBoundsDef(inputDef, v)
+      )
+    or
+    def.isPhiNode(v) and
+    not exists(def.getAPhiInput(v)) and
+    result = 0
+  }
+
+  /**
+   * Gets the number of bounds for `def` when `def` is an NE phi node for the
+   * variable `v`.
+   */
+  language[monotonicAggregates]
+  float nrOfBoundsNEPhi(RangeSsaDefinition def, StackVariable v) {
+    // If there's different `access`es, then they refer to the same variable
+    // with the same lower bounds. Hence adding these guards make no sense (the
+    // implementation will take the union, but they'll be removed by
+    // deduplication). Hence we use `max` as an approximation.
+    result = max(VariableAccess access | isNEPhi(v, def, access, _) | nrOfBoundsExpr(access))
+    or
+    def.isPhiNode(v) and
+    not isNEPhi(v, def, _, _) and
+    result = 0
+  }
+
+  /**
+   * Gets the number of bounds for `def` when `def` is an unsupported guard phi
+   * node for the variable `v`.
+   */
+  language[monotonicAggregates]
+  private float nrOfBoundsUnsupportedGuardPhi(RangeSsaDefinition def, StackVariable v) {
+    // If there's different `access`es, then they refer to the same variable
+    // with the same lower bounds. Hence adding these guards make no sense (the
+    // implementation will take the union, but they'll be removed by
+    // deduplication). Hence we use `max` as an approximation.
+    result =
+      max(VariableAccess access | isUnsupportedGuardPhi(v, def, access) | nrOfBoundsExpr(access))
+    or
+    def.isPhiNode(v) and
+    not isUnsupportedGuardPhi(v, def, _) and
+    result = 0
+  }
+
+  private float nrOfBoundsPhi(RangeSsaDefinition def, StackVariable v) {
+    // The cases for phi nodes are not mutually exclusive. For instance a phi
+    // node can be both a guard phi node and a normal phi node. To handle this
+    // we sum the contributions from the different cases.
+    result =
+      nrOfBoundsPhiGuard(def, v) + nrOfBoundsPhiNormal(def, v) + nrOfBoundsNEPhi(def, v) +
+        nrOfBoundsUnsupportedGuardPhi(def, v)
+  }
+
+  /** Gets the estimated number of bounds for `def` and `v`. */
+  float nrOfBoundsDef(RangeSsaDefinition def, StackVariable v) {
+    // Recursive definitions are already widened, so we simply estimate them as
+    // having the number of widening bounds available. This is crucial as it
+    // ensures that we don't follow recursive cycles when calculating the
+    // estimate. Had that not been the case the estimate itself would be at risk
+    // of causing performance issues and being non-functional.
+    if isRecursiveDef(def, v)
+    then result = getNrOfWideningBounds(getVariableRangeType(v))
+    else (
+      // Definitions with a defining value
+      exists(Expr defExpr | assignmentDef(def, v, defExpr) and result = nrOfBoundsExpr(defExpr))
+      or
+      // Assignment operations with a defining value
+      exists(AssignOperation assignOp |
+        def = assignOp and
+        assignOp.getLValue() = v.getAnAccess() and
+        result = nrOfBoundsExpr(assignOp)
+      )
+      or
+      // Phi nodes
+      result = nrOfBoundsPhi(def, v)
+      or
+      unanalyzableDefBounds(def, v, _, _) and result = 1
+    )
+  }
+
+  /**
+   * Gets a naive estimate of the number of bounds for `e`.
+   *
+   * The estimate is like an abstract interpretation of the range analysis,
+   * where the abstract value is the number of bounds. For instance,
+   * `nrOfBoundsExpr(12) = 1` and `nrOfBoundsExpr(x + y) = nrOfBoundsExpr(x) *
+   * nrOfBoundsExpr(y)`.
+   *
+   * The estimated number of bounds will usually be greater than the actual
+   * number of bounds, as the estimate can not detect cases where bounds are cut
+   * down when tracked precisely. For instance, in
+   * ```c
+   * int x = 1;
+   * if (cond) { x = 1; }
+   * int y = x + x;
+   * ```
+   * the actual number of bounds for `y` is 1. However, the estimate will be 4
+   * as the conditional assignment to `x` gives two bounds for `x` on the last
+   * line and the addition gives 2 * 2 bounds. There are two sources of inaccuracies:
+   *
+   * 1. Without tracking the lower bounds we can't see that `x` is assigned a
+   * value that is equal to its lower bound.
+   * 2. Had the conditional assignment been `x = 2` then the estimate of two
+   * bounds for `x` would have been correct. However, the estimate of 4 for `y`
+   * would still be incorrect. Summing the actual bounds `{1,2}` with itself
+   * gives `{2,3,4}` which is only three bounds. Again, we can't realise this
+   * without tracking the bounds.
+   *
+   * Since these inaccuracies compound the estimated number of bounds can often
+   * be _much_ greater than the actual number of bounds. Do note though that the
+   * estimate is not _guaranteed_ to be an upper bound. In some cases the
+   * approximations might underestimate the number of bounds.
+   *
+   * This predicate is functional. This is crucial as:
+   *
+   * - It ensures that the computing the estimate itself is fast.
+   * - Our use of monotonic aggregates assumes functionality.
+   *
+   * Any non-functional case should be considered a bug.
+   */
+  float nrOfBoundsExpr(Expr e) {
+    // Similarly to what we do for definitions, we do not attempt to measure the
+    // number of bounds for recursive expressions.
+    if isRecursiveExpr(e)
+    then result = getNrOfWideningBounds(e.getUnspecifiedType())
+    else
+      if analyzableExpr(e)
+      then
+        // The cases here are an abstraction of and mirrors the cases inside
+        // `getLowerBoundsImpl`/`getUpperBoundsImpl`.
+        result = 1 and exists(getValue(e).toFloat())
+        or
+        exists(Expr operand | result = nrOfBoundsExpr(operand) |
+          effectivelyMultipliesByPositive(e, operand, _)
+          or
+          effectivelyMultipliesByNegative(e, operand, _)
+        )
+        or
+        exists(ConditionalExpr condExpr |
+          e = condExpr and
+          result = nrOfBoundsExpr(condExpr.getThen()) * nrOfBoundsExpr(condExpr.getElse())
+        )
+        or
+        exists(BinaryOperation binop |
+          e = binop and
+          result = nrOfBoundsExpr(binop.getLeftOperand()) * nrOfBoundsExpr(binop.getRightOperand())
+        |
+          e instanceof MaxExpr or
+          e instanceof MinExpr or
+          e instanceof AddExpr or
+          e instanceof SubExpr or
+          e instanceof UnsignedMulExpr or
+          e instanceof UnsignedBitwiseAndExpr
+        )
+        or
+        exists(AssignExpr assign | e = assign and result = nrOfBoundsExpr(assign.getRValue()))
+        or
+        exists(AssignArithmeticOperation assignOp |
+          e = assignOp and
+          result = nrOfBoundsExpr(assignOp.getLValue()) * nrOfBoundsExpr(assignOp.getRValue())
+        |
+          e instanceof AssignAddExpr or
+          e instanceof AssignSubExpr or
+          e instanceof UnsignedAssignMulExpr
+        )
+        or
+        // Handles `AssignMulByPositiveConstantExpr` and `AssignMulByNegativeConstantExpr`
+        exists(AssignMulByConstantExpr mulExpr |
+          e = mulExpr and
+          result = nrOfBoundsExpr(mulExpr.getLValue())
+        )
+        or
+        // Handles the prefix and postfix increment and decrement operators.
+        exists(CrementOperation crementOp |
+          e = crementOp and result = nrOfBoundsExpr(crementOp.getOperand())
+        )
+        or
+        exists(RemExpr remExpr | e = remExpr | result = nrOfBoundsExpr(remExpr.getRightOperand()))
+        or
+        exists(Conversion convExpr |
+          e = convExpr and
+          if convExpr.getUnspecifiedType() instanceof BoolType
+          then result = 1
+          else result = nrOfBoundsExpr(convExpr.getExpr())
+        )
+        or
+        exists(RangeSsaDefinition def, StackVariable v |
+          e = def.getAUse(v) and
+          result = nrOfBoundsDef(def, v) and
+          // Avoid returning two numbers when `e` is a use with a constant value.
+          not exists(getValue(e).toFloat())
+        )
+        or
+        exists(RShiftExpr rsExpr |
+          e = rsExpr and
+          exists(getValue(rsExpr.getRightOperand().getFullyConverted()).toInt()) and
+          result = nrOfBoundsExpr(rsExpr.getLeftOperand())
+        )
+      else (
+        exists(exprMinVal(e)) and result = 1
+      )
+  }
+}
+
+/**
+ * Holds if `v` is a variable for which widening should be used, as otherwise a
+ * very large number of bounds might be generated during the range analysis for
+ * `v`.
+ */
+private predicate varHasTooManyBounds(StackVariable v) {
+  exists(RangeSsaDefinition def |
+    def.getAVariable() = v and
+    BoundsEstimate::nrOfBoundsDef(def, v) > BoundsEstimate::getBoundsLimit()
+  )
+}
+
+/**
+ * Holds if `e` is an expression for which widening should be used, as otherwise
+ * a very large number of bounds might be generated during the range analysis
+ * for `e`.
+ */
+private predicate exprHasTooManyBounds(Expr e) {
+  BoundsEstimate::nrOfBoundsExpr(e) > BoundsEstimate::getBoundsLimit()
+  or
+  // A subexpressions of an expression with too many bounds may itself not have
+  // to many bounds. For instance, `x + y` can have too many bounds without `x`
+  // having as well. But in these cases, still want to consider `e` as having
+  // too many bounds since:
+  // - The overall result is widened anyway, so widening `e` as well is unlikely
+  //   to cause further precision loss.
+  // - The number of bounds could be very large but still below the arbitrary
+  //   limit. Hence widening `e` can improve performance.
+  exists(Expr pe | exprHasTooManyBounds(pe) and e.getParent() = pe)
+}
+
 /**
  * Holds if `binop` is a binary operation that's likely to be assigned a
  * quadratic (or more) number of candidate bounds during the analysis. This can
@@ -654,13 +996,8 @@ private float getTruncatedLowerBounds(Expr expr) {
     if exprMinVal(expr) <= newLB and newLB <= exprMaxVal(expr)
     then
       // Apply widening where we might get a combinatorial explosion.
-      if isRecursiveBinary(expr)
-      then
-        result =
-          max(float widenLB |
-            widenLB = wideningLowerBounds(expr.getUnspecifiedType()) and
-            not widenLB > newLB
-          )
+      if isRecursiveBinary(expr) or exprHasTooManyBounds(expr)
+      then result = widenLowerBound(expr.getUnspecifiedType(), newLB)
       else result = newLB
     else result = exprMinVal(expr)
   ) and
@@ -713,13 +1050,8 @@ private float getTruncatedUpperBounds(Expr expr) {
         if exprMinVal(expr) <= newUB and newUB <= exprMaxVal(expr)
         then
           // Apply widening where we might get a combinatorial explosion.
-          if isRecursiveBinary(expr)
-          then
-            result =
-              min(float widenUB |
-                widenUB = wideningUpperBounds(expr.getUnspecifiedType()) and
-                not widenUB < newUB
-              )
+          if isRecursiveBinary(expr) or exprHasTooManyBounds(expr)
+          then result = widenUpperBound(expr.getUnspecifiedType(), newUB)
           else result = newUB
         else result = exprMaxVal(expr)
       )
@@ -1796,18 +2128,12 @@ module SimpleRangeAnalysisInternal {
     |
       // Widening: check whether the new lower bound is from a source which
       // depends recursively on the current definition.
-      if isRecursiveDef(def, v)
+      if isRecursiveDef(def, v) or varHasTooManyBounds(v)
       then
         // The new lower bound is from a recursive source, so we round
         // down to one of a limited set of values to prevent the
         // recursion from exploding.
-        result =
-          max(float widenLB |
-            widenLB = wideningLowerBounds(getVariableRangeType(v)) and
-            not widenLB > truncatedLB
-          |
-            widenLB
-          )
+        result = widenLowerBound(getVariableRangeType(v), truncatedLB)
       else result = truncatedLB
     )
     or
@@ -1826,18 +2152,12 @@ module SimpleRangeAnalysisInternal {
     |
       // Widening: check whether the new upper bound is from a source which
       // depends recursively on the current definition.
-      if isRecursiveDef(def, v)
+      if isRecursiveDef(def, v) or varHasTooManyBounds(v)
       then
         // The new upper bound is from a recursive source, so we round
         // up to one of a fixed set of values to prevent the recursion
         // from exploding.
-        result =
-          min(float widenUB |
-            widenUB = wideningUpperBounds(getVariableRangeType(v)) and
-            not widenUB < truncatedUB
-          |
-            widenUB
-          )
+        result = widenUpperBound(getVariableRangeType(v), truncatedUB)
       else result = truncatedUB
     )
     or
@@ -1845,4 +2165,60 @@ module SimpleRangeAnalysisInternal {
     // bound is `typeUpperBound`.
     defMightOverflowNegatively(def, v) and result = varMaxVal(v)
   }
+
+  /** Gets the estimate of the number of bounds for `e`. */
+  float estimateNrOfBounds(Expr e) { result = BoundsEstimate::nrOfBoundsExpr(e) }
+}
+
+/** Provides predicates for debugging the simple range analysis library. */
+private module Debug {
+  Locatable getRelevantLocatable() {
+    exists(string filepath, int startline |
+      result.getLocation().hasLocationInfo(filepath, startline, _, _, _) and
+      filepath.matches("%/test.c") and
+      startline = [621 .. 639]
+    )
+  }
+
+  float debugGetLowerBoundsImpl(Expr e) {
+    e = getRelevantLocatable() and
+    result = getLowerBoundsImpl(e)
+  }
+
+  float debugGetUpperBoundsImpl(Expr e) {
+    e = getRelevantLocatable() and
+    result = getUpperBoundsImpl(e)
+  }
+
+  /**
+   * Counts the number of lower bounds for a given expression. This predicate is
+   * useful for identifying performance issues in the range analysis.
+   */
+  predicate countGetLowerBoundsImpl(Expr e, int n) {
+    e = getRelevantLocatable() and
+    n = strictcount(float lb | lb = getLowerBoundsImpl(e) | lb)
+  }
+
+  float debugNrOfBounds(Expr e) {
+    e = getRelevantLocatable() and
+    result = BoundsEstimate::nrOfBoundsExpr(e)
+  }
+
+  /**
+   * Finds any expressions for which `nrOfBounds` is not functional. The result
+   * should be empty, so this predicate is useful to debug non-functional cases.
+   */
+  int nonFunctionalNrOfBounds(Expr e) {
+    strictcount(BoundsEstimate::nrOfBoundsExpr(e)) > 1 and
+    result = BoundsEstimate::nrOfBoundsExpr(e)
+  }
+
+  /**
+   * Holds if `e` is an expression that has a lower bound, but where
+   * `nrOfBounds` does not compute an estimate.
+   */
+  predicate missingNrOfBounds(Expr e, float n) {
+    n = lowerBound(e) and
+    not exists(BoundsEstimate::nrOfBoundsExpr(e))
+  }
 }

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -1,3 +1,4 @@
+
 /*- Compilations -*/
 
 /**
@@ -47,6 +48,19 @@ compilation_args(
     string arg : string ref
 );
 
+/**
+ * The expanded arguments that were passed to the extractor for a
+ * compiler invocation. This is similar to `compilation_args`, but
+ * for a `@someFile` argument, it includes the arguments from that
+ * file, rather than just taking the argument literally.
+ */
+#keyset[id, num]
+compilation_expanded_args(
+    int id : @compilation ref,
+    int num : int ref,
+    string arg : string ref
+);
+
 /**
  * Optionally, record the build mode for each compilation.
  */
@@ -1327,7 +1341,8 @@ specialnamequalifyingelements(
 @namequalifiableelement = @expr | @namequalifier;
 @namequalifyingelement = @namespace
                        | @specialnamequalifyingelement
-                       | @usertype;
+                       | @usertype
+                       | @decltype;
 
 namequalifiers(
     unique int id: @namequalifier,
@@ -2364,6 +2379,24 @@ link_parent(
     int link_target : @link_target ref
 );
 
+/**
+ * The CLI will automatically emit applicable tuples for this table,
+ * such as `databaseMetadata("isOverlay", "true")` when building an
+ * overlay database.
+ */
+databaseMetadata(
+  string metadataKey: string ref,
+  string value: string ref
+);
+
+/**
+ * The CLI will automatically emit tuples for each new/modified/deleted file
+ * when building an overlay database.
+ */
+overlayChangedFiles(
+  string path: string ref
+);
+
 /*- XML Files -*/
 
 xmlEncoding(

cpp/ql/lib/upgrades/1a6854060d5d3ada16c580a29f8c5ce21f3367f8/upgrade.properties

@@ -0,0 +1,2 @@
+description: Add databaseMetadata and overlayChangedFiles relations
+compatibility: full

cpp/ql/lib/upgrades/2121ffec11fac265524955fee1775217364d4ca4/upgrade.properties

@@ -0,0 +1,2 @@
+description: Support expanded compilation argument lists
+compatibility: backwards

cpp/ql/lib/upgrades/c16b29b27f71247023321cc0d0360998b318837c/upgrade.properties

@@ -0,0 +1,2 @@
+description: Fix decltype qualifier issue
+compatibility: full

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 1.5.6
+
+No user-facing changes.
+
+## 1.5.5
+
+No user-facing changes.
+
+## 1.5.4
+
+No user-facing changes.
+
 ## 1.5.3
 
 No user-facing changes.

cpp/ql/src/change-notes/released/1.5.4.md

@@ -0,0 +1,3 @@
+## 1.5.4
+
+No user-facing changes.

cpp/ql/src/change-notes/released/1.5.5.md

@@ -0,0 +1,3 @@
+## 1.5.5
+
+No user-facing changes.

cpp/ql/src/change-notes/released/1.5.6.md

@@ -0,0 +1,3 @@
+## 1.5.6
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.3
+lastReleaseVersion: 1.5.6

cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql

@@ -1,5 +1,5 @@
 /**
- * @name Dangerous use convert function.
+ * @name Dangerous use convert function
  * @description Using convert function with an invalid length argument can result in an out-of-bounds access error or unexpected result.
  * @kind problem
  * @id cpp/dangerous-use-convert-function

cpp/ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql

@@ -1,5 +1,5 @@
 /**
- * @name Dangerous use of transformation after operation.
+ * @name Dangerous use of transformation after operation
  * @description By using the transformation after the operation, you are doing a pointless and dangerous action.
  * @kind problem
  * @id cpp/dangerous-use-of-transformation-after-operation

cpp/ql/src/experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql

@@ -1,5 +1,5 @@
 /**
- * @name Writing to a file without setting permissions.
+ * @name Writing to a file without setting permissions
  * @description Lack of restriction on file access rights can be unsafe.
  * @kind problem
  * @id cpp/work-with-file-without-permissions-rights

cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql

@@ -1,5 +1,5 @@
 /**
- * @name Find work with changing working directories, with security errors.
+ * @name Find work with changing working directories, with security errors
  * @description Not validating the return value or pinning the directory can be unsafe.
  * @kind problem
  * @id cpp/work-with-changing-working-directories

cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql

@@ -1,5 +1,5 @@
 /**
- * @name Find the wrong use of the umask function.
+ * @name Find the wrong use of the umask function
  * @description Incorrectly evaluated argument to the umask function may have security implications.
  * @kind problem
  * @id cpp/wrong-use-of-the-umask

cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql

@@ -1,5 +1,5 @@
 /**
- * @name Insecure generation of filenames.
+ * @name Insecure generation of filenames
  * @description Using a predictable filename when creating a temporary file can lead to an attacker-controlled input.
  * @kind problem
  * @id cpp/insecure-generation-of-filename

cpp/ql/src/experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql

@@ -1,5 +1,5 @@
 /**
- * @name Dangerous use of exception blocks.
+ * @name Dangerous use of exception blocks
  * @description When clearing the data in the catch block, you must be sure that the memory was allocated before the exception.
  * @kind problem
  * @id cpp/dangerous-use-of-exception-blocks

cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql

@@ -1,5 +1,5 @@
 /**
- * @name Dangerous use SSL_shutdown.
+ * @name Dangerous use SSL_shutdown
  * @description Incorrect closing of the connection leads to the creation of different states for the server and client, which can be exploited by an attacker.
  * @kind problem
  * @id cpp/dangerous-use-of-ssl-shutdown

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.3
+version: 1.5.6
 groups:
   - cpp
   - queries

cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql

@@ -1,5 +1,5 @@
 /**
- * @name Capture content based summary models.
+ * @name Capture content based summary models
  * @description Finds applicable content based summary models to be used by other queries.
  * @kind diagnostic
  * @id cpp/utils/modelgenerator/contentbased-summary-models

cpp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql

@@ -1,5 +1,5 @@
 /**
- * @name Capture neutral models.
+ * @name Capture neutral models
  * @description Finds neutral models to be used by other queries.
  * @kind diagnostic
  * @id cpp/utils/modelgenerator/neutral-models

cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql

@@ -1,5 +1,5 @@
 /**
- * @name Capture sink models.
+ * @name Capture sink models
  * @description Finds public methods that act as sinks as they flow into a known sink.
  * @kind diagnostic
  * @id cpp/utils/modelgenerator/sink-models

cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql

@@ -1,5 +1,5 @@
 /**
- * @name Capture source models.
+ * @name Capture source models
  * @description Finds APIs that act as sources as they expose already known sources.
  * @kind diagnostic
  * @id cpp/utils/modelgenerator/source-models

cpp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql

@@ -1,5 +1,5 @@
 /**
- * @name Capture summary models.
+ * @name Capture summary models
  * @description Finds applicable summary models to be used by other queries.
  * @kind diagnostic
  * @id cpp/utils/modelgenerator/summary-models

cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -190,7 +190,7 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Cpp::Lo
   predicate isRelevantType(Type t) { any() }
 
   Type getUnderlyingContentType(DataFlow::ContentSet c) {
-    result = c.(DataFlow::FieldContent).getField().getUnspecifiedType() or
+    result = c.(DataFlow::NonUnionFieldContent).getField().getUnspecifiedType() or
     result = c.(DataFlow::UnionContent).getUnion().getUnspecifiedType()
   }
 
@@ -340,12 +340,7 @@ private module SummaryModelGeneratorInput implements SummaryModelGeneratorInputS
     )
   }
 
-  predicate isField(DataFlow::ContentSet cs) {
-    exists(DataFlow::Content c | cs.isSingleton(c) |
-      c instanceof DataFlow::FieldContent or
-      c instanceof DataFlow::UnionContent
-    )
-  }
+  predicate isField(DataFlow::ContentSet cs) { cs.isSingleton(any(DataFlow::FieldContent fc)) }
 
   predicate isCallback(DataFlow::ContentSet c) { none() }
 

cpp/ql/test/library-tests/attributes/deprecated_with_msg/deprecated_with_msg.expected

@@ -1,4 +1,2 @@
 | clang421.c:1:12:1:19 | clang421 | 0 |
 | clang450.c:1:12:1:19 | clang450 | 1 |
-| gcc421.c:1:12:1:17 | gcc421 | 0 |
-| gcc450.c:1:12:1:17 | gcc450 | 1 |

cpp/ql/test/library-tests/attributes/deprecated_with_msg/gcc421.c

@@ -1,2 +0,0 @@
-static int gcc421 = __has_feature(attribute_deprecated_with_message);
-// semmle-extractor-options: --gnu_version 40201

cpp/ql/test/library-tests/attributes/deprecated_with_msg/gcc450.c

@@ -1,2 +0,0 @@
-static int gcc450 = __has_feature(attribute_deprecated_with_message);
-// semmle-extractor-options: --gnu_version 40500

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -30,13 +30,14 @@ models
 | 29 | Summary: ; ; false; RtlMoveMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
 | 30 | Summary: ; ; false; RtlMoveVolatileMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
 | 31 | Summary: ; ; false; callWithArgument; ; ; Argument[1]; Argument[0].Parameter[0]; value; manual |
-| 32 | Summary: ; ; false; pthread_create; ; ; Argument[@3]; Argument[2].Parameter[@0]; value; manual |
-| 33 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
-| 34 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
-| 35 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
-| 36 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
+| 32 | Summary: ; ; false; callWithNonTypeTemplate<T>; (const T &); ; Argument[*0]; ReturnValue; value; manual |
+| 33 | Summary: ; ; false; pthread_create; ; ; Argument[@3]; Argument[2].Parameter[@0]; value; manual |
+| 34 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
+| 35 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
+| 36 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
+| 37 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
 edges
-| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:36 |
+| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:37 |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:17  |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:17 Sink:MaD:2 |
 | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction |
@@ -45,10 +46,10 @@ edges
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance |  |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:2 |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:36 |
-| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:34 |
-| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:33 |
-| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:35 |
+| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:37 |
+| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:35 |
+| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:34 |
+| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:36 |
 | test.cpp:7:47:7:52 | value2 | test.cpp:7:64:7:69 | value2 | provenance |  |
 | test.cpp:7:64:7:69 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | provenance |  |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:10:10:10:18 | call to ymlSource | provenance | Src:MaD:16  |
@@ -60,15 +61,15 @@ edges
 | test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:17:10:17:22 | call to ymlStepManual | provenance |  |
 | test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:18:10:18:10 | y | provenance | Sink:MaD:1 |
 | test.cpp:17:24:17:24 | x | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | provenance |  |
-| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:34 |
+| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:35 |
 | test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance |  |
 | test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:22:10:22:10 | z | provenance | Sink:MaD:1 |
 | test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | provenance |  |
-| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:33 |
+| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:34 |
 | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance |  |
 | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:26:10:26:11 | y2 | provenance | Sink:MaD:1 |
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | provenance |  |
-| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:35 |
+| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:36 |
 | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | provenance |  |
 | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:33:10:33:11 | z2 | provenance | Sink:MaD:1 |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | provenance |  |
@@ -76,7 +77,7 @@ edges
 | test.cpp:46:30:46:32 | *arg [x] | test.cpp:47:12:47:19 | *arg [x] | provenance |  |
 | test.cpp:47:12:47:19 | *arg [x] | test.cpp:48:13:48:13 | *s [x] | provenance |  |
 | test.cpp:48:13:48:13 | *s [x] | test.cpp:48:16:48:16 | x | provenance | Sink:MaD:1 |
-| test.cpp:52:5:52:18 | [summary param] *3 in pthread_create [x] | test.cpp:52:5:52:18 | [summary] to write: Argument[2].Parameter[*0] in pthread_create [x] | provenance | MaD:32 |
+| test.cpp:52:5:52:18 | [summary param] *3 in pthread_create [x] | test.cpp:52:5:52:18 | [summary] to write: Argument[2].Parameter[*0] in pthread_create [x] | provenance | MaD:33 |
 | test.cpp:52:5:52:18 | [summary] to write: Argument[2].Parameter[*0] in pthread_create [x] | test.cpp:46:30:46:32 | *arg [x] | provenance |  |
 | test.cpp:56:2:56:2 | *s [post update] [x] | test.cpp:59:55:59:64 | *& ... [x] | provenance |  |
 | test.cpp:56:2:56:18 | ... = ... | test.cpp:56:2:56:2 | *s [post update] [x] | provenance |  |
@@ -103,6 +104,13 @@ edges
 | test.cpp:101:26:101:26 | x | test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | provenance |  |
 | test.cpp:103:63:103:63 | x | test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | provenance |  |
 | test.cpp:104:62:104:62 | x | test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | provenance |  |
+| test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | test.cpp:111:3:111:25 | [summary] to write: ReturnValue in callWithNonTypeTemplate | provenance | MaD:32 |
+| test.cpp:114:10:114:18 | call to ymlSource | test.cpp:114:10:114:18 | call to ymlSource | provenance | Src:MaD:16  |
+| test.cpp:114:10:114:18 | call to ymlSource | test.cpp:118:44:118:44 | *x | provenance |  |
+| test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | provenance |  |
+| test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | test.cpp:119:10:119:11 | y2 | provenance | Sink:MaD:1 |
+| test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | provenance |  |
+| test.cpp:118:44:118:44 | *x | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | provenance | MaD:32 |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:18 |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:3  |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance |  |
@@ -314,6 +322,14 @@ nodes
 | test.cpp:101:26:101:26 | x | semmle.label | x |
 | test.cpp:103:63:103:63 | x | semmle.label | x |
 | test.cpp:104:62:104:62 | x | semmle.label | x |
+| test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | semmle.label | [summary param] *0 in callWithNonTypeTemplate |
+| test.cpp:111:3:111:25 | [summary] to write: ReturnValue in callWithNonTypeTemplate | semmle.label | [summary] to write: ReturnValue in callWithNonTypeTemplate |
+| test.cpp:114:10:114:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:114:10:114:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | semmle.label | call to callWithNonTypeTemplate |
+| test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | semmle.label | call to callWithNonTypeTemplate |
+| test.cpp:118:44:118:44 | *x | semmle.label | *x |
+| test.cpp:119:10:119:11 | y2 | semmle.label | y2 |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | semmle.label | [summary param] *0 in CommandLineToArgvA |
 | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | semmle.label | [summary] to write: ReturnValue[**] in CommandLineToArgvA |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |
@@ -472,6 +488,7 @@ subpaths
 | test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated |
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
+| test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | test.cpp:111:3:111:25 | [summary] to write: ReturnValue in callWithNonTypeTemplate | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |
 | windows.cpp:537:40:537:41 | *& ... | windows.cpp:473:17:473:37 | [summary param] *1 in RtlCopyVolatileMemory | windows.cpp:473:17:473:37 | [summary param] *0 in RtlCopyVolatileMemory [Return] | windows.cpp:537:27:537:37 | RtlCopyVolatileMemory output argument |
 | windows.cpp:542:38:542:39 | *& ... | windows.cpp:479:17:479:35 | [summary param] *1 in RtlCopyDeviceMemory | windows.cpp:479:17:479:35 | [summary param] *0 in RtlCopyDeviceMemory [Return] | windows.cpp:542:25:542:35 | RtlCopyDeviceMemory output argument |

cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml

@@ -17,4 +17,5 @@ extensions:
       - ["", "", False, "ymlStepGenerated", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
       - ["", "", False, "ymlStepManual_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["", "", False, "ymlStepGenerated_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
-      - ["", "", False, "callWithArgument", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]
+      - ["", "", False, "callWithArgument", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]
+      - ["", "", False, "callWithNonTypeTemplate<T>", "(const T &)", "", "Argument[*0]", "ReturnValue", "value", "manual"]

cpp/ql/test/library-tests/dataflow/external-models/sinks.expected

@@ -13,3 +13,5 @@
 | test.cpp:75:11:75:11 | y | test-sink |
 | test.cpp:83:11:83:11 | y | test-sink |
 | test.cpp:89:11:89:11 | y | test-sink |
+| test.cpp:116:10:116:11 | y1 | test-sink |
+| test.cpp:119:10:119:11 | y2 | test-sink |

cpp/ql/test/library-tests/dataflow/external-models/sources.expected

@@ -2,6 +2,7 @@
 | test.cpp:10:10:10:18 | call to ymlSource | local |
 | test.cpp:56:8:56:16 | call to ymlSource | local |
 | test.cpp:94:10:94:18 | call to ymlSource | local |
+| test.cpp:114:10:114:18 | call to ymlSource | local |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | local |
 | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | local |
 | windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | local |

cpp/ql/test/library-tests/dataflow/external-models/test.cpp

@@ -102,4 +102,19 @@ void test_callWithArgument() {
 	}
 	callWithArgument(StructWithOperatorCall_has_constructor_2(), x);
 	callWithArgument(StructWithOperatorCall_no_constructor_2(), x);
-}
+}
+
+template<int N, typename T>
+T callWithNonTypeTemplate(const T&);
+
+template<typename T, int N>
+T callWithNonTypeTemplate(const T&);
+
+void test_callWithNonTypeTemplate() {
+	int x = ymlSource();
+	int y1 = callWithNonTypeTemplate<10, int>(x);
+	ymlSink(y1); // $ MISSING: ir
+
+	int y2 = callWithNonTypeTemplate<int, 10>(x);
+	ymlSink(y2); // $ ir
+}

cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected

@@ -142,6 +142,7 @@ postWithInFlow
 | simple.cpp:92:7:92:7 | i [post update] | PostUpdateNode should not be the target of local flow. |
 | simple.cpp:118:7:118:7 | i [post update] | PostUpdateNode should not be the target of local flow. |
 | simple.cpp:124:5:124:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| simple.cpp:167:9:167:9 | x [post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition

cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected

@@ -308,3 +308,5 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (par
 | simple.cpp:124:5:124:6 | * ... | AST only |
 | simple.cpp:131:14:131:14 | a | IR only |
 | simple.cpp:136:10:136:10 | a | IR only |
+| simple.cpp:167:9:167:9 | x | AST only |
+| simple.cpp:168:8:168:12 | u_int | IR only |

cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected

@@ -670,6 +670,8 @@
 | simple.cpp:131:14:131:14 | a |
 | simple.cpp:135:20:135:20 | q |
 | simple.cpp:136:10:136:10 | a |
+| simple.cpp:167:3:167:7 | u_int |
+| simple.cpp:168:8:168:12 | u_int |
 | struct_init.c:15:8:15:9 | ab |
 | struct_init.c:15:12:15:12 | a |
 | struct_init.c:16:8:16:9 | ab |

cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected

@@ -597,6 +597,8 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (par
 | simple.cpp:118:7:118:7 | i |
 | simple.cpp:124:5:124:6 | * ... |
 | simple.cpp:135:20:135:20 | q |
+| simple.cpp:167:3:167:7 | u_int |
+| simple.cpp:167:9:167:9 | x |
 | struct_init.c:15:8:15:9 | ab |
 | struct_init.c:15:12:15:12 | a |
 | struct_init.c:16:8:16:9 | ab |

cpp/ql/test/library-tests/dataflow/fields/simple.cpp

@@ -136,4 +136,36 @@ void alias_with_fields(bool b) {
     sink(a.i); // $ MISSING: ast,ir
 }
 
+template<typename T>
+union U_with_two_instantiations_of_different_size {
+  int x;
+  T y;
+};
+
+struct LargeStruct {
+  int data[64];
+};
+
+void test_union_with_two_instantiations_of_different_sizes() {
+  // A union's fields is partitioned into "chunks" for field-flow in order to
+  // improve performance (so that a write to a field of a union does not flow
+  // to too many reads that don't happen at runtime). The partitioning is based
+  // the size of the types in the union. So a write to a field of size k only
+  // flows to a read of size k.
+  // Since field-flow is based on uninstantiated types a field can have
+  // multiple sizes if the union is instantiated with types of
+  // different sizes. So to compute the partition we pick the maximum size.
+  // Because of this there are `Content`s corresponding to the union
+  // `U_with_two_instantiations_of_different_size<T>`: The one for size
+  // `sizeof(int)`, and the one for size `sizeof(LargeStruct)` (because
+  // `LargeStruct` is larger than `int`). So the write to `x` writes to the
+  // `Content` for size `sizeof(int)`, and the read of `y` reads from the
+  // `Content` for size `sizeof(LargeStruct)`.
+  U_with_two_instantiations_of_different_size<int> u_int;
+  U_with_two_instantiations_of_different_size<LargeStruct> u_very_large;
+
+  u_int.x = user_input();
+  sink(u_int.y); // $ MISSING: ir
+}
+
 } // namespace Simple

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -7988,6 +7988,26 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | taint.cpp:841:21:841:35 | call to indirect_source | taint.cpp:843:16:843:17 | fp |  |
 | taint.cpp:842:11:842:12 | ref arg fp | taint.cpp:843:16:843:17 | fp |  |
 | taint.cpp:842:15:842:16 |  | taint.cpp:842:11:842:12 | ref arg fp | TAINT |
+| taint.cpp:851:10:851:15 | call to source | taint.cpp:852:18:852:18 | s |  |
+| taint.cpp:851:10:851:15 | call to source | taint.cpp:854:18:854:18 | s |  |
+| taint.cpp:852:10:852:16 | call to toupper | taint.cpp:853:7:853:7 | u |  |
+| taint.cpp:854:10:854:16 | call to tolower | taint.cpp:855:7:855:7 | l |  |
+| taint.cpp:861:24:861:27 | size | taint.cpp:866:16:866:19 | size |  |
+| taint.cpp:862:12:862:26 | call to indirect_source | taint.cpp:866:12:866:12 | s |  |
+| taint.cpp:863:7:863:9 | out | taint.cpp:864:12:864:14 | out |  |
+| taint.cpp:864:12:864:14 | out | taint.cpp:866:23:866:23 | p |  |
+| taint.cpp:864:12:864:14 | out | taint.cpp:867:8:867:8 | p |  |
+| taint.cpp:865:9:865:16 | size_out | taint.cpp:866:27:866:34 | size_out |  |
+| taint.cpp:866:11:866:12 | ref arg & ... | taint.cpp:866:12:866:12 | s [inner post update] |  |
+| taint.cpp:866:12:866:12 | s | taint.cpp:866:11:866:12 | & ... |  |
+| taint.cpp:866:15:866:19 | ref arg & ... | taint.cpp:866:16:866:19 | size [inner post update] |  |
+| taint.cpp:866:16:866:19 | size | taint.cpp:866:15:866:19 | & ... |  |
+| taint.cpp:866:22:866:23 | ref arg & ... | taint.cpp:866:23:866:23 | p [inner post update] |  |
+| taint.cpp:866:22:866:23 | ref arg & ... | taint.cpp:867:8:867:8 | p |  |
+| taint.cpp:866:23:866:23 | p | taint.cpp:866:22:866:23 | & ... |  |
+| taint.cpp:866:26:866:34 | ref arg & ... | taint.cpp:866:27:866:34 | size_out [inner post update] |  |
+| taint.cpp:866:27:866:34 | size_out | taint.cpp:866:26:866:34 | & ... |  |
+| taint.cpp:867:8:867:8 | p | taint.cpp:867:7:867:8 | * ... | TAINT |
 | thread.cpp:10:27:10:27 | s | thread.cpp:10:27:10:27 | s |  |
 | thread.cpp:10:27:10:27 | s | thread.cpp:11:8:11:8 | s |  |
 | thread.cpp:14:26:14:26 | s | thread.cpp:15:8:15:8 | s |  |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -842,4 +842,27 @@ int f7(void)
   fprintf(fp, "");
 	indirect_sink(fp); // $ ir MISSING: ast
   return 0;
+}
+
+int toupper(int);
+int tolower(int);
+
+void test_toupper_and_tolower() {
+	int s = source();
+	int u = toupper(s);
+	sink(u); // $ ir MISSING: ast
+	int l = tolower(s);
+	sink(l); // $ ir MISSING: ast
+}
+
+typedef int iconv_t;
+size_t iconv(iconv_t cd, char **, size_t *, char **, size_t *);
+
+void test_iconv(size_t size) {
+	char* s = indirect_source();
+	char out[10];
+	char* p = out;
+	size_t size_out;
+	iconv(0, &s, &size, &p, &size_out);
+	sink(*p); // $ ast,ir
 }

cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.ql

@@ -2,7 +2,7 @@ import cpp
 import semmle.code.cpp.dataflow.ExternalFlow
 import ExternalFlowDebug
 
-query predicate signatureMatches = signatureMatches_debug/5;
+query predicate signatureMatches = signatureMatches_debug/6;
 
 query predicate getSignatureParameterName = getSignatureParameterName_debug/4;
 

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected

@@ -485,197 +485,529 @@
 | test.c:411:59:411:59 | k | 0.205191 |
 | test.c:411:63:411:63 | l | 0.132041 |
 | test.c:413:10:413:15 | output | 1.842468 |
-| test.c:418:20:418:20 | x | 0 |
-| test.c:418:30:418:30 | x | 0 |
-| test.c:421:3:421:4 | y1 | 0 |
-| test.c:421:11:421:11 | y | 0 |
-| test.c:421:14:421:14 | y | 1 |
-| test.c:422:3:422:4 | y2 | 0 |
-| test.c:422:9:422:9 | y | 1 |
-| test.c:422:14:422:14 | y | 2 |
-| test.c:422:22:422:22 | y | 5 |
-| test.c:423:10:423:11 | y1 | 1 |
-| test.c:423:15:423:16 | y2 | 5 |
-| test.c:431:3:431:3 | i | -2147483648 |
-| test.c:432:7:432:7 | i | 10 |
-| test.c:434:3:434:3 | i | -2147483648 |
-| test.c:435:3:435:3 | i | 10 |
-| test.c:436:7:436:7 | i | 20 |
-| test.c:438:3:438:3 | i | -2147483648 |
-| test.c:439:3:439:3 | i | 40 |
-| test.c:440:7:440:7 | i | 30 |
-| test.c:442:3:442:3 | i | -2147483648 |
-| test.c:442:7:442:7 | j | -2147483648 |
-| test.c:443:7:443:7 | i | 40 |
-| test.c:445:3:445:3 | i | -2147483648 |
-| test.c:445:8:445:8 | j | 40 |
-| test.c:446:7:446:7 | i | 50 |
-| test.c:448:3:448:3 | i | -2147483648 |
-| test.c:448:13:448:13 | j | 50 |
-| test.c:449:7:449:7 | i | 60 |
-| test.c:456:12:456:12 | a | 0 |
-| test.c:456:17:456:17 | a | 3 |
-| test.c:456:33:456:33 | b | 0 |
-| test.c:456:38:456:38 | b | 5 |
-| test.c:457:13:457:13 | a | 3 |
-| test.c:457:15:457:15 | b | 5 |
-| test.c:458:5:458:9 | total | 0 |
-| test.c:458:14:458:14 | r | 15 |
-| test.c:460:12:460:12 | a | 0 |
-| test.c:460:17:460:17 | a | 3 |
-| test.c:460:33:460:33 | b | 0 |
-| test.c:460:38:460:38 | b | 0 |
-| test.c:461:13:461:13 | a | 3 |
-| test.c:461:15:461:15 | b | 0 |
-| test.c:462:5:462:9 | total | 0 |
-| test.c:462:14:462:14 | r | 0 |
-| test.c:464:12:464:12 | a | 0 |
-| test.c:464:17:464:17 | a | 3 |
-| test.c:464:34:464:34 | b | 0 |
-| test.c:464:39:464:39 | b | 13 |
-| test.c:465:13:465:13 | a | 3 |
-| test.c:465:15:465:15 | b | 13 |
-| test.c:466:5:466:9 | total | 0 |
-| test.c:466:14:466:14 | r | 39 |
-| test.c:469:10:469:14 | total | 0 |
-| test.c:475:12:475:12 | b | 0 |
-| test.c:475:17:475:17 | b | 5 |
-| test.c:476:16:476:16 | b | 5 |
-| test.c:477:5:477:9 | total | 0 |
-| test.c:477:14:477:14 | r | 55 |
-| test.c:479:12:479:12 | b | 0 |
-| test.c:479:17:479:17 | b | 0 |
-| test.c:480:16:480:16 | b | 0 |
-| test.c:481:5:481:9 | total | 0 |
-| test.c:481:14:481:14 | r | 0 |
-| test.c:483:13:483:13 | b | 0 |
-| test.c:483:18:483:18 | b | 13 |
-| test.c:484:16:484:16 | b | 13 |
-| test.c:485:5:485:9 | total | 0 |
-| test.c:485:14:485:14 | r | 143 |
-| test.c:488:10:488:14 | total | 0 |
-| test.c:493:3:493:3 | x | 0 |
-| test.c:493:7:493:7 | y | 0 |
-| test.c:494:3:494:4 | xy | 0 |
-| test.c:494:8:494:8 | x | 1000000003 |
-| test.c:494:12:494:12 | y | 1000000003 |
-| test.c:495:10:495:11 | xy | 1000000006000000000 |
-| test.c:500:3:500:3 | x | 0 |
-| test.c:501:3:501:3 | y | 0 |
-| test.c:502:3:502:4 | xy | 0 |
-| test.c:502:8:502:8 | x | 274177 |
-| test.c:502:12:502:12 | y | 67280421310721 |
-| test.c:503:10:503:11 | xy | 18446744073709551616 |
-| test.c:507:7:507:8 | ui | 0 |
-| test.c:508:43:508:44 | ui | 10 |
-| test.c:508:48:508:49 | ui | 10 |
-| test.c:509:12:509:17 | result | 100 |
-| test.c:511:7:511:8 | ul | 0 |
-| test.c:512:28:512:29 | ul | 10 |
-| test.c:512:33:512:34 | ul | 10 |
-| test.c:513:12:513:17 | result | 0 |
-| test.c:519:7:519:8 | ui | 0 |
-| test.c:519:19:519:20 | ui | 0 |
-| test.c:520:5:520:6 | ui | 2 |
-| test.c:520:11:520:12 | ui | 2 |
-| test.c:521:12:521:13 | ui | 4 |
-| test.c:525:3:525:9 | uiconst | 10 |
-| test.c:528:3:528:9 | ulconst | 10 |
-| test.c:529:10:529:16 | uiconst | 40 |
-| test.c:529:20:529:26 | ulconst | 40 |
-| test.c:533:7:533:7 | i | -2147483648 |
-| test.c:533:18:533:18 | i | -1 |
-| test.c:534:5:534:5 | i | -2147483648 |
-| test.c:534:13:534:13 | i | -1 |
-| test.c:535:9:535:9 | i | -5 |
-| test.c:537:5:537:5 | i | -2147483648 |
-| test.c:537:9:537:9 | i | -5 |
-| test.c:538:9:538:9 | i | -30 |
-| test.c:540:5:540:5 | i | -30 |
-| test.c:541:9:541:9 | i | -210 |
-| test.c:543:5:543:5 | i | -210 |
-| test.c:544:9:544:9 | i | -1155 |
-| test.c:546:7:546:7 | i | -2147483648 |
-| test.c:547:5:547:5 | i | -2147483648 |
-| test.c:547:9:547:9 | i | -1 |
-| test.c:548:9:548:9 | i | 1 |
-| test.c:550:3:550:3 | i | -2147483648 |
-| test.c:550:7:550:7 | i | -2147483648 |
-| test.c:551:10:551:10 | i | -2147483648 |
-| test.c:554:3:554:3 | i | -2147483648 |
-| test.c:554:10:554:11 | sc | 1 |
-| test.c:556:7:556:7 | i | -128 |
-| test.c:563:7:563:7 | n | 0 |
-| test.c:565:7:565:7 | n | 0 |
-| test.c:566:9:566:9 | n | 1 |
-| test.c:569:7:569:7 | n | 0 |
-| test.c:570:9:570:9 | n | 1 |
-| test.c:572:9:572:9 | n | 0 |
-| test.c:575:8:575:8 | n | 0 |
-| test.c:576:9:576:9 | n | 0 |
-| test.c:578:9:578:9 | n | 1 |
-| test.c:581:10:581:10 | n | 0 |
-| test.c:582:5:582:5 | n | 1 |
-| test.c:585:7:585:7 | n | 0 |
-| test.c:589:7:589:7 | n | -32768 |
-| test.c:592:7:592:7 | n | 0 |
-| test.c:593:9:593:9 | n | 0 |
-| test.c:595:9:595:9 | n | 1 |
-| test.c:598:7:598:7 | n | 0 |
-| test.c:599:9:599:9 | n | 1 |
-| test.c:601:9:601:9 | n | 0 |
-| test.c:604:10:604:10 | n | 0 |
-| test.c:605:5:605:5 | n | 1 |
-| test.c:608:7:608:7 | n | 0 |
-| test.c:612:7:612:7 | n | -32768 |
-| test.c:613:9:613:9 | n | -32768 |
-| test.c:614:11:614:11 | n | 0 |
-| test.c:618:7:618:7 | n | -32768 |
-| test.c:619:13:619:13 | n | 5 |
-| test.c:622:9:622:9 | n | 6 |
-| test.c:625:7:625:7 | n | -32768 |
-| test.c:625:22:625:22 | n | -32767 |
-| test.c:626:9:626:9 | n | -32766 |
-| test.c:629:7:629:7 | n | -32768 |
-| test.c:630:5:630:5 | n | 0 |
-| test.c:630:10:630:10 | n | 1 |
-| test.c:630:14:630:14 | n | 0 |
-| test.c:631:6:631:6 | n | 0 |
-| test.c:631:10:631:10 | n | 0 |
-| test.c:631:14:631:14 | n | 1 |
-| test.c:642:7:642:8 | ss | -32768 |
-| test.c:643:9:643:10 | ss | 0 |
-| test.c:646:7:646:8 | ss | -32768 |
-| test.c:647:9:647:10 | ss | -32768 |
-| test.c:650:14:650:15 | us | 0 |
-| test.c:651:9:651:10 | us | 0 |
-| test.c:654:14:654:15 | us | 0 |
-| test.c:655:9:655:10 | us | 0 |
-| test.c:658:7:658:8 | ss | -32768 |
-| test.c:659:9:659:10 | ss | -32768 |
-| test.c:662:7:662:8 | ss | -32768 |
-| test.c:663:9:663:10 | ss | -1 |
-| test.c:669:8:669:8 | s | -2147483648 |
-| test.c:669:15:669:15 | s | 0 |
-| test.c:669:23:669:23 | s | 0 |
-| test.c:670:18:670:18 | s | 0 |
-| test.c:670:22:670:22 | s | 0 |
-| test.c:671:9:671:14 | result | 0 |
-| test.c:677:7:677:7 | i | 0 |
-| test.c:678:9:678:9 | i | -2147483648 |
-| test.c:682:7:682:7 | u | 0 |
-| test.c:683:9:683:9 | u | 0 |
-| test.c:688:12:688:12 | s | -2147483648 |
-| test.c:689:7:689:8 | s2 | -4 |
-| test.c:694:7:694:7 | x | -2147483648 |
-| test.c:695:9:695:9 | y | -2147483648 |
-| test.c:699:7:699:7 | y | -2147483648 |
-| test.c:708:7:708:7 | x | -2147483648 |
-| test.c:713:7:713:7 | x | -2147483648 |
-| test.c:720:8:720:8 | x | 2147483647 |
-| test.c:720:12:720:12 | y | 256 |
-| test.c:721:9:721:9 | x | 2147483647 |
-| test.c:722:9:722:9 | y | 256 |
+| test.c:420:7:420:9 | rhs | 0 |
+| test.c:420:19:420:21 | rhs | 0 |
+| test.c:421:7:421:9 | rhs | 0 |
+| test.c:421:19:421:21 | rhs | 0 |
+| test.c:422:7:422:9 | rhs | 0 |
+| test.c:422:19:422:21 | rhs | 0 |
+| test.c:423:7:423:9 | rhs | 0 |
+| test.c:423:19:423:21 | rhs | 0 |
+| test.c:424:7:424:9 | rhs | 0 |
+| test.c:424:19:424:21 | rhs | 0 |
+| test.c:425:10:425:12 | rhs | 0 |
+| test.c:429:7:429:7 | a | -2147483648 |
+| test.c:430:9:430:9 | b | -2147483648 |
+| test.c:431:7:431:7 | a | 17 |
+| test.c:431:12:431:12 | b | 23 |
+| test.c:433:9:433:9 | a | 17 |
+| test.c:434:7:434:7 | b | -2147483648 |
+| test.c:439:11:439:11 | a | -2147483648 |
+| test.c:439:15:439:15 | b | -2147483648 |
+| test.c:440:10:440:10 | a | -2147483648 |
+| test.c:440:14:440:14 | b | -2147483648 |
+| test.c:447:10:447:11 | ip | 0 |
+| test.c:447:20:447:21 | ip | 0 |
+| test.c:447:40:447:41 | ip | 0 |
+| test.c:448:14:448:15 | ip | 1 |
+| test.c:449:14:449:15 | ip | 0 |
+| test.c:449:34:449:35 | ip | 0 |
+| test.c:450:11:450:12 | ip | 0 |
+| test.c:451:13:451:14 | ip | 0 |
+| test.c:452:14:452:15 | ip | 0 |
+| test.c:453:14:453:15 | ip | 0 |
+| test.c:454:15:454:16 | ip | 0 |
+| test.c:454:41:454:42 | ip | 0 |
+| test.c:454:52:454:53 | ip | 0 |
+| test.c:454:67:454:68 | ip | 0 |
+| test.c:454:78:454:79 | ip | 0 |
+| test.c:455:18:455:19 | ip | 0 |
+| test.c:456:23:456:24 | ip | 0 |
+| test.c:456:34:456:35 | ip | 0 |
+| test.c:457:25:457:26 | ip | 0 |
+| test.c:458:20:458:21 | ip | 0 |
+| test.c:459:11:459:12 | ip | 0 |
+| test.c:459:26:459:27 | ip | 0 |
+| test.c:460:16:460:17 | ip | 0 |
+| test.c:461:16:461:17 | ip | 0 |
+| test.c:462:16:462:17 | ip | 0 |
+| test.c:463:17:463:18 | ip | 0 |
+| test.c:464:22:464:23 | ip | 0 |
+| test.c:464:33:464:34 | ip | 0 |
+| test.c:464:48:464:49 | ip | 0 |
+| test.c:464:59:464:60 | ip | 0 |
+| test.c:465:20:465:21 | ip | 0 |
+| test.c:466:25:466:26 | ip | 0 |
+| test.c:466:36:466:37 | ip | 0 |
+| test.c:467:27:467:28 | ip | 0 |
+| test.c:468:22:468:23 | ip | 0 |
+| test.c:469:15:469:16 | ip | 0 |
+| test.c:469:30:469:31 | ip | 0 |
+| test.c:470:11:470:12 | ip | 0 |
+| test.c:471:12:471:13 | ip | 0 |
+| test.c:472:12:472:13 | ip | 0 |
+| test.c:473:13:473:14 | ip | 0 |
+| test.c:473:39:473:40 | ip | 0 |
+| test.c:473:50:473:51 | ip | 0 |
+| test.c:473:65:473:66 | ip | 0 |
+| test.c:473:76:473:77 | ip | 0 |
+| test.c:474:16:474:17 | ip | 0 |
+| test.c:475:21:475:22 | ip | 0 |
+| test.c:475:32:475:33 | ip | 0 |
+| test.c:476:23:476:24 | ip | 0 |
+| test.c:477:18:477:19 | ip | 0 |
+| test.c:478:11:478:12 | ip | 0 |
+| test.c:478:17:478:18 | ip | 0 |
+| test.c:478:37:478:38 | ip | 0 |
+| test.c:478:43:478:44 | ip | 0 |
+| test.c:479:14:479:15 | ip | 0 |
+| test.c:480:14:480:15 | ip | 0 |
+| test.c:481:14:481:15 | ip | 0 |
+| test.c:482:15:482:16 | ip | 0 |
+| test.c:482:41:482:42 | ip | 0 |
+| test.c:482:52:482:53 | ip | 0 |
+| test.c:482:67:482:68 | ip | 0 |
+| test.c:482:78:482:79 | ip | 0 |
+| test.c:483:18:483:19 | ip | 0 |
+| test.c:484:23:484:24 | ip | 0 |
+| test.c:484:34:484:35 | ip | 0 |
+| test.c:485:25:485:26 | ip | 0 |
+| test.c:486:20:486:21 | ip | 0 |
+| test.c:487:14:487:15 | ip | 0 |
+| test.c:487:20:487:21 | ip | 0 |
+| test.c:488:16:488:17 | ip | 0 |
+| test.c:489:12:489:13 | ip | 0 |
+| test.c:490:14:490:15 | ip | 0 |
+| test.c:491:15:491:16 | ip | 0 |
+| test.c:492:16:492:17 | ip | 0 |
+| test.c:493:16:493:17 | ip | 0 |
+| test.c:494:17:494:18 | ip | 0 |
+| test.c:495:22:495:23 | ip | 0 |
+| test.c:495:33:495:34 | ip | 0 |
+| test.c:495:48:495:49 | ip | 0 |
+| test.c:495:59:495:60 | ip | 0 |
+| test.c:496:20:496:21 | ip | 0 |
+| test.c:497:25:497:26 | ip | 0 |
+| test.c:497:36:497:37 | ip | 0 |
+| test.c:498:27:498:28 | ip | 0 |
+| test.c:499:22:499:23 | ip | 0 |
+| test.c:500:13:500:14 | ip | 0 |
+| test.c:500:28:500:29 | ip | 0 |
+| test.c:501:18:501:19 | ip | 0 |
+| test.c:502:18:502:19 | ip | 0 |
+| test.c:503:18:503:19 | ip | 0 |
+| test.c:504:19:504:20 | ip | 0 |
+| test.c:505:24:505:25 | ip | 0 |
+| test.c:505:35:505:36 | ip | 0 |
+| test.c:505:50:505:51 | ip | 0 |
+| test.c:505:61:505:62 | ip | 0 |
+| test.c:506:22:506:23 | ip | 0 |
+| test.c:507:27:507:28 | ip | 0 |
+| test.c:507:38:507:39 | ip | 0 |
+| test.c:508:29:508:30 | ip | 0 |
+| test.c:509:24:509:25 | ip | 0 |
+| test.c:510:17:510:18 | ip | 0 |
+| test.c:510:32:510:33 | ip | 0 |
+| test.c:511:14:511:15 | ip | 0 |
+| test.c:512:18:512:19 | ip | 0 |
+| test.c:513:18:513:19 | ip | 0 |
+| test.c:514:19:514:20 | ip | 0 |
+| test.c:515:24:515:25 | ip | 0 |
+| test.c:515:35:515:36 | ip | 0 |
+| test.c:515:50:515:51 | ip | 0 |
+| test.c:515:61:515:62 | ip | 0 |
+| test.c:516:22:516:23 | ip | 0 |
+| test.c:517:27:517:28 | ip | 0 |
+| test.c:517:38:517:39 | ip | 0 |
+| test.c:518:29:518:30 | ip | 0 |
+| test.c:519:24:519:25 | ip | 0 |
+| test.c:520:17:520:18 | ip | 0 |
+| test.c:520:23:520:24 | ip | 0 |
+| test.c:520:43:520:44 | ip | 0 |
+| test.c:520:49:520:50 | ip | 0 |
+| test.c:521:16:521:17 | ip | 0 |
+| test.c:522:16:522:17 | ip | 0 |
+| test.c:523:16:523:17 | ip | 0 |
+| test.c:524:17:524:18 | ip | 0 |
+| test.c:525:22:525:23 | ip | 0 |
+| test.c:525:33:525:34 | ip | 0 |
+| test.c:525:48:525:49 | ip | 0 |
+| test.c:525:59:525:60 | ip | 0 |
+| test.c:526:20:526:21 | ip | 0 |
+| test.c:527:25:527:26 | ip | 0 |
+| test.c:527:36:527:37 | ip | 0 |
+| test.c:528:27:528:28 | ip | 0 |
+| test.c:529:22:529:23 | ip | 0 |
+| test.c:530:16:530:17 | ip | 0 |
+| test.c:530:22:530:23 | ip | 0 |
+| test.c:531:18:531:19 | ip | 0 |
+| test.c:532:14:532:15 | ip | 0 |
+| test.c:533:14:533:15 | ip | 0 |
+| test.c:533:24:533:25 | ip | 0 |
+| test.c:533:44:533:45 | ip | 0 |
+| test.c:534:16:534:17 | ip | 1 |
+| test.c:535:16:535:17 | ip | 0 |
+| test.c:535:36:535:37 | ip | 0 |
+| test.c:536:14:536:15 | ip | 0 |
+| test.c:537:19:537:20 | ip | 0 |
+| test.c:538:20:538:21 | ip | 0 |
+| test.c:539:20:539:21 | ip | 0 |
+| test.c:540:21:540:22 | ip | 0 |
+| test.c:541:26:541:27 | ip | 0 |
+| test.c:541:37:541:38 | ip | 0 |
+| test.c:541:52:541:53 | ip | 0 |
+| test.c:541:63:541:64 | ip | 0 |
+| test.c:542:24:542:25 | ip | 0 |
+| test.c:543:29:543:30 | ip | 0 |
+| test.c:543:40:543:41 | ip | 0 |
+| test.c:544:31:544:32 | ip | 0 |
+| test.c:545:26:545:27 | ip | 0 |
+| test.c:546:17:546:18 | ip | 0 |
+| test.c:546:32:546:33 | ip | 0 |
+| test.c:547:22:547:23 | ip | 0 |
+| test.c:548:22:548:23 | ip | 0 |
+| test.c:549:22:549:23 | ip | 0 |
+| test.c:550:23:550:24 | ip | 0 |
+| test.c:551:28:551:29 | ip | 0 |
+| test.c:551:39:551:40 | ip | 0 |
+| test.c:551:54:551:55 | ip | 0 |
+| test.c:551:65:551:66 | ip | 0 |
+| test.c:552:26:552:27 | ip | 0 |
+| test.c:553:31:553:32 | ip | 0 |
+| test.c:553:42:553:43 | ip | 0 |
+| test.c:554:33:554:34 | ip | 0 |
+| test.c:555:28:555:29 | ip | 0 |
+| test.c:556:21:556:22 | ip | 0 |
+| test.c:556:36:556:37 | ip | 0 |
+| test.c:557:17:557:18 | ip | 0 |
+| test.c:558:18:558:19 | ip | 0 |
+| test.c:559:18:559:19 | ip | 0 |
+| test.c:560:19:560:20 | ip | 0 |
+| test.c:561:24:561:25 | ip | 0 |
+| test.c:561:35:561:36 | ip | 0 |
+| test.c:561:50:561:51 | ip | 0 |
+| test.c:561:61:561:62 | ip | 0 |
+| test.c:562:22:562:23 | ip | 0 |
+| test.c:563:27:563:28 | ip | 0 |
+| test.c:563:38:563:39 | ip | 0 |
+| test.c:564:29:564:30 | ip | 0 |
+| test.c:565:24:565:25 | ip | 0 |
+| test.c:566:17:566:18 | ip | 0 |
+| test.c:566:23:566:24 | ip | 0 |
+| test.c:566:43:566:44 | ip | 0 |
+| test.c:566:49:566:50 | ip | 0 |
+| test.c:567:20:567:21 | ip | 0 |
+| test.c:568:20:568:21 | ip | 0 |
+| test.c:569:20:569:21 | ip | 0 |
+| test.c:570:21:570:22 | ip | 0 |
+| test.c:571:26:571:27 | ip | 0 |
+| test.c:571:37:571:38 | ip | 0 |
+| test.c:571:52:571:53 | ip | 0 |
+| test.c:571:63:571:64 | ip | 0 |
+| test.c:572:24:572:25 | ip | 0 |
+| test.c:573:29:573:30 | ip | 0 |
+| test.c:573:40:573:41 | ip | 0 |
+| test.c:574:31:574:32 | ip | 0 |
+| test.c:575:26:575:27 | ip | 0 |
+| test.c:576:20:576:21 | ip | 0 |
+| test.c:576:26:576:27 | ip | 0 |
+| test.c:577:22:577:23 | ip | 0 |
+| test.c:578:18:578:19 | ip | 0 |
+| test.c:579:16:579:17 | ip | 0 |
+| test.c:580:17:580:18 | ip | 0 |
+| test.c:581:18:581:19 | ip | 0 |
+| test.c:582:18:582:19 | ip | 0 |
+| test.c:583:19:583:20 | ip | 0 |
+| test.c:584:24:584:25 | ip | 0 |
+| test.c:584:35:584:36 | ip | 0 |
+| test.c:584:50:584:51 | ip | 0 |
+| test.c:584:61:584:62 | ip | 0 |
+| test.c:585:22:585:23 | ip | 0 |
+| test.c:586:27:586:28 | ip | 0 |
+| test.c:586:38:586:39 | ip | 0 |
+| test.c:587:29:587:30 | ip | 0 |
+| test.c:588:24:588:25 | ip | 0 |
+| test.c:589:15:589:16 | ip | 0 |
+| test.c:589:30:589:31 | ip | 0 |
+| test.c:590:20:590:21 | ip | 0 |
+| test.c:591:20:591:21 | ip | 0 |
+| test.c:592:20:592:21 | ip | 0 |
+| test.c:593:21:593:22 | ip | 0 |
+| test.c:594:26:594:27 | ip | 0 |
+| test.c:594:37:594:38 | ip | 0 |
+| test.c:594:52:594:53 | ip | 0 |
+| test.c:594:63:594:64 | ip | 0 |
+| test.c:595:24:595:25 | ip | 0 |
+| test.c:596:29:596:30 | ip | 0 |
+| test.c:596:40:596:41 | ip | 0 |
+| test.c:597:31:597:32 | ip | 0 |
+| test.c:598:26:598:27 | ip | 0 |
+| test.c:599:19:599:20 | ip | 0 |
+| test.c:599:34:599:35 | ip | 0 |
+| test.c:600:16:600:17 | ip | 0 |
+| test.c:601:20:601:21 | ip | 0 |
+| test.c:602:20:602:21 | ip | 0 |
+| test.c:603:21:603:22 | ip | 0 |
+| test.c:604:26:604:27 | ip | 0 |
+| test.c:604:37:604:38 | ip | 0 |
+| test.c:604:52:604:53 | ip | 0 |
+| test.c:604:63:604:64 | ip | 0 |
+| test.c:605:24:605:25 | ip | 0 |
+| test.c:606:29:606:30 | ip | 0 |
+| test.c:606:40:606:41 | ip | 0 |
+| test.c:607:31:607:32 | ip | 0 |
+| test.c:608:26:608:27 | ip | 0 |
+| test.c:609:19:609:20 | ip | 0 |
+| test.c:609:25:609:26 | ip | 0 |
+| test.c:609:45:609:46 | ip | 0 |
+| test.c:609:51:609:52 | ip | 0 |
+| test.c:610:18:610:19 | ip | 0 |
+| test.c:611:18:611:19 | ip | 0 |
+| test.c:612:18:612:19 | ip | 0 |
+| test.c:613:19:613:20 | ip | 0 |
+| test.c:614:24:614:25 | ip | 0 |
+| test.c:614:35:614:36 | ip | 0 |
+| test.c:614:50:614:51 | ip | 0 |
+| test.c:614:61:614:62 | ip | 0 |
+| test.c:615:22:615:23 | ip | 0 |
+| test.c:616:27:616:28 | ip | 0 |
+| test.c:616:38:616:39 | ip | 0 |
+| test.c:617:29:617:30 | ip | 0 |
+| test.c:618:24:618:25 | ip | 0 |
+| test.c:619:18:619:19 | ip | 0 |
+| test.c:619:24:619:25 | ip | 0 |
+| test.c:620:20:620:21 | ip | 0 |
+| test.c:621:16:621:17 | ip | 0 |
+| test.c:622:10:622:23 | special_number | 0 |
+| test.c:630:7:630:8 | c1 | -2147483648 |
+| test.c:630:13:630:13 | x | 0 |
+| test.c:631:7:631:8 | c2 | -2147483648 |
+| test.c:631:13:631:13 | x | 0 |
+| test.c:632:7:632:8 | c3 | -2147483648 |
+| test.c:632:13:632:13 | x | 0 |
+| test.c:633:7:633:8 | c4 | -2147483648 |
+| test.c:633:13:633:13 | x | 0 |
+| test.c:634:7:634:8 | c5 | -2147483648 |
+| test.c:634:13:634:13 | x | 0 |
+| test.c:635:7:635:8 | c1 | -2147483648 |
+| test.c:635:13:635:14 | c2 | -2147483648 |
+| test.c:635:19:635:19 | x | 0 |
+| test.c:636:7:636:8 | c1 | -2147483648 |
+| test.c:636:13:636:14 | c3 | -2147483648 |
+| test.c:636:19:636:19 | x | 0 |
+| test.c:637:7:637:8 | c1 | -2147483648 |
+| test.c:637:13:637:14 | c4 | -2147483648 |
+| test.c:637:19:637:19 | x | 0 |
+| test.c:638:7:638:8 | c1 | -2147483648 |
+| test.c:638:13:638:14 | c5 | -2147483648 |
+| test.c:638:19:638:19 | x | 0 |
+| test.c:639:7:639:8 | c2 | -2147483648 |
+| test.c:639:13:639:14 | c3 | -2147483648 |
+| test.c:639:19:639:19 | x | 0 |
+| test.c:641:11:641:11 | x | 0 |
+| test.c:641:15:641:15 | x | 0 |
+| test.c:641:19:641:19 | x | 0 |
+| test.c:641:23:641:23 | x | 0 |
+| test.c:641:27:641:27 | x | 0 |
+| test.c:641:31:641:31 | x | 0 |
+| test.c:641:35:641:35 | x | 0 |
+| test.c:641:39:641:39 | x | 0 |
+| test.c:641:43:641:43 | x | 0 |
+| test.c:641:47:641:47 | x | 0 |
+| test.c:641:51:641:51 | x | 0 |
+| test.c:641:55:641:55 | x | 0 |
+| test.c:642:10:642:10 | y | -2147483648 |
+| test.c:647:20:647:20 | x | 0 |
+| test.c:647:30:647:30 | x | 0 |
+| test.c:650:3:650:4 | y1 | 0 |
+| test.c:650:11:650:11 | y | 0 |
+| test.c:650:14:650:14 | y | 1 |
+| test.c:651:3:651:4 | y2 | 0 |
+| test.c:651:9:651:9 | y | 1 |
+| test.c:651:14:651:14 | y | 2 |
+| test.c:651:22:651:22 | y | 5 |
+| test.c:652:10:652:11 | y1 | 1 |
+| test.c:652:15:652:16 | y2 | 5 |
+| test.c:660:3:660:3 | i | -2147483648 |
+| test.c:661:7:661:7 | i | 10 |
+| test.c:663:3:663:3 | i | -2147483648 |
+| test.c:664:3:664:3 | i | 10 |
+| test.c:665:7:665:7 | i | 20 |
+| test.c:667:3:667:3 | i | -2147483648 |
+| test.c:668:3:668:3 | i | 40 |
+| test.c:669:7:669:7 | i | 30 |
+| test.c:671:3:671:3 | i | -2147483648 |
+| test.c:671:7:671:7 | j | -2147483648 |
+| test.c:672:7:672:7 | i | 40 |
+| test.c:674:3:674:3 | i | -2147483648 |
+| test.c:674:8:674:8 | j | 40 |
+| test.c:675:7:675:7 | i | 50 |
+| test.c:677:3:677:3 | i | -2147483648 |
+| test.c:677:13:677:13 | j | 50 |
+| test.c:678:7:678:7 | i | 60 |
+| test.c:685:12:685:12 | a | 0 |
+| test.c:685:17:685:17 | a | 3 |
+| test.c:685:33:685:33 | b | 0 |
+| test.c:685:38:685:38 | b | 5 |
+| test.c:686:13:686:13 | a | 3 |
+| test.c:686:15:686:15 | b | 5 |
+| test.c:687:5:687:9 | total | 0 |
+| test.c:687:14:687:14 | r | 15 |
+| test.c:689:12:689:12 | a | 0 |
+| test.c:689:17:689:17 | a | 3 |
+| test.c:689:33:689:33 | b | 0 |
+| test.c:689:38:689:38 | b | 0 |
+| test.c:690:13:690:13 | a | 3 |
+| test.c:690:15:690:15 | b | 0 |
+| test.c:691:5:691:9 | total | 0 |
+| test.c:691:14:691:14 | r | 0 |
+| test.c:693:12:693:12 | a | 0 |
+| test.c:693:17:693:17 | a | 3 |
+| test.c:693:34:693:34 | b | 0 |
+| test.c:693:39:693:39 | b | 13 |
+| test.c:694:13:694:13 | a | 3 |
+| test.c:694:15:694:15 | b | 13 |
+| test.c:695:5:695:9 | total | 0 |
+| test.c:695:14:695:14 | r | 39 |
+| test.c:698:10:698:14 | total | 0 |
+| test.c:704:12:704:12 | b | 0 |
+| test.c:704:17:704:17 | b | 5 |
+| test.c:705:16:705:16 | b | 5 |
+| test.c:706:5:706:9 | total | 0 |
+| test.c:706:14:706:14 | r | 55 |
+| test.c:708:12:708:12 | b | 0 |
+| test.c:708:17:708:17 | b | 0 |
+| test.c:709:16:709:16 | b | 0 |
+| test.c:710:5:710:9 | total | 0 |
+| test.c:710:14:710:14 | r | 0 |
+| test.c:712:13:712:13 | b | 0 |
+| test.c:712:18:712:18 | b | 13 |
+| test.c:713:16:713:16 | b | 13 |
+| test.c:714:5:714:9 | total | 0 |
+| test.c:714:14:714:14 | r | 143 |
+| test.c:717:10:717:14 | total | 0 |
+| test.c:722:3:722:3 | x | 0 |
+| test.c:722:7:722:7 | y | 0 |
+| test.c:723:3:723:4 | xy | 0 |
+| test.c:723:8:723:8 | x | 1000000003 |
+| test.c:723:12:723:12 | y | 1000000003 |
+| test.c:724:10:724:11 | xy | 1000000006000000000 |
+| test.c:729:3:729:3 | x | 0 |
+| test.c:730:3:730:3 | y | 0 |
+| test.c:731:3:731:4 | xy | 0 |
+| test.c:731:8:731:8 | x | 274177 |
+| test.c:731:12:731:12 | y | 67280421310721 |
+| test.c:732:10:732:11 | xy | 18446744073709551616 |
+| test.c:736:7:736:8 | ui | 0 |
+| test.c:737:43:737:44 | ui | 10 |
+| test.c:737:48:737:49 | ui | 10 |
+| test.c:738:12:738:17 | result | 100 |
+| test.c:740:7:740:8 | ul | 0 |
+| test.c:741:28:741:29 | ul | 10 |
+| test.c:741:33:741:34 | ul | 10 |
+| test.c:742:12:742:17 | result | 0 |
+| test.c:748:7:748:8 | ui | 0 |
+| test.c:748:19:748:20 | ui | 0 |
+| test.c:749:5:749:6 | ui | 2 |
+| test.c:749:11:749:12 | ui | 2 |
+| test.c:750:12:750:13 | ui | 4 |
+| test.c:754:3:754:9 | uiconst | 10 |
+| test.c:757:3:757:9 | ulconst | 10 |
+| test.c:758:10:758:16 | uiconst | 40 |
+| test.c:758:20:758:26 | ulconst | 40 |
+| test.c:762:7:762:7 | i | -2147483648 |
+| test.c:762:18:762:18 | i | -1 |
+| test.c:763:5:763:5 | i | -2147483648 |
+| test.c:763:13:763:13 | i | -1 |
+| test.c:764:9:764:9 | i | -5 |
+| test.c:766:5:766:5 | i | -2147483648 |
+| test.c:766:9:766:9 | i | -5 |
+| test.c:767:9:767:9 | i | -30 |
+| test.c:769:5:769:5 | i | -30 |
+| test.c:770:9:770:9 | i | -210 |
+| test.c:772:5:772:5 | i | -210 |
+| test.c:773:9:773:9 | i | -1155 |
+| test.c:775:7:775:7 | i | -2147483648 |
+| test.c:776:5:776:5 | i | -2147483648 |
+| test.c:776:9:776:9 | i | -1 |
+| test.c:777:9:777:9 | i | 1 |
+| test.c:779:3:779:3 | i | -2147483648 |
+| test.c:779:7:779:7 | i | -2147483648 |
+| test.c:780:10:780:10 | i | -2147483648 |
+| test.c:783:3:783:3 | i | -2147483648 |
+| test.c:783:10:783:11 | sc | 1 |
+| test.c:785:7:785:7 | i | -128 |
+| test.c:792:7:792:7 | n | 0 |
+| test.c:794:7:794:7 | n | 0 |
+| test.c:795:9:795:9 | n | 1 |
+| test.c:798:7:798:7 | n | 0 |
+| test.c:799:9:799:9 | n | 1 |
+| test.c:801:9:801:9 | n | 0 |
+| test.c:804:8:804:8 | n | 0 |
+| test.c:805:9:805:9 | n | 0 |
+| test.c:807:9:807:9 | n | 1 |
+| test.c:810:10:810:10 | n | 0 |
+| test.c:811:5:811:5 | n | 1 |
+| test.c:814:7:814:7 | n | 0 |
+| test.c:818:7:818:7 | n | -32768 |
+| test.c:821:7:821:7 | n | 0 |
+| test.c:822:9:822:9 | n | 0 |
+| test.c:824:9:824:9 | n | 1 |
+| test.c:827:7:827:7 | n | 0 |
+| test.c:828:9:828:9 | n | 1 |
+| test.c:830:9:830:9 | n | 0 |
+| test.c:833:10:833:10 | n | 0 |
+| test.c:834:5:834:5 | n | 1 |
+| test.c:837:7:837:7 | n | 0 |
+| test.c:841:7:841:7 | n | -32768 |
+| test.c:842:9:842:9 | n | -32768 |
+| test.c:843:11:843:11 | n | 0 |
+| test.c:847:7:847:7 | n | -32768 |
+| test.c:848:13:848:13 | n | 5 |
+| test.c:851:9:851:9 | n | 6 |
+| test.c:854:7:854:7 | n | -32768 |
+| test.c:854:22:854:22 | n | -32767 |
+| test.c:855:9:855:9 | n | -32766 |
+| test.c:858:7:858:7 | n | -32768 |
+| test.c:859:5:859:5 | n | 0 |
+| test.c:859:10:859:10 | n | 1 |
+| test.c:859:14:859:14 | n | 0 |
+| test.c:860:6:860:6 | n | 0 |
+| test.c:860:10:860:10 | n | 0 |
+| test.c:860:14:860:14 | n | 1 |
+| test.c:871:7:871:8 | ss | -32768 |
+| test.c:872:9:872:10 | ss | 0 |
+| test.c:875:7:875:8 | ss | -32768 |
+| test.c:876:9:876:10 | ss | -32768 |
+| test.c:879:14:879:15 | us | 0 |
+| test.c:880:9:880:10 | us | 0 |
+| test.c:883:14:883:15 | us | 0 |
+| test.c:884:9:884:10 | us | 0 |
+| test.c:887:7:887:8 | ss | -32768 |
+| test.c:888:9:888:10 | ss | -32768 |
+| test.c:891:7:891:8 | ss | -32768 |
+| test.c:892:9:892:10 | ss | -1 |
+| test.c:898:8:898:8 | s | -2147483648 |
+| test.c:898:15:898:15 | s | 0 |
+| test.c:898:23:898:23 | s | 0 |
+| test.c:899:18:899:18 | s | 0 |
+| test.c:899:22:899:22 | s | 0 |
+| test.c:900:9:900:14 | result | 0 |
+| test.c:906:7:906:7 | i | 0 |
+| test.c:907:9:907:9 | i | -2147483648 |
+| test.c:911:7:911:7 | u | 0 |
+| test.c:912:9:912:9 | u | 0 |
+| test.c:917:12:917:12 | s | -2147483648 |
+| test.c:918:7:918:8 | s2 | -4 |
+| test.c:923:7:923:7 | x | -2147483648 |
+| test.c:924:9:924:9 | y | -2147483648 |
+| test.c:928:7:928:7 | y | -2147483648 |
+| test.c:937:7:937:7 | x | -2147483648 |
+| test.c:942:7:942:7 | x | -2147483648 |
+| test.c:949:8:949:8 | x | 2147483647 |
+| test.c:949:12:949:12 | y | 256 |
+| test.c:950:9:950:9 | x | 2147483647 |
+| test.c:951:9:951:9 | y | 256 |
 | test.cpp:10:7:10:7 | b | -2147483648 |
 | test.cpp:11:5:11:5 | x | -2147483648 |
 | test.cpp:13:10:13:10 | x | -2147483648 |