Revert to using workflow_call

Kotlin: make wrapper cache downloaded zips

.bazelversion

@@ -1 +1 @@
-7.1.2
+7.2.1

.devcontainer/swift/root.sh

@@ -3,6 +3,16 @@ set -xe
 BAZELISK_VERSION=v1.12.0
 BAZELISK_DOWNLOAD_SHA=6b0bcb2ea15bca16fffabe6fda75803440375354c085480fe361d2cbf32501db
 
+# install git lfs apt source
+curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
+
+# install gh apt source
+(type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y)) \
+&& sudo mkdir -p -m 755 /etc/apt/keyrings \
+&& wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
+&& sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
+&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+
 apt-get update
 export DEBIAN_FRONTEND=noninteractive
 apt-get -y install --no-install-recommends \
@@ -10,7 +20,9 @@ apt-get -y install --no-install-recommends \
     uuid-dev \
     python3-distutils \
     python3-pip \
-    bash-completion
+    bash-completion \
+    git-lfs \
+    gh
 
 # Install Bazel
 curl -fSsL -o /usr/local/bin/bazelisk https://github.com/bazelbuild/bazelisk/releases/download/${BAZELISK_VERSION}/bazelisk-linux-amd64

.devcontainer/swift/user.sh

@@ -1,5 +1,7 @@
 set -xe
 
+git lfs install
+
 # add the workspace to the codeql search path
 mkdir -p /home/vscode/.config/codeql
 echo "--search-path /workspaces/codeql" > /home/vscode/.config/codeql/config

.github/workflows/go-tests-linux.yml

@@ -0,0 +1,26 @@
+name: "Go: Run Tests"
+on:
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  test-linux:
+    if: github.repository_owner == 'github'
+    name: Test Linux (Ubuntu)
+    runs-on: ubuntu-latest-xl
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+      - name: Run tests
+        uses: ./go/actions/test
+        with:
+          run-code-checks: true

.github/workflows/go-tests-other-os.yml

@@ -1,15 +1,11 @@
 name: "Go: Run Tests - Other OS"
 on:
-  pull_request:
-    paths:
-      - "go/**"
-      - "!go/ql/**" # don't run other-os if only ql/ files changed
-      - .github/workflows/go-tests-other-os.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-      - MODULE.bazel
-      - .bazelrc
-      - misc/bazel/**
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
 
 permissions:
   contents: read
@@ -21,6 +17,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
       - name: Run tests
         uses: ./go/actions/test
 
@@ -31,5 +29,7 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
       - name: Run tests
         uses: ./go/actions/test

.github/workflows/go-tests.yml

@@ -1,9 +1,11 @@
-name: "Go: Run Tests"
+name: "Go: Prepare Tests"
 on:
   push:
     paths:
       - "go/**"
       - .github/workflows/go-tests.yml
+      - .github/workflows/go-tests-linux.yml
+      - .github/workflows/go-tests-other-os.yml
       - .github/actions/**
       - codeql-workspace.yml
     branches:
@@ -13,24 +15,128 @@ on:
     paths:
       - "go/**"
       - .github/workflows/go-tests.yml
+      - .github/workflows/go-tests-linux.yml
+      - .github/workflows/go-tests-other-os.yml
       - .github/actions/**
       - codeql-workspace.yml
       - MODULE.bazel
       - .bazelrc
       - misc/bazel/**
 
-permissions:
-  contents: read
-
 jobs:
-  test-linux:
+  prepare-go-tests:
     if: github.repository_owner == 'github'
-    name: Test Linux (Ubuntu)
-    runs-on: ubuntu-latest-xl
+    name: "Prepare tests"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    outputs:
+      # Skip tests for this workflow run if we just created a new commit/PR to run the
+      # tests on.
+      skipTests: ${{ steps.push-bazel-files.outputs.SKIP_TESTS }}
+      # We don't want to run macOS/Windows workflows if only .ql files have changed
+      onlyQL: ${{ steps.only-ql-check.outputs.ONLY_QL_CHANGES }}
     steps:
+      - name: Print information about the workflow
+        shell: bash
+        run: |
+          echo $GITHUB_CONTEXT
+        env:
+          GITHUB_CONTEXT: ${{ toJson(github) }}
+
       - name: Check out code
         uses: actions/checkout@v4
-      - name: Run tests
-        uses: ./go/actions/test
         with:
-          run-code-checks: true
+          # For PRs, this ensures that we do not end up in a detached HEAD state;
+          # For pushes, this does not change anything.
+          # We require this to be able to easily push changes, if needed.
+          ref: ${{ github.event.pull_request.head.ref || '' }}
+          # We need HEAD^ to determine the list of changed files
+          fetch-depth: 2
+
+      # Determine whether only .ql files changed: if so, we won't run the macOS and Windows workflows
+      - name: Determine whether only .ql files changed
+        id: only-ql-check
+        shell: bash
+        run: |
+          CHANGES=$(git diff --name-only HEAD^)
+          echo $CHANGES
+
+          ONLY_QL_CHANGES=true
+          for change in $(git diff --name-only HEAD^)
+          do
+            if [[ $change != go/ql/* ]];
+            then
+              ONLY_QL_CHANGES=false
+              echo "Files other than .ql files have changed"
+              break
+            fi
+          done
+
+          echo "Setting ONLY_QL_CHANGES to $ONLY_QL_CHANGES"
+          echo "ONLY_QL_CHANGES=$ONLY_QL_CHANGES" >> $GITHUB_OUTPUT
+
+      # Dependabot will nuke Bazel build files when it updates Go dependencies;
+      # this will restore them
+      - name: Regenerate Bazel files for Dependabot PR
+        if: github.event.pull_request.user.login == 'dependabot[bot]'
+        shell: bash
+        run: |
+          bazel run //go:gazelle
+          bazel run //go:gen
+
+      # And this will push the Bazel files to the PR branch
+      - name: Push Bazel files for Dependabot PR
+        id: push-bazel-files
+        if: github.event.pull_request.user.login == 'dependabot[bot]'
+        shell: bash
+        run: |
+          git add go/extractor/vendor/**
+
+          if git diff --exit-code HEAD;
+          then
+            echo "Regenerate Bazel files resulted in no changes"
+          else
+            BAZEL_BRANCH_NAME="${{ github.head_ref }}/bazel"
+
+            echo "Pushing regenerated Bazel files to $BAZEL_BRANCH_NAME"
+            git config user.name "github-actions[bot]"
+            git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+            git commit -m 'Regenerate Bazel build files for Dependabot PR'
+
+            git checkout -b "$BAZEL_BRANCH_NAME"
+            git push -u origin "$BAZEL_BRANCH_NAME"
+
+            echo "Creating PR for $BAZEL_BRANCH_NAME"
+            gh pr create -B "${{ github.head_ref }}" -H "$BAZEL_BRANCH_NAME" \
+                --title "Go: Regenerate Bazel files for Dependabot PR" \
+                --body "Created automatically to update Bazel build files for a Dependabot PR"
+
+            echo "Merging PR by pushing to ${{ github.head_ref }}"
+            git checkout "${{ github.head_ref }}"
+            git push
+          fi
+
+          echo "SKIP_TESTS=true" >> $GITHUB_OUTPUT
+
+  run-linux-tests:
+    name: "Run Linux tests"
+    if: needs.prepare-go-tests.outputs.skipTests != 'true'
+    needs:
+      - prepare-go-tests
+    uses: ./.github/workflows/go-tests-linux.yml
+    secrets: inherit
+    with:
+      ref: ${{ github.head_ref || github.ref_name }}
+
+  run-other-os-tests:
+    name: "Run other OS tests"
+    # Only run this workflow for PRs and only if something other than .ql files changed
+    if: github.event_name == 'pull_request' && needs.prepare-go-tests.outputs.skipTests != 'true' && !(needs.prepare-go-tests.outputs.onlyQL == 'true')
+    needs:
+      - prepare-go-tests
+    uses: ./.github/workflows/go-tests-other-os.yml
+    secrets: inherit
+    with:
+      ref: ${{ github.head_ref }}

.github/workflows/ruby-build.yml

@@ -7,6 +7,7 @@ on:
       - .github/workflows/ruby-build.yml
       - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml
+      - "shared/tree-sitter-extractor/**"
     branches:
       - main
       - "rc/*"
@@ -16,6 +17,7 @@ on:
       - .github/workflows/ruby-build.yml
       - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml
+      - "shared/tree-sitter-extractor/**"
     branches:
       - main
       - "rc/*"

MODULE.bazel

@@ -13,22 +13,45 @@ local_path_override(
 
 # see https://registry.bazel.build/ for a list of available packages
 
-bazel_dep(name = "platforms", version = "0.0.9")
-bazel_dep(name = "rules_go", version = "0.47.0")
+bazel_dep(name = "platforms", version = "0.0.10")
+bazel_dep(name = "rules_go", version = "0.48.0")
 bazel_dep(name = "rules_pkg", version = "0.10.1")
-bazel_dep(name = "rules_nodejs", version = "6.0.3")
-bazel_dep(name = "rules_python", version = "0.31.0")
-bazel_dep(name = "bazel_skylib", version = "1.5.0")
+bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
+bazel_dep(name = "rules_python", version = "0.32.2")
+bazel_dep(name = "bazel_skylib", version = "1.6.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "1.9.4-codeql.1")
-bazel_dep(name = "gazelle", version = "0.36.0")
+bazel_dep(name = "gazelle", version = "0.37.0")
 bazel_dep(name = "rules_dotnet", version = "0.15.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
+bazel_dep(name = "rules_rust", version = "0.46.0")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 
+crate = use_extension(
+    "@rules_rust//crate_universe:extension.bzl",
+    "crate",
+)
+crate.from_cargo(
+    name = "py_deps",
+    cargo_lockfile = "//python/extractor/tsg-python:Cargo.lock",
+    manifests = [
+        "//python/extractor/tsg-python:Cargo.toml",
+        "//python/extractor/tsg-python/tsp:Cargo.toml",
+    ],
+)
+crate.from_cargo(
+    name = "ruby_deps",
+    cargo_lockfile = "//ruby/extractor:Cargo.lock",
+    manifests = [
+        "//ruby/extractor:Cargo.toml",
+        "//ruby/extractor/codeql-extractor-fake-crate:Cargo.toml",
+    ],
+)
+use_repo(crate, "py_deps", "ruby_deps")
+
 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
 dotnet.toolchain(dotnet_version = "8.0.101")
 use_repo(dotnet, "dotnet_toolchains")
@@ -62,6 +85,10 @@ use_repo(
 node = use_extension("@rules_nodejs//nodejs:extensions.bzl", "node")
 node.toolchain(
     name = "nodejs",
+    node_urls = [
+        "https://nodejs.org/dist/v{version}/{filename}",
+        "https://mirrors.dotsrc.org/nodejs/release/v{version}/{filename}",
+    ],
     node_version = "18.15.0",
 )
 use_repo(node, "nodejs", "nodejs_toolchains")

config/identical-files.json

@@ -61,10 +61,6 @@
     "java/ql/src/utils/modelgenerator/internal/CaptureModels.qll",
     "csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll"
   ],
-  "Model as Data Generation Java/C# - CaptureModelsPrinting": [
-    "java/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll",
-    "csharp/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll"
-  ],
   "Sign Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
@@ -185,11 +181,6 @@
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
   ],
-  "C++ IR ValueNumberingImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
-  ],
   "IR SSA SSAConstruction": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 1.1.1
+
+No user-facing changes.
+
+## 1.1.0
+
+### New Features
+
+* Data models can now be added with data extensions. In this way source, sink and summary models can be added in extension `.model.yml` files, rather than by writing classes in QL code. New models should be added in the `lib/ext` folder.
+
+### Minor Analysis Improvements
+
+* A partial model for the `Boost.Asio` network library has been added. This includes sources, sinks and summaries for certain functions in `Boost.Asio`, such as `read_until` and `write`.
+
 ## 1.0.0
 
 ### Breaking Changes

cpp/ql/lib/change-notes/2024-06-10-builtin-expect.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Guards" library (`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation `__builtin_expect`. As a result, some queries may produce fewer false positives.

cpp/ql/lib/change-notes/2024-06-13-double-free.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The queries "Potential double free" (`cpp/double-free`) and "Potential use after free" (`cpp/use-after-free`) now produce fewer false positives.

cpp/ql/lib/change-notes/2024-06-14-boost-asio.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* A partial model for the `Boost.Asio` network library has been added. This includes sources, sinks and summaries for certain functions in `Boost.Asio`, such as `read_until` and `write`.

cpp/ql/lib/change-notes/2024-06-14-models-as-data-yml-extensions.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Data models can now be added with data extensions. In this way source, sink and summary models can be added in extension `.model.yml` files, rather than by writing classes in QL code. New models should be added in the `lib/ext` folder.

cpp/ql/lib/change-notes/2024-06-20-extensible-allocation-deallocation.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.

cpp/ql/lib/change-notes/2024-07-03-extended-mad-syntax.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See `dataflow/ExternalFlow.qll` for the updated documentation and specification for the model format.

cpp/ql/lib/change-notes/released/1.1.0.md

@@ -0,0 +1,9 @@
+## 1.1.0
+
+### New Features
+
+* Data models can now be added with data extensions. In this way source, sink and summary models can be added in extension `.model.yml` files, rather than by writing classes in QL code. New models should be added in the `lib/ext` folder.
+
+### Minor Analysis Improvements
+
+* A partial model for the `Boost.Asio` network library has been added. This includes sources, sinks and summaries for certain functions in `Boost.Asio`, such as `read_until` and `write`.

cpp/ql/lib/change-notes/released/1.1.1.md

@@ -0,0 +1,3 @@
+## 1.1.1
+
+No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.0
+lastReleaseVersion: 1.1.1

cpp/ql/lib/ext/Boost.Asio.model.yml

@@ -1,4 +1,3 @@
-extensions:
   # partial model of the Boost::Asio network library
 extensions:
   - addsTo:

cpp/ql/lib/ext/allocation/Bsd.allocation.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: allocationFunctionModel
+    data:
+      - ["", "", False, "kmem_alloc", "0", "", "", True]
+      - ["", "", False, "kmem_zalloc", "0", "", "", True]

cpp/ql/lib/ext/allocation/Glibc.allocation.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: allocationFunctionModel
+    data:
+      - ["", "", False, "g_malloc", "0", "", "", True]
+      - ["", "", False, "g_try_malloc", "0", "", "", True]

cpp/ql/lib/ext/allocation/OpenSSL.allocation.model.yml

@@ -0,0 +1,10 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: allocationFunctionModel
+    data:
+      - ["", "", False, "CRYPTO_malloc", "0", "", "", True]
+      - ["", "", False, "CRYPTO_zalloc", "0", "", "", True]
+      - ["", "", False, "CRYPTO_secure_malloc", "0", "", "", True]
+      - ["", "", False, "CRYPTO_secure_zalloc", "0", "", "", True]
+

cpp/ql/lib/ext/allocation/Std.allocation.model.yml

@@ -0,0 +1,15 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: allocationFunctionModel
+    data:
+      - ["", "", False, "malloc", "0", "", "", True]
+      - ["std", "", False, "malloc", "0", "", "", True]
+      - ["bsl", "", False, "malloc", "0", "", "", True]
+      - ["", "", False, "alloca", "0", "", "", False]
+      - ["", "", False, "__builtin_alloca", "0", "", "", False]
+      - ["", "", False, "_alloca", "0", "", "", False]
+      - ["", "", False, "_malloca", "0", "", "", False]
+      - ["", "", False, "calloc", "1", "0", "", True]
+      - ["std", "", False, "calloc", "1", "0", "", True]
+      - ["bsl", "", False, "calloc", "1", "0", "", True]

cpp/ql/lib/ext/allocation/Windows.allocation.model.yml

@@ -0,0 +1,29 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: allocationFunctionModel
+    data:
+      - ["", "", False, "MmAllocateContiguousMemory", "0", "", "", True]
+      - ["", "", False, "MmAllocateContiguousNodeMemory", "0", "", "", True]
+      - ["", "", False, "MmAllocateContiguousMemorySpecifyCache", "0", "", "", True]
+      - ["", "", False, "MmAllocateContiguousMemorySpecifyCacheNode", "0", "", "", True]
+      - ["", "", False, "MmAllocateNonCachedMemory", "0", "", "", True]
+      - ["", "", False, "MmAllocateMappingAddress", "0", "", "", True]
+      - ["", "", False, "CoTaskMemAlloc", "0", "", "", True]
+      - ["", "", False, "ExAllocatePool", "1", "", "", True]
+      - ["", "", False, "ExAllocatePool2", "1", "", "", True]
+      - ["", "", False, "ExAllocatePool3", "1", "", "", True]
+      - ["", "", False, "ExAllocatePoolWithTag", "1", "", "", True]
+      - ["", "", False, "ExAllocatePoolWithTagPriority", "1", "", "", True]
+      - ["", "", False, "ExAllocatePoolWithQuota", "1", "", "", True]
+      - ["", "", False, "ExAllocatePoolWithQuotaTag", "1", "", "", True]
+      - ["", "", False, "ExAllocatePoolZero", "1", "", "", True]
+      - ["", "", False, "IoAllocateMdl", "1", "", "", True]
+      - ["", "", False, "IoAllocateErrorLogEntry", "1", "", "", True]
+      - ["", "", False, "LocalAlloc", "1", "", "", True]
+      - ["", "", False, "GlobalAlloc", "1", "", "", True]
+      - ["", "", False, "VirtualAlloc", "1", "", "", True]
+      - ["", "", False, "HeapAlloc", "2", "", "", True]
+      - ["", "", False, "MmAllocatePagesForMdl", "3", "", "", True]
+      - ["", "", False, "MmAllocatePagesForMdlEx", "3", "", "", True]
+      - ["", "", False, "MmAllocateNodePagesForMdlEx", "3", "", "", True]

cpp/ql/lib/ext/allocation/empty.allocation.model.yml

@@ -0,0 +1,5 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: allocationFunctionModel
+    data: []

cpp/ql/lib/ext/bsl.array.model.yml

@@ -0,0 +1,14 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["bsl", "array", True, "at", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "array", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "array", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "array", True, "data", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "array", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "array", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "array", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "array", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "array", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]

cpp/ql/lib/ext/bsl.deque.model.yml

@@ -0,0 +1,73 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["bsl", "deque<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "at", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "deque", "(const deque &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "deque", "(deque &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "deque", True, "push_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "push_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque<T,Allocator>", True, "deque", "(const deque &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque<T,Allocator>", True, "deque", "(deque &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque<T,Allocator>", True, "deque", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque<T,Allocator>", True, "deque<InputIterator>", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "deque<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "deque<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/bsl.forward_list.model.yml

@@ -0,0 +1,56 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["bsl", "forward_list", True, "insert_after<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "forward_list", "(const forward_list &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "forward_list", "(forward_list &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "insert_after<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "insert_after<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "push_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T,Allocator>", True, "forward_list", "(const forward_list &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T,Allocator>", True, "forward_list", "(forward_list &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T,Allocator>", True, "forward_list", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T,Allocator>", True, "forward_list", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/bsl.list.model.yml

@@ -0,0 +1,71 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["bsl", "list<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "emplace_front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "list", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "list", "(const list &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "list", "(list &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "push_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "push_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "list", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "list<T,Allocator>", True, "list", "(const list &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list<T,Allocator>", True, "list", "(list &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list<T,Allocator>", True, "list", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list<T,Allocator>", True, "list<InputIterator>", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "list<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "list<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "list<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "list<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "list<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "list<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/bsl.vector.model.yml

@@ -0,0 +1,60 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["bsl", "vector<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "at", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "vector", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "vector", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "data", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "vector", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "vector", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["bsl", "vector", True, "push_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "vector", "(const vector &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector", True, "vector", "(vector &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector<T,Allocator>", True, "vector", "(const vector &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector<T,Allocator>", True, "vector", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector<T,Allocator>", True, "vector", "(vector &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector<T,Allocator>", True, "vector<InputIterator>", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["bsl", "vector<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["bsl", "vector<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/deallocation/Bsd.deallocation.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: deallocationFunctionModel
+    data:
+      - ["", "", False, "pool_put", "1"]
+      - ["", "", False, "pool_cache_put", "1"]
+      - ["", "", False, "kmem_free", "0"]

cpp/ql/lib/ext/deallocation/Std.deallocation.model.yml

@@ -0,0 +1,42 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: deallocationFunctionModel
+    data:
+      - ["", "", False, "free", "0"]
+      - ["std", "", False, "free", "0"]
+      - ["bsl", "", False, "free", "0"]
+      - ["", "", False, "realloc", "0"]
+      - ["std", "", False, "realloc", "0"]
+      - ["bsl", "", False, "realloc", "0"]
+      - ["", "", False, "CRYPTO_free", "0"]
+      - ["", "", False, "CRYPTO_secure_free", "0"]
+      - ["", "", False, "g_free", "0"]
+      - ["", "", False, "ExFreePool", "0"]
+      - ["", "", False, "ExFreePoolWithTag", "0"]
+      - ["", "", False, "ExDeleteTimer", "0"]
+      - ["", "", False, "IoFreeIrp", "0"]
+      - ["", "", False, "IoFreeMdl", "0"]
+      - ["", "", False, "IoFreeErrorLogEntry", "0"]
+      - ["", "", False, "IoFreeWorkItem", "0"]
+      - ["", "", False, "MmFreeContiguousMemory", "0"]
+      - ["", "", False, "MmFreeContiguousMemorySpecifyCache", "0"]
+      - ["", "", False, "MmFreeNonCachedMemory", "0"]
+      - ["", "", False, "MmFreeMappingAddress", "0"]
+      - ["", "", False, "MmFreePagesFromMdl", "0"]
+      - ["", "", False, "MmUnmapReservedMapping", "0"]
+      - ["", "", False, "MmUnmapLockedPages", "0"]
+      - ["", "", False, "NdisFreeGenericObject", "0"]
+      - ["", "", False, "NdisFreeMemory", "0"]
+      - ["", "", False, "NdisFreeMemoryWithTag", "0"]
+      - ["", "", False, "NdisFreeMdl", "0"]
+      - ["", "", False, "NdisFreeNetBufferListPool", "0"]
+      - ["", "", False, "NdisFreeNetBufferPool", "0"]
+      - ["", "", False, "LocalFree", "0"]
+      - ["", "", False, "GlobalFree", "0"]
+      - ["", "", False, "LocalReAlloc", "0"]
+      - ["", "", False, "GlobalReAlloc", "0"]
+      - ["", "", False, "VirtualFree", "0"]
+      - ["", "", False, "CoTaskMemFree", "0"]
+      - ["", "", False, "CoTaskMemRealloc", "0"]
+      - ["", "", False, "SysFreeString", "0"]

cpp/ql/lib/ext/deallocation/Windows.deallocation.model.yml

@@ -0,0 +1,41 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: deallocationFunctionModel
+    data:
+      - ["", "", False, "ExFreePool", "0"]
+      - ["", "", False, "ExFreePoolWithTag", "0"]
+      - ["", "", False, "ExDeleteTimer", "0"]
+      - ["", "", False, "IoFreeIrp", "0"]
+      - ["", "", False, "IoFreeMdl", "0"]
+      - ["", "", False, "IoFreeErrorLogEntry", "0"]
+      - ["", "", False, "IoFreeWorkItem", "0"]
+      - ["", "", False, "MmFreeContiguousMemory", "0"]
+      - ["", "", False, "MmFreeContiguousMemorySpecifyCache", "0"]
+      - ["", "", False, "MmFreeNonCachedMemory", "0"]
+      - ["", "", False, "MmFreeMappingAddress", "0"]
+      - ["", "", False, "MmFreePagesFromMdl", "0"]
+      - ["", "", False, "MmUnmapReservedMapping", "0"]
+      - ["", "", False, "MmUnmapLockedPages", "0"]
+      - ["", "", False, "NdisFreeGenericObject", "0"]
+      - ["", "", False, "NdisFreeMemory", "0"]
+      - ["", "", False, "NdisFreeMemoryWithTag", "0"]
+      - ["", "", False, "NdisFreeMdl", "0"]
+      - ["", "", False, "NdisFreeNetBufferListPool", "0"]
+      - ["", "", False, "NdisFreeNetBufferPool", "0"]
+      - ["", "", False, "LocalFree", "0"]
+      - ["", "", False, "GlobalFree", "0"]
+      - ["", "", False, "LocalReAlloc", "0"]
+      - ["", "", False, "GlobalReAlloc", "0"]
+      - ["", "", False, "VirtualFree", "0"]
+      - ["", "", False, "CoTaskMemFree", "0"]
+      - ["", "", False, "CoTaskMemRealloc", "0"]
+      - ["", "", False, "SysFreeString", "0"]
+      - ["", "", False, "ExFreeToLookasideListEx", "1"]
+      - ["", "", False, "ExFreeToPagedLookasideList", "1"]
+      - ["", "", False, "ExFreeToNPagedLookasideList", "1"]
+      - ["", "", False, "NdisFreeMemoryWithTagPriority", "1"]
+      - ["", "", False, "StorPortFreeMdl", "1"]
+      - ["", "", False, "StorPortFreePool", "1"]
+      - ["", "", False, "HeapFree", "2"]
+      - ["", "", False, "HeapReAlloc", "2"]

cpp/ql/lib/ext/deallocation/empty.deallocation.model.yml

@@ -0,0 +1,5 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: deallocationFunctionModel
+    data: []

cpp/ql/lib/ext/std.array.model.yml

@@ -0,0 +1,14 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["std", "array", True, "at", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "array", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "array", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "array", True, "data", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "array", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "array", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "array", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "array", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "array", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]

cpp/ql/lib/ext/std.deque.model.yml

@@ -0,0 +1,73 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["std", "deque<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "at", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque", True, "deque", "(const deque &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "deque", "(deque &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "emplace_front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "deque", True, "push_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "push_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque<T,Allocator>", True, "deque", "(const deque &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque<T,Allocator>", True, "deque", "(deque &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque<T,Allocator>", True, "deque", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque<T,Allocator>", True, "deque<InputIterator>", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "deque<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "deque<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/std.forward_list.model.yml

@@ -0,0 +1,56 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["std", "forward_list", True, "insert_after<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "forward_list", True, "forward_list", "(const forward_list &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "forward_list", "(forward_list &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "forward_list", True, "insert_after<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "insert_after<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "push_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list<T,Allocator>", True, "forward_list", "(const forward_list &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list<T,Allocator>", True, "forward_list", "(forward_list &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list<T,Allocator>", True, "forward_list", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list<T,Allocator>", True, "forward_list", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/std.iterator.model.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["std", "iterator", True, "operator*", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "iterator", True, "operator->", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "iterator", True, "iterator", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["__gnu_cxx", "__normal_iterator", True, "operator*", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["__gnu_cxx", "__normal_iterator", True, "operator->", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["__gnu_cxx", "__normal_iterator", True, "__normal_iterator", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]

cpp/ql/lib/ext/std.list.model.yml

@@ -0,0 +1,71 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["std", "list<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace_back", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "emplace_back", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace_back", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "emplace_back", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace_back", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "emplace_back", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace_back", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "emplace_back", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace_back", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "emplace_back", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace_back", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "emplace_back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "emplace_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace_front", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "emplace_front", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace_front", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "emplace_front", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace_front", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "emplace_front", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace_front", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "emplace_front", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace_front", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "emplace_front", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "emplace_front", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "emplace_front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "list", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list", True, "list", "(const list &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "list", "(list &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "push_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "push_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list<T,Allocator>", True, "list", "(const list &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list<T,Allocator>", True, "list", "(list &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list<T,Allocator>", True, "list", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list<T,Allocator>", True, "list<InputIterator>", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "list<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "list<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/std.vector.model.yml

@@ -0,0 +1,60 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["std", "vector<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "at", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "vector", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "vector", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector", True, "data", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "vector", True, "emplace", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "vector", True, "emplace_back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "vector", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "vector", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["std", "vector", True, "push_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector", True, "vector", "(const vector &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector", True, "vector", "(vector &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector<T,Allocator>", True, "vector", "(const vector &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector<T,Allocator>", True, "vector", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector<T,Allocator>", True, "vector", "(vector &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector<T,Allocator>", True, "vector<InputIterator>", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["std", "vector<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["std", "vector<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 1.0.1-dev
+version: 1.1.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -16,4 +16,6 @@ dependencies:
   codeql/xml: ${workspace}
 dataExtensions:
   - ext/*.model.yml
+  - ext/deallocation/*.model.yml
+  - ext/allocation/*.model.yml
 warnOnImplicitThis: true

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -59,8 +59,7 @@ class MatchValue extends AbstractValue, TMatchValue {
 }
 
 /**
- * A Boolean condition in the AST that guards one or more basic blocks. This includes
- * operands of logical operators but not switch statements.
+ * A Boolean condition in the AST that guards one or more basic blocks.
  */
 cached
 class GuardCondition extends Expr {
@@ -366,15 +365,42 @@ private predicate nonExcludedIRAndBasicBlock(IRBlock irb, BasicBlock controlled)
 }
 
 /**
- * A Boolean condition in the IR that guards one or more basic blocks. This includes
- * operands of logical operators but not switch statements. Note that `&&` and `||`
- * don't have an explicit representation in the IR, and therefore will not appear as
- * IRGuardConditions.
+ * A Boolean condition in the IR that guards one or more basic blocks.
+ *
+ * Note that `&&` and `||` don't have an explicit representation in the IR,
+ * and therefore will not appear as IRGuardConditions.
  */
 cached
 class IRGuardCondition extends Instruction {
   Instruction branch;
 
+  /*
+   * An `IRGuardCondition` supports reasoning about four different kinds of
+   * relations:
+   * 1. A unary equality relation of the form `e == k`
+   * 2. A binary equality relation of the form `e1 == e2 + k`
+   * 3. A unary inequality relation of the form `e < k`
+   * 4. A binary inequality relation of the form `e1 < e2 + k`
+   *
+   * where `k` is a constant.
+   *
+   * Furthermore, the unary relations (i.e., case 1 and case 3) are also
+   * inferred from `switch` statement guards: equality relations are inferred
+   * from the unique `case` statement, if any, and inequality relations are
+   * inferred from the [case range](https://gcc.gnu.org/onlinedocs/gcc/Case-Ranges.html)
+   * gcc extension.
+   *
+   * The implementation of all four follows the same structure: Each relation
+   * has a cached user-facing predicate that. For example,
+   * `GuardCondition::comparesEq` calls `compares_eq`. This predicate has
+   * several cases that recursively decompose the relation to bring it to a
+   * canonical form (i.e., a relation of the form `e1 == e2 + k`). The base
+   * case for this relation (i.e., `simple_comparison_eq`) handles
+   * `CompareEQInstruction`s and `CompareNEInstruction`, and recursive
+   * predicates (e.g., `complex_eq`) rewrites larger expressions such as
+   * `e1 + k1 == e2 + k2` into canonical the form `e1 == e2 + (k2 - k1)`.
+   */
+
   cached
   IRGuardCondition() { branch = getBranchForCondition(this) }
 
@@ -735,6 +761,8 @@ private predicate compares_eq(
   exists(AbstractValue dual | value = dual.getDualValue() |
     compares_eq(test.(LogicalNotInstruction).getUnary(), left, right, k, areEqual, dual)
   )
+  or
+  compares_eq(test.(BuiltinExpectCallInstruction).getCondition(), left, right, k, areEqual, value)
 }
 
 /**
@@ -776,7 +804,9 @@ private predicate unary_compares_eq(
   Instruction test, Operand op, int k, boolean areEqual, boolean inNonZeroCase, AbstractValue value
 ) {
   /* The simple case where the test *is* the comparison so areEqual = testIsTrue xor eq. */
-  exists(AbstractValue v | unary_simple_comparison_eq(test, op, k, inNonZeroCase, v) |
+  exists(AbstractValue v |
+    unary_simple_comparison_eq(test, k, inNonZeroCase, v) and op.getDef() = test
+  |
     areEqual = true and value = v
     or
     areEqual = false and value = v.getDualValue()
@@ -802,6 +832,9 @@ private predicate unary_compares_eq(
     int_value(const) = k1 and
     k = k1 + k2
   )
+  or
+  unary_compares_eq(test.(BuiltinExpectCallInstruction).getCondition(), op, k, areEqual,
+    inNonZeroCase, value)
 }
 
 /** Rearrange various simple comparisons into `left == right + k` form. */
@@ -821,45 +854,55 @@ private predicate simple_comparison_eq(
   value.(BooleanValue).getValue() = false
 }
 
-/**
- * Holds if `test` is an instruction that is part of test that eventually is
- * used in a conditional branch.
- */
-private predicate relevantUnaryComparison(Instruction test) {
-  not test instanceof CompareInstruction and
-  exists(IRType type, ConditionalBranchInstruction branch |
-    type instanceof IRAddressType or type instanceof IRIntegerType
-  |
-    type = test.getResultIRType() and
-    branch.getCondition() = test
-  )
-  or
-  exists(LogicalNotInstruction logicalNot |
-    relevantUnaryComparison(logicalNot) and
-    test = logicalNot.getUnary()
-  )
-}
-
 /**
  * Rearrange various simple comparisons into `op == k` form.
  */
 private predicate unary_simple_comparison_eq(
-  Instruction test, Operand op, int k, boolean inNonZeroCase, AbstractValue value
+  Instruction test, int k, boolean inNonZeroCase, AbstractValue value
 ) {
   exists(SwitchInstruction switch, CaseEdge case |
     test = switch.getExpression() and
-    op.getDef() = test and
     case = value.(MatchValue).getCase() and
     exists(switch.getSuccessor(case)) and
     case.getValue().toInt() = k and
     inNonZeroCase = false
   )
   or
-  // There's no implicit CompareInstruction in files compiled as C since C
-  // doesn't have implicit boolean conversions. So instead we check whether
-  // there's a branch on a value of pointer or integer type.
-  relevantUnaryComparison(test) and
-  op.getDef() = test and
+  // Any instruction with an integral type could potentially be part of a
+  // check for nullness when used in a guard. So we include all integral
+  // typed instructions here. However, since some of these instructions are
+  // already included as guards in other cases, we exclude those here.
+  // These are instructions that compute a binary equality or inequality
+  // relation. For example, the following:
+  // ```cpp
+  // if(a == b + 42) { ... }
+  // ```
+  // generates the following IR:
+  // ```
+  // r1(glval<int>) = VariableAddress[a]     :
+  // r2(int)        = Load[a]                : &:r1, m1
+  // r3(glval<int>) = VariableAddress[b]     :
+  // r4(int)        = Load[b]                : &:r3, m2
+  // r5(int)        = Constant[42]           :
+  // r6(int)        = Add                    : r4, r5
+  // r7(bool)       = CompareEQ              : r2, r6
+  // v1(void)       = ConditionalBranch      : r7
+  // ```
+  // and since `r7` is an integral typed instruction this predicate could
+  // include a case for when `r7` evaluates to true (in which case we would
+  // infer that `r6` was non-zero, and a case for when `r7` evaluates to false
+  // (in which case we would infer that `r6` was zero).
+  // However, since `a == b + 42` is already supported when reasoning about
+  // binary equalities we exclude those cases here.
+  not test.isGLValue() and
+  not simple_comparison_eq(test, _, _, _, _) and
+  not simple_comparison_lt(test, _, _, _) and
+  not test = any(SwitchInstruction switch).getExpression() and
+  (
+    test.getResultIRType() instanceof IRAddressType or
+    test.getResultIRType() instanceof IRIntegerType or
+    test.getResultIRType() instanceof IRBooleanType
+  ) and
   (
     k = 1 and
     value.(BooleanValue).getValue() = true and
@@ -871,12 +914,68 @@ private predicate unary_simple_comparison_eq(
   )
 }
 
+/** A call to the builtin operation `__builtin_expect`. */
+private class BuiltinExpectCallInstruction extends CallInstruction {
+  BuiltinExpectCallInstruction() { this.getStaticCallTarget().hasName("__builtin_expect") }
+
+  /** Gets the condition of this call. */
+  Instruction getCondition() {
+    // The first parameter of `__builtin_expect` has type `long`. So we skip
+    // the conversion when inferring guards.
+    result = this.getArgument(0).(ConvertInstruction).getUnary()
+  }
+}
+
+/**
+ * Holds if `left == right + k` is `areEqual` if `cmp` evaluates to `value`,
+ * and `cmp` is an instruction that compares the value of
+ * `__builtin_expect(left == right + k, _)` to `0`.
+ */
+private predicate builtin_expect_eq(
+  CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, AbstractValue value
+) {
+  exists(BuiltinExpectCallInstruction call, Instruction const, AbstractValue innerValue |
+    int_value(const) = 0 and
+    cmp.hasOperands(call.getAUse(), const.getAUse()) and
+    compares_eq(call.getCondition(), left, right, k, areEqual, innerValue)
+  |
+    cmp instanceof CompareNEInstruction and
+    value = innerValue
+    or
+    cmp instanceof CompareEQInstruction and
+    value.getDualValue() = innerValue
+  )
+}
+
 private predicate complex_eq(
   CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, AbstractValue value
 ) {
   sub_eq(cmp, left, right, k, areEqual, value)
   or
   add_eq(cmp, left, right, k, areEqual, value)
+  or
+  builtin_expect_eq(cmp, left, right, k, areEqual, value)
+}
+
+/**
+ * Holds if `op == k` is `areEqual` if `cmp` evaluates to `value`, and `cmp` is
+ * an instruction that compares the value of `__builtin_expect(op == k, _)` to `0`.
+ */
+private predicate unary_builtin_expect_eq(
+  CompareInstruction cmp, Operand op, int k, boolean areEqual, boolean inNonZeroCase,
+  AbstractValue value
+) {
+  exists(BuiltinExpectCallInstruction call, Instruction const, AbstractValue innerValue |
+    int_value(const) = 0 and
+    cmp.hasOperands(call.getAUse(), const.getAUse()) and
+    unary_compares_eq(call.getCondition(), op, k, areEqual, inNonZeroCase, innerValue)
+  |
+    cmp instanceof CompareNEInstruction and
+    value = innerValue
+    or
+    cmp instanceof CompareEQInstruction and
+    value.getDualValue() = innerValue
+  )
 }
 
 private predicate unary_complex_eq(
@@ -885,6 +984,8 @@ private predicate unary_complex_eq(
   unary_sub_eq(test, op, k, areEqual, inNonZeroCase, value)
   or
   unary_add_eq(test, op, k, areEqual, inNonZeroCase, value)
+  or
+  unary_builtin_expect_eq(test, op, k, areEqual, inNonZeroCase, value)
 }
 
 /*
@@ -913,7 +1014,8 @@ private predicate compares_lt(
 
 /** Holds if `op < k` evaluates to `isLt` given that `test` evaluates to `value`. */
 private predicate compares_lt(Instruction test, Operand op, int k, boolean isLt, AbstractValue value) {
-  simple_comparison_lt(test, op, k, isLt, value)
+  unary_simple_comparison_lt(test, k, isLt, value) and
+  op.getDef() = test
   or
   complex_lt(test, op, k, isLt, value)
   or
@@ -960,12 +1062,11 @@ private predicate simple_comparison_lt(CompareInstruction cmp, Operand left, Ope
 }
 
 /** Rearrange various simple comparisons into `op < k` form. */
-private predicate simple_comparison_lt(
-  Instruction test, Operand op, int k, boolean isLt, AbstractValue value
+private predicate unary_simple_comparison_lt(
+  Instruction test, int k, boolean isLt, AbstractValue value
 ) {
   exists(SwitchInstruction switch, CaseEdge case |
     test = switch.getExpression() and
-    op.getDef() = test and
     case = value.(MatchValue).getCase() and
     exists(switch.getSuccessor(case)) and
     case.getMaxValue() > case.getMinValue()

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -14,16 +14,22 @@
  * The interpretation of a row is similar to API-graphs with a left-to-right
  * reading.
  * 1. The `namespace` column selects a namespace.
- * 2. The `type` column selects a type within that namespace.
+ * 2. The `type` column selects a type within that namespace. This column can
+ *    introduce template names that can be mentioned in the `signature` column.
+ *    For example, `vector<T,Allocator>` introduces the template names `T` and
+ *    `Allocator`.
  * 3. The `subtypes` is a boolean that indicates whether to jump to an
  *    arbitrary subtype of that type. Set this to `false` if leaving the `type`
  *    blank (for example, a free function).
  * 4. The `name` column optionally selects a specific named member of the type.
+ *    Like the `type` column, this column can introduce template names that can
+ *    be mentioned in the `signature` column. For example, `insert<InputIt>`
+ *    introduces the template name `InputIt`.
  * 5. The `signature` column optionally restricts the named member. If
  *    `signature` is blank then no such filtering is done. The format of the
  *    signature is a comma-separated list of types enclosed in parentheses. The
- *    types can be short names or fully qualified names (mixing these two options
- *    is not allowed within a single signature).
+ *    types must be stripped of template names. That is, write `const vector &`
+ *    instead of `const vector<T> &`.
  * 6. The `ext` column specifies additional API-graph-like edges. Currently
  *    there is only one valid value: "".
  * 7. The `input` column specifies how data enters the element selected by the
@@ -44,6 +50,9 @@
  *      One or more "*" can be added as an argument to indicate indirection, for
  *      example, "ReturnValue[*]" indicates the first indirection of the return
  *      value.
+ *    The special symbol `@` can be used to specify an arbitrary (but fixed)
+ *    number of indirections. For example, the `input` column `Argument[*@0]`
+ *    indicates one or more indirections of the 0th argument.
  *
  *    An `output` can be either:
  *    - "": Selects a read of a selected field.
@@ -65,6 +74,17 @@
  *      One or more "*" can be added as an argument to indicate indirection, for
  *      example, "ReturnValue[*]" indicates the first indirection of the return
  *      value.
+ *    The special symbol `@` can be used to specify an arbitrary (but fixed)
+ *    number of indirections. For example, the `output` column
+ *    `ReturnValue[*@0]` indicates one or more indirections of the return
+ *    value.
+ *    Note: The symbol `@` only ever takes a single value across a row. Thus,
+ *    the (`input`, `output`) pair `("Argument[*@0]", "ReturnValue[@]")`
+ *    represents:
+ *    - flow from the _first_ indirection of the 0th argument to the return
+ *    value, and
+ *    - flow from the _second_ indirection of the 0th argument to the first
+ *    indirection of the return value, etc.
  * 8. The `kind` column is a tag that can be referenced from QL to determine to
  *    which classes the interpreted elements should be added. For example, for
  *    sources "remote" indicates a default remote flow source, and for summaries
@@ -74,6 +94,8 @@
 
 import cpp
 private import new.DataFlow
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate as Private
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import internal.FlowSummaryImpl
 private import internal.FlowSummaryImpl::Public
 private import internal.FlowSummaryImpl::Private
@@ -166,8 +188,12 @@ predicate sinkModel(
   Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance, _)
 }
 
-/** Holds if a summary model exists for the given parameters. */
-predicate summaryModel(
+/**
+ * Holds if a summary model exists for the given parameters.
+ *
+ * This predicate does not expand `@` to `*`s.
+ */
+private predicate summaryModel0(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
   string input, string output, string kind, string provenance
 ) {
@@ -190,6 +216,33 @@ predicate summaryModel(
     provenance, _)
 }
 
+/**
+ * Holds if `input` is `input0`, but with all occurrences of `@` replaced
+ * by `n` repetitions of `*` (and similarly for `output` and `output0`).
+ */
+bindingset[input0, output0, n]
+pragma[inline_late]
+private predicate expandInputAndOutput(
+  string input0, string input, string output0, string output, int n
+) {
+  input = input0.replaceAll("@", repeatStars(n)) and
+  output = output0.replaceAll("@", repeatStars(n))
+}
+
+/**
+ * Holds if a summary model exists for the given parameters.
+ */
+predicate summaryModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string input, string output, string kind, string provenance
+) {
+  exists(string input0, string output0 |
+    summaryModel0(namespace, type, subtypes, name, signature, ext, input0, output0, kind, provenance) and
+    expandInputAndOutput(input0, input, output0, output,
+      [0 .. Private::getMaxElementContentIndirectionIndex() - 1])
+  )
+}
+
 private predicate relevantNamespace(string namespace) {
   sourceModel(namespace, _, _, _, _, _, _, _, _) or
   sinkModel(namespace, _, _, _, _, _, _, _, _) or
@@ -367,16 +420,155 @@ private predicate elementSpec(
   summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _)
 }
 
-private string paramsStringPart(Function c, int i) {
-  i = -1 and result = "(" and exists(c)
-  or
-  exists(int n, string p | c.getParameter(n).getType().toString() = p |
-    i = 2 * n and result = p
-    or
-    i = 2 * n - 1 and result = "," and n != 0
+/** Gets the fully templated version of `f`. */
+private Function getFullyTemplatedMemberFunction(Function f) {
+  not f.isFromUninstantiatedTemplate(_) and
+  exists(Class c, Class templateClass, int i |
+    c.isConstructedFrom(templateClass) and
+    f = c.getAMember(i) and
+    result = templateClass.getCanonicalMember(i)
+  )
+}
+
+/**
+ * Gets the type name of the `n`'th parameter of `f` without any template
+ * arguments.
+ */
+bindingset[f]
+pragma[inline_late]
+string getParameterTypeWithoutTemplateArguments(Function f, int n) {
+  exists(string s, string base, string specifiers |
+    s = f.getParameter(n).getType().getName() and
+    parseAngles(s, base, _, specifiers) and
+    result = base + specifiers
+  )
+}
+
+/**
+ * Normalize the `n`'th parameter of `f` by replacing template names
+ * with `func:N` (where `N` is the index of the template).
+ */
+private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remaining) {
+  exists(Function templateFunction |
+    templateFunction = getFullyTemplatedMemberFunction(f) and
+    remaining = templateFunction.getNumberOfTemplateArguments() and
+    result = getParameterTypeWithoutTemplateArguments(templateFunction, n)
   )
   or
-  i = 2 * c.getNumberOfParameters() and result = ")"
+  exists(string mid, TemplateParameter tp, Function templateFunction |
+    mid = getTypeNameWithoutFunctionTemplates(f, n, remaining + 1) and
+    templateFunction = getFullyTemplatedMemberFunction(f) and
+    tp = templateFunction.getTemplateArgument(remaining) and
+    result = mid.replaceAll(tp.getName(), "func:" + remaining.toString())
+  )
+}
+
+/**
+ * Normalize the `n`'th parameter of `f` by replacing template names
+ * with `class:N` (where `N` is the index of the template).
+ */
+private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
+  exists(Class template |
+    f.getDeclaringType().isConstructedFrom(template) and
+    remaining = template.getNumberOfTemplateArguments() and
+    result = getTypeNameWithoutFunctionTemplates(f, n, 0)
+  )
+  or
+  exists(string mid, TemplateParameter tp, Class template |
+    mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
+    f.getDeclaringType().isConstructedFrom(template) and
+    tp = template.getTemplateArgument(remaining) and
+    result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())
+  )
+}
+
+/** Gets the string representation of the `i`'th parameter of `c`. */
+private string getParameterTypeName(Function c, int i) {
+  result = getTypeNameWithoutClassTemplates(c, i, 0)
+}
+
+/** Splits `s` by `,` and gets the `i`'th element. */
+bindingset[s]
+pragma[inline_late]
+private string getAtIndex(string s, int i) {
+  result = s.splitAt(",", i) and
+  // when `s` is `""` and `i` is `0` we get `result = ""` which we don't want.
+  not (s = "" and i = 0)
+}
+
+/**
+ * Normalizes `partiallyNormalizedSignature` by replacing the `remaining`
+ * number of template arguments in `partiallyNormalizedSignature` with their
+ * index in `typeArgs`.
+ */
+private string getSignatureWithoutClassTemplateNames(
+  string partiallyNormalizedSignature, string typeArgs, string nameArgs, int remaining
+) {
+  elementSpecWithArguments0(_, _, _, partiallyNormalizedSignature, typeArgs, nameArgs) and
+  remaining = count(partiallyNormalizedSignature.indexOf(",")) + 1 and
+  result = partiallyNormalizedSignature
+  or
+  exists(string mid |
+    mid =
+      getSignatureWithoutClassTemplateNames(partiallyNormalizedSignature, typeArgs, nameArgs,
+        remaining + 1)
+  |
+    exists(string typeArg |
+      typeArg = getAtIndex(typeArgs, remaining) and
+      result = mid.replaceAll(typeArg, "class:" + remaining.toString())
+    )
+    or
+    // Make sure `remaining` is properly bound
+    remaining = [0 .. count(partiallyNormalizedSignature.indexOf(",")) + 1] and
+    not exists(getAtIndex(typeArgs, remaining)) and
+    result = mid
+  )
+}
+
+/**
+ * Normalizes `partiallyNormalizedSignature` by replacing:
+ * - _All_ the template arguments in `partiallyNormalizedSignature` that refer to
+ * template parameters in `typeArgs` with their index in `typeArgs`, and
+ * - The `remaining` number of template arguments in `partiallyNormalizedSignature`
+ * with their index in `nameArgs`.
+ */
+private string getSignatureWithoutFunctionTemplateNames(
+  string partiallyNormalizedSignature, string typeArgs, string nameArgs, int remaining
+) {
+  remaining = count(partiallyNormalizedSignature.indexOf(",")) + 1 and
+  result =
+    getSignatureWithoutClassTemplateNames(partiallyNormalizedSignature, typeArgs, nameArgs, 0)
+  or
+  exists(string mid |
+    mid =
+      getSignatureWithoutFunctionTemplateNames(partiallyNormalizedSignature, typeArgs, nameArgs,
+        remaining + 1)
+  |
+    exists(string nameArg |
+      nameArg = getAtIndex(nameArgs, remaining) and
+      result = mid.replaceAll(nameArg, "func:" + remaining.toString())
+    )
+    or
+    // Make sure `remaining` is properly bound
+    remaining = [0 .. count(partiallyNormalizedSignature.indexOf(",")) + 1] and
+    not exists(getAtIndex(nameArgs, remaining)) and
+    result = mid
+  )
+}
+
+private string paramsStringPart(Function c, int i) {
+  not c.isFromUninstantiatedTemplate(_) and
+  (
+    i = -1 and result = "(" and exists(c)
+    or
+    exists(int n, string p | getParameterTypeName(c, n) = p |
+      i = 2 * n and result = p
+      or
+      i = 2 * n - 1 and result = "," and n != 0
+    )
+    or
+    i = 2 * c.getNumberOfParameters() and result = ")"
+  )
 }
 
 /**
@@ -396,6 +588,193 @@ private predicate matchesSignature(Function func, string signature) {
   paramsString(func) = signature
 }
 
+/**
+ * Holds if `elementSpec(_, type, _, name, signature, _)` holds and
+ * - `typeArgs` represents the named template parameters supplied to `type`, and
+ * - `nameArgs` represents the named template parameters supplied to `name`, and
+ * - `normalizedSignature` is `signature`, except with
+ *    - template parameter names replaced by `func:i` if the template name is
+ *      the `i`'th entry in `nameArgs`, and
+ *    - template parameter names replaced by `class:i` if the template name is
+ *      the `i`'th entry in `typeArgs`.
+ *
+ * In other words, the string `normalizedSignature` represents a "normalized"
+ * signature with no mention of any free template parameters.
+ *
+ * For example, consider a summary row such as:
+ * ```
+ * elementSpec(_, "MyClass<B, C>", _, myFunc<A>, "(const A &,int,C,B *)", _)
+ * ```
+ * In this case, `normalizedSignature` will be `"(const func:0 &,int,class:1,class:0 *)"`.
+ */
+private predicate elementSpecWithArguments(
+  string signature, string type, string name, string normalizedSignature, string typeArgs,
+  string nameArgs
+) {
+  exists(string signatureWithoutParens |
+    elementSpecWithArguments0(signature, type, name, signatureWithoutParens, typeArgs, nameArgs) and
+    normalizedSignature =
+      getSignatureWithoutFunctionTemplateNames(signatureWithoutParens, typeArgs, nameArgs, 0)
+  )
+}
+
+/** Gets the `n`'th normalized signature parameter for the function `name` in class `type`. */
+private string getSignatureParameterName(string signature, string type, string name, int n) {
+  exists(string normalizedSignature |
+    elementSpecWithArguments(signature, type, name, normalizedSignature, _, _) and
+    result = getAtIndex(normalizedSignature, n)
+  )
+}
+
+/**
+ * Holds if the suffix containing the entries in `signature` starting at entry
+ * `i` matches the suffix containing the parameters of `func` starting at entry `i`.
+ *
+ * For example, consider the signature `(int,bool,char)` and a function:
+ * ```
+ * void f(int a, bool b, char c);
+ * ```
+ * 1. The predicate holds for `i = 2` because the suffix containing all the entries
+ * in `signature` starting at `2` is `char`, and suffix containing all the parameters
+ * of `func` starting at `2` is `char`.
+ * 2. The predicate holds for `i = 1` because the suffix containing all the entries
+ * in `signature` starting at `1` is `bool,char`, and the suffix containing all the
+ * parameters of `func` starting at `1` is `bool, char`.
+ * 3. The predicate holds for `i = 0` because the suffix containing all the entries
+ * in `signature` starting at `0` is `int,bool,char` and the suffix containing all
+ * the parameters of `func` starting at `0` is `int, bool, char`.
+ *
+ * When `paramsString(func)[i]` is `class:n` then the signature name is
+ * compared with the `n`'th name in `type`, and when `paramsString(func)[i]`
+ * is `func:n` then the signature name is compared with the `n`'th name
+ * in `name`.
+ */
+private predicate signatureMatches(Function func, string signature, string type, string name, int i) {
+  exists(string s |
+    s = getSignatureParameterName(signature, type, name, i) and
+    s = getParameterTypeName(func, i)
+  ) and
+  if exists(getParameterTypeName(func, i + 1))
+  then signatureMatches(func, signature, type, name, i + 1)
+  else i = count(signature.indexOf(","))
+}
+
+/**
+ * Internal: Do not use.
+ *
+ * This module only exists to expose internal predicates for testing purposes.
+ */
+module ExternalFlowDebug {
+  /**
+   * INTERNAL: Do not use.
+   *
+   * Exposed for testing purposes.
+   */
+  predicate signatureMatches_debug = signatureMatches/5;
+
+  /**
+   * INTERNAL: Do not use.
+   *
+   * Exposed for testing purposes.
+   */
+  predicate getSignatureParameterName_debug = getSignatureParameterName/4;
+
+  /**
+   * INTERNAL: Do not use.
+   *
+   * Exposed for testing purposes.
+   */
+  predicate getParameterTypeName_debug = getParameterTypeName/2;
+}
+
+/**
+ * Holds if `s` can be broken into a string of the form
+ * `beforeAngles<betweenAngles>`,
+ * or `s = beforeAngles` where `beforeAngles` does not have any brackets.
+ */
+bindingset[s]
+pragma[inline_late]
+private predicate parseAngles(
+  string s, string beforeAngles, string betweenAngles, string afterAngles
+) {
+  beforeAngles = s.regexpCapture("([^<]+)(?:<([^>]+)>(.*))?", 1) and
+  (
+    betweenAngles = s.regexpCapture("([^<]+)(?:<([^>]+)>(.*))?", 2) and
+    afterAngles = s.regexpCapture("([^<]+)(?:<([^>]+)>(.*))?", 3)
+    or
+    not exists(s.regexpCapture("([^<]+)(?:<([^>]+)>(.*))?", 2)) and
+    betweenAngles = "" and
+    afterAngles = ""
+  )
+}
+
+/** Holds if `s` can be broken into a string of the form `(betweenParens)`. */
+bindingset[s]
+pragma[inline_late]
+private predicate parseParens(string s, string betweenParens) { s = "(" + betweenParens + ")" }
+
+/**
+ * Holds if `elementSpec(_, type, _, name, signature, _)` and:
+ * - `type` introduces template parameters `typeArgs`, and
+ * - `name` introduces template parameters `nameArgs`, and
+ * - `signatureWithoutParens` equals `signature`, but with the surrounding
+ *    parentheses removed.
+ */
+private predicate elementSpecWithArguments0(
+  string signature, string type, string name, string signatureWithoutParens, string typeArgs,
+  string nameArgs
+) {
+  elementSpec(_, type, _, name, signature, _) and
+  parseAngles(name, _, nameArgs, "") and
+  (
+    type = "" and typeArgs = ""
+    or
+    parseAngles(type, _, typeArgs, "")
+  ) and
+  parseParens(signature, signatureWithoutParens)
+}
+
+/**
+ * Holds if `elementSpec(namespace, type, subtypes, name, signature, _)` and
+ * `method`'s signature matches `signature`.
+ *
+ * `signature` may contain template parameter names that are bound by `type` and `name`.
+ */
+pragma[nomagic]
+private predicate elementSpecMatchesSignature(
+  Function method, string namespace, string type, boolean subtypes, string name, string signature
+) {
+  elementSpec(namespace, pragma[only_bind_into](type), subtypes, pragma[only_bind_into](name),
+    pragma[only_bind_into](signature), _) and
+  signatureMatches(method, signature, type, name, 0)
+}
+
+/**
+ * Holds if `classWithMethod` has `method` named `name` (excluding any
+ * template parameters).
+ */
+bindingset[name]
+pragma[inline_late]
+private predicate hasClassAndName(Class classWithMethod, Function method, string name) {
+  exists(string nameWithoutArgs |
+    parseAngles(name, nameWithoutArgs, _, "") and
+    classWithMethod = method.getClassAndName(nameWithoutArgs)
+  )
+}
+
+/**
+ * Holds if `namedClass` is in namespace `namespace` and has
+ * name `type` (excluding any template parameters).
+ */
+bindingset[type, namespace]
+pragma[inline_late]
+private predicate hasQualifiedName(Class namedClass, string namespace, string type) {
+  exists(string typeWithoutArgs |
+    parseAngles(type, typeWithoutArgs, _, "") and
+    namedClass.hasQualifiedName(namespace, typeWithoutArgs)
+  )
+}
+
 /**
  * Gets the element in module `namespace` that satisfies the following properties:
  * 1. If the element is a member of a class-like type, then the class-like type has name `type`
@@ -410,8 +789,8 @@ pragma[nomagic]
 private Element interpretElement0(
   string namespace, string type, boolean subtypes, string name, string signature
 ) {
-  elementSpec(namespace, type, subtypes, name, signature, _) and
   (
+    elementSpec(namespace, type, subtypes, name, signature, _) and
     // Non-member functions
     exists(Function func |
       func.hasQualifiedName(namespace, name) and
@@ -423,21 +802,28 @@ private Element interpretElement0(
     )
     or
     // Member functions
-    exists(Class namedClass, Class classWithMethod, Function method |
-      classWithMethod = method.getClassAndName(name) and
-      namedClass.hasQualifiedName(namespace, type) and
-      matchesSignature(method, signature) and
-      result = method
-    |
-      // member declared in the named type or a subtype of it
-      subtypes = true and
-      classWithMethod = namedClass.getADerivedClass*()
-      or
-      // member declared directly in the named type
-      subtypes = false and
-      classWithMethod = namedClass
+    exists(Class namedClass, Class classWithMethod |
+      (
+        elementSpecMatchesSignature(result, namespace, type, subtypes, name, signature) and
+        hasClassAndName(classWithMethod, result, name)
+        or
+        signature = "" and
+        elementSpec(namespace, type, subtypes, name, "", _) and
+        hasClassAndName(classWithMethod, result, name)
+      ) and
+      hasQualifiedName(namedClass, namespace, type) and
+      (
+        // member declared in the named type or a subtype of it
+        subtypes = true and
+        classWithMethod = namedClass.getADerivedClass*()
+        or
+        // member declared directly in the named type
+        subtypes = false and
+        classWithMethod = namedClass
+      )
     )
     or
+    elementSpec(namespace, type, subtypes, name, signature, _) and
     // Member variables
     signature = "" and
     exists(Class namedClass, Class classWithMember, MemberVariable member |
@@ -456,6 +842,7 @@ private Element interpretElement0(
     )
     or
     // Global or namespace variables
+    elementSpec(namespace, type, subtypes, name, signature, _) and
     signature = "" and
     type = "" and
     subtypes = false and

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -216,7 +216,7 @@ predicate localMustFlowStep(Node node1, Node node2) { none() }
 
 /** Gets the type of `n` used for type pruning. */
 Type getNodeType(Node n) {
-  suppressUnusedNode(n) and
+  exists(n) and
   result instanceof VoidType // stub implementation
 }
 
@@ -227,13 +227,10 @@ string ppReprType(Type t) { none() } // stub implementation
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
  */
-pragma[inline]
 predicate compatibleTypes(Type t1, Type t2) {
-  any() // stub implementation
+  t1 instanceof VoidType and t2 instanceof VoidType // stub implementation
 }
 
-private predicate suppressUnusedNode(Node n) { any() }
-
 //////////////////////////////////////////////////////////////////////////////
 // Java QL library compatibility wrappers
 //////////////////////////////////////////////////////////////////////////////

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -35,16 +35,22 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
       result = "Field" and
       arg = repeatStars(c.getIndirectionIndex() - 1) + c.getField().getName()
     )
+    or
+    exists(ElementContent ec |
+      cs.isSingleton(ec) and
+      result = "Element" and
+      arg = repeatStars(ec.getIndirectionIndex() - 1)
+    )
   }
 
   string encodeWithoutContent(ContentSet c, string arg) {
     // used for type tracking, not currently used in C/C++.
-    result = "WithoutContent" + c and arg = ""
+    none()
   }
 
   string encodeWithContent(ContentSet c, string arg) {
     // used for type tracking, not currently used in C/C++.
-    result = "WithContent" + c and arg = ""
+    none()
   }
 
   /**
@@ -79,25 +85,6 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
     token.getName() = "Parameter" and
     result = decodePosition(token.getAnArgument())
   }
-
-  bindingset[token]
-  ContentSet decodeUnknownContent(AccessPath::AccessPathTokenBase token) {
-    // field content (no indirection support)
-    exists(FieldContent c |
-      result.isSingleton(c) and
-      token.getName() = c.getField().getName() and
-      not exists(token.getArgumentList()) and
-      c.getIndirectionIndex() = 1
-    )
-    or
-    // field content (with indirection support)
-    exists(FieldContent c |
-      result.isSingleton(c) and
-      token.getName() = c.getField().getName() and
-      // FieldContent indices have 0 for the address, 1 for content, so we need to subtract one.
-      token.getAnArgument() = repeatStars(c.getIndirectionIndex() - 1)
-    )
-  }
 }
 
 private import Make<Location, DataFlowImplSpecific::CppDataFlow, Input> as Impl

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -412,6 +412,8 @@ class ArgumentPosition = Position;
 
 abstract class Position extends TPosition {
   abstract string toString();
+
+  abstract int getIndirectionIndex();
 }
 
 class DirectPosition extends Position, TDirectPosition {
@@ -421,13 +423,15 @@ class DirectPosition extends Position, TDirectPosition {
 
   override string toString() {
     index = -1 and
-    result = "this"
+    result = "this pointer"
     or
     index != -1 and
     result = index.toString()
   }
 
   int getIndex() { result = index }
+
+  final override int getIndirectionIndex() { result = 0 }
 }
 
 class IndirectionPosition extends Position, TIndirectionPosition {
@@ -438,16 +442,13 @@ class IndirectionPosition extends Position, TIndirectionPosition {
 
   override string toString() {
     if argumentIndex = -1
-    then if indirectionIndex > 0 then result = "this indirection" else result = "this"
-    else
-      if indirectionIndex > 0
-      then result = argumentIndex.toString() + " indirection"
-      else result = argumentIndex.toString()
+    then result = repeatStars(indirectionIndex - 1) + "this"
+    else result = repeatStars(indirectionIndex) + argumentIndex.toString()
   }
 
   int getArgumentIndex() { result = argumentIndex }
 
-  int getIndirectionIndex() { result = indirectionIndex }
+  final override int getIndirectionIndex() { result = indirectionIndex }
 }
 
 newtype TPosition =
@@ -988,7 +989,7 @@ predicate localMustFlowStep(Node node1, Node node2) { none() }
 
 /** Gets the type of `n` used for type pruning. */
 DataFlowType getNodeType(Node n) {
-  suppressUnusedNode(n) and
+  exists(n) and
   result instanceof VoidType // stub implementation
 }
 
@@ -999,13 +1000,10 @@ string ppReprType(DataFlowType t) { none() } // stub implementation
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
  */
-pragma[inline]
 predicate compatibleTypes(DataFlowType t1, DataFlowType t2) {
-  any() // stub implementation
+  t1 instanceof VoidType and t2 instanceof VoidType // stub implementation
 }
 
-private predicate suppressUnusedNode(Node n) { any() }
-
 //////////////////////////////////////////////////////////////////////////////
 // Java QL library compatibility wrappers
 //////////////////////////////////////////////////////////////////////////////
@@ -1325,7 +1323,7 @@ import IsUnreachableInCall
  * Holds if access paths with `c` at their head always should be tracked at high
  * precision. This disables adaptive access path precision for such access paths.
  */
-predicate forceHighPrecision(Content c) { none() }
+predicate forceHighPrecision(Content c) { c instanceof ElementContent }
 
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) {
@@ -1396,7 +1394,8 @@ private predicate unionHasApproxName(Cpp::Union u, string s) { s = u.getName().c
 cached
 private newtype TContentApprox =
   TFieldApproxContent(string s) { fieldHasApproxName(_, s) } or
-  TUnionApproxContent(string s) { unionHasApproxName(_, s) }
+  TUnionApproxContent(string s) { unionHasApproxName(_, s) } or
+  TElementApproxContent()
 
 /** An approximated `Content`. */
 class ContentApprox extends TContentApprox {
@@ -1427,6 +1426,10 @@ private class UnionApproxContent extends ContentApprox, TUnionApproxContent {
   final override string toString() { result = s }
 }
 
+private class ElementApproxContent extends ContentApprox, TElementApproxContent {
+  final override string toString() { result = "ElementApprox" }
+}
+
 /** Gets an approximated value for content `c`. */
 pragma[inline]
 ContentApprox getContentApprox(Content c) {
@@ -1441,6 +1444,9 @@ ContentApprox getContentApprox(Content c) {
     u = c.(UnionContent).getUnion() and
     unionHasApproxName(u, prefix)
   )
+  or
+  c instanceof ElementContent and
+  result instanceof ElementApproxContent
 }
 
 /**
@@ -1700,6 +1706,14 @@ class DataFlowSecondLevelScope extends TDataFlowSecondLevelScope {
 /** Gets the second-level scope containing the node `n`, if any. */
 DataFlowSecondLevelScope getSecondLevelScope(Node n) { result.getANode() = n }
 
+/**
+ * Gets the maximum number of indirections to use for `ElementContent`.
+ *
+ * This should be equal to the largest number of stars (i.e., `*`s) in any
+ * `Element` content across all of our MaD summaries, sources, and sinks.
+ */
+int getMaxElementContentIndirectionIndex() { result = 5 }
+
 /**
  * Module that defines flow through iterators.
  * For example,
@@ -1812,7 +1826,7 @@ module IteratorFlow {
      * Holds if `(bb, i)` contains a write to an iterator that may have been obtained
      * by calling `begin` (or related functions) on the variable `v`.
      */
-    predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
+    predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {
       certain = false and
       exists(GetsIteratorCall beginCall, Instruction writeToDeref, IRBlock bbQual, int iQual |
         isIteratorStoreInstruction(beginCall, writeToDeref) and
@@ -1823,7 +1837,7 @@ module IteratorFlow {
     }
 
     /** Holds if `(bb, i)` reads the container variable `v`. */
-    predicate variableRead(IRBlock bb, int i, SourceVariable v, boolean certain) {
+    predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
       Ssa::variableRead(bb, i, v, certain)
     }
   }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -17,6 +17,7 @@ private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
 private import codeql.util.Unit
 private import Node0ToString
+import ExprNodes
 
 /**
  * The IR dataflow graph consists of the following nodes:
@@ -1296,466 +1297,6 @@ class UninitializedNode extends Node {
   LocalVariable getLocalVariable() { result = v }
 }
 
-private module GetConvertedResultExpression {
-  private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
-  private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
-
-  private Operand getAnInitializeDynamicAllocationInstructionAddress() {
-    result = any(InitializeDynamicAllocationInstruction init).getAllocationAddressOperand()
-  }
-
-  /**
-   * Gets the expression that should be returned as the result expression from `instr`.
-   *
-   * Note that this predicate may return multiple results in cases where a conversion belongs to a
-   * different AST element than its operand.
-   */
-  Expr getConvertedResultExpression(Instruction instr, int n) {
-    // Only fully converted instructions have a result for `asConvertedExpr`
-    not conversionFlow(unique(Operand op |
-        // The address operand of a `InitializeDynamicAllocationInstruction` is
-        // special: we need to handle it during dataflow (since it's
-        // effectively a store to an indirection), but it doesn't appear in
-        // source syntax, so dataflow node <-> expression conversion shouldn't
-        // care about it.
-        op = getAUse(instr) and not op = getAnInitializeDynamicAllocationInstructionAddress()
-      |
-        op
-      ), _, false, false) and
-    result = getConvertedResultExpressionImpl(instr) and
-    n = 0
-    or
-    // If the conversion also has a result then we return multiple results
-    exists(Operand operand | conversionFlow(operand, instr, false, false) |
-      n = 1 and
-      result = getConvertedResultExpressionImpl(operand.getDef())
-      or
-      result = getConvertedResultExpression(operand.getDef(), n - 1)
-    )
-  }
-
-  private Expr getConvertedResultExpressionImpl0(Instruction instr) {
-    // IR construction inserts an additional cast to a `size_t` on the extent
-    // of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
-    // a result for `getConvertedResultExpression`. We remap this here so that
-    // this `ConvertInstruction` maps to the result of the expression that
-    // represents the extent.
-    exists(TranslatedNonConstantAllocationSize tas |
-      result = tas.getExtent().getExpr() and
-      instr = tas.getInstruction(AllocationExtentConvertTag())
-    )
-    or
-    // There's no instruction that returns `ParenthesisExpr`, but some queries
-    // expect this
-    exists(TranslatedTransparentConversion ttc |
-      result = ttc.getExpr().(ParenthesisExpr) and
-      instr = ttc.getResult()
-    )
-    or
-    // Certain expressions generate `CopyValueInstruction`s only when they
-    // are needed. Examples of this include crement operations and compound
-    // assignment operations. For example:
-    // ```cpp
-    // int x = ...
-    // int y = x++;
-    // ```
-    // this generate IR like:
-    // ```
-    // r1(glval<int>) = VariableAddress[x] :
-    // r2(int)        = Constant[0]        :
-    // m3(int)        = Store[x]           : &:r1, r2
-    // r4(glval<int>) = VariableAddress[y] :
-    // r5(glval<int>) = VariableAddress[x] :
-    // r6(int)        = Load[x]            : &:r5, m3
-    // r7(int)        = Constant[1]        :
-    // r8(int)        = Add                : r6, r7
-    // m9(int)        = Store[x]           : &:r5, r8
-    // r11(int)       = CopyValue         : r6
-    // m12(int)       = Store[y]          : &:r4, r11
-    // ```
-    // When the `CopyValueInstruction` is not generated there is no instruction
-    // whose `getConvertedResultExpression` maps back to the expression. When
-    // such an instruction doesn't exist it means that the old value is not
-    // needed, and in that case the only value that will propagate forward in
-    // the program is the value that's been updated. So in those cases we just
-    // use the result of `node.asDefinition()` as the result of `node.asExpr()`.
-    exists(TranslatedCoreExpr tco |
-      tco.getInstruction(_) = instr and
-      tco.producesExprResult() and
-      result = asDefinitionImpl0(instr)
-    )
-  }
-
-  private Expr getConvertedResultExpressionImpl(Instruction instr) {
-    result = getConvertedResultExpressionImpl0(instr)
-    or
-    not exists(getConvertedResultExpressionImpl0(instr)) and
-    result = instr.getConvertedResultExpression()
-  }
-
-  /**
-   * Gets the result for `node.asDefinition()` (when `node` is the instruction
-   * node that wraps `store`) in the cases where `store.getAst()` should not be
-   * used to define the result of `node.asDefinition()`.
-   */
-  private Expr asDefinitionImpl0(StoreInstruction store) {
-    // For an expression such as `i += 2` we pretend that the generated
-    // `StoreInstruction` contains the result of the expression even though
-    // this isn't totally aligned with the C/C++ standard.
-    exists(TranslatedAssignOperation tao |
-      store = tao.getInstruction(AssignmentStoreTag()) and
-      result = tao.getExpr()
-    )
-    or
-    // Similarly for `i++` and `++i` we pretend that the generated
-    // `StoreInstruction` is contains the result of the expression even though
-    // this isn't totally aligned with the C/C++ standard.
-    exists(TranslatedCrementOperation tco |
-      store = tco.getInstruction(CrementStoreTag()) and
-      result = tco.getExpr()
-    )
-  }
-
-  /**
-   * Holds if the expression returned by `store.getAst()` should not be
-   * returned as the result of `node.asDefinition()` when `node` is the
-   * instruction node that wraps `store`.
-   */
-  private predicate excludeAsDefinitionResult(StoreInstruction store) {
-    // Exclude the store to the temporary generated by a ternary expression.
-    exists(TranslatedConditionalExpr tce |
-      store = tce.getInstruction(ConditionValueFalseStoreTag())
-      or
-      store = tce.getInstruction(ConditionValueTrueStoreTag())
-    )
-  }
-
-  /**
-   * Gets the expression that represents the result of `StoreInstruction` for
-   * dataflow purposes.
-   *
-   * For example, consider the following example
-   * ```cpp
-   * int x = 42;     // 1
-   * x = 34;         // 2
-   * ++x;            // 3
-   * x++;            // 4
-   * x += 1;         // 5
-   * int y = x += 2; // 6
-   * ```
-   * For (1) the result is `42`.
-   * For (2) the result is `x = 34`.
-   * For (3) the result is `++x`.
-   * For (4) the result is `x++`.
-   * For (5) the result is `x += 1`.
-   * For (6) there are two results:
-   *   - For the `StoreInstruction` generated by `x += 2` the result
-   *     is `x += 2`
-   *   - For the `StoreInstruction` generated by `int y = ...` the result
-   *     is also `x += 2`
-   */
-  Expr asDefinitionImpl(StoreInstruction store) {
-    not exists(asDefinitionImpl0(store)) and
-    not excludeAsDefinitionResult(store) and
-    result = store.getAst().(Expr).getUnconverted()
-    or
-    result = asDefinitionImpl0(store)
-  }
-}
-
-private import GetConvertedResultExpression
-
-/** Holds if `node` is an `OperandNode` that should map `node.asExpr()` to `e`. */
-predicate exprNodeShouldBeOperand(OperandNode node, Expr e, int n) {
-  not exprNodeShouldBeIndirectOperand(_, e, n) and
-  exists(Instruction def |
-    unique( | | getAUse(def)) = node.getOperand() and
-    e = getConvertedResultExpression(def, n)
-  )
-}
-
-/** Holds if `node` should be an `IndirectOperand` that maps `node.asIndirectExpr()` to `e`. */
-private predicate indirectExprNodeShouldBeIndirectOperand(
-  IndirectOperand node, Expr e, int n, int indirectionIndex
-) {
-  exists(Instruction def |
-    node.hasOperandAndIndirectionIndex(unique( | | getAUse(def)), indirectionIndex) and
-    e = getConvertedResultExpression(def, n)
-  )
-}
-
-/** Holds if `node` should be an `IndirectOperand` that maps `node.asExpr()` to `e`. */
-private predicate exprNodeShouldBeIndirectOperand(IndirectOperand node, Expr e, int n) {
-  exists(ArgumentOperand operand |
-    // When an argument (qualifier or positional) is a prvalue and the
-    // parameter (qualifier or positional) is a (const) reference, IR
-    // construction introduces a temporary `IRVariable`. The `VariableAddress`
-    // instruction has the argument as its `getConvertedResultExpression`
-    // result. However, the instruction actually represents the _address_ of
-    // the argument. So to fix this mismatch, we have the indirection of the
-    // `VariableAddressInstruction` map to the expression.
-    node.hasOperandAndIndirectionIndex(operand, 1) and
-    e = getConvertedResultExpression(operand.getDef(), n) and
-    operand.getDef().(VariableAddressInstruction).getIRVariable() instanceof IRTempVariable
-  )
-}
-
-private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e, int n) {
-  exists(CallInstruction call |
-    call.getStaticCallTarget() instanceof Constructor and
-    e = getConvertedResultExpression(call, n) and
-    call.getThisArgumentOperand() = node.getAddressOperand()
-  )
-}
-
-/** Holds if `node` should be an instruction node that maps `node.asExpr()` to `e`. */
-predicate exprNodeShouldBeInstruction(Node node, Expr e, int n) {
-  not exprNodeShouldBeOperand(_, e, n) and
-  not exprNodeShouldBeIndirectOutNode(_, e, n) and
-  not exprNodeShouldBeIndirectOperand(_, e, n) and
-  e = getConvertedResultExpression(node.asInstruction(), n)
-}
-
-/** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
-predicate indirectExprNodeShouldBeIndirectInstruction(
-  IndirectInstruction node, Expr e, int n, int indirectionIndex
-) {
-  not indirectExprNodeShouldBeIndirectOperand(_, e, n, indirectionIndex) and
-  exists(Instruction instr |
-    node.hasInstructionAndIndirectionIndex(instr, indirectionIndex) and
-    e = getConvertedResultExpression(instr, n)
-  )
-}
-
-abstract private class ExprNodeBase extends Node {
-  /**
-   * Gets the expression corresponding to this node, if any. The returned
-   * expression may be a `Conversion`.
-   */
-  abstract Expr getConvertedExpr(int n);
-
-  /** Gets the non-conversion expression corresponding to this node, if any. */
-  final Expr getExpr(int n) { result = this.getConvertedExpr(n).getUnconverted() }
-}
-
-/**
- * Holds if there exists a dataflow node whose `asExpr(n)` should evaluate
- * to `e`.
- */
-private predicate exprNodeShouldBe(Expr e, int n) {
-  exprNodeShouldBeInstruction(_, e, n) or
-  exprNodeShouldBeOperand(_, e, n) or
-  exprNodeShouldBeIndirectOutNode(_, e, n) or
-  exprNodeShouldBeIndirectOperand(_, e, n)
-}
-
-private class InstructionExprNode extends ExprNodeBase, InstructionNode {
-  InstructionExprNode() {
-    exists(Expr e, int n |
-      exprNodeShouldBeInstruction(this, e, n) and
-      not exists(Expr conv |
-        exprNodeShouldBe(conv, n + 1) and
-        conv.getUnconverted() = e.getUnconverted()
-      )
-    )
-  }
-
-  final override Expr getConvertedExpr(int n) { exprNodeShouldBeInstruction(this, result, n) }
-}
-
-private class OperandExprNode extends ExprNodeBase, OperandNode {
-  OperandExprNode() {
-    exists(Expr e, int n |
-      exprNodeShouldBeOperand(this, e, n) and
-      not exists(Expr conv |
-        exprNodeShouldBe(conv, n + 1) and
-        conv.getUnconverted() = e.getUnconverted()
-      )
-    )
-  }
-
-  final override Expr getConvertedExpr(int n) { exprNodeShouldBeOperand(this, result, n) }
-}
-
-abstract private class IndirectExprNodeBase extends Node {
-  /**
-   * Gets the expression corresponding to this node, if any. The returned
-   * expression may be a `Conversion`.
-   */
-  abstract Expr getConvertedExpr(int n, int indirectionIndex);
-
-  /** Gets the non-conversion expression corresponding to this node, if any. */
-  final Expr getExpr(int n, int indirectionIndex) {
-    result = this.getConvertedExpr(n, indirectionIndex).getUnconverted()
-  }
-}
-
-/** A signature for converting an indirect node to an expression. */
-private signature module IndirectNodeToIndirectExprSig {
-  /** The indirect node class to be converted to an expression */
-  class IndirectNode;
-
-  /**
-   * Holds if the indirect expression at indirection index `indirectionIndex`
-   * of `node` is `e`. The integer `n` specifies how many conversions has been
-   * applied to `node`.
-   */
-  predicate indirectNodeHasIndirectExpr(IndirectNode node, Expr e, int n, int indirectionIndex);
-}
-
-/**
- * A module that implements the logic for deciding whether an indirect node
- * should be an `IndirectExprNode`.
- */
-private module IndirectNodeToIndirectExpr<IndirectNodeToIndirectExprSig Sig> {
-  import Sig
-
-  /**
-   * This predicate shifts the indirection index by one when `conv` is a
-   * `ReferenceDereferenceExpr`.
-   *
-   * This is necessary because `ReferenceDereferenceExpr` is a conversion
-   * in the AST, but appears as a `LoadInstruction` in the IR.
-   */
-  bindingset[e, indirectionIndex]
-  private predicate adjustForReference(
-    Expr e, int indirectionIndex, Expr conv, int adjustedIndirectionIndex
-  ) {
-    conv.(ReferenceDereferenceExpr).getExpr() = e and
-    adjustedIndirectionIndex = indirectionIndex - 1
-    or
-    not conv instanceof ReferenceDereferenceExpr and
-    conv = e and
-    adjustedIndirectionIndex = indirectionIndex
-  }
-
-  /** Holds if `node` should be an `IndirectExprNode`. */
-  predicate charpred(IndirectNode node) {
-    exists(Expr e, int n, int indirectionIndex |
-      indirectNodeHasIndirectExpr(node, e, n, indirectionIndex) and
-      not exists(Expr conv, int adjustedIndirectionIndex |
-        adjustForReference(e, indirectionIndex, conv, adjustedIndirectionIndex) and
-        indirectExprNodeShouldBe(conv, n + 1, adjustedIndirectionIndex)
-      )
-    )
-  }
-}
-
-private predicate indirectExprNodeShouldBe(Expr e, int n, int indirectionIndex) {
-  indirectExprNodeShouldBeIndirectOperand(_, e, n, indirectionIndex) or
-  indirectExprNodeShouldBeIndirectInstruction(_, e, n, indirectionIndex)
-}
-
-private module IndirectOperandIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
-  class IndirectNode = IndirectOperand;
-
-  predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectOperand/4;
-}
-
-module IndirectOperandToIndirectExpr =
-  IndirectNodeToIndirectExpr<IndirectOperandIndirectExprNodeImpl>;
-
-private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase instanceof IndirectOperand
-{
-  IndirectOperandIndirectExprNode() { IndirectOperandToIndirectExpr::charpred(this) }
-
-  final override Expr getConvertedExpr(int n, int index) {
-    IndirectOperandToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
-  }
-}
-
-private module IndirectInstructionIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
-  class IndirectNode = IndirectInstruction;
-
-  predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectInstruction/4;
-}
-
-module IndirectInstructionToIndirectExpr =
-  IndirectNodeToIndirectExpr<IndirectInstructionIndirectExprNodeImpl>;
-
-private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase instanceof IndirectInstruction
-{
-  IndirectInstructionIndirectExprNode() { IndirectInstructionToIndirectExpr::charpred(this) }
-
-  final override Expr getConvertedExpr(int n, int index) {
-    IndirectInstructionToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
-  }
-}
-
-private class IndirectArgumentOutExprNode extends ExprNodeBase, IndirectArgumentOutNode {
-  IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _, _) }
-
-  final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOutNode(this, result, n) }
-}
-
-private class IndirectOperandExprNode extends ExprNodeBase instanceof IndirectOperand {
-  IndirectOperandExprNode() { exprNodeShouldBeIndirectOperand(this, _, _) }
-
-  final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOperand(this, result, n) }
-}
-
-/**
- * An expression, viewed as a node in a data flow graph.
- */
-class ExprNode extends Node instanceof ExprNodeBase {
-  /**
-   * INTERNAL: Do not use.
-   */
-  Expr getExpr(int n) { result = super.getExpr(n) }
-
-  /**
-   * Gets the non-conversion expression corresponding to this node, if any. If
-   * this node strictly (in the sense of `getConvertedExpr`) corresponds to a
-   * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
-   * expression.
-   */
-  final Expr getExpr() { result = this.getExpr(_) }
-
-  /**
-   * INTERNAL: Do not use.
-   */
-  Expr getConvertedExpr(int n) { result = super.getConvertedExpr(n) }
-
-  /**
-   * Gets the expression corresponding to this node, if any. The returned
-   * expression may be a `Conversion`.
-   */
-  final Expr getConvertedExpr() { result = this.getConvertedExpr(_) }
-}
-
-/**
- * An indirect expression, viewed as a node in a data flow graph.
- */
-class IndirectExprNode extends Node instanceof IndirectExprNodeBase {
-  /**
-   * Gets the non-conversion expression corresponding to this node, if any. If
-   * this node strictly (in the sense of `getConvertedExpr`) corresponds to a
-   * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
-   * expression.
-   */
-  final Expr getExpr(int indirectionIndex) { result = this.getExpr(_, indirectionIndex) }
-
-  /**
-   * INTERNAL: Do not use.
-   */
-  Expr getExpr(int n, int indirectionIndex) { result = super.getExpr(n, indirectionIndex) }
-
-  /**
-   * INTERNAL: Do not use.
-   */
-  Expr getConvertedExpr(int n, int indirectionIndex) {
-    result = super.getConvertedExpr(n, indirectionIndex)
-  }
-
-  /**
-   * Gets the expression corresponding to this node, if any. The returned
-   * expression may be a `Conversion`.
-   */
-  Expr getConvertedExpr(int indirectionIndex) {
-    result = this.getConvertedExpr(_, indirectionIndex)
-  }
-}
-
 abstract private class AbstractParameterNode extends Node {
   /**
    * Holds if this node is the parameter of `f` at the specified position. The
@@ -2542,6 +2083,9 @@ private newtype TContent =
       indirectionIndex =
         [1 .. max(Ssa::getMaxIndirectionsForType(getAFieldWithSize(u, bytes).getUnspecifiedType()))]
     )
+  } or
+  TElementContent(int indirectionIndex) {
+    indirectionIndex = [1 .. getMaxElementContentIndirectionIndex()]
   }
 
 /**
@@ -2652,6 +2196,25 @@ class UnionContent extends Content, TUnionContent {
   }
 }
 
+/**
+ * A `Content` that represents one of the elements of a
+ * container (e.g., `std::vector`).
+ */
+class ElementContent extends Content, TElementContent {
+  int indirectionIndex;
+
+  ElementContent() { this = TElementContent(indirectionIndex) }
+
+  pragma[inline]
+  override int getIndirectionIndex() {
+    pragma[only_bind_into](result) = pragma[only_bind_out](indirectionIndex)
+  }
+
+  override predicate impliesClearOf(Content c) { none() }
+
+  override string toString() { result = contentStars(this) + "element" }
+}
+
 /**
  * An entity that represents a set of `Content`s.
  *

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ExprNodes.qll

@@ -0,0 +1,518 @@
+/**
+ * Provides the classes `ExprNode` and `IndirectExprNode` for converting between `Expr` and `Node`.
+ */
+
+private import cpp
+private import semmle.code.cpp.ir.IR
+private import DataFlowUtil
+private import DataFlowPrivate
+private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
+private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
+
+cached
+private module Cached {
+  private Operand getAnInitializeDynamicAllocationInstructionAddress() {
+    result = any(InitializeDynamicAllocationInstruction init).getAllocationAddressOperand()
+  }
+
+  /**
+   * Gets the expression that should be returned as the result expression from `instr`.
+   *
+   * Note that this predicate may return multiple results in cases where a conversion belongs to a
+   * different AST element than its operand.
+   */
+  private Expr getConvertedResultExpression(Instruction instr, int n) {
+    // Only fully converted instructions have a result for `asConvertedExpr`
+    not conversionFlow(unique(Operand op |
+        // The address operand of a `InitializeDynamicAllocationInstruction` is
+        // special: we need to handle it during dataflow (since it's
+        // effectively a store to an indirection), but it doesn't appear in
+        // source syntax, so dataflow node <-> expression conversion shouldn't
+        // care about it.
+        op = getAUse(instr) and not op = getAnInitializeDynamicAllocationInstructionAddress()
+      |
+        op
+      ), _, false, false) and
+    result = getConvertedResultExpressionImpl(instr) and
+    n = 0
+    or
+    // If the conversion also has a result then we return multiple results
+    exists(Operand operand | conversionFlow(operand, instr, false, false) |
+      n = 1 and
+      result = getConvertedResultExpressionImpl(operand.getDef())
+      or
+      result = getConvertedResultExpression(operand.getDef(), n - 1)
+    )
+  }
+
+  private Expr getConvertedResultExpressionImpl0(Instruction instr) {
+    // IR construction inserts an additional cast to a `size_t` on the extent
+    // of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
+    // a result for `getConvertedResultExpression`. We remap this here so that
+    // this `ConvertInstruction` maps to the result of the expression that
+    // represents the extent.
+    exists(TranslatedNonConstantAllocationSize tas |
+      result = tas.getExtent().getExpr() and
+      instr = tas.getInstruction(AllocationExtentConvertTag())
+    )
+    or
+    // There's no instruction that returns `ParenthesisExpr`, but some queries
+    // expect this
+    exists(TranslatedTransparentConversion ttc |
+      result = ttc.getExpr().(ParenthesisExpr) and
+      instr = ttc.getResult()
+    )
+    or
+    // Certain expressions generate `CopyValueInstruction`s only when they
+    // are needed. Examples of this include crement operations and compound
+    // assignment operations. For example:
+    // ```cpp
+    // int x = ...
+    // int y = x++;
+    // ```
+    // this generate IR like:
+    // ```
+    // r1(glval<int>) = VariableAddress[x] :
+    // r2(int)        = Constant[0]        :
+    // m3(int)        = Store[x]           : &:r1, r2
+    // r4(glval<int>) = VariableAddress[y] :
+    // r5(glval<int>) = VariableAddress[x] :
+    // r6(int)        = Load[x]            : &:r5, m3
+    // r7(int)        = Constant[1]        :
+    // r8(int)        = Add                : r6, r7
+    // m9(int)        = Store[x]           : &:r5, r8
+    // r11(int)       = CopyValue         : r6
+    // m12(int)       = Store[y]          : &:r4, r11
+    // ```
+    // When the `CopyValueInstruction` is not generated there is no instruction
+    // whose `getConvertedResultExpression` maps back to the expression. When
+    // such an instruction doesn't exist it means that the old value is not
+    // needed, and in that case the only value that will propagate forward in
+    // the program is the value that's been updated. So in those cases we just
+    // use the result of `node.asDefinition()` as the result of `node.asExpr()`.
+    exists(TranslatedCoreExpr tco |
+      tco.getInstruction(_) = instr and
+      tco.producesExprResult() and
+      result = asDefinitionImpl0(instr)
+    )
+  }
+
+  private Expr getConvertedResultExpressionImpl(Instruction instr) {
+    result = getConvertedResultExpressionImpl0(instr)
+    or
+    not exists(getConvertedResultExpressionImpl0(instr)) and
+    result = instr.getConvertedResultExpression()
+  }
+
+  /**
+   * Gets the result for `node.asDefinition()` (when `node` is the instruction
+   * node that wraps `store`) in the cases where `store.getAst()` should not be
+   * used to define the result of `node.asDefinition()`.
+   */
+  private Expr asDefinitionImpl0(StoreInstruction store) {
+    // For an expression such as `i += 2` we pretend that the generated
+    // `StoreInstruction` contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedAssignOperation tao |
+      store = tao.getInstruction(AssignmentStoreTag()) and
+      result = tao.getExpr()
+    )
+    or
+    // Similarly for `i++` and `++i` we pretend that the generated
+    // `StoreInstruction` is contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedCrementOperation tco |
+      store = tco.getInstruction(CrementStoreTag()) and
+      result = tco.getExpr()
+    )
+  }
+
+  /**
+   * Holds if the expression returned by `store.getAst()` should not be
+   * returned as the result of `node.asDefinition()` when `node` is the
+   * instruction node that wraps `store`.
+   */
+  private predicate excludeAsDefinitionResult(StoreInstruction store) {
+    // Exclude the store to the temporary generated by a ternary expression.
+    exists(TranslatedConditionalExpr tce |
+      store = tce.getInstruction(ConditionValueFalseStoreTag())
+      or
+      store = tce.getInstruction(ConditionValueTrueStoreTag())
+    )
+  }
+
+  /**
+   * Gets the expression that represents the result of `StoreInstruction` for
+   * dataflow purposes.
+   *
+   * For example, consider the following example
+   * ```cpp
+   * int x = 42;     // 1
+   * x = 34;         // 2
+   * ++x;            // 3
+   * x++;            // 4
+   * x += 1;         // 5
+   * int y = x += 2; // 6
+   * ```
+   * For (1) the result is `42`.
+   * For (2) the result is `x = 34`.
+   * For (3) the result is `++x`.
+   * For (4) the result is `x++`.
+   * For (5) the result is `x += 1`.
+   * For (6) there are two results:
+   *   - For the `StoreInstruction` generated by `x += 2` the result
+   *     is `x += 2`
+   *   - For the `StoreInstruction` generated by `int y = ...` the result
+   *     is also `x += 2`
+   */
+  cached
+  Expr asDefinitionImpl(StoreInstruction store) {
+    not exists(asDefinitionImpl0(store)) and
+    not excludeAsDefinitionResult(store) and
+    result = store.getAst().(Expr).getUnconverted()
+    or
+    result = asDefinitionImpl0(store)
+  }
+
+  /** Holds if `node` is an `OperandNode` that should map `node.asExpr()` to `e`. */
+  private predicate exprNodeShouldBeOperand(OperandNode node, Expr e, int n) {
+    not exprNodeShouldBeIndirectOperand(_, e, n) and
+    exists(Instruction def |
+      unique( | | getAUse(def)) = node.getOperand() and
+      e = getConvertedResultExpression(def, n)
+    )
+  }
+
+  /** Holds if `node` should be an `IndirectOperand` that maps `node.asIndirectExpr()` to `e`. */
+  private predicate indirectExprNodeShouldBeIndirectOperand(
+    IndirectOperand node, Expr e, int n, int indirectionIndex
+  ) {
+    exists(Instruction def |
+      node.hasOperandAndIndirectionIndex(unique( | | getAUse(def)), indirectionIndex) and
+      e = getConvertedResultExpression(def, n)
+    )
+  }
+
+  /** Holds if `operand`'s definition is a `VariableAddressInstruction` whose variable is a temporary */
+  private predicate isIRTempVariable(Operand operand) {
+    operand.getDef().(VariableAddressInstruction).getIRVariable() instanceof IRTempVariable
+  }
+
+  /**
+   * Holds if `node` is an indirect operand whose operand is an argument, and
+   * the `n`'th expression associated with the operand is `e`.
+   */
+  private predicate isIndirectOperandOfArgument(
+    IndirectOperand node, ArgumentOperand operand, Expr e, int n
+  ) {
+    node.hasOperandAndIndirectionIndex(operand, 1) and
+    e = getConvertedResultExpression(operand.getDef(), n)
+  }
+
+  /**
+   * Holds if `opFrom` is an operand to a conversion, and `opTo` is the unique
+   * use of the conversion.
+   */
+  private predicate isConversionStep(Operand opFrom, Operand opTo) {
+    exists(Instruction mid |
+      conversionFlow(opFrom, mid, false, false) and
+      opTo = unique( | | getAUse(mid))
+    )
+  }
+
+  /**
+   * Holds if an operand that satisfies `isIRTempVariable` flows to `op`
+   * through a (possibly empty) sequence of conversions.
+   */
+  private predicate irTempOperandConversionFlows(Operand op) {
+    isIRTempVariable(op)
+    or
+    exists(Operand mid |
+      irTempOperandConversionFlows(mid) and
+      isConversionStep(mid, op)
+    )
+  }
+
+  /** Holds if `node` should be an `IndirectOperand` that maps `node.asExpr()` to `e`. */
+  private predicate exprNodeShouldBeIndirectOperand(IndirectOperand node, Expr e, int n) {
+    exists(ArgumentOperand operand |
+      // When an argument (qualifier or positional) is a prvalue and the
+      // parameter (qualifier or positional) is a (const) reference, IR
+      // construction introduces a temporary `IRVariable`. The `VariableAddress`
+      // instruction has the argument as its `getConvertedResultExpression`
+      // result. However, the instruction actually represents the _address_ of
+      // the argument. So to fix this mismatch, we have the indirection of the
+      // `VariableAddressInstruction` map to the expression.
+      isIndirectOperandOfArgument(node, operand, e, n) and
+      irTempOperandConversionFlows(operand)
+    )
+  }
+
+  private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e, int n) {
+    exists(CallInstruction call |
+      call.getStaticCallTarget() instanceof Constructor and
+      e = getConvertedResultExpression(call, n) and
+      call.getThisArgumentOperand() = node.getAddressOperand()
+    )
+  }
+
+  /** Holds if `node` should be an instruction node that maps `node.asExpr()` to `e`. */
+  private predicate exprNodeShouldBeInstruction(Node node, Expr e, int n) {
+    not exprNodeShouldBeOperand(_, e, n) and
+    not exprNodeShouldBeIndirectOutNode(_, e, n) and
+    not exprNodeShouldBeIndirectOperand(_, e, n) and
+    e = getConvertedResultExpression(node.asInstruction(), n)
+  }
+
+  /** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
+  private predicate indirectExprNodeShouldBeIndirectInstruction(
+    IndirectInstruction node, Expr e, int n, int indirectionIndex
+  ) {
+    not indirectExprNodeShouldBeIndirectOperand(_, e, n, indirectionIndex) and
+    exists(Instruction instr |
+      node.hasInstructionAndIndirectionIndex(instr, indirectionIndex) and
+      e = getConvertedResultExpression(instr, n)
+    )
+  }
+
+  abstract private class ExprNodeBase extends Node {
+    /**
+     * Gets the expression corresponding to this node, if any. The returned
+     * expression may be a `Conversion`.
+     */
+    abstract Expr getConvertedExpr(int n);
+
+    /** Gets the non-conversion expression corresponding to this node, if any. */
+    final Expr getExpr(int n) { result = this.getConvertedExpr(n).getUnconverted() }
+  }
+
+  /**
+   * Holds if there exists a dataflow node whose `asExpr(n)` should evaluate
+   * to `e`.
+   */
+  private predicate exprNodeShouldBe(Expr e, int n) {
+    exprNodeShouldBeInstruction(_, e, n) or
+    exprNodeShouldBeOperand(_, e, n) or
+    exprNodeShouldBeIndirectOutNode(_, e, n) or
+    exprNodeShouldBeIndirectOperand(_, e, n)
+  }
+
+  private class InstructionExprNode extends ExprNodeBase, InstructionNode {
+    InstructionExprNode() {
+      exists(Expr e, int n |
+        exprNodeShouldBeInstruction(this, e, n) and
+        not exists(Expr conv |
+          exprNodeShouldBe(conv, n + 1) and
+          conv.getUnconverted() = e.getUnconverted()
+        )
+      )
+    }
+
+    final override Expr getConvertedExpr(int n) { exprNodeShouldBeInstruction(this, result, n) }
+  }
+
+  private class OperandExprNode extends ExprNodeBase, OperandNode {
+    OperandExprNode() {
+      exists(Expr e, int n |
+        exprNodeShouldBeOperand(this, e, n) and
+        not exists(Expr conv |
+          exprNodeShouldBe(conv, n + 1) and
+          conv.getUnconverted() = e.getUnconverted()
+        )
+      )
+    }
+
+    final override Expr getConvertedExpr(int n) { exprNodeShouldBeOperand(this, result, n) }
+  }
+
+  abstract private class IndirectExprNodeBase extends Node {
+    /**
+     * Gets the expression corresponding to this node, if any. The returned
+     * expression may be a `Conversion`.
+     */
+    abstract Expr getConvertedExpr(int n, int indirectionIndex);
+
+    /** Gets the non-conversion expression corresponding to this node, if any. */
+    final Expr getExpr(int n, int indirectionIndex) {
+      result = this.getConvertedExpr(n, indirectionIndex).getUnconverted()
+    }
+  }
+
+  /** A signature for converting an indirect node to an expression. */
+  private signature module IndirectNodeToIndirectExprSig {
+    /** The indirect node class to be converted to an expression */
+    class IndirectNode;
+
+    /**
+     * Holds if the indirect expression at indirection index `indirectionIndex`
+     * of `node` is `e`. The integer `n` specifies how many conversions has been
+     * applied to `node`.
+     */
+    predicate indirectNodeHasIndirectExpr(IndirectNode node, Expr e, int n, int indirectionIndex);
+  }
+
+  /**
+   * A module that implements the logic for deciding whether an indirect node
+   * should be an `IndirectExprNode`.
+   */
+  private module IndirectNodeToIndirectExpr<IndirectNodeToIndirectExprSig Sig> {
+    import Sig
+
+    /**
+     * This predicate shifts the indirection index by one when `conv` is a
+     * `ReferenceDereferenceExpr`.
+     *
+     * This is necessary because `ReferenceDereferenceExpr` is a conversion
+     * in the AST, but appears as a `LoadInstruction` in the IR.
+     */
+    bindingset[e, indirectionIndex]
+    private predicate adjustForReference(
+      Expr e, int indirectionIndex, Expr conv, int adjustedIndirectionIndex
+    ) {
+      conv.(ReferenceDereferenceExpr).getExpr() = e and
+      adjustedIndirectionIndex = indirectionIndex - 1
+      or
+      not conv instanceof ReferenceDereferenceExpr and
+      conv = e and
+      adjustedIndirectionIndex = indirectionIndex
+    }
+
+    /** Holds if `node` should be an `IndirectExprNode`. */
+    predicate charpred(IndirectNode node) {
+      exists(Expr e, int n, int indirectionIndex |
+        indirectNodeHasIndirectExpr(node, e, n, indirectionIndex) and
+        not exists(Expr conv, int adjustedIndirectionIndex |
+          adjustForReference(e, indirectionIndex, conv, adjustedIndirectionIndex) and
+          indirectExprNodeShouldBe(conv, n + 1, adjustedIndirectionIndex)
+        )
+      )
+    }
+  }
+
+  private predicate indirectExprNodeShouldBe(Expr e, int n, int indirectionIndex) {
+    indirectExprNodeShouldBeIndirectOperand(_, e, n, indirectionIndex) or
+    indirectExprNodeShouldBeIndirectInstruction(_, e, n, indirectionIndex)
+  }
+
+  private module IndirectOperandIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
+    class IndirectNode = IndirectOperand;
+
+    predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectOperand/4;
+  }
+
+  module IndirectOperandToIndirectExpr =
+    IndirectNodeToIndirectExpr<IndirectOperandIndirectExprNodeImpl>;
+
+  private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase instanceof IndirectOperand
+  {
+    IndirectOperandIndirectExprNode() { IndirectOperandToIndirectExpr::charpred(this) }
+
+    final override Expr getConvertedExpr(int n, int index) {
+      IndirectOperandToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
+    }
+  }
+
+  private module IndirectInstructionIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
+    class IndirectNode = IndirectInstruction;
+
+    predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectInstruction/4;
+  }
+
+  module IndirectInstructionToIndirectExpr =
+    IndirectNodeToIndirectExpr<IndirectInstructionIndirectExprNodeImpl>;
+
+  private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase instanceof IndirectInstruction
+  {
+    IndirectInstructionIndirectExprNode() { IndirectInstructionToIndirectExpr::charpred(this) }
+
+    final override Expr getConvertedExpr(int n, int index) {
+      IndirectInstructionToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
+    }
+  }
+
+  private class IndirectArgumentOutExprNode extends ExprNodeBase, IndirectArgumentOutNode {
+    IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _, _) }
+
+    final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOutNode(this, result, n) }
+  }
+
+  private class IndirectOperandExprNode extends ExprNodeBase instanceof IndirectOperand {
+    IndirectOperandExprNode() { exprNodeShouldBeIndirectOperand(this, _, _) }
+
+    final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOperand(this, result, n) }
+  }
+
+  /**
+   * An expression, viewed as a node in a data flow graph.
+   */
+  cached
+  class ExprNode extends Node instanceof ExprNodeBase {
+    /**
+     * INTERNAL: Do not use.
+     */
+    cached
+    Expr getExpr(int n) { result = super.getExpr(n) }
+
+    /**
+     * Gets the non-conversion expression corresponding to this node, if any. If
+     * this node strictly (in the sense of `getConvertedExpr`) corresponds to a
+     * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
+     * expression.
+     */
+    cached
+    final Expr getExpr() { result = this.getExpr(_) }
+
+    /**
+     * INTERNAL: Do not use.
+     */
+    cached
+    Expr getConvertedExpr(int n) { result = super.getConvertedExpr(n) }
+
+    /**
+     * Gets the expression corresponding to this node, if any. The returned
+     * expression may be a `Conversion`.
+     */
+    cached
+    final Expr getConvertedExpr() { result = this.getConvertedExpr(_) }
+  }
+
+  /**
+   * An indirect expression, viewed as a node in a data flow graph.
+   */
+  cached
+  class IndirectExprNode extends Node instanceof IndirectExprNodeBase {
+    /**
+     * Gets the non-conversion expression corresponding to this node, if any. If
+     * this node strictly (in the sense of `getConvertedExpr`) corresponds to a
+     * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
+     * expression.
+     */
+    cached
+    final Expr getExpr(int indirectionIndex) { result = this.getExpr(_, indirectionIndex) }
+
+    /**
+     * INTERNAL: Do not use.
+     */
+    cached
+    Expr getExpr(int n, int indirectionIndex) { result = super.getExpr(n, indirectionIndex) }
+
+    /**
+     * INTERNAL: Do not use.
+     */
+    cached
+    Expr getConvertedExpr(int n, int indirectionIndex) {
+      result = super.getConvertedExpr(n, indirectionIndex)
+    }
+
+    /**
+     * Gets the expression corresponding to this node, if any. The returned
+     * expression may be a `Conversion`.
+     */
+    cached
+    Expr getConvertedExpr(int indirectionIndex) {
+      result = this.getConvertedExpr(_, indirectionIndex)
+    }
+  }
+}
+
+import Cached

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -981,7 +981,7 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
    * Holds if the `i`'th write in block `bb` writes to the variable `v`.
    * `certain` is `true` if the write is guaranteed to overwrite the entire variable.
    */
-  predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
+  predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {
     DataFlowImplCommon::forceCachingInSameStage() and
     (
       exists(DefImpl def | def.hasIndexInBlock(bb, i, v) |
@@ -999,7 +999,7 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
    * Holds if the `i`'th read in block `bb` reads to the variable `v`.
    * `certain` is `true` if the read is guaranteed. For C++, this is always the case.
    */
-  predicate variableRead(IRBlock bb, int i, SourceVariable v, boolean certain) {
+  predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
     exists(UseImpl use | use.hasIndexInBlock(bb, i, v) |
       if use.isCertain() then certain = true else certain = false
     )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -757,13 +757,19 @@ import Cached
  * between the SSA pruning stage, and the final SSA stage.
  */
 module InputSigCommon {
-  class BasicBlock = IRBlock;
+  class BasicBlock extends IRBlock {
+    ControlFlowNode getNode(int i) { result = this.getInstruction(i) }
+
+    int length() { result = this.getInstructionCount() }
+  }
+
+  class ControlFlowNode = Instruction;
 
   BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { result.immediatelyDominates(bb) }
 
   BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
 
-  class ExitBasicBlock extends IRBlock {
+  class ExitBasicBlock extends BasicBlock {
     ExitBasicBlock() { this.getLastInstruction() instanceof ExitFunctionInstruction }
   }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -147,7 +147,10 @@ predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink, st
  * of `c` at sinks and inputs to additional taint steps.
  */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) {
+  node instanceof ArgumentNode and
+  c.isSingleton(any(ElementContent ec))
+}
 
 /**
  * Holds if `node` should be a sanitizer in all global taint flow configurations

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll

@@ -1,3 +1,3 @@
-import semmle.code.cpp.ir.implementation.aliased_ssa.IR
+import semmle.code.cpp.ir.implementation.raw.IR
 import semmle.code.cpp.ir.internal.Overlap
 import semmle.code.cpp.ir.internal.IRCppLanguage as Language

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll

@@ -1,3 +1,3 @@
-import semmle.code.cpp.ir.implementation.aliased_ssa.IR
+import semmle.code.cpp.ir.implementation.unaliased_ssa.IR
 import semmle.code.cpp.ir.internal.Overlap
 import semmle.code.cpp.ir.internal.IRCppLanguage as Language

cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll

@@ -7,119 +7,6 @@
 import semmle.code.cpp.models.interfaces.Allocation
 import semmle.code.cpp.models.interfaces.Taint
 
-/**
- * An allocation function (such as `malloc`) that has an argument for the size
- * in bytes.
- */
-private class MallocAllocationFunction extends AllocationFunction {
-  int sizeArg;
-
-  MallocAllocationFunction() {
-    // --- C library allocation
-    this.hasGlobalOrStdOrBslName("malloc") and // malloc(size)
-    sizeArg = 0
-    or
-    this.hasGlobalName([
-        // --- Windows Memory Management for Windows Drivers
-        "MmAllocateContiguousMemory", // MmAllocateContiguousMemory(size, maxaddress)
-        "MmAllocateContiguousNodeMemory", // MmAllocateContiguousNodeMemory(size, minaddress, maxaddress, bound, flag, prefer)
-        "MmAllocateContiguousMemorySpecifyCache", // MmAllocateContiguousMemorySpecifyCache(size, minaddress, maxaddress, bound, type)
-        "MmAllocateContiguousMemorySpecifyCacheNode", // MmAllocateContiguousMemorySpecifyCacheNode(size, minaddress, maxaddress, bound, type, prefer)
-        "MmAllocateNonCachedMemory", // MmAllocateNonCachedMemory(size)
-        "MmAllocateMappingAddress", // MmAllocateMappingAddress(size, tag)
-        // --- Windows COM allocation
-        "CoTaskMemAlloc", // CoTaskMemAlloc(size)
-        // --- Solaris/BSD kernel memory allocator
-        "kmem_alloc", // kmem_alloc(size, flags)
-        "kmem_zalloc", // kmem_zalloc(size, flags)
-        // --- OpenSSL memory allocation
-        "CRYPTO_malloc", // CRYPTO_malloc(size_t num, const char *file, int line)
-        "CRYPTO_zalloc", // CRYPTO_zalloc(size_t num, const char *file, int line)
-        "CRYPTO_secure_malloc", // CRYPTO_secure_malloc(size_t num, const char *file, int line)
-        "CRYPTO_secure_zalloc", // CRYPTO_secure_zalloc(size_t num, const char *file, int line)
-        "g_malloc", // g_malloc (n_bytes);
-        "g_try_malloc" // g_try_malloc(n_bytes);
-      ]) and
-    sizeArg = 0
-    or
-    this.hasGlobalName([
-        // --- Windows Memory Management for Windows Drivers
-        "ExAllocatePool", // ExAllocatePool(type, size)
-        "ExAllocatePool2", // ExAllocatePool2(flags, size, tag)
-        "ExAllocatePool3", // ExAllocatePool3(flags, size, tag, extparams, extparamscount)
-        "ExAllocatePoolWithTag", // ExAllocatePool(type, size, tag)
-        "ExAllocatePoolWithTagPriority", // ExAllocatePoolWithTagPriority(type, size, tag, priority)
-        "ExAllocatePoolWithQuota", // ExAllocatePoolWithQuota(type, size)
-        "ExAllocatePoolWithQuotaTag", // ExAllocatePoolWithQuotaTag(type, size, tag)
-        "ExAllocatePoolZero", // ExAllocatePoolZero(type, size, tag)
-        "IoAllocateMdl", // IoAllocateMdl(address, size, flag, flag, irp)
-        "IoAllocateErrorLogEntry", // IoAllocateErrorLogEntry(object, size)
-        // --- Windows Global / Local legacy allocation
-        "LocalAlloc", // LocalAlloc(flags, size)
-        "GlobalAlloc", // GlobalAlloc(flags, size)
-        // --- Windows System Services allocation
-        "VirtualAlloc" // VirtualAlloc(address, size, type, flag)
-      ]) and
-    sizeArg = 1
-    or
-    this.hasGlobalName("HeapAlloc") and // HeapAlloc(heap, flags, size)
-    sizeArg = 2
-    or
-    this.hasGlobalName([
-        // --- Windows Memory Management for Windows Drivers
-        "MmAllocatePagesForMdl", // MmAllocatePagesForMdl(minaddress, maxaddress, skip, size)
-        "MmAllocatePagesForMdlEx", // MmAllocatePagesForMdlEx(minaddress, maxaddress, skip, size, type, flags)
-        "MmAllocateNodePagesForMdlEx" // MmAllocateNodePagesForMdlEx(minaddress, maxaddress, skip, size, type, prefer, flags)
-      ]) and
-    sizeArg = 3
-  }
-
-  override int getSizeArg() { result = sizeArg }
-}
-
-/**
- * An allocation function (such as `alloca`) that does not require a
- * corresponding free (and has an argument for the size in bytes).
- */
-private class AllocaAllocationFunction extends AllocationFunction {
-  int sizeArg;
-
-  AllocaAllocationFunction() {
-    this.hasGlobalName([
-        // --- stack allocation
-        "alloca", // // alloca(size)
-        "__builtin_alloca", // __builtin_alloca(size)
-        "_alloca", // _alloca(size)
-        "_malloca" // _malloca(size)
-      ]) and
-    sizeArg = 0
-  }
-
-  override int getSizeArg() { result = sizeArg }
-
-  override predicate requiresDealloc() { none() }
-}
-
-/**
- * An allocation function (such as `calloc`) that has an argument for the size
- * and another argument for the size of those units (in bytes).
- */
-private class CallocAllocationFunction extends AllocationFunction {
-  int sizeArg;
-  int multArg;
-
-  CallocAllocationFunction() {
-    // --- C library allocation
-    this.hasGlobalOrStdOrBslName("calloc") and // calloc(num, size)
-    sizeArg = 1 and
-    multArg = 0
-  }
-
-  override int getSizeArg() { result = sizeArg }
-
-  override int getSizeMult() { result = multArg }
-}
-
 /**
  * An allocation function (such as `realloc`) that has an argument for the size
  * in bytes, and an argument for an existing pointer that is to be reallocated.
@@ -373,6 +260,63 @@ private class NewArrayAllocationExpr extends AllocationExpr, NewArrayExpr {
   override predicate requiresDealloc() { not exists(this.getPlacementPointer()) }
 }
 
+/**
+ * Holds if `f` is an allocation function according to the
+ * extensible `allocationFunctionModel` predicate.
+ */
+private predicate isAllocationFunctionFromModel(
+  Function f, string namespace, string type, string name
+) {
+  exists(boolean subtypes | allocationFunctionModel(namespace, type, subtypes, name, _, _, _, _) |
+    if type = ""
+    then f.hasQualifiedName(namespace, "", name)
+    else
+      exists(Class c |
+        c.hasQualifiedName(namespace, type) and f.hasQualifiedName(namespace, _, name)
+      |
+        if subtypes = true
+        then f = c.getADerivedClass*().getAMemberFunction()
+        else f = c.getAMemberFunction()
+      )
+  )
+}
+
+/**
+ * An allocation function modeled via the extensible `allocationFunctionModel` predicate.
+ */
+private class AllocationFunctionFromModel extends AllocationFunction {
+  string namespace;
+  string type;
+  string name;
+
+  AllocationFunctionFromModel() { isAllocationFunctionFromModel(this, namespace, type, name) }
+
+  final override int getSizeArg() {
+    exists(string sizeArg |
+      allocationFunctionModel(namespace, type, _, name, sizeArg, _, _, _) and
+      result = sizeArg.toInt()
+    )
+  }
+
+  final override int getSizeMult() {
+    exists(string sizeMult |
+      allocationFunctionModel(namespace, type, _, name, _, sizeMult, _, _) and
+      result = sizeMult.toInt()
+    )
+  }
+
+  final override int getReallocPtrArg() {
+    exists(string reallocPtrArg |
+      allocationFunctionModel(namespace, type, _, name, _, _, reallocPtrArg, _) and
+      result = reallocPtrArg.toInt()
+    )
+  }
+
+  final override predicate requiresDealloc() {
+    allocationFunctionModel(namespace, type, _, name, _, _, _, true)
+  }
+}
+
 private module HeuristicAllocation {
   /** A class that maps an `AllocationExpr` to an `HeuristicAllocationExpr`. */
   private class HeuristicAllocationModeled extends HeuristicAllocationExpr instanceof AllocationExpr

cpp/ql/lib/semmle/code/cpp/models/implementations/Deallocation.qll

@@ -7,61 +7,42 @@
 import semmle.code.cpp.models.interfaces.Deallocation
 
 /**
- * A deallocation function such as `free`.
+ * Holds if `f` is an deallocation function according to the
+ * extensible `deallocationFunctionModel` predicate.
  */
-private class StandardDeallocationFunction extends DeallocationFunction {
-  int freedArg;
+private predicate isDeallocationFunctionFromModel(
+  Function f, string namespace, string type, string name
+) {
+  exists(boolean subtypes | deallocationFunctionModel(namespace, type, subtypes, name, _) |
+    if type = ""
+    then f.hasQualifiedName(namespace, "", name)
+    else
+      exists(Class c |
+        c.hasQualifiedName(namespace, type) and f.hasQualifiedName(namespace, _, name)
+      |
+        if subtypes = true
+        then f = c.getADerivedClass*().getAMemberFunction()
+        else f = c.getAMemberFunction()
+      )
+  )
+}
 
-  StandardDeallocationFunction() {
-    this.hasGlobalOrStdOrBslName([
-        // --- C library allocation
-        "free", "realloc"
-      ]) and
-    freedArg = 0
-    or
-    this.hasGlobalName([
-        // --- OpenSSL memory deallocation
-        "CRYPTO_free", "CRYPTO_secure_free",
-        // --- glib memory deallocation
-        "g_free"
-      ]) and
-    freedArg = 0
-    or
-    this.hasGlobalOrStdName([
-        // --- Windows Memory Management for Windows Drivers
-        "ExFreePool", "ExFreePoolWithTag", "ExDeleteTimer", "IoFreeIrp", "IoFreeMdl",
-        "IoFreeErrorLogEntry", "IoFreeWorkItem", "MmFreeContiguousMemory",
-        "MmFreeContiguousMemorySpecifyCache", "MmFreeNonCachedMemory", "MmFreeMappingAddress",
-        "MmFreePagesFromMdl", "MmUnmapReservedMapping", "MmUnmapLockedPages",
-        "NdisFreeGenericObject", "NdisFreeMemory", "NdisFreeMemoryWithTag", "NdisFreeMdl",
-        "NdisFreeNetBufferListPool", "NdisFreeNetBufferPool",
-        // --- Windows Global / Local legacy allocation
-        "LocalFree", "GlobalFree", "LocalReAlloc", "GlobalReAlloc",
-        // --- Windows System Services allocation
-        "VirtualFree",
-        // --- Windows COM allocation
-        "CoTaskMemFree", "CoTaskMemRealloc",
-        // --- Windows Automation
-        "SysFreeString",
-        // --- Solaris/BSD kernel memory allocator
-        "kmem_free"
-      ]) and
-    freedArg = 0
-    or
-    this.hasGlobalOrStdName([
-        // --- Windows Memory Management for Windows Drivers
-        "ExFreeToLookasideListEx", "ExFreeToPagedLookasideList", "ExFreeToNPagedLookasideList",
-        "NdisFreeMemoryWithTagPriority", "StorPortFreeMdl", "StorPortFreePool",
-        // --- NetBSD pool manager
-        "pool_put", "pool_cache_put"
-      ]) and
-    freedArg = 1
-    or
-    this.hasGlobalOrStdName(["HeapFree", "HeapReAlloc"]) and
-    freedArg = 2
+/**
+ * A deallocation function modeled via the extensible `deallocationFunctionModel` predicate.
+ */
+private class DeallocationFunctionFromModel extends DeallocationFunction {
+  string namespace;
+  string type;
+  string name;
+
+  DeallocationFunctionFromModel() { isDeallocationFunctionFromModel(this, namespace, type, name) }
+
+  final override int getFreedArg() {
+    exists(string freedArg |
+      deallocationFunctionModel(namespace, type, _, name, freedArg) and
+      result = freedArg.toInt()
+    )
   }
-
-  override int getFreedArg() { result = freedArg }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll

@@ -2,7 +2,7 @@
  * Provides models for C++ containers `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
  */
 
-import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.FlowSource
 import semmle.code.cpp.models.interfaces.Iterator
 
 /**
@@ -55,73 +55,6 @@ private class Vector extends StdSequenceContainer {
   Vector() { this.hasQualifiedName(["std", "bsl"], "vector") }
 }
 
-/**
- * Additional model for standard container constructors that reference the
- * value type of the container (that is, the `T` in `std::vector<T>`).  For
- * example the fill constructor:
- * ```
- * std::vector<std::string> v(100, potentially_tainted_string);
- * ```
- */
-private class StdSequenceContainerConstructor extends Constructor, TaintFunction {
-  StdSequenceContainerConstructor() {
-    this.getDeclaringType() instanceof Vector or
-    this.getDeclaringType() instanceof Deque or
-    this.getDeclaringType() instanceof List or
-    this.getDeclaringType() instanceof ForwardList
-  }
-
-  /**
-   * Gets the index of a parameter to this function that is a reference to the
-   * value type of the container.
-   */
-  int getAValueTypeParameterIndex() {
-    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
-      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
-  }
-
-  /**
-   * Gets the index of a parameter to this function that is an iterator.
-   */
-  int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // taint flow from any parameter of the value type to the returned object
-    (
-      input.isParameterDeref(this.getAValueTypeParameterIndex()) or
-      input.isParameter(this.getAnIteratorParameterIndex())
-    ) and
-    (
-      output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object
-      or
-      output.isQualifierObject()
-    )
-  }
-}
-
-/**
- * The standard container function `data`.
- */
-private class StdSequenceContainerData extends TaintFunction {
-  StdSequenceContainerData() {
-    this.getClassAndName("data") instanceof Array or
-    this.getClassAndName("data") instanceof Vector
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from container itself (qualifier) to return value
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
-    or
-    // reverse flow from returned reference to the qualifier (for writes to
-    // `data`)
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
-  }
-
-  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
-}
-
 /**
  * The standard container functions `push_back` and `push_front`.
  */
@@ -143,35 +76,6 @@ class StdSequenceContainerPush extends MemberFunction {
   }
 }
 
-private class StdSequenceContainerPushModel extends StdSequenceContainerPush, TaintFunction {
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from parameter to qualifier
-    input.isParameterDeref(0) and
-    output.isQualifierObject()
-  }
-
-  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
-}
-
-/**
- * The standard container functions `front` and `back`.
- */
-private class StdSequenceContainerFrontBack extends TaintFunction {
-  StdSequenceContainerFrontBack() {
-    this.getClassAndName(["front", "back"]) instanceof Array or
-    this.getClassAndName(["front", "back"]) instanceof Deque or
-    this.getClassAndName("front") instanceof ForwardList or
-    this.getClassAndName(["front", "back"]) instanceof List or
-    this.getClassAndName(["front", "back"]) instanceof Vector
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from object to returned reference
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
-  }
-}
-
 /**
  * The standard container functions `insert` and `insert_after`.
  */
@@ -198,58 +102,6 @@ class StdSequenceContainerInsert extends MemberFunction {
   int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
 }
 
-private class StdSequenceContainerInsertModel extends StdSequenceContainerInsert, TaintFunction {
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from parameter to container itself (qualifier) and return value
-    (
-      input.isQualifierObject() or
-      input.isParameterDeref(this.getAValueTypeParameterIndex()) or
-      input.isParameter(this.getAnIteratorParameterIndex())
-    ) and
-    (
-      output.isQualifierObject() or
-      output.isReturnValue()
-    )
-  }
-
-  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
-}
-
-/**
- * The standard container function `assign`.
- */
-private class StdSequenceContainerAssign extends TaintFunction {
-  StdSequenceContainerAssign() {
-    this.getClassAndName("assign") instanceof Deque or
-    this.getClassAndName("assign") instanceof ForwardList or
-    this.getClassAndName("assign") instanceof List or
-    this.getClassAndName("assign") instanceof Vector
-  }
-
-  /**
-   * Gets the index of a parameter to this function that is a reference to the
-   * value type of the container.
-   */
-  int getAValueTypeParameterIndex() {
-    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
-      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
-  }
-
-  /**
-   * Gets the index of a parameter to this function that is an iterator.
-   */
-  int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from parameter to container itself (qualifier)
-    (
-      input.isParameterDeref(this.getAValueTypeParameterIndex()) or
-      input.isParameter(this.getAnIteratorParameterIndex())
-    ) and
-    output.isQualifierObject()
-  }
-}
-
 /**
  * The standard container functions `at` and `operator[]`.
  */
@@ -261,20 +113,6 @@ class StdSequenceContainerAt extends MemberFunction {
   }
 }
 
-private class StdSequenceContainerAtModel extends StdSequenceContainerAt, TaintFunction {
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from qualifier to referenced return value
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
-    or
-    // reverse flow from returned reference to the qualifier
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
-  }
-
-  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
-}
-
 /**
  * The standard `emplace` function.
  */
@@ -297,20 +135,6 @@ class StdSequenceEmplace extends MemberFunction {
   }
 }
 
-private class StdSequenceEmplaceModel extends StdSequenceEmplace, TaintFunction {
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from any parameter except the position iterator to qualifier and return value
-    // (here we assume taint flow from any constructor parameter to the constructed object)
-    input.isParameterDeref([1 .. this.getNumberOfParameters() - 1]) and
-    (
-      output.isQualifierObject() or
-      output.isReturnValue()
-    )
-  }
-
-  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
-}
-
 /**
  * The standard vector `emplace` function.
  */
@@ -340,17 +164,6 @@ class StdSequenceEmplaceBack extends MemberFunction {
   }
 }
 
-private class StdSequenceEmplaceBackModel extends StdSequenceEmplaceBack, TaintFunction {
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from any parameter to qualifier
-    // (here we assume taint flow from any constructor parameter to the constructed object)
-    input.isParameterDeref([0 .. this.getNumberOfParameters() - 1]) and
-    output.isQualifierObject()
-  }
-
-  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
-}
-
 /**
  * The standard vector `emplace_back` function.
  */

cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll

@@ -89,6 +89,14 @@ abstract class AllocationFunction extends Function {
   predicate requiresDealloc() { any() }
 }
 
+/**
+ * Holds if an external allocation model exists for the given parameters.
+ */
+extensible predicate allocationFunctionModel(
+  string namespace, string type, boolean subtypes, string name, string sizeArg, string multArg,
+  string reallocPtrArg, boolean requiresDealloc
+);
+
 /**
  * An `operator new` or `operator new[]` function that may be associated with
  * `new` or `new[]` expressions.  Note that `new` and `new[]` are not function

cpp/ql/lib/semmle/code/cpp/models/interfaces/Deallocation.qll

@@ -34,6 +34,13 @@ abstract class DeallocationFunction extends Function {
   int getFreedArg() { none() }
 }
 
+/**
+ * Holds if an external deallocation model exists for the given parameters.
+ */
+extensible predicate deallocationFunctionModel(
+  string namespace, string type, boolean subtypes, string name, string freedArg
+);
+
 /**
  * An `operator delete` or `operator delete[]` function that may be associated
  * with `delete` or `delete[]` expressions.  Note that `delete` and `delete[]`

cpp/ql/lib/semmle/code/cpp/security/flowafterfree/FlowAfterFree.qll

@@ -95,7 +95,7 @@ module FlowFromFree<FlowFromFreeParamSig P> {
         e = any(StoreInstruction store).getDestinationAddress().getUnconvertedResultExpression()
       )
       or
-      n.asExpr() instanceof ArrayExpr
+      [n.asExpr(), n.asIndirectExpr()] instanceof ArrayExpr
     }
   }
 

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 1.0.2
+
+No user-facing changes.
+
+## 1.0.1
+
+### Minor Analysis Improvements
+
+* The `cpp/dangerous-function-overflow` no longer produces a false positive alert when the `gets` function does not have exactly one parameter.
+
 ## 1.0.0
 
 ### Breaking Changes

cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql

@@ -215,13 +215,18 @@ predicate noThrowInTryBlock(NewOrNewArrayExpr newExpr, BadAllocCatchBlock catchB
  */
 predicate nullCheckInThrowingNew(NewOrNewArrayExpr newExpr, GuardCondition guard) {
   newExpr.getAllocator() instanceof ThrowingAllocator and
-  (
-    // Handles null comparisons.
-    guard.ensuresEq(globalValueNumber(newExpr).getAnExpr(), any(NullValue null), _, _, _)
-    or
-    // Handles `if(ptr)` and `if(!ptr)` cases.
-    guard = globalValueNumber(newExpr).getAnExpr()
-  )
+  // There can be many guard conditions that compares `newExpr` againgst 0.
+  // For example, for `if(!p)` both `p` and `!p` are guard conditions. To not
+  // produce duplicates results we pick the "first" guard condition according
+  // to some arbitrary ordering (i.e., location information). This means `!p` is the
+  // element that we use to construct the alert.
+  guard =
+    min(GuardCondition gc, int startline, int startcolumn, int endline, int endcolumn |
+      gc.comparesEq(globalValueNumber(newExpr).getAnExpr(), 0, _, _) and
+      gc.getLocation().hasLocationInfo(_, startline, startcolumn, endline, endcolumn)
+    |
+      gc order by startline, startcolumn, endline, endcolumn
+    )
 }
 
 from NewOrNewArrayExpr newExpr, Element element, string msg, string elementString

cpp/ql/src/change-notes/released/1.0.1.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 1.0.1
+
+### Minor Analysis Improvements
+
 * The `cpp/dangerous-function-overflow` no longer produces a false positive alert when the `gets` function does not have exactly one parameter.

cpp/ql/src/change-notes/released/1.0.2.md

@@ -0,0 +1,3 @@
+## 1.0.2
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.0
+lastReleaseVersion: 1.0.2

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.0.1-dev
+version: 1.0.3-dev
 groups:
   - cpp
   - queries

cpp/ql/test/header-variant-tests/iquote/iquote.c

@@ -3,4 +3,4 @@
 #include "b.h"
 static int has_angle_b = __has_include(<b.h>);
 
-// semmle-extractor-options: -I${testdir}/dir2 -iquote ${testdir}/dir1 --edg --clang
+// semmle-extractor-options: -I${testdir}/dir2 -iquote ${testdir}/dir1 --clang

cpp/ql/test/library-tests/CPP-207/options

@@ -1 +1 @@
-semmle-extractor-options: --edg --microsoft
+semmle-extractor-options: --microsoft

cpp/ql/test/library-tests/arguments/arguments.expected

@@ -1,22 +1,21 @@
 | arguments.c | 1 | --preprocessArgs |
-| arguments.c | 2 | --force-recompute |
-| arguments.c | 3 | --edg |
-| arguments.c | 4 | --disable_system_macros |
-| arguments.c | 5 | --edg |
-| arguments.c | 6 | --codeql-verbosity |
-| arguments.c | 7 | --edg |
-| arguments.c | 8 | 2 |
-| arguments.c | 9 | --edg |
-| arguments.c | 10 | --target |
-| arguments.c | 11 | --edg |
-| arguments.c | 12 | linux_x86_64 |
-| arguments.c | 13 | --edg |
-| arguments.c | 14 | -D |
-| arguments.c | 15 | --edg |
-| arguments.c | 16 | __CODEQL_TEST__ |
-| arguments.c | 17 | --gcc |
-| arguments.c | 18 | --predefined_macros |
-| arguments.c | 19 | <tools>/qltest/predefined_macros |
-| arguments.c | 20 | -w |
-| arguments.c | 21 | -Werror |
-| arguments.c | 22 | arguments.c |
+| arguments.c | 2 | --edg |
+| arguments.c | 3 | --force-recompute |
+| arguments.c | 4 | --edg |
+| arguments.c | 5 | --disable_system_macros |
+| arguments.c | 6 | --edg |
+| arguments.c | 7 | --codeql-verbosity |
+| arguments.c | 8 | --edg |
+| arguments.c | 9 | 2 |
+| arguments.c | 10 | --edg |
+| arguments.c | 11 | --target |
+| arguments.c | 12 | --edg |
+| arguments.c | 13 | linux_x86_64 |
+| arguments.c | 14 | --edg |
+| arguments.c | 15 | -D |
+| arguments.c | 16 | --edg |
+| arguments.c | 17 | __CODEQL_TEST__ |
+| arguments.c | 18 | --gcc |
+| arguments.c | 19 | -w |
+| arguments.c | 20 | -Werror |
+| arguments.c | 21 | arguments.c |

cpp/ql/test/library-tests/arguments/arguments.ql

@@ -4,8 +4,5 @@ from Compilation c, int i, string s
 // Skip the extractor name; it'll vary depending on platform
 where
   i > 0 and
-  s =
-    c.getArgument(i)
-        .replaceAll("\\", "/")
-        .regexpReplaceAll(".*(/qltest/predefined_macros)", "<tools>$1")
+  s = c.getArgument(i).replaceAll("\\", "/")
 select c.getAFileCompiled().toString(), i, s

cpp/ql/test/library-tests/attributes/availability/options

@@ -1 +1 @@
-semmle-extractor-options: --edg --clang
+semmle-extractor-options: --clang

cpp/ql/test/library-tests/attributes/routine_attributes/arguments.expected

@@ -1,4 +1,8 @@
 | declspec.cpp:4:23:4:43 | Use fatal() instead | declspec.cpp:4:59:4:62 | exit | declspec.cpp:4:12:4:21 | deprecated | Use fatal() instead |
+| routine_attributes2.cpp:5:6:5:11 | hidden | routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.cpp:5:6:5:11 | visibility | hidden |
+| routine_attributes2.cpp:5:6:5:11 | hidden | routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.cpp:5:6:5:11 | visibility | hidden |
+| routine_attributes2.h:3:6:3:11 | hidden | routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.h:3:6:3:11 | visibility | hidden |
+| routine_attributes2.h:3:6:3:11 | hidden | routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.h:3:6:3:11 | visibility | hidden |
 | routine_attributes.c:3:53:3:59 | dummy | routine_attributes.c:3:12:3:24 | named_weakref | routine_attributes.c:3:44:3:50 | weakref | dummy |
 | routine_attributes.c:4:62:4:68 | dummy | routine_attributes.c:4:12:4:26 | aliased_weakref | routine_attributes.c:4:55:4:59 | alias | dummy |
 | routine_attributes.c:6:49:6:55 | dummy | routine_attributes.c:6:12:6:22 | plain_alias | routine_attributes.c:6:42:6:46 | alias | dummy |

cpp/ql/test/library-tests/attributes/routine_attributes/routine_attributes.expected

@@ -18,6 +18,10 @@
 | header_export.cpp:14:16:14:26 | myFunction4 | header_export.cpp:14:1:14:9 | dllexport |
 | header_export.cpp:18:6:18:16 | myFunction5 | header.h:10:2:10:10 | dllexport |
 | header_export.cpp:18:6:18:16 | myFunction5 | header.h:10:2:10:10 | dllimport |
+| routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.cpp:5:6:5:11 | visibility |
+| routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.cpp:5:6:5:11 | visibility |
+| routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.h:3:6:3:11 | visibility |
+| routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.h:3:6:3:11 | visibility |
 | routine_attributes.c:3:12:3:24 | named_weakref | routine_attributes.c:3:44:3:50 | weakref |
 | routine_attributes.c:4:12:4:26 | aliased_weakref | routine_attributes.c:4:46:4:52 | weakref |
 | routine_attributes.c:4:12:4:26 | aliased_weakref | routine_attributes.c:4:55:4:59 | alias |

cpp/ql/test/library-tests/attributes/routine_attributes/routine_attributes2.cpp

@@ -0,0 +1,7 @@
+#define HIDDEN __attribute__((visibility("hidden")))
+
+#include "routine_attributes2.h"
+
+void HIDDEN a_routine() {
+    return;
+}

cpp/ql/test/library-tests/attributes/routine_attributes/routine_attributes2.h

@@ -0,0 +1,3 @@
+#pragma once
+
+void HIDDEN a_routine();

cpp/ql/test/library-tests/attributes/routine_attributes/routine_attributes3.cpp

@@ -0,0 +1,3 @@
+#define HIDDEN __attribute__((visibility("hidden")))
+
+#include "routine_attributes2.h"

cpp/ql/test/library-tests/attributes/type_attributes/arguments.expected

@@ -1,3 +1,6 @@
+| type_attributes2.cpp:5:14:5:20 | a_class | type_attributes2.cpp:5:7:5:12 | visibility | type_attributes2.cpp:5:7:5:12 | hidden |
+| type_attributes2.cpp:5:14:5:20 | a_class | type_attributes2.h:3:7:3:12 | visibility | type_attributes2.h:3:7:3:12 | hidden |
+| type_attributes2.cpp:5:14:5:20 | a_class | type_attributes2.h:3:7:3:12 | visibility | type_attributes2.h:3:7:3:12 | hidden |
 | type_attributes_ms.cpp:4:67:4:75 | IDispatch | type_attributes_ms.cpp:4:19:4:22 | uuid | type_attributes_ms.cpp:4:24:4:63 | {00020400-0000-0000-c000-000000000046} |
 | type_attributes_ms.cpp:5:30:5:33 | Str1 | type_attributes_ms.cpp:5:12:5:16 | align | type_attributes_ms.cpp:5:18:5:19 | 32 |
 | type_attributes_ms.cpp:6:55:6:62 | IUnknown | type_attributes_ms.cpp:6:2:6:2 | uuid | type_attributes_ms.cpp:6:2:6:2 | 00000000-0000-0000-c000-000000000046 |

cpp/ql/test/library-tests/attributes/type_attributes/type_attributes.expected

@@ -1,4 +1,7 @@
 | file://:0:0:0:0 | short __attribute((__may_alias__)) | type_attributes.c:25:30:25:42 | may_alias |
+| type_attributes2.cpp:5:14:5:20 | a_class | type_attributes2.cpp:5:7:5:12 | visibility |
+| type_attributes2.cpp:5:14:5:20 | a_class | type_attributes2.h:3:7:3:12 | visibility |
+| type_attributes2.cpp:5:14:5:20 | a_class | type_attributes2.h:3:7:3:12 | visibility |
 | type_attributes.c:5:36:5:51 | my_packed_struct | type_attributes.c:5:23:5:32 | packed |
 | type_attributes.c:10:54:10:54 | (unnamed class/struct/union) | type_attributes.c:10:30:10:50 | transparent_union |
 | type_attributes.c:16:54:16:54 | (unnamed class/struct/union) | type_attributes.c:16:30:16:50 | transparent_union |

cpp/ql/test/library-tests/attributes/type_attributes/type_attributes2.cpp

@@ -0,0 +1,6 @@
+#define HIDDEN __attribute__((visibility("hidden")))
+
+#include "type_attributes2.h"
+
+class HIDDEN a_class {
+};

cpp/ql/test/library-tests/attributes/type_attributes/type_attributes2.h

@@ -0,0 +1,3 @@
+#pragma once
+
+class HIDDEN a_class;

cpp/ql/test/library-tests/attributes/type_attributes/type_attributes3.cpp

@@ -0,0 +1,3 @@
+#define HIDDEN __attribute__((visibility("hidden")))
+
+#include "type_attributes2.h"

cpp/ql/test/library-tests/attributes/var_attributes/var_attributes.expected

@@ -6,6 +6,10 @@
 | ms_var_attributes.cpp:12:42:12:46 | field | ms_var_attributes.cpp:12:14:12:21 | property |
 | ms_var_attributes.cpp:20:34:20:37 | pBuf | ms_var_attributes.cpp:20:12:20:12 | SAL_volatile |
 | ms_var_attributes.h:5:22:5:27 | myInt3 | ms_var_attributes.h:5:1:5:9 | dllexport |
+| var_attributes2.cpp:5:12:5:21 | a_variable | var_attributes2.cpp:5:5:5:10 | visibility |
+| var_attributes2.cpp:5:12:5:21 | a_variable | var_attributes2.cpp:5:5:5:10 | visibility |
+| var_attributes2.cpp:5:12:5:21 | a_variable | var_attributes2.h:3:12:3:17 | visibility |
+| var_attributes2.cpp:5:12:5:21 | a_variable | var_attributes2.h:3:12:3:17 | visibility |
 | var_attributes.c:1:12:1:19 | weak_var | var_attributes.c:1:36:1:39 | weak |
 | var_attributes.c:2:12:2:22 | weakref_var | var_attributes.c:2:39:2:45 | weakref |
 | var_attributes.c:3:12:3:19 | used_var | var_attributes.c:3:36:3:39 | used |

cpp/ql/test/library-tests/attributes/var_attributes/var_attributes2.cpp

@@ -0,0 +1,5 @@
+#define HIDDEN __attribute__((visibility("hidden")))
+
+#include "var_attributes2.h"
+
+int HIDDEN a_variable;

cpp/ql/test/library-tests/attributes/var_attributes/var_attributes2.h

@@ -0,0 +1,3 @@
+#pragma once
+
+extern int HIDDEN a_variable;

cpp/ql/test/library-tests/attributes/var_attributes/var_attributes3.cpp

@@ -0,0 +1,3 @@
+#define HIDDEN __attribute__((visibility("hidden")))
+
+#include "var_attributes2.h"

cpp/ql/test/library-tests/clang_builtin_macros/addressof.c

@@ -1,4 +1,4 @@
-// semmle-extractor-options: --edg --clang
+// semmle-extractor-options: --clang
 
 int x = 0;
 

cpp/ql/test/library-tests/clang_builtin_macros/extended.cpp

@@ -1,4 +1,4 @@
-// semmle-extractor-options: --edg --clang --edg --c++11 --edg --nullptr
+// semmle-extractor-options: --clang --edg --c++11 --edg --nullptr
 
 static int has_nullptr_f = __has_feature(cxx_nullptr);
 static int has_nullptr_e = __has_extension(cxx_nullptr);

cpp/ql/test/library-tests/clang_builtin_macros/options

@@ -1 +1 @@
-semmle-extractor-options: --edg --clang
+semmle-extractor-options: --clang

cpp/ql/test/library-tests/clang_builtin_macros/test.cpp

@@ -1,7 +1,7 @@
 // For the canonical behaviour, run: clang -E -w test.cpp
 #define __builtin_TRAP __builtin_trap
 #define BAR "bar.h"
-// semmle-extractor-options: --edg --clang --expect_errors
+// semmle-extractor-options: --clang --expect_errors
 #if defined(__has_include)
 static int has_include = 1;
 #else

cpp/ql/test/library-tests/clang_ms/options

@@ -1 +1 @@
-semmle-extractor-options: --edg --clang --edg --ms_extensions
+semmle-extractor-options: --clang --edg --ms_extensions

cpp/ql/test/library-tests/controlflow/guards-ir/tests.expected

@@ -74,6 +74,8 @@ astGuardsCompare
 | 34 | j >= 10+0 when ... < ... is false |
 | 42 | 10 < j+1 when ... < ... is false |
 | 42 | 10 >= j+1 when ... < ... is true |
+| 42 | call to getABool != 0 when call to getABool is true |
+| 42 | call to getABool == 0 when call to getABool is false |
 | 42 | j < 10+0 when ... < ... is true |
 | 42 | j >= 10+0 when ... < ... is false |
 | 44 | 0 < z+0 when ... > ... is true |
@@ -537,6 +539,8 @@ astGuardsEnsure_const
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | -1 | 34 | 34 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | -1 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | -1 | 31 | 32 |
+| test.cpp:42:13:42:20 | call to getABool | test.cpp:42:13:42:20 | call to getABool | != | 0 | 43 | 45 |
+| test.cpp:42:13:42:20 | call to getABool | test.cpp:42:13:42:20 | call to getABool | == | 0 | 53 | 53 |
 irGuards
 | test.c:7:9:7:13 | CompareGT: ... > ... |
 | test.c:17:8:17:12 | CompareLT: ... < ... |
@@ -613,6 +617,8 @@ irGuardsCompare
 | 34 | j >= 10+0 when CompareLT: ... < ... is false |
 | 42 | 10 < j+1 when CompareLT: ... < ... is false |
 | 42 | 10 >= j+1 when CompareLT: ... < ... is true |
+| 42 | call to getABool != 0 when Call: call to getABool is true |
+| 42 | call to getABool == 0 when Call: call to getABool is false |
 | 42 | j < 10 when CompareLT: ... < ... is true |
 | 42 | j < 10+0 when CompareLT: ... < ... is true |
 | 42 | j >= 10 when CompareLT: ... < ... is false |
@@ -1081,3 +1087,5 @@ irGuardsEnsure_const
 | test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:7:31:7 | Load: x | != | -1 | 34 | 34 |
 | test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:7:31:7 | Load: x | == | -1 | 30 | 30 |
 | test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:7:31:7 | Load: x | == | -1 | 32 | 32 |
+| test.cpp:42:13:42:20 | Call: call to getABool | test.cpp:42:13:42:20 | Call: call to getABool | != | 0 | 44 | 44 |
+| test.cpp:42:13:42:20 | Call: call to getABool | test.cpp:42:13:42:20 | Call: call to getABool | == | 0 | 53 | 53 |

cpp/ql/test/library-tests/controlflow/guards/Guards.expected

@@ -42,3 +42,10 @@
 | test.cpp:99:6:99:6 | f |
 | test.cpp:105:6:105:14 | ... != ... |
 | test.cpp:111:6:111:14 | ... != ... |
+| test.cpp:122:9:122:9 | b |
+| test.cpp:125:13:125:20 | ! ... |
+| test.cpp:125:14:125:17 | call to safe |
+| test.cpp:131:6:131:21 | call to __builtin_expect |
+| test.cpp:135:6:135:21 | call to __builtin_expect |
+| test.cpp:141:6:141:21 | call to __builtin_expect |
+| test.cpp:145:6:145:21 | call to __builtin_expect |

cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected

@@ -44,6 +44,8 @@
 | 34 | j >= 10+0 when ... < ... is false |
 | 42 | 10 < j+1 when ... < ... is false |
 | 42 | 10 >= j+1 when ... < ... is true |
+| 42 | call to getABool != 0 when call to getABool is true |
+| 42 | call to getABool == 0 when call to getABool is false |
 | 42 | j < 10 when ... < ... is true |
 | 42 | j < 10+0 when ... < ... is true |
 | 42 | j >= 10 when ... < ... is false |
@@ -149,16 +151,59 @@
 | 111 | 0.0 == i+0 when ... != ... is false |
 | 111 | i != 0.0+0 when ... != ... is true |
 | 111 | i == 0.0+0 when ... != ... is false |
+| 122 | b != 0 when b is true |
+| 122 | b == 0 when b is false |
+| 125 | ! ... != 0 when ! ... is true |
+| 125 | ! ... == 0 when ! ... is false |
+| 125 | call to safe != 0 when ! ... is false |
+| 125 | call to safe != 0 when call to safe is true |
+| 125 | call to safe == 0 when call to safe is false |
 | 126 | 1 != 0 when 1 is true |
 | 126 | 1 != 0 when ... && ... is true |
 | 126 | 1 == 0 when 1 is false |
 | 126 | call to test3_condition != 0 when ... && ... is true |
 | 126 | call to test3_condition != 0 when call to test3_condition is true |
 | 126 | call to test3_condition == 0 when call to test3_condition is false |
+| 131 | ... + ... != a+0 when call to __builtin_expect is false |
+| 131 | ... + ... == a+0 when call to __builtin_expect is true |
+| 131 | a != ... + ...+0 when call to __builtin_expect is false |
+| 131 | a != b+42 when call to __builtin_expect is false |
+| 131 | a == ... + ...+0 when call to __builtin_expect is true |
+| 131 | a == b+42 when call to __builtin_expect is true |
 | 131 | b != 0 when b is true |
+| 131 | b != a+-42 when call to __builtin_expect is false |
 | 131 | b == 0 when b is false |
+| 131 | b == a+-42 when call to __builtin_expect is true |
+| 131 | call to __builtin_expect != 0 when call to __builtin_expect is true |
+| 131 | call to __builtin_expect == 0 when call to __builtin_expect is false |
+| 135 | ... + ... != a+0 when call to __builtin_expect is true |
+| 135 | ... + ... == a+0 when call to __builtin_expect is false |
+| 135 | a != ... + ...+0 when call to __builtin_expect is true |
+| 135 | a != b+42 when call to __builtin_expect is true |
+| 135 | a == ... + ...+0 when call to __builtin_expect is false |
+| 135 | a == b+42 when call to __builtin_expect is false |
+| 135 | b != a+-42 when call to __builtin_expect is true |
+| 135 | b == a+-42 when call to __builtin_expect is false |
+| 135 | call to __builtin_expect != 0 when call to __builtin_expect is true |
+| 135 | call to __builtin_expect == 0 when call to __builtin_expect is false |
 | 137 | 0 != 0 when 0 is true |
 | 137 | 0 == 0 when 0 is false |
+| 141 | 42 != a+0 when call to __builtin_expect is false |
+| 141 | 42 == a+0 when call to __builtin_expect is true |
+| 141 | a != 42 when call to __builtin_expect is false |
+| 141 | a != 42+0 when call to __builtin_expect is false |
+| 141 | a == 42 when call to __builtin_expect is true |
+| 141 | a == 42+0 when call to __builtin_expect is true |
+| 141 | call to __builtin_expect != 0 when call to __builtin_expect is true |
+| 141 | call to __builtin_expect == 0 when call to __builtin_expect is false |
+| 145 | 42 != a+0 when call to __builtin_expect is true |
+| 145 | 42 == a+0 when call to __builtin_expect is false |
+| 145 | a != 42 when call to __builtin_expect is true |
+| 145 | a != 42+0 when call to __builtin_expect is true |
+| 145 | a == 42 when call to __builtin_expect is false |
+| 145 | a == 42+0 when call to __builtin_expect is false |
+| 145 | call to __builtin_expect != 0 when call to __builtin_expect is true |
+| 145 | call to __builtin_expect == 0 when call to __builtin_expect is false |
 | 146 | ! ... != 0 when ! ... is true |
 | 146 | ! ... == 0 when ! ... is false |
 | 146 | x != 0 when ! ... is false |

cpp/ql/test/library-tests/controlflow/guards/GuardsControl.expected

@@ -100,3 +100,11 @@
 | test.cpp:99:6:99:6 | f | true | 99 | 100 |
 | test.cpp:105:6:105:14 | ... != ... | true | 105 | 106 |
 | test.cpp:111:6:111:14 | ... != ... | true | 111 | 112 |
+| test.cpp:122:9:122:9 | b | true | 123 | 125 |
+| test.cpp:122:9:122:9 | b | true | 125 | 125 |
+| test.cpp:125:13:125:20 | ! ... | true | 125 | 125 |
+| test.cpp:125:14:125:17 | call to safe | false | 125 | 125 |
+| test.cpp:131:6:131:21 | call to __builtin_expect | true | 131 | 132 |
+| test.cpp:135:6:135:21 | call to __builtin_expect | true | 135 | 136 |
+| test.cpp:141:6:141:21 | call to __builtin_expect | true | 141 | 142 |
+| test.cpp:145:6:145:21 | call to __builtin_expect | true | 145 | 146 |

cpp/ql/test/library-tests/controlflow/guards/GuardsEnsure.expected

@@ -159,6 +159,18 @@ binary
 | test.cpp:105:6:105:14 | ... != ... | test.cpp:105:11:105:14 | 0.0 | != | test.cpp:105:6:105:6 | f | 0 | 105 | 106 |
 | test.cpp:111:6:111:14 | ... != ... | test.cpp:111:6:111:6 | i | != | test.cpp:111:11:111:14 | 0.0 | 0 | 111 | 112 |
 | test.cpp:111:6:111:14 | ... != ... | test.cpp:111:11:111:14 | 0.0 | != | test.cpp:111:6:111:6 | i | 0 | 111 | 112 |
+| test.cpp:131:6:131:21 | call to __builtin_expect | test.cpp:131:23:131:23 | a | == | test.cpp:131:28:131:28 | b | 42 | 131 | 132 |
+| test.cpp:131:6:131:21 | call to __builtin_expect | test.cpp:131:23:131:23 | a | == | test.cpp:131:28:131:33 | ... + ... | 0 | 131 | 132 |
+| test.cpp:131:6:131:21 | call to __builtin_expect | test.cpp:131:28:131:28 | b | == | test.cpp:131:23:131:23 | a | -42 | 131 | 132 |
+| test.cpp:131:6:131:21 | call to __builtin_expect | test.cpp:131:28:131:33 | ... + ... | == | test.cpp:131:23:131:23 | a | 0 | 131 | 132 |
+| test.cpp:135:6:135:21 | call to __builtin_expect | test.cpp:135:23:135:23 | a | != | test.cpp:135:28:135:28 | b | 42 | 135 | 136 |
+| test.cpp:135:6:135:21 | call to __builtin_expect | test.cpp:135:23:135:23 | a | != | test.cpp:135:28:135:33 | ... + ... | 0 | 135 | 136 |
+| test.cpp:135:6:135:21 | call to __builtin_expect | test.cpp:135:28:135:28 | b | != | test.cpp:135:23:135:23 | a | -42 | 135 | 136 |
+| test.cpp:135:6:135:21 | call to __builtin_expect | test.cpp:135:28:135:33 | ... + ... | != | test.cpp:135:23:135:23 | a | 0 | 135 | 136 |
+| test.cpp:141:6:141:21 | call to __builtin_expect | test.cpp:141:23:141:23 | a | == | test.cpp:141:28:141:29 | 42 | 0 | 141 | 142 |
+| test.cpp:141:6:141:21 | call to __builtin_expect | test.cpp:141:28:141:29 | 42 | == | test.cpp:141:23:141:23 | a | 0 | 141 | 142 |
+| test.cpp:145:6:145:21 | call to __builtin_expect | test.cpp:145:23:145:23 | a | != | test.cpp:145:28:145:29 | 42 | 0 | 145 | 146 |
+| test.cpp:145:6:145:21 | call to __builtin_expect | test.cpp:145:28:145:29 | 42 | != | test.cpp:145:23:145:23 | a | 0 | 145 | 146 |
 unary
 | test.c:7:9:7:13 | ... > ... | test.c:7:9:7:9 | x | < | 1 | 10 | 11 |
 | test.c:7:9:7:13 | ... > ... | test.c:7:9:7:9 | x | >= | 1 | 7 | 9 |
@@ -257,6 +269,8 @@ unary
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | -1 | 34 | 34 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | -1 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | -1 | 31 | 32 |
+| test.cpp:42:13:42:20 | call to getABool | test.cpp:42:13:42:20 | call to getABool | != | 0 | 43 | 45 |
+| test.cpp:42:13:42:20 | call to getABool | test.cpp:42:13:42:20 | call to getABool | == | 0 | 53 | 53 |
 | test.cpp:61:10:61:10 | i | test.cpp:61:10:61:10 | i | == | 0 | 62 | 64 |
 | test.cpp:61:10:61:10 | i | test.cpp:61:10:61:10 | i | == | 1 | 65 | 66 |
 | test.cpp:74:10:74:10 | i | test.cpp:74:10:74:10 | i | < | 11 | 75 | 77 |
@@ -264,3 +278,13 @@ unary
 | test.cpp:74:10:74:10 | i | test.cpp:74:10:74:10 | i | >= | 0 | 75 | 77 |
 | test.cpp:74:10:74:10 | i | test.cpp:74:10:74:10 | i | >= | 11 | 78 | 79 |
 | test.cpp:93:6:93:6 | c | test.cpp:93:6:93:6 | c | != | 0 | 93 | 94 |
+| test.cpp:122:9:122:9 | b | test.cpp:122:9:122:9 | b | != | 0 | 123 | 125 |
+| test.cpp:122:9:122:9 | b | test.cpp:122:9:122:9 | b | != | 0 | 125 | 125 |
+| test.cpp:125:13:125:20 | ! ... | test.cpp:125:13:125:20 | ! ... | != | 0 | 125 | 125 |
+| test.cpp:125:14:125:17 | call to safe | test.cpp:125:14:125:17 | call to safe | == | 0 | 125 | 125 |
+| test.cpp:131:6:131:21 | call to __builtin_expect | test.cpp:131:6:131:21 | call to __builtin_expect | != | 0 | 131 | 132 |
+| test.cpp:135:6:135:21 | call to __builtin_expect | test.cpp:135:6:135:21 | call to __builtin_expect | != | 0 | 135 | 136 |
+| test.cpp:141:6:141:21 | call to __builtin_expect | test.cpp:141:6:141:21 | call to __builtin_expect | != | 0 | 141 | 142 |
+| test.cpp:141:6:141:21 | call to __builtin_expect | test.cpp:141:23:141:23 | a | == | 42 | 141 | 142 |
+| test.cpp:145:6:145:21 | call to __builtin_expect | test.cpp:145:6:145:21 | call to __builtin_expect | != | 0 | 145 | 146 |
+| test.cpp:145:6:145:21 | call to __builtin_expect | test.cpp:145:23:145:23 | a | != | 42 | 145 | 146 |

cpp/ql/test/library-tests/controlflow/guards/test.cpp

@@ -112,3 +112,37 @@ void int_float_comparison(int i) {
     use(i);
   }
 }
+
+int source();
+bool safe(int);
+
+void test(bool b)
+{
+    int x;
+    if (b)
+    {
+        x = source();
+        if (!safe(x)) return;
+    }
+    use(x);
+}
+
+void binary_test_builtin_expected(int a, int b) {
+  if(__builtin_expect(a == b + 42, 0)) {
+      use(a);
+  }
+
+  if(__builtin_expect(a != b + 42, 0)) {
+      use(a);
+  }
+}
+
+void unary_test_builtin_expected(int a) {
+  if(__builtin_expect(a == 42, 0)) {
+      use(a);
+  }
+
+  if(__builtin_expect(a != 42, 0)) {
+      use(a);
+  }
+}

cpp/ql/test/library-tests/dataflow/dataflow-edge-tests/additionalEdges.expected

@@ -1,6 +1,6 @@
-WARNING: Module DataFlow has been deprecated and may be removed in future (additionalEdges.ql:31,6-14)
-WARNING: Module DataFlow has been deprecated and may be removed in future (additionalEdges.ql:31,31-39)
-WARNING: Module DataFlow has been deprecated and may be removed in future (additionalEdges.ql:32,7-15)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (additionalEdges.ql:31,6-14)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (additionalEdges.ql:31,31-39)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (additionalEdges.ql:32,7-15)
 | tryExcept.c:7:7:7:7 | x | tryExcept.c:14:10:14:10 | x |
 | tryExcept.c:7:13:7:14 | 0 | tryExcept.c:10:9:10:9 | y |
 | tryExcept.c:10:9:10:9 | y | tryExcept.c:10:5:10:9 | ... = ... |

cpp/ql/test/library-tests/dataflow/dataflow-edge-tests/standardEdges.expected

@@ -1,5 +1,5 @@
-WARNING: Module DataFlow has been deprecated and may be removed in future (standardEdges.ql:4,6-14)
-WARNING: Module DataFlow has been deprecated and may be removed in future (standardEdges.ql:4,31-39)
-WARNING: Module DataFlow has been deprecated and may be removed in future (standardEdges.ql:5,7-15)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (standardEdges.ql:4,6-14)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (standardEdges.ql:4,31-39)
+WARNING: module 'DataFlow' has been deprecated and may be removed in future (standardEdges.ql:5,7-15)
 | tryExcept.c:7:13:7:14 | 0 | tryExcept.c:10:9:10:9 | y |
 | tryExcept.c:10:9:10:9 | y | tryExcept.c:10:5:10:9 | ... = ... |

cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp

@@ -83,7 +83,7 @@ void test_guard_and_reassign() {
   if(!guarded(x)) {
     x = 0;
   }
-  sink(x); // $ SPURIOUS: ast,ir
+  sink(x); // $ SPURIOUS: ast
 }
 
 void test_phi_read_guard(bool b) {
@@ -98,7 +98,7 @@ void test_phi_read_guard(bool b) {
       return;
   }
   
-  sink(x); // $ SPURIOUS: ast,ir
+  sink(x); // $ SPURIOUS: ast
 }
 
 bool unsafe(int);

cpp/ql/test/library-tests/dataflow/dataflow-tests/TestBase.qll

@@ -7,14 +7,17 @@ module AstTest {
    * S in `if (guarded(x)) S`.
    */
   // This is tested in `BarrierGuard.cpp`.
-  predicate testBarrierGuard(GuardCondition g, Expr checked, boolean isTrue) {
-    g.(FunctionCall).getTarget().getName() = "guarded" and
-    checked = g.(FunctionCall).getArgument(0) and
-    isTrue = true
-    or
-    g.(FunctionCall).getTarget().getName() = "unsafe" and
-    checked = g.(FunctionCall).getArgument(0) and
-    isTrue = false
+  predicate testBarrierGuard(GuardCondition g, Expr checked, boolean branch) {
+    exists(Call call, boolean b |
+      checked = call.getArgument(0) and
+      g.comparesEq(call, 0, b, any(BooleanValue bv | bv.getValue() = branch))
+    |
+      call.getTarget().hasName("guarded") and
+      b = false
+      or
+      call.getTarget().hasName("unsafe") and
+      b = true
+    )
   }
 
   /** Common data flow configuration to be used by tests. */
@@ -106,16 +109,16 @@ module IRTest {
    * S in `if (guarded(x)) S`.
    */
   // This is tested in `BarrierGuard.cpp`.
-  predicate testBarrierGuard(IRGuardCondition g, Expr checked, boolean isTrue) {
-    exists(Call call |
-      call = g.getUnconvertedResultExpression() and
-      checked = call.getArgument(0)
+  predicate testBarrierGuard(IRGuardCondition g, Expr checked, boolean branch) {
+    exists(CallInstruction call, boolean b |
+      checked = call.getArgument(0).getUnconvertedResultExpression() and
+      g.comparesEq(call.getAUse(), 0, b, any(BooleanValue bv | bv.getValue() = branch))
     |
-      call.getTarget().hasName("guarded") and
-      isTrue = true
+      call.getStaticCallTarget().hasName("guarded") and
+      b = false
       or
-      call.getTarget().hasName("unsafe") and
-      isTrue = false
+      call.getStaticCallTarget().hasName("unsafe") and
+      b = true
     )
   }
 
@@ -148,6 +151,9 @@ module IRTest {
         or
         call.getTarget().getName() = "indirect_sink" and
         sink.asIndirectExpr() = e
+        or
+        call.getTarget().getName() = "indirect_sink_const_ref" and
+        sink.asIndirectExpr() = e
       )
     }