Merge pull request #15266 from github/felicitymay-publish-docs

Update supported-versions-compilers.rst on release candidate branch

.gitattributes

@@ -71,3 +71,6 @@ go/extractor/opencsv/CSVReader.java -text
 # `javascript/ql/experimental/adaptivethreatmodeling/test/update_endpoint_test_files.py`.
 javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.js linguist-generated=true -merge
 javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.ts linguist-generated=true -merge
+
+# Auto-generated modeling for Python
+python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true

config/identical-files.json

@@ -454,10 +454,6 @@
     "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
     "swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
   ],
-  "SummaryTypeTracker": [
-    "python/ql/lib/semmle/python/dataflow/new/internal/SummaryTypeTracker.qll",
-    "ruby/ql/lib/codeql/ruby/typetracking/internal/SummaryTypeTracker.qll"
-  ],
   "IncompleteUrlSubstringSanitization": [
     "javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
     "ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll"

cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/functions.ql

@@ -0,0 +1,9 @@
+class Function extends @function {
+  string toString() { none() }
+}
+
+from Function fun, string name, int kind, int kind_new
+where
+  functions(fun, name, kind) and
+  if kind = 7 or kind = 8 then kind_new = 0 else kind_new = kind
+select fun, name, kind_new

cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/upgrade.properties

@@ -0,0 +1,3 @@
+description: Support more function types
+compatibility: full
+functions.rel: run functions.qlo

cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/attribute_args.ql

@@ -0,0 +1,17 @@
+class AttributeArg extends @attribute_arg {
+  string toString() { none() }
+}
+
+class Attribute extends @attribute {
+  string toString() { none() }
+}
+
+class Location extends @location_default {
+  string toString() { none() }
+}
+
+from AttributeArg arg, int kind, int kind_new, Attribute attr, int index, Location location
+where
+  attribute_args(arg, kind, attr, index, location) and
+  if arg instanceof @attribute_arg_expr then kind_new = 0 else kind_new = kind
+select arg, kind_new, attr, index, location

cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/upgrade.properties

@@ -0,0 +1,4 @@
+description: Support expression attribute arguments
+compatibility: partial
+attribute_arg_expr.rel: delete
+attribute_args.rel: run attribute_args.qlo

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,28 @@
+## 0.12.3
+
+### Deprecated APIs
+
+* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.
+
+### New Features
+
+* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.
+
+### Minor Analysis Improvements
+
+* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.
+* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.
+* The deprecated `DefaultTaintTracking` library has been removed.
+* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.
+
+### Bug Fixes
+
+* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.
+
+## 0.12.2
+
+No user-facing changes.
+
 ## 0.12.1
 
 ### New Features

cpp/ql/lib/change-notes/2022-11-21-ir-guards-replacement.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.

cpp/ql/lib/change-notes/2023-11-25-default-taint-tracking-removal.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The deprecated `DefaultTaintTracking` library has been removed.

cpp/ql/lib/change-notes/2023-11-30-as-definition.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.

cpp/ql/lib/change-notes/2023-12-08-ususerinput-deprecation.md

@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.

cpp/ql/lib/change-notes/released/0.12.2.md

@@ -0,0 +1,3 @@
+## 0.12.2
+
+No user-facing changes.

cpp/ql/lib/change-notes/released/0.12.3.md

@@ -0,0 +1,20 @@
+## 0.12.3
+
+### Deprecated APIs
+
+* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.
+
+### New Features
+
+* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.
+
+### Minor Analysis Improvements
+
+* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.
+* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.
+* The deprecated `DefaultTaintTracking` library has been removed.
+* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.
+
+### Bug Fixes
+
+* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.12.1
+lastReleaseVersion: 0.12.3

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.12.2-dev
+version: 0.12.3
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -328,6 +328,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   MetricFunction getMetrics() { result = this }
 
   /** Holds if this function calls the function `f`. */
+  pragma[nomagic]
   predicate calls(Function f) { this.calls(f, _) }
 
   /**
@@ -338,10 +339,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
     exists(FunctionCall call |
       call.getEnclosingFunction() = this and call.getTarget() = f and call = l
     )
-    or
-    exists(DestructorCall call |
-      call.getEnclosingFunction() = this and call.getTarget() = f and call = l
-    )
   }
 
   /** Holds if this function accesses a function or variable or enumerator `a`. */
@@ -885,3 +882,17 @@ class BuiltInFunction extends Function {
 }
 
 private predicate suppressUnusedThis(Function f) { any() }
+
+/**
+ * A C++ user-defined literal [N4140 13.5.8].
+ */
+class UserDefinedLiteral extends Function {
+  UserDefinedLiteral() { functions(underlyingElement(this), _, 7) }
+}
+
+/**
+ * A C++ deduction guide [N4659 17.9].
+ */
+class DeductionGuide extends Function {
+  DeductionGuide() { functions(underlyingElement(this), _, 8) }
+}

cpp/ql/lib/semmle/code/cpp/Specifier.qll

@@ -281,6 +281,11 @@ class AttributeArgument extends Element, @attribute_arg {
     attribute_arg_constant(underlyingElement(this), unresolveElement(result))
   }
 
+  /**
+   * Gets the value of this argument, if its value is an expression.
+   */
+  Expr getValueExpr() { attribute_arg_expr(underlyingElement(this), unresolveElement(result)) }
+
   /**
    * Gets the attribute to which this is an argument.
    */
@@ -308,7 +313,10 @@ class AttributeArgument extends Element, @attribute_arg {
           else
             if underlyingElement(this) instanceof @attribute_arg_constant_expr
             then tail = this.getValueConstant().toString()
-            else tail = this.getValueText()
+            else
+              if underlyingElement(this) instanceof @attribute_arg_expr
+              then tail = this.getValueExpr().toString()
+              else tail = this.getValueText()
         ) and
         result = prefix + tail
       )

cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll

@@ -110,8 +110,8 @@ private predicate loopConditionAlwaysUponEntry(ControlFlowNode loop, Expr condit
  * should be in this relation.
  */
 pragma[noinline]
-private predicate isFunction(Element el) {
-  el instanceof Function
+private predicate isFunction(@element el) {
+  el instanceof @function
   or
   el.(Expr).getParent() = el
 }
@@ -122,7 +122,7 @@ private predicate isFunction(Element el) {
  */
 pragma[noopt]
 private predicate callHasNoTarget(@funbindexpr fc) {
-  exists(Function f |
+  exists(@function f |
     funbind(fc, f) and
     not isFunction(f)
   )

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

cpp/ql/lib/semmle/code/cpp/internal/ResolveGlobalVariable.qll

@@ -24,8 +24,8 @@ private predicate isGlobalWithMangledNameAndWithoutDefinition(@mangledname name,
  * a unique global variable `complete` with the same name that does have a definition.
  */
 private predicate hasTwinWithDefinition(@globalvariable incomplete, @globalvariable complete) {
+  not variable_instantiation(incomplete, complete) and
   exists(@mangledname name |
-    not variable_instantiation(incomplete, complete) and
     isGlobalWithMangledNameAndWithoutDefinition(name, incomplete) and
     isGlobalWithMangledNameAndWithDefinition(name, complete)
   )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -59,6 +59,41 @@ private module Cached {
 import Cached
 private import Nodes0
 
+/**
+ * A module for calculating the number of stars (i.e., `*`s) needed for various
+ * dataflow node `toString` predicates.
+ */
+module NodeStars {
+  private int getNumberOfIndirections(Node n) {
+    result = n.(RawIndirectOperand).getIndirectionIndex()
+    or
+    result = n.(RawIndirectInstruction).getIndirectionIndex()
+    or
+    result = n.(VariableNode).getIndirectionIndex()
+    or
+    result = n.(PostUpdateNodeImpl).getIndirectionIndex()
+    or
+    result = n.(FinalParameterNode).getIndirectionIndex()
+  }
+
+  private int maxNumberOfIndirections() { result = max(getNumberOfIndirections(_)) }
+
+  private string repeatStars(int n) {
+    n = 0 and result = ""
+    or
+    n = [1 .. maxNumberOfIndirections()] and
+    result = "*" + repeatStars(n - 1)
+  }
+
+  /**
+   * Gets the number of stars (i.e., `*`s) needed to produce the `toString`
+   * output for `n`.
+   */
+  string stars(Node n) { result = repeatStars(getNumberOfIndirections(n)) }
+}
+
+import NodeStars
+
 class Node0Impl extends TIRDataFlowNode0 {
   /**
    * INTERNAL: Do not use.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -486,16 +486,6 @@ class Node extends TIRDataFlowNode {
   }
 }
 
-private string toExprString(Node n) {
-  not isDebugMode() and
-  (
-    result = n.asExpr(0).toString()
-    or
-    not exists(n.asExpr()) and
-    result = n.asIndirectExpr(0, 1).toString() + " indirection"
-  )
-}
-
 /**
  * A class that lifts pre-SSA dataflow nodes to regular dataflow nodes.
  */
@@ -558,7 +548,10 @@ Type stripPointer(Type t) {
   result = t.(FunctionPointerIshType).getBaseType()
 }
 
-private class PostUpdateNodeImpl extends PartialDefinitionNode, TPostUpdateNodeImpl {
+/**
+ * INTERNAL: Do not use.
+ */
+class PostUpdateNodeImpl extends PartialDefinitionNode, TPostUpdateNodeImpl {
   int indirectionIndex;
   Operand operand;
 
@@ -786,10 +779,12 @@ class IndirectParameterNode extends Node instanceof IndirectInstruction {
   override Location getLocationImpl() { result = this.getParameter().getLocation() }
 
   override string toStringImpl() {
-    result = this.getParameter().toString() + " indirection"
-    or
-    not exists(this.getParameter()) and
-    result = "this indirection"
+    exists(string prefix | prefix = stars(this) |
+      result = prefix + this.getParameter().toString()
+      or
+      not exists(this.getParameter()) and
+      result = prefix + "this"
+    )
   }
 }
 
@@ -964,7 +959,8 @@ private Type getTypeImpl0(Type t, int indirectionIndex) {
  *
  * If `indirectionIndex` cannot be stripped off `t`, an `UnknownType` is returned.
  */
-bindingset[indirectionIndex]
+bindingset[t, indirectionIndex]
+pragma[inline_late]
 Type getTypeImpl(Type t, int indirectionIndex) {
   result = getTypeImpl0(t, indirectionIndex)
   or
@@ -1016,7 +1012,7 @@ private module RawIndirectNodes {
     }
 
     override string toStringImpl() {
-      result = operandNode(this.getOperand()).toStringImpl() + " indirection"
+      result = stars(this) + operandNode(this.getOperand()).toStringImpl()
     }
   }
 
@@ -1058,7 +1054,7 @@ private module RawIndirectNodes {
     }
 
     override string toStringImpl() {
-      result = instructionNode(this.getInstruction()).toStringImpl() + " indirection"
+      result = stars(this) + instructionNode(this.getInstruction()).toStringImpl()
     }
   }
 
@@ -1151,9 +1147,7 @@ class FinalParameterNode extends Node, TFinalParameterNode {
     result instanceof UnknownDefaultLocation
   }
 
-  override string toStringImpl() {
-    if indirectionIndex > 1 then result = p.toString() + " indirection" else result = p.toString()
-  }
+  override string toStringImpl() { result = stars(this) + p.toString() }
 }
 
 /**
@@ -1787,9 +1781,7 @@ class VariableNode extends Node, TVariableNode {
     result instanceof UnknownDefaultLocation
   }
 
-  override string toStringImpl() {
-    if indirectionIndex = 1 then result = v.toString() else result = v.toString() + " indirection"
-  }
+  override string toStringImpl() { result = stars(this) + v.toString() }
 }
 
 /**
@@ -2249,6 +2241,25 @@ class Content extends TContent {
   abstract predicate impliesClearOf(Content c);
 }
 
+private module ContentStars {
+  private int maxNumberOfIndirections() { result = max(any(Content c).getIndirectionIndex()) }
+
+  private string repeatStars(int n) {
+    n = 0 and result = ""
+    or
+    n = [1 .. maxNumberOfIndirections()] and
+    result = "*" + repeatStars(n - 1)
+  }
+
+  /**
+   * Gets the number of stars (i.e., `*`s) needed to produce the `toString`
+   * output for `c`.
+   */
+  string contentStars(Content c) { result = repeatStars(c.getIndirectionIndex() - 1) }
+}
+
+private import ContentStars
+
 /** A reference through a non-union instance field. */
 class FieldContent extends Content, TFieldContent {
   Field f;
@@ -2256,11 +2267,7 @@ class FieldContent extends Content, TFieldContent {
 
   FieldContent() { this = TFieldContent(f, indirectionIndex) }
 
-  override string toString() {
-    indirectionIndex = 1 and result = f.toString()
-    or
-    indirectionIndex > 1 and result = f.toString() + " indirection"
-  }
+  override string toString() { result = contentStars(this) + f.toString() }
 
   Field getField() { result = f }
 
@@ -2289,11 +2296,7 @@ class UnionContent extends Content, TUnionContent {
 
   UnionContent() { this = TUnionContent(u, bytes, indirectionIndex) }
 
-  override string toString() {
-    indirectionIndex = 1 and result = u.toString()
-    or
-    indirectionIndex > 1 and result = u.toString() + " indirection"
-  }
+  override string toString() { result = contentStars(this) + u.toString() }
 
   /** Gets a field of the underlying union of this `UnionContent`, if any. */
   Field getAField() { result = u.getAField() and getFieldSize(result) = bytes }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DebugPrinting.qll

@@ -1,9 +1,24 @@
 /**
- * This file activates debugging mode for dataflow node printing.
+ * This file contains the class that implements the _debug_ version of
+ * `toString` for `Instruction` and `Operand` dataflow nodes.
  */
 
+private import semmle.code.cpp.ir.IR
+private import codeql.util.Unit
 private import Node0ToString
+private import DataFlowUtil
 
 private class DebugNode0ToString extends Node0ToString {
-  final override predicate isDebugMode() { any() }
+  DebugNode0ToString() {
+    // Silence warning about `this` not being bound.
+    exists(this)
+  }
+
+  override string instructionToString(Instruction i) { result = i.getDumpString() }
+
+  override string operandToString(Operand op) {
+    result = op.getDumpString() + " @ " + op.getUse().getResultId()
+  }
+
+  override string toExprString(Node n) { none() }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Node0ToString.qll

@@ -1,75 +1,53 @@
 /**
- * This file contains the abstract class that serves as the base class for
- * dataflow node printing.
+ * This file imports the class that is used to construct the strings used by
+ * `Node.ToString`.
  *
- * By default, a non-debug string is produced. However, a debug-friendly
- * string can be produced by importing `DebugPrinting.qll`.
+ * Normally, this file should just import `NormalNode0ToString` to compute the
+ * efficient `toString`, but for debugging purposes one can import
+ * `DebugPrinting.qll` to better correlate the dataflow nodes with their
+ * underlying instructions and operands.
  */
 
 private import semmle.code.cpp.ir.IR
 private import codeql.util.Unit
+private import DataFlowUtil
+import NormalNode0ToString // Change this import to control which version should be used.
 
-/**
- * A class to control whether a debugging version of instructions and operands
- * should be printed as part of the `toString` output of dataflow nodes.
- *
- * To enable debug printing import the `DebugPrinting.ql` file. By default,
- * non-debug output will be used.
- */
-class Node0ToString extends Unit {
-  abstract predicate isDebugMode();
-
-  private string normalInstructionToString(Instruction i) {
-    not this.isDebugMode() and
-    if i.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = i.getAst().toString()
-  }
-
-  private string normalOperandToString(Operand op) {
-    not this.isDebugMode() and
-    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = op.getDef().getAst().toString()
-  }
+/** An abstract class to control the behavior of `Node.toString`. */
+abstract class Node0ToString extends Unit {
+  /**
+   * Gets the string that should be used by `OperandNode.toString` to print the
+   * dataflow node whose underlying operand is `op.`
+   */
+  abstract string operandToString(Operand op);
 
   /**
-   * Gets the string that should be used by `InstructionNode.toString`
+   * Gets the string that should be used by `InstructionNode.toString` to print
+   * the dataflow node whose underlying instruction is `instr`.
    */
-  string instructionToString(Instruction i) {
-    if this.isDebugMode()
-    then result = i.getDumpString()
-    else result = this.normalInstructionToString(i)
-  }
+  abstract string instructionToString(Instruction i);
 
   /**
-   * Gets the string that should be used by `OperandNode.toString`.
+   * Gets the string representation of the `Expr` associated with `n`, if any.
    */
-  string operandToString(Operand op) {
-    if this.isDebugMode()
-    then result = op.getDumpString() + " @ " + op.getUse().getResultId()
-    else result = this.normalOperandToString(op)
-  }
-}
-
-private class NoDebugNode0ToString extends Node0ToString {
-  final override predicate isDebugMode() { none() }
+  abstract string toExprString(Node n);
 }
 
 /**
- * Gets the string that should be used by `OperandNode.toString`.
+ * Gets the string that should be used by `OperandNode.toString` to print the
+ * dataflow node whose underlying operand is `op.`
  */
-string operandToString(Operand op) { result = any(Node0ToString nts).operandToString(op) }
+string operandToString(Operand op) { result = any(Node0ToString s).operandToString(op) }
 
 /**
- * Gets the string that should be used by `InstructionNode.toString`
+ * Gets the string that should be used by `InstructionNode.toString` to print
+ * the dataflow node whose underlying instruction is `instr`.
  */
-string instructionToString(Instruction i) { result = any(Node0ToString nts).instructionToString(i) }
+string instructionToString(Instruction instr) {
+  result = any(Node0ToString s).instructionToString(instr)
+}
 
 /**
- * Holds if debugging mode is enabled.
- *
- * In debug mode the `toString` on dataflow nodes is more expensive to compute,
- * but gives more precise information about the different dataflow nodes.
+ * Gets the string representation of the `Expr` associated with `n`, if any.
  */
-predicate isDebugMode() { any(Node0ToString nts).isDebugMode() }
+string toExprString(Node n) { result = any(Node0ToString s).toExprString(n) }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/NormalNode0ToString.qll

@@ -0,0 +1,36 @@
+/**
+ * This file contains the class that implements the non-debug version of
+ * `toString` for `Instruction` and `Operand` dataflow nodes.
+ */
+
+private import semmle.code.cpp.ir.IR
+private import codeql.util.Unit
+private import Node0ToString
+private import DataFlowUtil
+private import DataFlowPrivate
+
+private class NormalNode0ToString extends Node0ToString {
+  NormalNode0ToString() {
+    // Silence warning about `this` not being bound.
+    exists(this)
+  }
+
+  override string instructionToString(Instruction i) {
+    if i.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = i.getAst().toString()
+  }
+
+  override string operandToString(Operand op) {
+    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = op.getDef().getAst().toString()
+  }
+
+  override string toExprString(Node n) {
+    result = n.asExpr(0).toString()
+    or
+    not exists(n.asExpr()) and
+    result = stars(n) + n.asIndirectExpr(0, 1).toString()
+  }
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll

@@ -1,6 +1,7 @@
 private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
 private import SsaInternals as Ssa
 private import PrintIRUtilities
 
@@ -33,9 +34,9 @@ private string getNodeProperty(Node node, string key) {
   key = "flow" and
   result =
     strictconcat(string flow, boolean to, int order1, int order2 |
-      flow = getFromFlow(node, order1, order2) + "->" + starsForNode(node) + "@" and to = false
+      flow = getFromFlow(node, order1, order2) + "->" + stars(node) + "@" and to = false
       or
-      flow = starsForNode(node) + "@->" + getToFlow(node, order1, order2) and to = true
+      flow = stars(node) + "@->" + getToFlow(node, order1, order2) and to = true
     |
       flow, ", " order by to, order1, order2, flow
     )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll

@@ -7,37 +7,14 @@ private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
 
-private string stars(int k) {
-  k =
-    [0 .. max([
-            any(RawIndirectInstruction n).getIndirectionIndex(),
-            any(RawIndirectOperand n).getIndirectionIndex()
-          ]
-      )] and
-  (if k = 0 then result = "" else result = "*" + stars(k - 1))
-}
-
-string starsForNode(Node node) {
-  exists(int indirectionIndex |
-    node.(IndirectInstruction).hasInstructionAndIndirectionIndex(_, indirectionIndex) or
-    node.(IndirectOperand).hasOperandAndIndirectionIndex(_, indirectionIndex)
-  |
-    result = stars(indirectionIndex)
-  )
-  or
-  not node instanceof IndirectInstruction and
-  not node instanceof IndirectOperand and
-  result = ""
-}
-
 private Instruction getInstruction(Node n, string stars) {
   result = [n.asInstruction(), n.(RawIndirectInstruction).getInstruction()] and
-  stars = starsForNode(n)
+  stars = stars(n)
 }
 
 private Operand getOperand(Node n, string stars) {
   result = [n.asOperand(), n.(RawIndirectOperand).getOperand()] and
-  stars = starsForNode(n)
+  stars = stars(n)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -16,6 +16,15 @@ private module SourceVariables {
       ind = [0 .. countIndirectionsForCppType(base.getLanguageType()) + 1]
     }
 
+  private int maxNumberOfIndirections() { result = max(SourceVariable sv | | sv.getIndirection()) }
+
+  private string repeatStars(int n) {
+    n = 0 and result = ""
+    or
+    n = [1 .. maxNumberOfIndirections()] and
+    result = "*" + repeatStars(n - 1)
+  }
+
   class SourceVariable extends TSourceVariable {
     SsaInternals0::SourceVariable base;
     int ind;
@@ -32,13 +41,7 @@ private module SourceVariables {
     SsaInternals0::SourceVariable getBaseVariable() { result = base }
 
     /** Gets a textual representation of this element. */
-    string toString() {
-      ind = 0 and
-      result = this.getBaseVariable().toString()
-      or
-      ind > 0 and
-      result = this.getBaseVariable().toString() + " indirection"
-    }
+    string toString() { result = repeatStars(this.getIndirection()) + base.toString() }
 
     /**
      * Gets the number of loads performed on the base source variable

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -418,6 +418,11 @@ class BaseCallVariable extends AbstractBaseSourceVariable, TBaseCallVariable {
 }
 
 private module IsModifiableAtImpl {
+  pragma[nomagic]
+  private predicate isUnderlyingIndirectionType(Type t) {
+    t = any(Indirection ind).getUnderlyingType()
+  }
+
   /**
    * Holds if the `indirectionIndex`'th dereference of a value of type
    * `cppType` is a type that can be modified (either by modifying the value
@@ -445,10 +450,9 @@ private module IsModifiableAtImpl {
   bindingset[cppType, indirectionIndex]
   pragma[inline_late]
   private predicate impl(CppType cppType, int indirectionIndex) {
-    exists(Type pointerType, Type base, Type t |
-      pointerType = t.getUnderlyingType() and
-      pointerType = any(Indirection ind).getUnderlyingType() and
-      cppType.hasType(t, _) and
+    exists(Type pointerType, Type base |
+      isUnderlyingIndirectionType(pointerType) and
+      cppType.hasUnderlyingType(pointerType, _) and
       base = getTypeImpl(pointerType, indirectionIndex)
     |
       // The value cannot be modified if it has a const specifier,

cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll

@@ -227,7 +227,7 @@ class CppType extends TCppType {
   predicate hasType(Type type, boolean isGLValue) { none() }
 
   /**
-   * Holds if this type represents the C++ type `type`. If `isGLValue` is `true`, then this type
+   * Holds if this type represents the C++ unspecified type `type`. If `isGLValue` is `true`, then this type
    * represents a glvalue of type `type`. Otherwise, it represents a prvalue of type `type`.
    */
   final predicate hasUnspecifiedType(Type type, boolean isGLValue) {
@@ -236,6 +236,18 @@ class CppType extends TCppType {
       type = specifiedType.getUnspecifiedType()
     )
   }
+
+  /**
+   * Holds if this type represents the C++ type `type` (after resolving
+   * typedefs). If `isGLValue` is `true`, then this type represents a glvalue
+   * of type `type`. Otherwise, it represents a prvalue of type `type`.
+   */
+  final predicate hasUnderlyingType(Type type, boolean isGLValue) {
+    exists(Type typedefType |
+      this.hasType(typedefType, isGLValue) and
+      type = typedefType.getUnderlyingType()
+    )
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll

@@ -9,8 +9,9 @@
 import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.Taint
 
+pragma[nomagic]
 private Type stripTopLevelSpecifiersOnly(Type t) {
-  result = stripTopLevelSpecifiersOnly(t.(SpecifiedType).getBaseType())
+  result = stripTopLevelSpecifiersOnly(pragma[only_bind_out](t.(SpecifiedType).getBaseType()))
   or
   result = t and
   not t instanceof SpecifiedType

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -356,6 +356,8 @@ case @function.kind of
 | 4 = @conversion_function
 | 5 = @operator
 | 6 = @builtin_function     // GCC built-in functions, e.g. __builtin___memcpy_chk
+| 7 = @user_defined_literal
+| 8 = @deduction_guide
 ;
 */
 
@@ -937,6 +939,7 @@ case @attribute_arg.kind of
 | 2 = @attribute_arg_constant
 | 3 = @attribute_arg_type
 | 4 = @attribute_arg_constant_expr
+| 5 = @attribute_arg_expr
 ;
 
 attribute_arg_value(
@@ -951,6 +954,10 @@ attribute_arg_constant(
     unique int arg: @attribute_arg ref,
     int constant: @expr ref
 )
+attribute_arg_expr(
+    unique int arg: @attribute_arg ref,
+    int expr: @expr ref
+)
 attribute_arg_name(
     unique int arg: @attribute_arg ref,
     string name: string ref

cpp/ql/lib/upgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/upgrade.properties

@@ -0,0 +1,2 @@
+description: Support more function types
+compatibility: backwards

cpp/ql/lib/upgrades/fc81eb5a3a7cdde8d9ad813da1e8f1e90dadbb91/upgrade.properties

@@ -0,0 +1,2 @@
+description: Support expression attribute arguments
+compatibility: backwards

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,18 @@
+## 0.9.2
+
+### New Queries
+
+* Added a new query, `cpp/use-of-unique-pointer-after-lifetime-ends`, to detect uses of the contents unique pointers that will be destroyed immediately.
+* The `cpp/incorrectly-checked-scanf` query has been added. This finds results where the return value of scanf is not checked correctly. Some of these were previously found by `cpp/missing-check-scanf` and will no longer be reported there.
+
+### Minor Analysis Improvements
+
+* The `cpp/badly-bounded-write` query could report false positives when a pointer was first initialized with a literal and later assigned a dynamically allocated array. These false positives now no longer occur.
+
+## 0.9.1
+
+No user-facing changes.
+
 ## 0.9.0
 
 ### Breaking Changes

cpp/ql/src/Critical/FlowAfterFree.qll

@@ -87,6 +87,8 @@ module FlowFromFree<isSinkSig/2 isASink, isExcludedSig/2 isExcluded> {
       |
         e = any(StoreInstruction store).getDestinationAddress().getUnconvertedResultExpression()
       )
+      or
+      n.asExpr() instanceof ArrayExpr
     }
   }
 

cpp/ql/src/Critical/UseAfterFree.ql

@@ -101,35 +101,43 @@ module ParameterSinks {
     )
   }
 
-  private CallInstruction getAnAlwaysReachedCallInstruction(IRFunction f) {
-    result.getBlock().postDominates(f.getEntryBlock())
+  private CallInstruction getAnAlwaysReachedCallInstruction() {
+    exists(IRFunction f | result.getBlock().postDominates(f.getEntryBlock()))
   }
 
   pragma[nomagic]
-  predicate callHasTargetAndArgument(Function f, int i, CallInstruction call, Instruction argument) {
-    call.getStaticCallTarget() = f and
-    call.getArgument(i) = argument
+  private predicate callHasTargetAndArgument(Function f, int i, Instruction argument) {
+    exists(CallInstruction call |
+      call.getStaticCallTarget() = f and
+      call.getArgument(i) = argument and
+      call = getAnAlwaysReachedCallInstruction()
+    )
   }
 
   pragma[nomagic]
-  predicate initializeParameterInFunction(Function f, int i, InitializeParameterInstruction init) {
-    pragma[only_bind_out](init.getEnclosingFunction()) = f and
-    init.hasIndex(i)
+  private predicate initializeParameterInFunction(Function f, int i) {
+    exists(InitializeParameterInstruction init |
+      pragma[only_bind_out](init.getEnclosingFunction()) = f and
+      init.hasIndex(i) and
+      init = getAnAlwaysDereferencedParameter()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate alwaysDereferencedArgumentHasValueNumber(ValueNumber vn) {
+    exists(int i, Function f, Instruction argument |
+      callHasTargetAndArgument(f, i, argument) and
+      initializeParameterInFunction(pragma[only_bind_into](f), pragma[only_bind_into](i)) and
+      vn.getAnInstruction() = argument
+    )
   }
 
   InitializeParameterInstruction getAnAlwaysDereferencedParameter() {
     result = getAnAlwaysDereferencedParameter0()
     or
-    exists(
-      CallInstruction call, int i, InitializeParameterInstruction p, Instruction argument,
-      Function f
-    |
-      callHasTargetAndArgument(f, i, call, argument) and
-      initializeParameterInFunction(f, i, p) and
-      p = getAnAlwaysDereferencedParameter() and
-      result =
-        pragma[only_bind_out](pragma[only_bind_into](valueNumber(argument)).getAnInstruction()) and
-      call = getAnAlwaysReachedCallInstruction(_)
+    exists(ValueNumber vn |
+      alwaysDereferencedArgumentHasValueNumber(vn) and
+      vn.getAnInstruction() = result
     )
   }
 }

cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql

@@ -24,7 +24,7 @@ import semmle.code.cpp.security.BufferWrite
 from BufferWrite bw, int destSize
 where
   bw.hasExplicitLimit() and // has an explicit size limit
-  destSize = getBufferSize(bw.getDest(), _) and
+  destSize = max(getBufferSize(bw.getDest(), _)) and
   bw.getExplicitLimit() > destSize // but it's larger than the destination
 select bw,
   "This '" + bw.getBWDesc() + "' operation is limited to " + bw.getExplicitLimit() +

cpp/ql/src/Security/CWE/CWE-416/Temporaries.qll

@@ -0,0 +1,98 @@
+import cpp
+import semmle.code.cpp.models.implementations.StdContainer
+
+/**
+ * Holds if `e` will be consumed by its parent as a glvalue and does not have
+ * an lvalue-to-rvalue conversion. This means that it will be materialized into
+ * a temporary object.
+ */
+predicate isTemporary(Expr e) {
+  e instanceof TemporaryObjectExpr
+  or
+  e.isPRValueCategory() and
+  e.getUnspecifiedType() instanceof Class and
+  not e.hasLValueToRValueConversion()
+}
+
+/** Holds if `e` is written to a container. */
+predicate isStoredInContainer(Expr e) {
+  exists(StdSequenceContainerInsert insert, Call call, int index |
+    call = insert.getACallToThisFunction() and
+    index = insert.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+  or
+  exists(StdSequenceContainerPush push, Call call, int index |
+    call = push.getACallToThisFunction() and
+    index = push.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+  or
+  exists(StdSequenceEmplace emplace, Call call, int index |
+    call = emplace.getACallToThisFunction() and
+    index = emplace.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+  or
+  exists(StdSequenceEmplaceBack emplaceBack, Call call, int index |
+    call = emplaceBack.getACallToThisFunction() and
+    index = emplaceBack.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+}
+
+/**
+ * Holds if `e` or a conversion of `e` has an lvalue-to-rvalue conversion.
+ */
+private predicate hasLValueToRValueConversion(Expr e) {
+  e.getConversion*().hasLValueToRValueConversion() and
+  not e instanceof ConditionalExpr // ConditionalExpr may be spuriously reported as having an lvalue-to-rvalue conversion
+}
+
+/**
+ * Holds if the value of `e` outlives the enclosing full expression. For
+ * example, because the value is stored in a local variable.
+ */
+predicate outlivesFullExpr(Expr e) {
+  not hasLValueToRValueConversion(e) and
+  (
+    any(Assignment assign).getRValue() = e
+    or
+    any(Variable v).getInitializer().getExpr() = e
+    or
+    any(ReturnStmt ret).getExpr() = e
+    or
+    exists(ConditionalExpr cond |
+      outlivesFullExpr(cond) and
+      [cond.getThen(), cond.getElse()] = e
+    )
+    or
+    exists(BinaryOperation bin |
+      outlivesFullExpr(bin) and
+      bin.getAnOperand() = e and
+      not bin instanceof ComparisonOperation
+    )
+    or
+    exists(PointerFieldAccess fa |
+      outlivesFullExpr(fa) and
+      fa.getQualifier() = e
+    )
+    or
+    exists(AddressOfExpr ao |
+      outlivesFullExpr(ao) and
+      ao.getOperand() = e
+    )
+    or
+    exists(ClassAggregateLiteral aggr |
+      outlivesFullExpr(aggr) and
+      aggr.getAFieldExpr(_) = e
+    )
+    or
+    exists(ArrayAggregateLiteral aggr |
+      outlivesFullExpr(aggr) and
+      aggr.getAnElementExpr(_) = e
+    )
+    or
+    isStoredInContainer(e)
+  )
+}

cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql

@@ -14,81 +14,7 @@
 
 import cpp
 import semmle.code.cpp.models.implementations.StdString
-import semmle.code.cpp.models.implementations.StdContainer
-
-/**
- * Holds if `e` will be consumed by its parent as a glvalue and does not have
- * an lvalue-to-rvalue conversion. This means that it will be materialized into
- * a temporary object.
- */
-predicate isTemporary(Expr e) {
-  e instanceof TemporaryObjectExpr
-  or
-  e.isPRValueCategory() and
-  e.getUnspecifiedType() instanceof Class and
-  not e.hasLValueToRValueConversion()
-}
-
-/** Holds if `e` is written to a container. */
-predicate isStoredInContainer(Expr e) {
-  exists(StdSequenceContainerInsert insert, Call call, int index |
-    call = insert.getACallToThisFunction() and
-    index = insert.getAValueTypeParameterIndex() and
-    call.getArgument(index) = e
-  )
-  or
-  exists(StdSequenceContainerPush push, Call call, int index |
-    call = push.getACallToThisFunction() and
-    index = push.getAValueTypeParameterIndex() and
-    call.getArgument(index) = e
-  )
-  or
-  exists(StdSequenceEmplace emplace, Call call, int index |
-    call = emplace.getACallToThisFunction() and
-    index = emplace.getAValueTypeParameterIndex() and
-    call.getArgument(index) = e
-  )
-  or
-  exists(StdSequenceEmplaceBack emplaceBack, Call call, int index |
-    call = emplaceBack.getACallToThisFunction() and
-    index = emplaceBack.getAValueTypeParameterIndex() and
-    call.getArgument(index) = e
-  )
-}
-
-/**
- * Holds if the value of `e` outlives the enclosing full expression. For
- * example, because the value is stored in a local variable.
- */
-predicate outlivesFullExpr(Expr e) {
-  any(Assignment assign).getRValue() = e
-  or
-  any(Variable v).getInitializer().getExpr() = e
-  or
-  any(ReturnStmt ret).getExpr() = e
-  or
-  exists(ConditionalExpr cond |
-    outlivesFullExpr(cond) and
-    [cond.getThen(), cond.getElse()] = e
-  )
-  or
-  exists(BinaryOperation bin |
-    outlivesFullExpr(bin) and
-    bin.getAnOperand() = e
-  )
-  or
-  exists(ClassAggregateLiteral aggr |
-    outlivesFullExpr(aggr) and
-    aggr.getAFieldExpr(_) = e
-  )
-  or
-  exists(ArrayAggregateLiteral aggr |
-    outlivesFullExpr(aggr) and
-    aggr.getAnElementExpr(_) = e
-  )
-  or
-  isStoredInContainer(e)
-}
+import Temporaries
 
 from Call c
 where

cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.qhelp

@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Calling <code>get</code> on a <code>std::unique_ptr</code> object returns a pointer to the underlying allocations.
+When the <code>std::unique_ptr</code> object is destroyed, the pointer returned by <code>get</code> is no
+longer valid. If the pointer is used after the <code>std::unique_ptr</code> object is destroyed, then the behavior is undefined.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Ensure that the pointer returned by <code>get</code> does not outlive the underlying <code>std::unique_ptr</code> object.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example gets a <code>std::unique_ptr</code> object, and then converts the resulting unique pointer to a
+pointer using <code>get</code> so that it can be passed to the <code>work</code> function.
+
+However, the <code>std::unique_ptr</code> object is destroyed as soon as the call
+to <code>get</code> returns. This means that <code>work</code> is given a pointer to invalid memory.
+</p>
+
+<sample src="UseOfUniquePointerAfterLifetimeEndsBad.cpp" />
+
+<p>
+The following example fixes the above code by ensuring that the pointer returned by the call to <code>get</code> does
+not outlive the underlying <code>std::unique_ptr</code> objects. This ensures that the pointer passed to <code>work</code>
+points to valid memory.
+</p>
+
+<sample src="UseOfUniquePointerAfterLifetimeEndsGood.cpp" />
+
+</example>
+<references>
+
+<li><a href="https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM50-CPP.+Do+not+access+freed+memory">MEM50-CPP. Do not access freed memory</a>.</li>
+
+</references>
+</qhelp>

cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql

@@ -0,0 +1,36 @@
+/**
+ * @name Use of unique pointer after lifetime ends
+ * @description Referencing the contents of a unique pointer after the underlying object has expired may lead to unexpected behavior.
+ * @kind problem
+ * @precision high
+ * @id cpp/use-of-unique-pointer-after-lifetime-ends
+ * @problem.severity warning
+ * @security-severity 8.8
+ * @tags reliability
+ *       security
+ *       external/cwe/cwe-416
+ *       external/cwe/cwe-664
+ */
+
+import cpp
+import semmle.code.cpp.models.interfaces.PointerWrapper
+import Temporaries
+
+predicate isUniquePointerDerefFunction(Function f) {
+  exists(PointerWrapper wrapper |
+    f = wrapper.getAnUnwrapperFunction() and
+    // We only want unique pointers as the memory behind share pointers may still be
+    // alive after the shared pointer is destroyed.
+    wrapper.(Class).hasQualifiedName(["std", "bsl"], "unique_ptr")
+  )
+}
+
+from Call c
+where
+  outlivesFullExpr(c) and
+  not c.isFromUninstantiatedTemplate(_) and
+  isUniquePointerDerefFunction(c.getTarget()) and
+  isTemporary(c.getQualifier().getFullyConverted())
+select c,
+  "The underlying unique pointer object is destroyed after the call to '" + c.getTarget() +
+    "' returns."

cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEndsBad.cpp

@@ -0,0 +1,10 @@
+#include <memory>
+std::unique_ptr<T> getUniquePointer();
+void work(const T*);
+
+// BAD: the unique pointer is deallocated when `get` returns. So `work`
+// is given a pointer to invalid memory.
+void work_with_unique_ptr_bad() {
+  const T* combined_string = getUniquePointer().get();
+  work(combined_string);
+}

cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEndsGood.cpp

@@ -0,0 +1,10 @@
+#include <memory>
+std::unique_ptr<T> getUniquePointer();
+void work(const T*);
+
+// GOOD: the unique pointer outlives the call to `work`. So the pointer
+// obtainted from `get` is valid.
+void work_with_unique_ptr_good() {
+  auto combined_string = getUniquePointer();
+  work(combined_string.get());
+}

cpp/ql/src/change-notes/2023-12-04-incorrectly-checked-scanf.md

@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* The `cpp/incorrectly-checked-scanf` query has been added. This finds results where the return value of scanf is not checked correctly. Some of these were previously found by `cpp/missing-check-scanf` and will no longer be reported there.

cpp/ql/src/change-notes/released/0.9.1.md

@@ -0,0 +1,3 @@
+## 0.9.1
+
+No user-facing changes.

cpp/ql/src/change-notes/released/0.9.2.md

@@ -0,0 +1,10 @@
+## 0.9.2
+
+### New Queries
+
+* Added a new query, `cpp/use-of-unique-pointer-after-lifetime-ends`, to detect uses of the contents unique pointers that will be destroyed immediately.
+* The `cpp/incorrectly-checked-scanf` query has been added. This finds results where the return value of scanf is not checked correctly. Some of these were previously found by `cpp/missing-check-scanf` and will no longer be reported there.
+
+### Minor Analysis Improvements
+
+* The `cpp/badly-bounded-write` query could report false positives when a pointer was first initialized with a literal and later assigned a dynamically allocated array. These false positives now no longer occur.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.9.0
+lastReleaseVersion: 0.9.2

cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql

@@ -126,13 +126,13 @@ class Resource extends MemberVariable {
   }
 
   private predicate calledFromDestructor(Function f) {
-    f instanceof Destructor and f.getDeclaringType() = this.getDeclaringType()
+    pragma[only_bind_into](f) instanceof Destructor and
+    f.getDeclaringType() = this.getDeclaringType()
     or
-    exists(Function mid, FunctionCall fc |
+    exists(Function mid |
       this.calledFromDestructor(mid) and
-      fc.getEnclosingFunction() = mid and
-      fc.getTarget() = f and
-      f.getDeclaringType() = this.getDeclaringType()
+      mid.calls(f) and
+      pragma[only_bind_out](f.getDeclaringType()) = pragma[only_bind_out](this.getDeclaringType())
     )
   }
 

cpp/ql/src/jsf/4.16 Initialization/AV Rule 145.ql

@@ -32,18 +32,41 @@ predicate hasReferenceInitializer(EnumConstant c) {
   )
 }
 
+/**
+ * Gets the `rnk`'th (1-based) enumeration constant in `e` that does not have a
+ * reference initializer (i.e., an initializer that refers to an enumeration
+ * constant from the same enumeration).
+ */
+EnumConstant getNonReferenceInitializedEnumConstantByRank(Enum e, int rnk) {
+  result =
+    rank[rnk](EnumConstant cand, int pos, string filepath, int startline, int startcolumn |
+      e.getEnumConstant(pos) = cand and
+      not hasReferenceInitializer(cand) and
+      cand.getLocation().hasLocationInfo(filepath, startline, startcolumn, _, _)
+    |
+      cand order by pos, filepath, startline, startcolumn
+    )
+}
+
+/**
+ * Holds if `ec` is not the last enumeration constant in `e` that has a non-
+ * reference initializer.
+ */
+predicate hasNextWithoutReferenceInitializer(Enum e, EnumConstant ec) {
+  exists(int rnk |
+    ec = getNonReferenceInitializedEnumConstantByRank(e, rnk) and
+    exists(getNonReferenceInitializedEnumConstantByRank(e, rnk + 1))
+  )
+}
+
 // There exists another constant whose value is implicit, but it's
 // not the last one: the last value is okay to use to get the highest
 // enum value automatically. It can be followed by aliases though.
 predicate enumThatHasConstantWithImplicitValue(Enum e) {
-  exists(EnumConstant ec, int pos |
-    ec = e.getEnumConstant(pos) and
+  exists(EnumConstant ec |
+    ec = e.getAnEnumConstant() and
     not hasInitializer(ec) and
-    exists(EnumConstant ec2, int pos2 |
-      ec2 = e.getEnumConstant(pos2) and
-      pos2 > pos and
-      not hasReferenceInitializer(ec2)
-    )
+    hasNextWithoutReferenceInitializer(e, ec)
   )
 }
 

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.9.1-dev
+version: 0.9.2
 groups:
   - cpp
   - queries

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected

@@ -1,8 +1,8 @@
 edges
-| test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath indirection |
+| test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath |
 nodes
-| test.cpp:22:27:22:30 | argv indirection | semmle.label | argv indirection |
-| test.cpp:29:13:29:20 | filePath indirection | semmle.label | filePath indirection |
+| test.cpp:22:27:22:30 | **argv | semmle.label | **argv |
+| test.cpp:29:13:29:20 | *filePath | semmle.label | *filePath |
 subpaths
 #select
-| test.cpp:29:13:29:20 | filePath indirection | test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath indirection | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
+| test.cpp:29:13:29:20 | *filePath | test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected

@@ -1,87 +1,87 @@
 edges
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:6:9:6:11 | arr |
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr |
-| test.cpp:19:9:19:16 | mk_array indirection [p] | test.cpp:28:19:28:26 | call to mk_array [p] |
-| test.cpp:19:9:19:16 | mk_array indirection [p] | test.cpp:50:18:50:25 | call to mk_array [p] |
-| test.cpp:21:5:21:7 | arr indirection [post update] [p] | test.cpp:22:5:22:7 | arr indirection [p] |
-| test.cpp:21:5:21:24 | ... = ... | test.cpp:21:5:21:7 | arr indirection [post update] [p] |
+| test.cpp:19:9:19:16 | *mk_array [p] | test.cpp:28:19:28:26 | call to mk_array [p] |
+| test.cpp:19:9:19:16 | *mk_array [p] | test.cpp:50:18:50:25 | call to mk_array [p] |
+| test.cpp:21:5:21:7 | *arr [post update] [p] | test.cpp:22:5:22:7 | *arr [p] |
+| test.cpp:21:5:21:24 | ... = ... | test.cpp:21:5:21:7 | *arr [post update] [p] |
 | test.cpp:21:13:21:18 | call to malloc | test.cpp:21:5:21:24 | ... = ... |
-| test.cpp:22:5:22:7 | arr indirection [p] | test.cpp:19:9:19:16 | mk_array indirection [p] |
-| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:31:9:31:11 | arr indirection [p] |
-| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:35:9:35:11 | arr indirection [p] |
-| test.cpp:31:9:31:11 | arr indirection [p] | test.cpp:31:13:31:13 | p |
-| test.cpp:35:9:35:11 | arr indirection [p] | test.cpp:35:13:35:13 | p |
-| test.cpp:39:27:39:29 | arr [p] | test.cpp:41:9:41:11 | arr indirection [p] |
-| test.cpp:39:27:39:29 | arr [p] | test.cpp:45:9:45:11 | arr indirection [p] |
-| test.cpp:41:9:41:11 | arr indirection [p] | test.cpp:41:13:41:13 | p |
-| test.cpp:45:9:45:11 | arr indirection [p] | test.cpp:45:13:45:13 | p |
+| test.cpp:22:5:22:7 | *arr [p] | test.cpp:19:9:19:16 | *mk_array [p] |
+| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:31:9:31:11 | *arr [p] |
+| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:35:9:35:11 | *arr [p] |
+| test.cpp:31:9:31:11 | *arr [p] | test.cpp:31:13:31:13 | p |
+| test.cpp:35:9:35:11 | *arr [p] | test.cpp:35:13:35:13 | p |
+| test.cpp:39:27:39:29 | arr [p] | test.cpp:41:9:41:11 | *arr [p] |
+| test.cpp:39:27:39:29 | arr [p] | test.cpp:45:9:45:11 | *arr [p] |
+| test.cpp:41:9:41:11 | *arr [p] | test.cpp:41:13:41:13 | p |
+| test.cpp:45:9:45:11 | *arr [p] | test.cpp:45:13:45:13 | p |
 | test.cpp:50:18:50:25 | call to mk_array [p] | test.cpp:39:27:39:29 | arr [p] |
-| test.cpp:55:5:55:7 | arr indirection [post update] [p] | test.cpp:56:5:56:7 | arr indirection [p] |
-| test.cpp:55:5:55:24 | ... = ... | test.cpp:55:5:55:7 | arr indirection [post update] [p] |
+| test.cpp:55:5:55:7 | *arr [post update] [p] | test.cpp:56:5:56:7 | *arr [p] |
+| test.cpp:55:5:55:24 | ... = ... | test.cpp:55:5:55:7 | *arr [post update] [p] |
 | test.cpp:55:13:55:18 | call to malloc | test.cpp:55:5:55:24 | ... = ... |
-| test.cpp:56:5:56:7 | arr indirection [p] | test.cpp:59:9:59:11 | arr indirection [p] |
-| test.cpp:56:5:56:7 | arr indirection [p] | test.cpp:63:9:63:11 | arr indirection [p] |
-| test.cpp:59:9:59:11 | arr indirection [p] | test.cpp:59:13:59:13 | p |
-| test.cpp:63:9:63:11 | arr indirection [p] | test.cpp:63:13:63:13 | p |
-| test.cpp:67:10:67:19 | mk_array_p indirection [p] | test.cpp:76:20:76:29 | call to mk_array_p indirection [p] |
-| test.cpp:67:10:67:19 | mk_array_p indirection [p] | test.cpp:98:18:98:27 | call to mk_array_p indirection [p] |
-| test.cpp:69:5:69:7 | arr indirection [post update] [p] | test.cpp:70:5:70:7 | arr indirection [p] |
-| test.cpp:69:5:69:25 | ... = ... | test.cpp:69:5:69:7 | arr indirection [post update] [p] |
+| test.cpp:56:5:56:7 | *arr [p] | test.cpp:59:9:59:11 | *arr [p] |
+| test.cpp:56:5:56:7 | *arr [p] | test.cpp:63:9:63:11 | *arr [p] |
+| test.cpp:59:9:59:11 | *arr [p] | test.cpp:59:13:59:13 | p |
+| test.cpp:63:9:63:11 | *arr [p] | test.cpp:63:13:63:13 | p |
+| test.cpp:67:10:67:19 | **mk_array_p [p] | test.cpp:76:20:76:29 | *call to mk_array_p [p] |
+| test.cpp:67:10:67:19 | **mk_array_p [p] | test.cpp:98:18:98:27 | *call to mk_array_p [p] |
+| test.cpp:69:5:69:7 | *arr [post update] [p] | test.cpp:70:5:70:7 | *arr [p] |
+| test.cpp:69:5:69:25 | ... = ... | test.cpp:69:5:69:7 | *arr [post update] [p] |
 | test.cpp:69:14:69:19 | call to malloc | test.cpp:69:5:69:25 | ... = ... |
-| test.cpp:70:5:70:7 | arr indirection [p] | test.cpp:67:10:67:19 | mk_array_p indirection [p] |
-| test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | test.cpp:79:9:79:11 | arr indirection [p] |
-| test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | test.cpp:83:9:83:11 | arr indirection [p] |
-| test.cpp:79:9:79:11 | arr indirection [p] | test.cpp:79:14:79:14 | p |
-| test.cpp:83:9:83:11 | arr indirection [p] | test.cpp:83:14:83:14 | p |
-| test.cpp:87:28:87:30 | arr indirection [p] | test.cpp:89:9:89:11 | arr indirection [p] |
-| test.cpp:87:28:87:30 | arr indirection [p] | test.cpp:93:9:93:11 | arr indirection [p] |
-| test.cpp:89:9:89:11 | arr indirection [p] | test.cpp:89:14:89:14 | p |
-| test.cpp:93:9:93:11 | arr indirection [p] | test.cpp:93:14:93:14 | p |
-| test.cpp:98:18:98:27 | call to mk_array_p indirection [p] | test.cpp:87:28:87:30 | arr indirection [p] |
+| test.cpp:70:5:70:7 | *arr [p] | test.cpp:67:10:67:19 | **mk_array_p [p] |
+| test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:79:9:79:11 | *arr [p] |
+| test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:83:9:83:11 | *arr [p] |
+| test.cpp:79:9:79:11 | *arr [p] | test.cpp:79:14:79:14 | p |
+| test.cpp:83:9:83:11 | *arr [p] | test.cpp:83:14:83:14 | p |
+| test.cpp:87:28:87:30 | *arr [p] | test.cpp:89:9:89:11 | *arr [p] |
+| test.cpp:87:28:87:30 | *arr [p] | test.cpp:93:9:93:11 | *arr [p] |
+| test.cpp:89:9:89:11 | *arr [p] | test.cpp:89:14:89:14 | p |
+| test.cpp:93:9:93:11 | *arr [p] | test.cpp:93:14:93:14 | p |
+| test.cpp:98:18:98:27 | *call to mk_array_p [p] | test.cpp:87:28:87:30 | *arr [p] |
 nodes
 | test.cpp:4:17:4:22 | call to malloc | semmle.label | call to malloc |
 | test.cpp:6:9:6:11 | arr | semmle.label | arr |
 | test.cpp:10:9:10:11 | arr | semmle.label | arr |
-| test.cpp:19:9:19:16 | mk_array indirection [p] | semmle.label | mk_array indirection [p] |
-| test.cpp:21:5:21:7 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
+| test.cpp:19:9:19:16 | *mk_array [p] | semmle.label | *mk_array [p] |
+| test.cpp:21:5:21:7 | *arr [post update] [p] | semmle.label | *arr [post update] [p] |
 | test.cpp:21:5:21:24 | ... = ... | semmle.label | ... = ... |
 | test.cpp:21:13:21:18 | call to malloc | semmle.label | call to malloc |
-| test.cpp:22:5:22:7 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:22:5:22:7 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:28:19:28:26 | call to mk_array [p] | semmle.label | call to mk_array [p] |
-| test.cpp:31:9:31:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:31:9:31:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:31:13:31:13 | p | semmle.label | p |
-| test.cpp:35:9:35:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:35:9:35:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:35:13:35:13 | p | semmle.label | p |
 | test.cpp:39:27:39:29 | arr [p] | semmle.label | arr [p] |
-| test.cpp:41:9:41:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:41:9:41:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:41:13:41:13 | p | semmle.label | p |
-| test.cpp:45:9:45:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:45:9:45:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:45:13:45:13 | p | semmle.label | p |
 | test.cpp:50:18:50:25 | call to mk_array [p] | semmle.label | call to mk_array [p] |
-| test.cpp:55:5:55:7 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
+| test.cpp:55:5:55:7 | *arr [post update] [p] | semmle.label | *arr [post update] [p] |
 | test.cpp:55:5:55:24 | ... = ... | semmle.label | ... = ... |
 | test.cpp:55:13:55:18 | call to malloc | semmle.label | call to malloc |
-| test.cpp:56:5:56:7 | arr indirection [p] | semmle.label | arr indirection [p] |
-| test.cpp:59:9:59:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:56:5:56:7 | *arr [p] | semmle.label | *arr [p] |
+| test.cpp:59:9:59:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:59:13:59:13 | p | semmle.label | p |
-| test.cpp:63:9:63:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:63:9:63:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:63:13:63:13 | p | semmle.label | p |
-| test.cpp:67:10:67:19 | mk_array_p indirection [p] | semmle.label | mk_array_p indirection [p] |
-| test.cpp:69:5:69:7 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
+| test.cpp:67:10:67:19 | **mk_array_p [p] | semmle.label | **mk_array_p [p] |
+| test.cpp:69:5:69:7 | *arr [post update] [p] | semmle.label | *arr [post update] [p] |
 | test.cpp:69:5:69:25 | ... = ... | semmle.label | ... = ... |
 | test.cpp:69:14:69:19 | call to malloc | semmle.label | call to malloc |
-| test.cpp:70:5:70:7 | arr indirection [p] | semmle.label | arr indirection [p] |
-| test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | semmle.label | call to mk_array_p indirection [p] |
-| test.cpp:79:9:79:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:70:5:70:7 | *arr [p] | semmle.label | *arr [p] |
+| test.cpp:76:20:76:29 | *call to mk_array_p [p] | semmle.label | *call to mk_array_p [p] |
+| test.cpp:79:9:79:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:79:14:79:14 | p | semmle.label | p |
-| test.cpp:83:9:83:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:83:9:83:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:83:14:83:14 | p | semmle.label | p |
-| test.cpp:87:28:87:30 | arr indirection [p] | semmle.label | arr indirection [p] |
-| test.cpp:89:9:89:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:87:28:87:30 | *arr [p] | semmle.label | *arr [p] |
+| test.cpp:89:9:89:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:89:14:89:14 | p | semmle.label | p |
-| test.cpp:93:9:93:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:93:9:93:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:93:14:93:14 | p | semmle.label | p |
-| test.cpp:98:18:98:27 | call to mk_array_p indirection [p] | semmle.label | call to mk_array_p indirection [p] |
+| test.cpp:98:18:98:27 | *call to mk_array_p [p] | semmle.label | *call to mk_array_p [p] |
 subpaths
 #select
 | test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected

@@ -35,10 +35,10 @@ edges
 | test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr |
 | test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr |
 | test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf |
-| test.cpp:146:26:146:26 | p indirection | test.cpp:147:4:147:9 | -- ... |
+| test.cpp:146:26:146:26 | *p | test.cpp:147:4:147:9 | -- ... |
 | test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... |
-| test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | & ... indirection |
-| test.cpp:158:17:158:18 | & ... indirection | test.cpp:146:26:146:26 | p indirection |
+| test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | *& ... |
+| test.cpp:158:17:158:18 | *& ... | test.cpp:146:26:146:26 | *p |
 | test.cpp:218:23:218:28 | buffer | test.cpp:220:5:220:11 | access to array |
 | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array |
 | test.cpp:229:25:229:29 | array | test.cpp:231:5:231:10 | access to array |
@@ -121,11 +121,11 @@ nodes
 | test.cpp:138:13:138:15 | arr | semmle.label | arr |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
-| test.cpp:146:26:146:26 | p indirection | semmle.label | p indirection |
+| test.cpp:146:26:146:26 | *p | semmle.label | *p |
 | test.cpp:147:4:147:9 | -- ... | semmle.label | -- ... |
 | test.cpp:156:12:156:14 | buf | semmle.label | buf |
 | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
-| test.cpp:158:17:158:18 | & ... indirection | semmle.label | & ... indirection |
+| test.cpp:158:17:158:18 | *& ... | semmle.label | *& ... |
 | test.cpp:218:23:218:28 | buffer | semmle.label | buffer |
 | test.cpp:220:5:220:11 | access to array | semmle.label | access to array |
 | test.cpp:221:5:221:11 | access to array | semmle.label | access to array |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected

@@ -1,5 +1,5 @@
 edges
-| test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | func indirection |
+| test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | *func |
 | test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp |
 | test.cpp:74:24:74:30 | medical | test.cpp:81:22:81:28 | medical |
 | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp |
@@ -10,7 +10,7 @@ edges
 | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
 | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
 nodes
-| test.cpp:45:7:45:10 | func indirection | semmle.label | func indirection |
+| test.cpp:45:7:45:10 | *func | semmle.label | *func |
 | test.cpp:45:18:45:23 | buffer | semmle.label | buffer |
 | test.cpp:57:9:57:18 | theZipcode | semmle.label | theZipcode |
 | test.cpp:74:24:74:30 | medical | semmle.label | medical |
@@ -25,7 +25,7 @@ nodes
 | test.cpp:99:42:99:51 | theZipcode | semmle.label | theZipcode |
 | test.cpp:99:61:99:70 | theZipcode | semmle.label | theZipcode |
 subpaths
-| test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | func indirection | test.cpp:81:17:81:20 | call to func |
+| test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | *func | test.cpp:81:17:81:20 | call to func |
 #select
 | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. |
 | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. |

cpp/ql/test/header-variant-tests/clang-pch/clang-pch.expected

@@ -1,6 +1,7 @@
 | b.c:5:3:5:34 | return ... | 10 |
 | c.c:2:3:2:20 | return ... | 5 |
 | e.c:2:3:2:19 | return ... | 17 |
+| g.c:3:3:3:12 | return ... | 20 |
 | i.c:3:3:3:12 | return ... | 30 |
 | i.c:8:3:8:12 | return ... | 31 |
 | i.c:13:3:13:12 | return ... | 32 |

cpp/ql/test/header-variant-tests/clang-pch/g.c

@@ -3,4 +3,4 @@ static int g() {
   return 20;
 }
 #endif
-// semmle-extractor-options: --clang -include-pch ${testdir}/clang-pch.testproj/f.pch --expect_errors
+// semmle-extractor-options: --clang -include-pch ${testdir}/clang-pch.testproj/f.pch

cpp/ql/test/header-variant-tests/clang-pch/i.c

@@ -1,6 +1,6 @@
 #ifdef SEEN_H
 static int h() {
-  return 30; // [FALSE POSITIVE] (#pragma hdrstop bug, SEEN_H should not be defined in the precompiled header)
+  return 30;
 }
 #endif
 #ifdef H1
@@ -10,7 +10,7 @@ static int h1() {
 #endif
 #ifdef H2
 static int h2() {
-  return 32; // [FALSE POSITIVE] (#pragma hdrstop bug, H2 should not be defined in the precompiled header)
+  return 32;
 }
 #endif
 // semmle-extractor-options: --clang -include-pch ${testdir}/clang-pch.testproj/h.pch

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -12,14 +12,14 @@ compatibleTypesReflexive
 unreachableNodeCCtx
 localCallNodes
 postIsNotPre
-| flowOut.cpp:84:3:84:14 | access to array indirection | PostUpdateNode should not equal its pre-update node. |
+| flowOut.cpp:84:3:84:14 | *access to array | PostUpdateNode should not equal its pre-update node. |
 postHasUniquePre
 uniquePostUpdate
 postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
-| flowOut.cpp:84:3:84:14 | access to array indirection | PostUpdateNode should not be the target of local flow. |
+| flowOut.cpp:84:3:84:14 | *access to array | PostUpdateNode should not be the target of local flow. |
 | test.cpp:384:10:384:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:391:10:391:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -142,16 +142,16 @@ irFlow
 | BarrierGuard.cpp:60:11:60:16 | call to source | BarrierGuard.cpp:66:14:66:14 | x |
 | acrossLinkTargets.cpp:19:27:19:32 | call to source | acrossLinkTargets.cpp:12:8:12:8 | x |
 | clang.cpp:12:9:12:20 | sourceArray1 | clang.cpp:18:8:18:19 | sourceArray1 |
-| clang.cpp:12:9:12:20 | sourceArray1 | clang.cpp:23:17:23:29 | & ... indirection |
+| clang.cpp:12:9:12:20 | sourceArray1 | clang.cpp:23:17:23:29 | *& ... |
 | clang.cpp:29:27:29:32 | call to source | clang.cpp:30:27:30:28 | m1 |
 | clang.cpp:29:27:29:32 | call to source | clang.cpp:31:27:31:34 | call to getFirst |
 | clang.cpp:35:32:35:37 | call to source | clang.cpp:38:10:38:11 | m2 |
 | clang.cpp:40:42:40:47 | call to source | clang.cpp:42:18:42:19 | m2 |
 | clang.cpp:44:35:44:40 | call to source | clang.cpp:46:17:46:18 | m2 |
 | clang.cpp:50:7:50:16 | definition of stackArray | clang.cpp:52:8:52:17 | stackArray |
-| clang.cpp:50:25:50:30 | call to source | clang.cpp:53:17:53:26 | stackArray indirection |
-| clang.cpp:50:35:50:40 | call to source | clang.cpp:53:17:53:26 | stackArray indirection |
-| clang.cpp:51:19:51:24 | call to source | clang.cpp:53:17:53:26 | stackArray indirection |
+| clang.cpp:50:25:50:30 | call to source | clang.cpp:53:17:53:26 | *stackArray |
+| clang.cpp:50:35:50:40 | call to source | clang.cpp:53:17:53:26 | *stackArray |
+| clang.cpp:51:19:51:24 | call to source | clang.cpp:53:17:53:26 | *stackArray |
 | dispatch.cpp:9:37:9:42 | call to source | dispatch.cpp:35:16:35:25 | call to notSource1 |
 | dispatch.cpp:9:37:9:42 | call to source | dispatch.cpp:43:15:43:24 | call to notSource1 |
 | dispatch.cpp:10:37:10:42 | call to source | dispatch.cpp:36:16:36:25 | call to notSource2 |
@@ -210,7 +210,7 @@ irFlow
 | test.cpp:75:7:75:8 | definition of u1 | test.cpp:76:8:76:9 | u1 |
 | test.cpp:83:7:83:8 | definition of u2 | test.cpp:84:8:84:18 | ... ? ... : ... |
 | test.cpp:83:7:83:8 | definition of u2 | test.cpp:86:8:86:9 | i1 |
-| test.cpp:89:28:89:34 | source1 indirection | test.cpp:90:8:90:14 | source1 |
+| test.cpp:89:28:89:34 | *source1 | test.cpp:90:8:90:14 | source1 |
 | test.cpp:100:13:100:18 | call to source | test.cpp:103:10:103:12 | ref |
 | test.cpp:138:27:138:32 | call to source | test.cpp:140:8:140:8 | y |
 | test.cpp:151:33:151:38 | call to source | test.cpp:144:8:144:8 | s |
@@ -256,19 +256,19 @@ irFlow
 | test.cpp:531:29:531:34 | call to source | test.cpp:532:8:532:9 | * ... |
 | test.cpp:547:9:547:9 | definition of x | test.cpp:536:10:536:11 | * ... |
 | test.cpp:551:9:551:9 | definition of y | test.cpp:541:10:541:10 | y |
-| test.cpp:562:17:562:31 | call to indirect_source indirection | test.cpp:566:10:566:19 | * ... |
-| test.cpp:562:17:562:31 | call to indirect_source indirection | test.cpp:568:10:568:19 | * ... |
-| test.cpp:562:17:562:31 | call to indirect_source indirection | test.cpp:572:10:572:19 | * ... |
-| test.cpp:562:17:562:31 | call to indirect_source indirection | test.cpp:578:10:578:19 | * ... |
-| test.cpp:576:17:576:31 | call to indirect_source indirection | test.cpp:566:10:566:19 | * ... |
-| test.cpp:576:17:576:31 | call to indirect_source indirection | test.cpp:568:10:568:19 | * ... |
-| test.cpp:576:17:576:31 | call to indirect_source indirection | test.cpp:572:10:572:19 | * ... |
-| test.cpp:576:17:576:31 | call to indirect_source indirection | test.cpp:578:10:578:19 | * ... |
-| test.cpp:594:12:594:26 | call to indirect_source indirection | test.cpp:597:8:597:13 | * ... |
+| test.cpp:562:17:562:31 | *call to indirect_source | test.cpp:566:10:566:19 | * ... |
+| test.cpp:562:17:562:31 | *call to indirect_source | test.cpp:568:10:568:19 | * ... |
+| test.cpp:562:17:562:31 | *call to indirect_source | test.cpp:572:10:572:19 | * ... |
+| test.cpp:562:17:562:31 | *call to indirect_source | test.cpp:578:10:578:19 | * ... |
+| test.cpp:576:17:576:31 | *call to indirect_source | test.cpp:566:10:566:19 | * ... |
+| test.cpp:576:17:576:31 | *call to indirect_source | test.cpp:568:10:568:19 | * ... |
+| test.cpp:576:17:576:31 | *call to indirect_source | test.cpp:572:10:572:19 | * ... |
+| test.cpp:576:17:576:31 | *call to indirect_source | test.cpp:578:10:578:19 | * ... |
+| test.cpp:594:12:594:26 | *call to indirect_source | test.cpp:597:8:597:13 | * ... |
 | test.cpp:601:20:601:20 | intPointerSource output argument | test.cpp:603:8:603:9 | * ... |
 | test.cpp:607:20:607:20 | intPointerSource output argument | test.cpp:609:8:609:9 | * ... |
 | test.cpp:614:20:614:20 | intPointerSource output argument | test.cpp:616:8:616:17 | * ... |
-| test.cpp:628:20:628:25 | intPointerSource output argument | test.cpp:629:17:629:22 | buffer indirection |
+| test.cpp:628:20:628:25 | intPointerSource output argument | test.cpp:629:17:629:22 | *buffer |
 | test.cpp:633:18:633:23 | call to source | test.cpp:634:8:634:8 | x |
 | test.cpp:646:7:646:12 | call to source | test.cpp:645:8:645:8 | x |
 | test.cpp:660:7:660:12 | call to source | test.cpp:658:8:658:8 | x |
@@ -283,23 +283,23 @@ irFlow
 | test.cpp:775:32:775:37 | call to source | test.cpp:760:10:760:10 | x |
 | test.cpp:788:31:788:36 | call to source | test.cpp:782:12:782:12 | x |
 | test.cpp:790:31:790:36 | call to source | test.cpp:782:12:782:12 | x |
-| test.cpp:797:22:797:28 | intPointerSource output argument | test.cpp:798:19:798:25 | content indirection |
-| test.cpp:808:25:808:39 | call to indirect_source indirection | test.cpp:813:19:813:35 | * ... indirection |
+| test.cpp:797:22:797:28 | intPointerSource output argument | test.cpp:798:19:798:25 | *content |
+| test.cpp:808:25:808:39 | *call to indirect_source | test.cpp:813:19:813:35 | ** ... |
 | test.cpp:818:26:818:31 | call to source | test.cpp:823:10:823:27 | * ... |
 | test.cpp:832:21:832:26 | call to source | test.cpp:836:10:836:22 | global_direct |
 | test.cpp:842:11:842:16 | call to source | test.cpp:844:8:844:8 | y |
-| test.cpp:846:13:846:27 | call to indirect_source indirection | test.cpp:848:17:848:25 | rpx indirection |
+| test.cpp:846:13:846:27 | *call to indirect_source | test.cpp:848:17:848:25 | *rpx |
 | test.cpp:853:55:853:62 | call to source | test.cpp:854:10:854:36 | * ... |
 | test.cpp:860:54:860:59 | call to source | test.cpp:861:10:861:37 | static_local_pointer_dynamic |
 | test.cpp:872:46:872:51 | call to source | test.cpp:875:10:875:31 | global_pointer_dynamic |
-| test.cpp:880:64:880:83 | indirect_source(1) indirection | test.cpp:883:10:883:45 | static_local_array_static_indirect_1 |
-| test.cpp:881:64:881:83 | indirect_source(2) indirection | test.cpp:886:19:886:54 | static_local_array_static_indirect_2 indirection |
+| test.cpp:880:64:880:83 | indirect_source(1) | test.cpp:883:10:883:45 | static_local_array_static_indirect_1 |
+| test.cpp:881:64:881:83 | *indirect_source(2) | test.cpp:886:19:886:54 | *static_local_array_static_indirect_2 |
 | test.cpp:890:54:890:61 | source | test.cpp:893:10:893:36 | static_local_pointer_static |
-| test.cpp:891:65:891:84 | indirect_source(1) indirection | test.cpp:895:19:895:56 | static_local_pointer_static_indirect_1 indirection |
-| test.cpp:901:56:901:75 | indirect_source(1) indirection | test.cpp:907:10:907:39 | global_array_static_indirect_1 |
-| test.cpp:902:56:902:75 | indirect_source(2) indirection | test.cpp:911:19:911:48 | global_array_static_indirect_2 indirection |
+| test.cpp:891:65:891:84 | *indirect_source(1) | test.cpp:895:19:895:56 | *static_local_pointer_static_indirect_1 |
+| test.cpp:901:56:901:75 | indirect_source(1) | test.cpp:907:10:907:39 | global_array_static_indirect_1 |
+| test.cpp:902:56:902:75 | *indirect_source(2) | test.cpp:911:19:911:48 | *global_array_static_indirect_2 |
 | test.cpp:914:46:914:53 | source | test.cpp:919:10:919:30 | global_pointer_static |
-| test.cpp:915:57:915:76 | indirect_source(1) indirection | test.cpp:921:19:921:50 | global_pointer_static_indirect_1 indirection |
+| test.cpp:915:57:915:76 | *indirect_source(1) | test.cpp:921:19:921:50 | *global_pointer_static_indirect_1 |
 | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |

cpp/ql/test/library-tests/special_members/generated_copy/functions.expected

@@ -1,94 +1,94 @@
-| copy.cpp:5:5:5:5 | C |  | defaulted |
-| copy.cpp:6:8:6:16 | operator= |  | defaulted |
-| copy.cpp:9:9:9:9 | Sub1 |  |  |
-| copy.cpp:9:9:9:9 | Sub1 |  |  |
-| copy.cpp:9:9:9:9 | Sub1 | deleted |  |
-| copy.cpp:9:9:9:9 | operator= |  |  |
-| copy.cpp:9:9:9:9 | operator= |  |  |
-| copy.cpp:13:9:13:9 | Sub2 |  |  |
-| copy.cpp:13:9:13:9 | Sub2 |  |  |
-| copy.cpp:13:9:13:9 | Sub2 | deleted |  |
-| copy.cpp:13:9:13:9 | operator= |  |  |
-| copy.cpp:13:9:13:9 | operator= |  |  |
-| copy.cpp:17:9:17:9 | HasMember |  |  |
-| copy.cpp:17:9:17:9 | HasMember |  |  |
-| copy.cpp:17:9:17:9 | HasMember | deleted |  |
-| copy.cpp:17:9:17:9 | operator= |  |  |
-| copy.cpp:17:9:17:9 | operator= |  |  |
-| copy.cpp:25:5:25:5 | C | deleted |  |
-| copy.cpp:26:8:26:16 | operator= | deleted |  |
-| copy.cpp:29:9:29:9 | Sub | deleted |  |
-| copy.cpp:29:9:29:9 | Sub | deleted |  |
-| copy.cpp:29:9:29:9 | operator= | deleted |  |
-| copy.cpp:37:5:37:5 | C |  | defaulted |
-| copy.cpp:38:8:38:16 | operator= |  | defaulted |
-| copy.cpp:41:9:41:9 | operator= |  |  |
-| copy.cpp:46:5:46:7 | Sub | deleted | defaulted |
-| copy.cpp:49:9:49:9 | HasPointer |  |  |
-| copy.cpp:49:9:49:9 | operator= |  |  |
-| copy.cpp:49:9:49:9 | operator= |  |  |
-| copy.cpp:54:9:54:9 | HasArray | deleted |  |
-| copy.cpp:54:9:54:9 | HasArray | deleted |  |
-| copy.cpp:54:9:54:9 | operator= |  |  |
-| copy.cpp:54:9:54:9 | operator= |  |  |
-| copy.cpp:59:9:59:9 | HasArray2D | deleted |  |
-| copy.cpp:59:9:59:9 | HasArray2D | deleted |  |
-| copy.cpp:59:9:59:9 | operator= |  |  |
-| copy.cpp:59:9:59:9 | operator= |  |  |
-| copy.cpp:67:9:67:9 | Wrapper |  |  |
-| copy.cpp:67:9:67:9 | Wrapper |  |  |
-| copy.cpp:67:9:67:9 | Wrapper | deleted |  |
-| copy.cpp:67:9:67:9 | Wrapper | deleted |  |
-| copy.cpp:67:9:67:9 | operator= |  |  |
-| copy.cpp:67:9:67:9 | operator= |  |  |
-| copy.cpp:67:9:67:9 | operator= | deleted |  |
-| copy.cpp:71:9:71:9 | operator= |  |  |
-| copy.cpp:71:9:71:9 | operator= |  |  |
-| copy.cpp:72:9:72:9 | NotCopyable |  |  |
-| copy.cpp:72:9:72:9 | NotCopyable | deleted |  |
-| copy.cpp:72:9:72:9 | NotCopyable | deleted |  |
-| copy.cpp:72:9:72:9 | operator= | deleted |  |
-| copy.cpp:76:9:76:9 | CopyableComposition |  |  |
-| copy.cpp:76:9:76:9 | operator= |  |  |
-| copy.cpp:76:9:76:9 | operator= |  |  |
-| copy.cpp:80:9:80:9 | NotCopyableComposition |  |  |
-| copy.cpp:80:9:80:9 | NotCopyableComposition | deleted |  |
-| copy.cpp:80:9:80:9 | NotCopyableComposition | deleted |  |
-| copy.cpp:80:9:80:9 | operator= | deleted |  |
-| copy.cpp:84:9:84:9 | CopyableInheritance |  |  |
-| copy.cpp:84:9:84:9 | operator= |  |  |
-| copy.cpp:84:9:84:9 | operator= |  |  |
-| copy.cpp:86:9:86:9 | NotCopyableInheritance |  |  |
-| copy.cpp:86:9:86:9 | NotCopyableInheritance | deleted |  |
-| copy.cpp:86:9:86:9 | NotCopyableInheritance | deleted |  |
-| copy.cpp:86:9:86:9 | operator= | deleted |  |
-| copy.cpp:90:9:90:9 | operator= |  |  |
-| copy.cpp:90:9:90:9 | operator= |  |  |
-| copy.cpp:91:11:91:11 | operator= |  |  |
-| copy.cpp:91:11:91:11 | operator= |  |  |
-| copy.cpp:95:9:95:9 | operator= |  |  |
-| copy.cpp:95:9:95:9 | operator= |  |  |
-| copy.cpp:100:9:100:9 | Derived |  |  |
-| copy.cpp:100:9:100:9 | operator= |  |  |
-| copy.cpp:100:9:100:9 | operator= |  |  |
-| copy.cpp:106:9:106:9 | MoveCtor | deleted |  |
-| copy.cpp:106:9:106:9 | operator= | deleted |  |
-| copy.cpp:108:5:108:12 | MoveCtor |  |  |
-| copy.cpp:111:9:111:9 | MoveAssign |  |  |
-| copy.cpp:111:9:111:9 | MoveAssign | deleted |  |
-| copy.cpp:111:9:111:9 | operator= | deleted |  |
-| copy.cpp:113:17:113:25 | operator= |  |  |
-| copy.cpp:120:9:120:9 | OnlyCtor | deleted |  |
-| copy.cpp:120:9:120:9 | operator= | deleted |  |
-| copy.cpp:126:11:126:19 | operator= |  |  |
-| copy.cpp:128:5:128:8 | Base |  |  |
-| copy.cpp:131:9:131:9 | OnlyAssign | deleted |  |
-| copy.cpp:131:9:131:9 | OnlyAssign | deleted |  |
-| copy.cpp:131:9:131:9 | operator= |  |  |
-| copy.cpp:131:9:131:9 | operator= |  |  |
-| copy.cpp:137:9:137:9 | operator= |  |  |
-| copy.cpp:139:5:139:11 | Wrapper |  |  |
-| copy.cpp:143:5:143:5 | Wrapper |  |  |
-| copy.cpp:143:5:143:11 | Wrapper |  |  |
-| file://:0:0:0:0 | operator= |  |  |
-| file://:0:0:0:0 | operator= |  |  |
+| copy.cpp:5:5:5:5 | C | void protected_cc::C::C(protected_cc::C const&) |  | defaulted |
+| copy.cpp:6:8:6:16 | operator= | protected_cc::C& protected_cc::C::operator=(protected_cc::C const&) |  | defaulted |
+| copy.cpp:9:9:9:9 | Sub1 | void protected_cc::Sub1::Sub1() | deleted |  |
+| copy.cpp:9:9:9:9 | Sub1 | void protected_cc::Sub1::Sub1(protected_cc::Sub1 const&) |  |  |
+| copy.cpp:9:9:9:9 | Sub1 | void protected_cc::Sub1::Sub1(protected_cc::Sub1&&) |  |  |
+| copy.cpp:9:9:9:9 | operator= | protected_cc::Sub1& protected_cc::Sub1::operator=(protected_cc::Sub1 const&) |  |  |
+| copy.cpp:9:9:9:9 | operator= | protected_cc::Sub1& protected_cc::Sub1::operator=(protected_cc::Sub1&&) |  |  |
+| copy.cpp:13:9:13:9 | Sub2 | void protected_cc::Sub2::Sub2() | deleted |  |
+| copy.cpp:13:9:13:9 | Sub2 | void protected_cc::Sub2::Sub2(protected_cc::Sub2 const&) |  |  |
+| copy.cpp:13:9:13:9 | Sub2 | void protected_cc::Sub2::Sub2(protected_cc::Sub2&&) |  |  |
+| copy.cpp:13:9:13:9 | operator= | protected_cc::Sub2& protected_cc::Sub2::operator=(protected_cc::Sub2 const&) |  |  |
+| copy.cpp:13:9:13:9 | operator= | protected_cc::Sub2& protected_cc::Sub2::operator=(protected_cc::Sub2&&) |  |  |
+| copy.cpp:17:9:17:9 | HasMember | void protected_cc::HasMember::HasMember() | deleted |  |
+| copy.cpp:17:9:17:9 | HasMember | void protected_cc::HasMember::HasMember(protected_cc::HasMember const&) |  |  |
+| copy.cpp:17:9:17:9 | HasMember | void protected_cc::HasMember::HasMember(protected_cc::HasMember&&) |  |  |
+| copy.cpp:17:9:17:9 | operator= | protected_cc::HasMember& protected_cc::HasMember::operator=(protected_cc::HasMember const&) |  |  |
+| copy.cpp:17:9:17:9 | operator= | protected_cc::HasMember& protected_cc::HasMember::operator=(protected_cc::HasMember&&) |  |  |
+| copy.cpp:25:5:25:5 | C | void deleted_cc::C::C(deleted_cc::C const&) | deleted |  |
+| copy.cpp:26:8:26:16 | operator= | deleted_cc::C& deleted_cc::C::operator=(deleted_cc::C const&) | deleted |  |
+| copy.cpp:29:9:29:9 | Sub | void deleted_cc::Sub::Sub() | deleted |  |
+| copy.cpp:29:9:29:9 | Sub | void deleted_cc::Sub::Sub(deleted_cc::Sub const&) | deleted |  |
+| copy.cpp:29:9:29:9 | operator= | deleted_cc::Sub& deleted_cc::Sub::operator=(deleted_cc::Sub const&) | deleted |  |
+| copy.cpp:37:5:37:5 | C | void private_cc::C::C(private_cc::C&) |  | defaulted |
+| copy.cpp:38:8:38:16 | operator= | private_cc::C& private_cc::C::operator=(private_cc::C const&) |  | defaulted |
+| copy.cpp:41:9:41:9 | operator= | private_cc::Sub& private_cc::Sub::operator=(private_cc::Sub const&) |  |  |
+| copy.cpp:46:5:46:7 | Sub | void private_cc::Sub::Sub(private_cc::Sub&) | deleted | defaulted |
+| copy.cpp:49:9:49:9 | HasPointer | void private_cc::HasPointer::HasPointer() |  |  |
+| copy.cpp:49:9:49:9 | operator= | private_cc::HasPointer& private_cc::HasPointer::operator=(private_cc::HasPointer const&) |  |  |
+| copy.cpp:49:9:49:9 | operator= | private_cc::HasPointer& private_cc::HasPointer::operator=(private_cc::HasPointer&&) |  |  |
+| copy.cpp:54:9:54:9 | HasArray | void private_cc::HasArray::HasArray() | deleted |  |
+| copy.cpp:54:9:54:9 | HasArray | void private_cc::HasArray::HasArray(private_cc::HasArray&) | deleted |  |
+| copy.cpp:54:9:54:9 | operator= | private_cc::HasArray& private_cc::HasArray::operator=(private_cc::HasArray const&) |  |  |
+| copy.cpp:54:9:54:9 | operator= | private_cc::HasArray& private_cc::HasArray::operator=(private_cc::HasArray&&) |  |  |
+| copy.cpp:59:9:59:9 | HasArray2D | void private_cc::HasArray2D::HasArray2D() | deleted |  |
+| copy.cpp:59:9:59:9 | HasArray2D | void private_cc::HasArray2D::HasArray2D(private_cc::HasArray2D&) | deleted |  |
+| copy.cpp:59:9:59:9 | operator= | private_cc::HasArray2D& private_cc::HasArray2D::operator=(private_cc::HasArray2D const&) |  |  |
+| copy.cpp:59:9:59:9 | operator= | private_cc::HasArray2D& private_cc::HasArray2D::operator=(private_cc::HasArray2D&&) |  |  |
+| copy.cpp:67:9:67:9 | Wrapper | void container::Wrapper<container::Copyable>::Wrapper() |  |  |
+| copy.cpp:67:9:67:9 | Wrapper | void container::Wrapper<container::NotCopyable>::Wrapper() | deleted |  |
+| copy.cpp:67:9:67:9 | Wrapper | void container::Wrapper<container::NotCopyable>::Wrapper(container::Wrapper<container::NotCopyable> const&) | deleted |  |
+| copy.cpp:67:9:67:9 | Wrapper | void container::Wrapper<container::NotCopyable>::Wrapper(container::Wrapper<container::NotCopyable>&&) |  |  |
+| copy.cpp:67:9:67:9 | operator= | container::Wrapper<container::Copyable>& container::Wrapper<container::Copyable>::operator=(container::Wrapper<container::Copyable> const&) |  |  |
+| copy.cpp:67:9:67:9 | operator= | container::Wrapper<container::Copyable>& container::Wrapper<container::Copyable>::operator=(container::Wrapper<container::Copyable>&&) |  |  |
+| copy.cpp:67:9:67:9 | operator= | container::Wrapper<container::NotCopyable>& container::Wrapper<container::NotCopyable>::operator=(container::Wrapper<container::NotCopyable> const&) | deleted |  |
+| copy.cpp:71:9:71:9 | operator= | container::Copyable& container::Copyable::operator=(container::Copyable const&) |  |  |
+| copy.cpp:71:9:71:9 | operator= | container::Copyable& container::Copyable::operator=(container::Copyable&&) |  |  |
+| copy.cpp:72:9:72:9 | NotCopyable | void container::NotCopyable::NotCopyable() | deleted |  |
+| copy.cpp:72:9:72:9 | NotCopyable | void container::NotCopyable::NotCopyable(container::NotCopyable const&) | deleted |  |
+| copy.cpp:72:9:72:9 | NotCopyable | void container::NotCopyable::NotCopyable(container::NotCopyable&&) |  |  |
+| copy.cpp:72:9:72:9 | operator= | container::NotCopyable& container::NotCopyable::operator=(container::NotCopyable const&) | deleted |  |
+| copy.cpp:76:9:76:9 | CopyableComposition | void container::CopyableComposition::CopyableComposition() |  |  |
+| copy.cpp:76:9:76:9 | operator= | container::CopyableComposition& container::CopyableComposition::operator=(container::CopyableComposition const&) |  |  |
+| copy.cpp:76:9:76:9 | operator= | container::CopyableComposition& container::CopyableComposition::operator=(container::CopyableComposition&&) |  |  |
+| copy.cpp:80:9:80:9 | NotCopyableComposition | void container::NotCopyableComposition::NotCopyableComposition() | deleted |  |
+| copy.cpp:80:9:80:9 | NotCopyableComposition | void container::NotCopyableComposition::NotCopyableComposition(container::NotCopyableComposition const&) | deleted |  |
+| copy.cpp:80:9:80:9 | NotCopyableComposition | void container::NotCopyableComposition::NotCopyableComposition(container::NotCopyableComposition&&) |  |  |
+| copy.cpp:80:9:80:9 | operator= | container::NotCopyableComposition& container::NotCopyableComposition::operator=(container::NotCopyableComposition const&) | deleted |  |
+| copy.cpp:84:9:84:9 | CopyableInheritance | void container::CopyableInheritance::CopyableInheritance() |  |  |
+| copy.cpp:84:9:84:9 | operator= | container::CopyableInheritance& container::CopyableInheritance::operator=(container::CopyableInheritance const&) |  |  |
+| copy.cpp:84:9:84:9 | operator= | container::CopyableInheritance& container::CopyableInheritance::operator=(container::CopyableInheritance&&) |  |  |
+| copy.cpp:86:9:86:9 | NotCopyableInheritance | void container::NotCopyableInheritance::NotCopyableInheritance() | deleted |  |
+| copy.cpp:86:9:86:9 | NotCopyableInheritance | void container::NotCopyableInheritance::NotCopyableInheritance(container::NotCopyableInheritance const&) | deleted |  |
+| copy.cpp:86:9:86:9 | NotCopyableInheritance | void container::NotCopyableInheritance::NotCopyableInheritance(container::NotCopyableInheritance&&) |  |  |
+| copy.cpp:86:9:86:9 | operator= | container::NotCopyableInheritance& container::NotCopyableInheritance::operator=(container::NotCopyableInheritance const&) | deleted |  |
+| copy.cpp:90:9:90:9 | operator= | typedefs::A& typedefs::A::operator=(typedefs::A const&) |  |  |
+| copy.cpp:90:9:90:9 | operator= | typedefs::A& typedefs::A::operator=(typedefs::A&&) |  |  |
+| copy.cpp:91:11:91:11 | operator= | typedefs::A::B& typedefs::A::B::operator=(typedefs::A::B const private&) |  |  |
+| copy.cpp:91:11:91:11 | operator= | typedefs::A::B& typedefs::A::B::operator=(typedefs::A::B&&) |  |  |
+| copy.cpp:95:9:95:9 | operator= | typedefs::C& typedefs::C::operator=(typedefs::C const&) |  |  |
+| copy.cpp:95:9:95:9 | operator= | typedefs::C& typedefs::C::operator=(typedefs::C&&) |  |  |
+| copy.cpp:100:9:100:9 | Derived | void typedefs::Derived::Derived() |  |  |
+| copy.cpp:100:9:100:9 | operator= | typedefs::Derived& typedefs::Derived::operator=(typedefs::Derived const&) |  |  |
+| copy.cpp:100:9:100:9 | operator= | typedefs::Derived& typedefs::Derived::operator=(typedefs::Derived&&) |  |  |
+| copy.cpp:106:9:106:9 | MoveCtor | void moves::MoveCtor::MoveCtor(moves::MoveCtor const&) | deleted |  |
+| copy.cpp:106:9:106:9 | operator= | moves::MoveCtor& moves::MoveCtor::operator=(moves::MoveCtor const&) | deleted |  |
+| copy.cpp:108:5:108:12 | MoveCtor | void moves::MoveCtor::MoveCtor(moves::MoveCtor&&) |  |  |
+| copy.cpp:111:9:111:9 | MoveAssign | void moves::MoveAssign::MoveAssign() |  |  |
+| copy.cpp:111:9:111:9 | MoveAssign | void moves::MoveAssign::MoveAssign(moves::MoveAssign const&) | deleted |  |
+| copy.cpp:111:9:111:9 | operator= | moves::MoveAssign& moves::MoveAssign::operator=(moves::MoveAssign const&) | deleted |  |
+| copy.cpp:113:17:113:25 | operator= | moves::MoveAssign& moves::MoveAssign::operator=(moves::MoveAssign&&) |  |  |
+| copy.cpp:120:9:120:9 | OnlyCtor | void difference::OnlyCtor::OnlyCtor() | deleted |  |
+| copy.cpp:120:9:120:9 | operator= | difference::OnlyCtor& difference::OnlyCtor::operator=(difference::OnlyCtor const&) | deleted |  |
+| copy.cpp:126:11:126:19 | operator= | difference::Base& difference::Base::operator=(difference::Base const&) |  |  |
+| copy.cpp:128:5:128:8 | Base | void difference::Base::Base(difference::Base const&) |  |  |
+| copy.cpp:131:9:131:9 | OnlyAssign | void difference::OnlyAssign::OnlyAssign() | deleted |  |
+| copy.cpp:131:9:131:9 | OnlyAssign | void difference::OnlyAssign::OnlyAssign(difference::OnlyAssign const&) | deleted |  |
+| copy.cpp:131:9:131:9 | operator= | difference::OnlyAssign& difference::OnlyAssign::operator=(difference::OnlyAssign const&) |  |  |
+| copy.cpp:131:9:131:9 | operator= | difference::OnlyAssign& difference::OnlyAssign::operator=(difference::OnlyAssign&&) |  |  |
+| copy.cpp:137:9:137:9 | operator= | instantiated_explicit_ctor::Wrapper<int>& instantiated_explicit_ctor::Wrapper<int>::operator=(instantiated_explicit_ctor::Wrapper<int> const&) |  |  |
+| copy.cpp:139:5:139:11 | Wrapper | void instantiated_explicit_ctor::Wrapper<T>::Wrapper(instantiated_explicit_ctor::Wrapper<T>&) |  |  |
+| copy.cpp:143:5:143:5 | Wrapper | void instantiated_explicit_ctor::Wrapper<int>::Wrapper() |  |  |
+| copy.cpp:143:5:143:11 | Wrapper | void instantiated_explicit_ctor::Wrapper<T>::Wrapper() |  |  |
+| file://:0:0:0:0 | operator= | __va_list_tag& __va_list_tag::operator=(__va_list_tag const&) |  |  |
+| file://:0:0:0:0 | operator= | __va_list_tag& __va_list_tag::operator=(__va_list_tag&&) |  |  |

cpp/ql/test/library-tests/special_members/generated_copy/functions.ql

@@ -1,7 +1,8 @@
 import cpp
+import semmle.code.cpp.Print
 
 from Function f, string deleted, string defaulted
 where
   (if f.isDeleted() then deleted = "deleted" else deleted = "") and
   if f.isDefaulted() then defaulted = "defaulted" else defaulted = ""
-select f, deleted, defaulted
+select f, getIdentityString(f), deleted, defaulted

cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected

@@ -35,8 +35,8 @@ postWithInFlow
 | try_catch.cpp:7:8:7:8 | call to exception | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
-| ir.cpp:726:6:726:13 | TryCatch | 0 indirection | ir.cpp:737:22:737:22 | s indirection | Parameters with overlapping positions. |
-| ir.cpp:726:6:726:13 | TryCatch | 0 indirection | ir.cpp:740:24:740:24 | e indirection | Parameters with overlapping positions. |
+| ir.cpp:726:6:726:13 | TryCatch | 0 indirection | ir.cpp:737:22:737:22 | *s | Parameters with overlapping positions. |
+| ir.cpp:726:6:726:13 | TryCatch | 0 indirection | ir.cpp:740:24:740:24 | *e | Parameters with overlapping positions. |
 uniqueParameterNodePosition
 uniqueContentApprox
 identityLocalStep

cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected

@@ -9,7 +9,6 @@ edges
 | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a |
 | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a |
 | test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... |
-| test_free.cpp:131:10:131:13 | pointer to free output argument | test_free.cpp:132:10:132:13 | access to array |
 | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a |
 | test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a |
 nodes
@@ -33,8 +32,6 @@ nodes
 | test_free.cpp:103:10:103:10 | a | semmle.label | a |
 | test_free.cpp:128:10:128:11 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:129:10:129:11 | * ... | semmle.label | * ... |
-| test_free.cpp:131:10:131:13 | pointer to free output argument | semmle.label | pointer to free output argument |
-| test_free.cpp:132:10:132:13 | access to array | semmle.label | access to array |
 | test_free.cpp:152:27:152:27 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:154:10:154:10 | a | semmle.label | a |
 | test_free.cpp:207:10:207:10 | pointer to free output argument | semmle.label | pointer to free output argument |
@@ -51,6 +48,5 @@ subpaths
 | test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:83:5:83:13 | delete | delete |
 | test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free |
 | test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
-| test_free.cpp:132:10:132:13 | access to array | test_free.cpp:131:10:131:13 | pointer to free output argument | test_free.cpp:132:10:132:13 | access to array | Memory pointed to by 'access to array' may already have been freed by $@. | test_free.cpp:131:5:131:8 | call to free | call to free |
 | test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
 | test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |

cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected

@@ -12,16 +12,16 @@ edges
 | test_free.cpp:233:14:233:15 | pointer to free output argument | test_free.cpp:236:9:236:10 | * ... |
 | test_free.cpp:239:14:239:15 | pointer to free output argument | test_free.cpp:241:9:241:10 | * ... |
 | test_free.cpp:245:10:245:11 | pointer to free output argument | test_free.cpp:246:9:246:10 | * ... |
-| test_free.cpp:277:8:277:8 | s indirection [post update] [buf] | test_free.cpp:278:12:278:12 | s indirection [buf] |
-| test_free.cpp:277:8:277:13 | pointer to free output argument | test_free.cpp:277:8:277:8 | s indirection [post update] [buf] |
-| test_free.cpp:278:12:278:12 | s indirection [buf] | test_free.cpp:278:15:278:17 | buf |
-| test_free.cpp:282:8:282:8 | s indirection [post update] [buf] | test_free.cpp:283:12:283:12 | s indirection [buf] |
-| test_free.cpp:282:8:282:12 | pointer to free output argument | test_free.cpp:282:8:282:8 | s indirection [post update] [buf] |
-| test_free.cpp:283:12:283:12 | s indirection [buf] | test_free.cpp:283:14:283:16 | buf |
+| test_free.cpp:277:8:277:8 | *s [post update] [buf] | test_free.cpp:278:12:278:12 | *s [buf] |
+| test_free.cpp:277:8:277:13 | pointer to free output argument | test_free.cpp:277:8:277:8 | *s [post update] [buf] |
+| test_free.cpp:278:12:278:12 | *s [buf] | test_free.cpp:278:15:278:17 | buf |
+| test_free.cpp:282:8:282:8 | *s [post update] [buf] | test_free.cpp:283:12:283:12 | *s [buf] |
+| test_free.cpp:282:8:282:12 | pointer to free output argument | test_free.cpp:282:8:282:8 | *s [post update] [buf] |
+| test_free.cpp:283:12:283:12 | *s [buf] | test_free.cpp:283:14:283:16 | buf |
 | test_free.cpp:293:8:293:10 | pointer to free output argument | test_free.cpp:294:3:294:13 | ... = ... |
-| test_free.cpp:294:3:294:3 | s indirection [post update] [buf] | test_free.cpp:295:12:295:12 | s indirection [buf] |
-| test_free.cpp:294:3:294:13 | ... = ... | test_free.cpp:294:3:294:3 | s indirection [post update] [buf] |
-| test_free.cpp:295:12:295:12 | s indirection [buf] | test_free.cpp:295:14:295:16 | buf |
+| test_free.cpp:294:3:294:3 | *s [post update] [buf] | test_free.cpp:295:12:295:12 | *s [buf] |
+| test_free.cpp:294:3:294:13 | ... = ... | test_free.cpp:294:3:294:3 | *s [post update] [buf] |
+| test_free.cpp:295:12:295:12 | *s [buf] | test_free.cpp:295:14:295:16 | buf |
 nodes
 | test_free.cpp:11:10:11:10 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:12:5:12:5 | a | semmle.label | a |
@@ -48,18 +48,18 @@ nodes
 | test_free.cpp:241:9:241:10 | * ... | semmle.label | * ... |
 | test_free.cpp:245:10:245:11 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
-| test_free.cpp:277:8:277:8 | s indirection [post update] [buf] | semmle.label | s indirection [post update] [buf] |
+| test_free.cpp:277:8:277:8 | *s [post update] [buf] | semmle.label | *s [post update] [buf] |
 | test_free.cpp:277:8:277:13 | pointer to free output argument | semmle.label | pointer to free output argument |
-| test_free.cpp:278:12:278:12 | s indirection [buf] | semmle.label | s indirection [buf] |
+| test_free.cpp:278:12:278:12 | *s [buf] | semmle.label | *s [buf] |
 | test_free.cpp:278:15:278:17 | buf | semmle.label | buf |
-| test_free.cpp:282:8:282:8 | s indirection [post update] [buf] | semmle.label | s indirection [post update] [buf] |
+| test_free.cpp:282:8:282:8 | *s [post update] [buf] | semmle.label | *s [post update] [buf] |
 | test_free.cpp:282:8:282:12 | pointer to free output argument | semmle.label | pointer to free output argument |
-| test_free.cpp:283:12:283:12 | s indirection [buf] | semmle.label | s indirection [buf] |
+| test_free.cpp:283:12:283:12 | *s [buf] | semmle.label | *s [buf] |
 | test_free.cpp:283:14:283:16 | buf | semmle.label | buf |
 | test_free.cpp:293:8:293:10 | pointer to free output argument | semmle.label | pointer to free output argument |
-| test_free.cpp:294:3:294:3 | s indirection [post update] [buf] | semmle.label | s indirection [post update] [buf] |
+| test_free.cpp:294:3:294:3 | *s [post update] [buf] | semmle.label | *s [post update] [buf] |
 | test_free.cpp:294:3:294:13 | ... = ... | semmle.label | ... = ... |
-| test_free.cpp:295:12:295:12 | s indirection [buf] | semmle.label | s indirection [buf] |
+| test_free.cpp:295:12:295:12 | *s [buf] | semmle.label | *s [buf] |
 | test_free.cpp:295:14:295:16 | buf | semmle.label | buf |
 subpaths
 #select

cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp

@@ -129,7 +129,7 @@ void test_ptr_deref(void ** a) {
     free(*a); // BAD
     *a = malloc(10);
     free(a[0]); // GOOD
-    free(a[1]); // GOOD [FALSE POSITIVE]
+    free(a[1]); // GOOD
 }
 
 struct list {

cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected

@@ -1,8 +1,8 @@
 edges
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data |
 nodes
 | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | semmle.label | fgets output argument |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | semmle.label | *data |
 subpaths
 #select
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | user input (string read by fgets) |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | user input (string read by fgets) |

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected

@@ -1,22 +1,22 @@
 edges
-| test.c:8:27:8:30 | argv indirection | test.c:17:11:17:18 | fileName indirection |
-| test.c:8:27:8:30 | argv indirection | test.c:32:11:32:18 | fileName indirection |
-| test.c:8:27:8:30 | argv indirection | test.c:57:10:57:16 | access to array indirection |
-| test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | fileName indirection |
-| test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | fileName indirection |
+| test.c:8:27:8:30 | **argv | test.c:17:11:17:18 | *fileName |
+| test.c:8:27:8:30 | **argv | test.c:32:11:32:18 | *fileName |
+| test.c:8:27:8:30 | **argv | test.c:57:10:57:16 | *access to array |
+| test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | *fileName |
+| test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | *fileName |
 nodes
-| test.c:8:27:8:30 | argv indirection | semmle.label | argv indirection |
-| test.c:17:11:17:18 | fileName indirection | semmle.label | fileName indirection |
-| test.c:32:11:32:18 | fileName indirection | semmle.label | fileName indirection |
+| test.c:8:27:8:30 | **argv | semmle.label | **argv |
+| test.c:17:11:17:18 | *fileName | semmle.label | *fileName |
+| test.c:32:11:32:18 | *fileName | semmle.label | *fileName |
 | test.c:37:17:37:24 | scanf output argument | semmle.label | scanf output argument |
-| test.c:38:11:38:18 | fileName indirection | semmle.label | fileName indirection |
+| test.c:38:11:38:18 | *fileName | semmle.label | *fileName |
 | test.c:43:17:43:24 | scanf output argument | semmle.label | scanf output argument |
-| test.c:44:11:44:18 | fileName indirection | semmle.label | fileName indirection |
-| test.c:57:10:57:16 | access to array indirection | semmle.label | access to array indirection |
+| test.c:44:11:44:18 | *fileName | semmle.label | *fileName |
+| test.c:57:10:57:16 | *access to array | semmle.label | *access to array |
 subpaths
 #select
-| test.c:17:11:17:18 | fileName | test.c:8:27:8:30 | argv indirection | test.c:17:11:17:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
-| test.c:32:11:32:18 | fileName | test.c:8:27:8:30 | argv indirection | test.c:32:11:32:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
-| test.c:38:11:38:18 | fileName | test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:37:17:37:24 | scanf output argument | user input (value read by scanf) |
-| test.c:44:11:44:18 | fileName | test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:43:17:43:24 | scanf output argument | user input (value read by scanf) |
-| test.c:57:10:57:16 | access to array | test.c:8:27:8:30 | argv indirection | test.c:57:10:57:16 | access to array indirection | This argument to a file access function is derived from $@ and then passed to read(fileName), which calls fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
+| test.c:17:11:17:18 | fileName | test.c:8:27:8:30 | **argv | test.c:17:11:17:18 | *fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | **argv | user input (a command-line argument) |
+| test.c:32:11:32:18 | fileName | test.c:8:27:8:30 | **argv | test.c:32:11:32:18 | *fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | **argv | user input (a command-line argument) |
+| test.c:38:11:38:18 | fileName | test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | *fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:37:17:37:24 | scanf output argument | user input (value read by scanf) |
+| test.c:44:11:44:18 | fileName | test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | *fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:43:17:43:24 | scanf output argument | user input (value read by scanf) |
+| test.c:57:10:57:16 | access to array | test.c:8:27:8:30 | **argv | test.c:57:10:57:16 | *access to array | This argument to a file access function is derived from $@ and then passed to read(fileName), which calls fopen(filename). | test.c:8:27:8:30 | **argv | user input (a command-line argument) |

cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected

@@ -1,16 +1,16 @@
 edges
-| tests.cpp:26:15:26:23 | badSource indirection | tests.cpp:51:12:51:20 | call to badSource indirection |
-| tests.cpp:33:34:33:39 | call to getenv indirection | tests.cpp:38:39:38:49 | environment indirection |
-| tests.cpp:38:25:38:36 | strncat output argument | tests.cpp:26:15:26:23 | badSource indirection |
-| tests.cpp:38:39:38:49 | environment indirection | tests.cpp:38:25:38:36 | strncat output argument |
-| tests.cpp:51:12:51:20 | call to badSource indirection | tests.cpp:53:16:53:19 | data indirection |
+| tests.cpp:26:15:26:23 | **badSource | tests.cpp:51:12:51:20 | *call to badSource |
+| tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:38:39:38:49 | *environment |
+| tests.cpp:38:25:38:36 | strncat output argument | tests.cpp:26:15:26:23 | **badSource |
+| tests.cpp:38:39:38:49 | *environment | tests.cpp:38:25:38:36 | strncat output argument |
+| tests.cpp:51:12:51:20 | *call to badSource | tests.cpp:53:16:53:19 | *data |
 nodes
-| tests.cpp:26:15:26:23 | badSource indirection | semmle.label | badSource indirection |
-| tests.cpp:33:34:33:39 | call to getenv indirection | semmle.label | call to getenv indirection |
+| tests.cpp:26:15:26:23 | **badSource | semmle.label | **badSource |
+| tests.cpp:33:34:33:39 | *call to getenv | semmle.label | *call to getenv |
 | tests.cpp:38:25:38:36 | strncat output argument | semmle.label | strncat output argument |
-| tests.cpp:38:39:38:49 | environment indirection | semmle.label | environment indirection |
-| tests.cpp:51:12:51:20 | call to badSource indirection | semmle.label | call to badSource indirection |
-| tests.cpp:53:16:53:19 | data indirection | semmle.label | data indirection |
+| tests.cpp:38:39:38:49 | *environment | semmle.label | *environment |
+| tests.cpp:51:12:51:20 | *call to badSource | semmle.label | *call to badSource |
+| tests.cpp:53:16:53:19 | *data | semmle.label | *data |
 subpaths
 #select
-| tests.cpp:53:16:53:19 | data | tests.cpp:33:34:33:39 | call to getenv indirection | tests.cpp:53:16:53:19 | data indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | tests.cpp:33:34:33:39 | call to getenv indirection | user input (an environment variable) | tests.cpp:38:25:38:36 | strncat output argument | strncat output argument |
+| tests.cpp:53:16:53:19 | data | tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:53:16:53:19 | *data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | tests.cpp:33:34:33:39 | *call to getenv | user input (an environment variable) | tests.cpp:38:25:38:36 | strncat output argument | strncat output argument |

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected

@@ -1,164 +1,164 @@
 edges
-| test.cpp:15:27:15:30 | argv indirection | test.cpp:22:45:22:52 | userName indirection |
-| test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | command1 indirection |
-| test.cpp:22:45:22:52 | userName indirection | test.cpp:22:13:22:20 | sprintf output argument |
-| test.cpp:47:21:47:26 | call to getenv indirection | test.cpp:50:35:50:43 | envCflags indirection |
-| test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | command indirection |
-| test.cpp:50:35:50:43 | envCflags indirection | test.cpp:50:11:50:17 | sprintf output argument |
-| test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | filename indirection |
-| test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | command indirection |
-| test.cpp:64:20:64:27 | filename indirection | test.cpp:64:11:64:17 | strncat output argument |
-| test.cpp:82:9:82:16 | fread output argument | test.cpp:84:20:84:27 | filename indirection |
-| test.cpp:84:11:84:17 | strncat output argument | test.cpp:85:32:85:38 | command indirection |
-| test.cpp:84:20:84:27 | filename indirection | test.cpp:84:11:84:17 | strncat output argument |
-| test.cpp:91:9:91:16 | fread output argument | test.cpp:93:17:93:24 | filename indirection |
-| test.cpp:93:11:93:14 | strncat output argument | test.cpp:94:45:94:48 | path indirection |
-| test.cpp:93:17:93:24 | filename indirection | test.cpp:93:11:93:14 | strncat output argument |
-| test.cpp:106:20:106:38 | call to getenv indirection | test.cpp:107:33:107:36 | path indirection |
-| test.cpp:107:31:107:31 | call to operator+ | test.cpp:108:18:108:22 | call to c_str indirection |
-| test.cpp:107:33:107:36 | path indirection | test.cpp:107:31:107:31 | call to operator+ |
-| test.cpp:113:20:113:38 | call to getenv indirection | test.cpp:114:19:114:22 | path indirection |
-| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | call to c_str indirection |
-| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | call to c_str indirection |
+| test.cpp:15:27:15:30 | **argv | test.cpp:22:45:22:52 | *userName |
+| test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | *command1 |
+| test.cpp:22:45:22:52 | *userName | test.cpp:22:13:22:20 | sprintf output argument |
+| test.cpp:47:21:47:26 | *call to getenv | test.cpp:50:35:50:43 | *envCflags |
+| test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | *command |
+| test.cpp:50:35:50:43 | *envCflags | test.cpp:50:11:50:17 | sprintf output argument |
+| test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | *filename |
+| test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | *command |
+| test.cpp:64:20:64:27 | *filename | test.cpp:64:11:64:17 | strncat output argument |
+| test.cpp:82:9:82:16 | fread output argument | test.cpp:84:20:84:27 | *filename |
+| test.cpp:84:11:84:17 | strncat output argument | test.cpp:85:32:85:38 | *command |
+| test.cpp:84:20:84:27 | *filename | test.cpp:84:11:84:17 | strncat output argument |
+| test.cpp:91:9:91:16 | fread output argument | test.cpp:93:17:93:24 | *filename |
+| test.cpp:93:11:93:14 | strncat output argument | test.cpp:94:45:94:48 | *path |
+| test.cpp:93:17:93:24 | *filename | test.cpp:93:11:93:14 | strncat output argument |
+| test.cpp:106:20:106:38 | *call to getenv | test.cpp:107:33:107:36 | *path |
+| test.cpp:107:31:107:31 | call to operator+ | test.cpp:108:18:108:22 | *call to c_str |
+| test.cpp:107:33:107:36 | *path | test.cpp:107:31:107:31 | call to operator+ |
+| test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:19:114:22 | *path |
+| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str |
+| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str |
 | test.cpp:114:17:114:17 | call to operator+ | test.cpp:114:10:114:23 | call to operator+ |
-| test.cpp:114:19:114:22 | path indirection | test.cpp:114:10:114:23 | call to operator+ |
-| test.cpp:114:19:114:22 | path indirection | test.cpp:114:17:114:17 | call to operator+ |
-| test.cpp:119:20:119:38 | call to getenv indirection | test.cpp:120:19:120:22 | path indirection |
-| test.cpp:120:17:120:17 | call to operator+ | test.cpp:120:10:120:30 | call to data indirection |
-| test.cpp:120:19:120:22 | path indirection | test.cpp:120:17:120:17 | call to operator+ |
-| test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | str indirection |
-| test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | command indirection |
-| test.cpp:142:31:142:33 | str indirection | test.cpp:142:11:142:17 | sprintf output argument |
-| test.cpp:174:9:174:16 | fread output argument | test.cpp:177:20:177:27 | filename indirection |
-| test.cpp:174:9:174:16 | fread output argument | test.cpp:180:22:180:29 | filename indirection |
-| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | flags indirection |
-| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | flags indirection |
-| test.cpp:177:20:177:27 | filename indirection | test.cpp:177:13:177:17 | strncat output argument |
-| test.cpp:177:20:177:27 | filename indirection | test.cpp:177:13:177:17 | strncat output argument |
-| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
-| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
-| test.cpp:178:22:178:26 | flags indirection | test.cpp:178:13:178:19 | strncat output argument |
-| test.cpp:178:22:178:26 | flags indirection | test.cpp:178:13:178:19 | strncat output argument |
-| test.cpp:180:13:180:19 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
-| test.cpp:180:22:180:29 | filename indirection | test.cpp:180:13:180:19 | strncat output argument |
-| test.cpp:186:47:186:54 | filename indirection | test.cpp:187:18:187:25 | filename indirection |
-| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | flags indirection |
-| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | flags indirection |
-| test.cpp:187:18:187:25 | filename indirection | test.cpp:187:11:187:15 | strncat output argument |
-| test.cpp:187:18:187:25 | filename indirection | test.cpp:187:11:187:15 | strncat output argument |
-| test.cpp:188:20:188:24 | flags indirection | test.cpp:188:11:188:17 | strncat output argument |
-| test.cpp:188:20:188:24 | flags indirection | test.cpp:188:11:188:17 | strncat output argument |
-| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | filename indirection |
-| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | command indirection |
-| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | command indirection |
-| test.cpp:196:26:196:33 | filename indirection | test.cpp:186:47:186:54 | filename indirection |
-| test.cpp:196:26:196:33 | filename indirection | test.cpp:196:10:196:16 | concat output argument |
-| test.cpp:196:26:196:33 | filename indirection | test.cpp:196:10:196:16 | concat output argument |
-| test.cpp:218:9:218:16 | fread output argument | test.cpp:220:19:220:26 | filename indirection |
+| test.cpp:114:19:114:22 | *path | test.cpp:114:10:114:23 | call to operator+ |
+| test.cpp:114:19:114:22 | *path | test.cpp:114:17:114:17 | call to operator+ |
+| test.cpp:119:20:119:38 | *call to getenv | test.cpp:120:19:120:22 | *path |
+| test.cpp:120:17:120:17 | call to operator+ | test.cpp:120:10:120:30 | *call to data |
+| test.cpp:120:19:120:22 | *path | test.cpp:120:17:120:17 | call to operator+ |
+| test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | *str |
+| test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | *command |
+| test.cpp:142:31:142:33 | *str | test.cpp:142:11:142:17 | sprintf output argument |
+| test.cpp:174:9:174:16 | fread output argument | test.cpp:177:20:177:27 | *filename |
+| test.cpp:174:9:174:16 | fread output argument | test.cpp:180:22:180:29 | *filename |
+| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags |
+| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags |
+| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument |
+| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument |
+| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command |
+| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command |
+| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument |
+| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument |
+| test.cpp:180:13:180:19 | strncat output argument | test.cpp:183:32:183:38 | *command |
+| test.cpp:180:22:180:29 | *filename | test.cpp:180:13:180:19 | strncat output argument |
+| test.cpp:186:47:186:54 | *filename | test.cpp:187:18:187:25 | *filename |
+| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags |
+| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags |
+| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument |
+| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument |
+| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument |
+| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument |
+| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | *filename |
+| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command |
+| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command |
+| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename |
+| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument |
+| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument |
+| test.cpp:218:9:218:16 | fread output argument | test.cpp:220:19:220:26 | *filename |
 | test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument |
 | test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument |
 | test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument |
-| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | command indirection |
-| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | command indirection |
-| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | command indirection |
-| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | command indirection |
-| test.cpp:220:19:220:26 | filename indirection | test.cpp:220:10:220:16 | strncat output argument |
-| test.cpp:220:19:220:26 | filename indirection | test.cpp:220:10:220:16 | strncat output argument |
-| test.cpp:220:19:220:26 | filename indirection | test.cpp:220:19:220:26 | filename indirection |
+| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command |
+| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command |
+| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command |
+| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command |
+| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument |
+| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument |
+| test.cpp:220:19:220:26 | *filename | test.cpp:220:19:220:26 | *filename |
 nodes
-| test.cpp:15:27:15:30 | argv indirection | semmle.label | argv indirection |
+| test.cpp:15:27:15:30 | **argv | semmle.label | **argv |
 | test.cpp:22:13:22:20 | sprintf output argument | semmle.label | sprintf output argument |
-| test.cpp:22:45:22:52 | userName indirection | semmle.label | userName indirection |
-| test.cpp:23:12:23:19 | command1 indirection | semmle.label | command1 indirection |
-| test.cpp:47:21:47:26 | call to getenv indirection | semmle.label | call to getenv indirection |
+| test.cpp:22:45:22:52 | *userName | semmle.label | *userName |
+| test.cpp:23:12:23:19 | *command1 | semmle.label | *command1 |
+| test.cpp:47:21:47:26 | *call to getenv | semmle.label | *call to getenv |
 | test.cpp:50:11:50:17 | sprintf output argument | semmle.label | sprintf output argument |
-| test.cpp:50:35:50:43 | envCflags indirection | semmle.label | envCflags indirection |
-| test.cpp:51:10:51:16 | command indirection | semmle.label | command indirection |
+| test.cpp:50:35:50:43 | *envCflags | semmle.label | *envCflags |
+| test.cpp:51:10:51:16 | *command | semmle.label | *command |
 | test.cpp:62:9:62:16 | fread output argument | semmle.label | fread output argument |
 | test.cpp:64:11:64:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:64:20:64:27 | filename indirection | semmle.label | filename indirection |
-| test.cpp:65:10:65:16 | command indirection | semmle.label | command indirection |
+| test.cpp:64:20:64:27 | *filename | semmle.label | *filename |
+| test.cpp:65:10:65:16 | *command | semmle.label | *command |
 | test.cpp:82:9:82:16 | fread output argument | semmle.label | fread output argument |
 | test.cpp:84:11:84:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:84:20:84:27 | filename indirection | semmle.label | filename indirection |
-| test.cpp:85:32:85:38 | command indirection | semmle.label | command indirection |
+| test.cpp:84:20:84:27 | *filename | semmle.label | *filename |
+| test.cpp:85:32:85:38 | *command | semmle.label | *command |
 | test.cpp:91:9:91:16 | fread output argument | semmle.label | fread output argument |
 | test.cpp:93:11:93:14 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:93:17:93:24 | filename indirection | semmle.label | filename indirection |
-| test.cpp:94:45:94:48 | path indirection | semmle.label | path indirection |
-| test.cpp:106:20:106:38 | call to getenv indirection | semmle.label | call to getenv indirection |
+| test.cpp:93:17:93:24 | *filename | semmle.label | *filename |
+| test.cpp:94:45:94:48 | *path | semmle.label | *path |
+| test.cpp:106:20:106:38 | *call to getenv | semmle.label | *call to getenv |
 | test.cpp:107:31:107:31 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:107:33:107:36 | path indirection | semmle.label | path indirection |
-| test.cpp:108:18:108:22 | call to c_str indirection | semmle.label | call to c_str indirection |
-| test.cpp:113:20:113:38 | call to getenv indirection | semmle.label | call to getenv indirection |
+| test.cpp:107:33:107:36 | *path | semmle.label | *path |
+| test.cpp:108:18:108:22 | *call to c_str | semmle.label | *call to c_str |
+| test.cpp:113:20:113:38 | *call to getenv | semmle.label | *call to getenv |
 | test.cpp:114:10:114:23 | call to operator+ | semmle.label | call to operator+ |
 | test.cpp:114:10:114:23 | call to operator+ | semmle.label | call to operator+ |
 | test.cpp:114:17:114:17 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:114:19:114:22 | path indirection | semmle.label | path indirection |
-| test.cpp:114:25:114:29 | call to c_str indirection | semmle.label | call to c_str indirection |
-| test.cpp:114:25:114:29 | call to c_str indirection | semmle.label | call to c_str indirection |
-| test.cpp:119:20:119:38 | call to getenv indirection | semmle.label | call to getenv indirection |
-| test.cpp:120:10:120:30 | call to data indirection | semmle.label | call to data indirection |
+| test.cpp:114:19:114:22 | *path | semmle.label | *path |
+| test.cpp:114:25:114:29 | *call to c_str | semmle.label | *call to c_str |
+| test.cpp:114:25:114:29 | *call to c_str | semmle.label | *call to c_str |
+| test.cpp:119:20:119:38 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:120:10:120:30 | *call to data | semmle.label | *call to data |
 | test.cpp:120:17:120:17 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:120:19:120:22 | path indirection | semmle.label | path indirection |
+| test.cpp:120:19:120:22 | *path | semmle.label | *path |
 | test.cpp:140:9:140:11 | fread output argument | semmle.label | fread output argument |
 | test.cpp:142:11:142:17 | sprintf output argument | semmle.label | sprintf output argument |
-| test.cpp:142:31:142:33 | str indirection | semmle.label | str indirection |
-| test.cpp:143:10:143:16 | command indirection | semmle.label | command indirection |
+| test.cpp:142:31:142:33 | *str | semmle.label | *str |
+| test.cpp:143:10:143:16 | *command | semmle.label | *command |
 | test.cpp:174:9:174:16 | fread output argument | semmle.label | fread output argument |
 | test.cpp:177:13:177:17 | strncat output argument | semmle.label | strncat output argument |
 | test.cpp:177:13:177:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:177:20:177:27 | filename indirection | semmle.label | filename indirection |
+| test.cpp:177:20:177:27 | *filename | semmle.label | *filename |
 | test.cpp:178:13:178:19 | strncat output argument | semmle.label | strncat output argument |
 | test.cpp:178:13:178:19 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:178:22:178:26 | flags indirection | semmle.label | flags indirection |
-| test.cpp:178:22:178:26 | flags indirection | semmle.label | flags indirection |
+| test.cpp:178:22:178:26 | *flags | semmle.label | *flags |
+| test.cpp:178:22:178:26 | *flags | semmle.label | *flags |
 | test.cpp:180:13:180:19 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:180:22:180:29 | filename indirection | semmle.label | filename indirection |
-| test.cpp:183:32:183:38 | command indirection | semmle.label | command indirection |
-| test.cpp:183:32:183:38 | command indirection | semmle.label | command indirection |
-| test.cpp:183:32:183:38 | command indirection | semmle.label | command indirection |
-| test.cpp:186:47:186:54 | filename indirection | semmle.label | filename indirection |
+| test.cpp:180:22:180:29 | *filename | semmle.label | *filename |
+| test.cpp:183:32:183:38 | *command | semmle.label | *command |
+| test.cpp:183:32:183:38 | *command | semmle.label | *command |
+| test.cpp:183:32:183:38 | *command | semmle.label | *command |
+| test.cpp:186:47:186:54 | *filename | semmle.label | *filename |
 | test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
 | test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:187:18:187:25 | filename indirection | semmle.label | filename indirection |
+| test.cpp:187:18:187:25 | *filename | semmle.label | *filename |
 | test.cpp:188:11:188:17 | strncat output argument | semmle.label | strncat output argument |
 | test.cpp:188:11:188:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:188:20:188:24 | flags indirection | semmle.label | flags indirection |
-| test.cpp:188:20:188:24 | flags indirection | semmle.label | flags indirection |
+| test.cpp:188:20:188:24 | *flags | semmle.label | *flags |
+| test.cpp:188:20:188:24 | *flags | semmle.label | *flags |
 | test.cpp:194:9:194:16 | fread output argument | semmle.label | fread output argument |
 | test.cpp:196:10:196:16 | concat output argument | semmle.label | concat output argument |
 | test.cpp:196:10:196:16 | concat output argument | semmle.label | concat output argument |
-| test.cpp:196:26:196:33 | filename indirection | semmle.label | filename indirection |
-| test.cpp:198:32:198:38 | command indirection | semmle.label | command indirection |
-| test.cpp:198:32:198:38 | command indirection | semmle.label | command indirection |
+| test.cpp:196:26:196:33 | *filename | semmle.label | *filename |
+| test.cpp:198:32:198:38 | *command | semmle.label | *command |
+| test.cpp:198:32:198:38 | *command | semmle.label | *command |
 | test.cpp:218:9:218:16 | fread output argument | semmle.label | fread output argument |
 | test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
 | test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
 | test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
 | test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:220:19:220:26 | filename indirection | semmle.label | filename indirection |
-| test.cpp:220:19:220:26 | filename indirection | semmle.label | filename indirection |
-| test.cpp:222:32:222:38 | command indirection | semmle.label | command indirection |
-| test.cpp:222:32:222:38 | command indirection | semmle.label | command indirection |
+| test.cpp:220:19:220:26 | *filename | semmle.label | *filename |
+| test.cpp:220:19:220:26 | *filename | semmle.label | *filename |
+| test.cpp:222:32:222:38 | *command | semmle.label | *command |
+| test.cpp:222:32:222:38 | *command | semmle.label | *command |
 subpaths
-| test.cpp:196:26:196:33 | filename indirection | test.cpp:186:47:186:54 | filename indirection | test.cpp:188:11:188:17 | strncat output argument | test.cpp:196:10:196:16 | concat output argument |
-| test.cpp:196:26:196:33 | filename indirection | test.cpp:186:47:186:54 | filename indirection | test.cpp:188:11:188:17 | strncat output argument | test.cpp:196:10:196:16 | concat output argument |
+| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:188:11:188:17 | strncat output argument | test.cpp:196:10:196:16 | concat output argument |
+| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:188:11:188:17 | strncat output argument | test.cpp:196:10:196:16 | concat output argument |
 #select
-| test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | argv indirection | test.cpp:23:12:23:19 | command1 indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | argv indirection | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
-| test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | call to getenv indirection | test.cpp:51:10:51:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | call to getenv indirection | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument |
-| test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:62:9:62:16 | fread output argument | user input (string read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
-| test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:82:9:82:16 | fread output argument | user input (string read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |
-| test.cpp:94:45:94:48 | path | test.cpp:91:9:91:16 | fread output argument | test.cpp:94:45:94:48 | path indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:91:9:91:16 | fread output argument | user input (string read by fread) | test.cpp:93:11:93:14 | strncat output argument | strncat output argument |
-| test.cpp:108:18:108:22 | call to c_str | test.cpp:106:20:106:38 | call to getenv indirection | test.cpp:108:18:108:22 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:106:20:106:38 | call to getenv indirection | user input (an environment variable) | test.cpp:107:31:107:31 | call to operator+ | call to operator+ |
-| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | call to getenv indirection | test.cpp:114:25:114:29 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | call to getenv indirection | user input (an environment variable) | test.cpp:114:10:114:23 | call to operator+ | call to operator+ |
-| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | call to getenv indirection | test.cpp:114:25:114:29 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | call to getenv indirection | user input (an environment variable) | test.cpp:114:17:114:17 | call to operator+ | call to operator+ |
-| test.cpp:120:25:120:28 | call to data | test.cpp:119:20:119:38 | call to getenv indirection | test.cpp:120:10:120:30 | call to data indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:119:20:119:38 | call to getenv indirection | user input (an environment variable) | test.cpp:120:17:120:17 | call to operator+ | call to operator+ |
-| test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:140:9:140:11 | fread output argument | user input (string read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
-| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:177:13:177:17 | strncat output argument | strncat output argument |
-| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:19 | strncat output argument | strncat output argument |
-| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:180:13:180:19 | strncat output argument | strncat output argument |
-| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (string read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
-| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |
-| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (string read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |
-| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (string read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |
+| test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | **argv | test.cpp:23:12:23:19 | *command1 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | **argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
+| test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | *call to getenv | test.cpp:51:10:51:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | *call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument |
+| test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:62:9:62:16 | fread output argument | user input (string read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
+| test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:82:9:82:16 | fread output argument | user input (string read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |
+| test.cpp:94:45:94:48 | path | test.cpp:91:9:91:16 | fread output argument | test.cpp:94:45:94:48 | *path | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:91:9:91:16 | fread output argument | user input (string read by fread) | test.cpp:93:11:93:14 | strncat output argument | strncat output argument |
+| test.cpp:108:18:108:22 | call to c_str | test.cpp:106:20:106:38 | *call to getenv | test.cpp:108:18:108:22 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:106:20:106:38 | *call to getenv | user input (an environment variable) | test.cpp:107:31:107:31 | call to operator+ | call to operator+ |
+| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:25:114:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | *call to getenv | user input (an environment variable) | test.cpp:114:10:114:23 | call to operator+ | call to operator+ |
+| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:25:114:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | *call to getenv | user input (an environment variable) | test.cpp:114:17:114:17 | call to operator+ | call to operator+ |
+| test.cpp:120:25:120:28 | call to data | test.cpp:119:20:119:38 | *call to getenv | test.cpp:120:10:120:30 | *call to data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:119:20:119:38 | *call to getenv | user input (an environment variable) | test.cpp:120:17:120:17 | call to operator+ | call to operator+ |
+| test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:140:9:140:11 | fread output argument | user input (string read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:177:13:177:17 | strncat output argument | strncat output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:19 | strncat output argument | strncat output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:180:13:180:19 | strncat output argument | strncat output argument |
+| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (string read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
+| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |
+| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (string read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |
+| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (string read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |

cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected

@@ -1,26 +1,26 @@
 edges
-| search.c:14:24:14:28 | query indirection | search.c:17:8:17:12 | query indirection |
-| search.c:22:24:22:28 | query indirection | search.c:23:39:23:43 | query indirection |
-| search.c:55:24:55:28 | query indirection | search.c:62:8:62:17 | query_text indirection |
-| search.c:67:21:67:26 | call to getenv indirection | search.c:71:17:71:25 | raw_query indirection |
-| search.c:67:21:67:26 | call to getenv indirection | search.c:73:17:73:25 | raw_query indirection |
-| search.c:67:21:67:26 | call to getenv indirection | search.c:77:17:77:25 | raw_query indirection |
-| search.c:71:17:71:25 | raw_query indirection | search.c:14:24:14:28 | query indirection |
-| search.c:73:17:73:25 | raw_query indirection | search.c:22:24:22:28 | query indirection |
-| search.c:77:17:77:25 | raw_query indirection | search.c:55:24:55:28 | query indirection |
+| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | *query |
+| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | *query |
+| search.c:55:24:55:28 | *query | search.c:62:8:62:17 | *query_text |
+| search.c:67:21:67:26 | *call to getenv | search.c:71:17:71:25 | *raw_query |
+| search.c:67:21:67:26 | *call to getenv | search.c:73:17:73:25 | *raw_query |
+| search.c:67:21:67:26 | *call to getenv | search.c:77:17:77:25 | *raw_query |
+| search.c:71:17:71:25 | *raw_query | search.c:14:24:14:28 | *query |
+| search.c:73:17:73:25 | *raw_query | search.c:22:24:22:28 | *query |
+| search.c:77:17:77:25 | *raw_query | search.c:55:24:55:28 | *query |
 nodes
-| search.c:14:24:14:28 | query indirection | semmle.label | query indirection |
-| search.c:17:8:17:12 | query indirection | semmle.label | query indirection |
-| search.c:22:24:22:28 | query indirection | semmle.label | query indirection |
-| search.c:23:39:23:43 | query indirection | semmle.label | query indirection |
-| search.c:55:24:55:28 | query indirection | semmle.label | query indirection |
-| search.c:62:8:62:17 | query_text indirection | semmle.label | query_text indirection |
-| search.c:67:21:67:26 | call to getenv indirection | semmle.label | call to getenv indirection |
-| search.c:71:17:71:25 | raw_query indirection | semmle.label | raw_query indirection |
-| search.c:73:17:73:25 | raw_query indirection | semmle.label | raw_query indirection |
-| search.c:77:17:77:25 | raw_query indirection | semmle.label | raw_query indirection |
+| search.c:14:24:14:28 | *query | semmle.label | *query |
+| search.c:17:8:17:12 | *query | semmle.label | *query |
+| search.c:22:24:22:28 | *query | semmle.label | *query |
+| search.c:23:39:23:43 | *query | semmle.label | *query |
+| search.c:55:24:55:28 | *query | semmle.label | *query |
+| search.c:62:8:62:17 | *query_text | semmle.label | *query_text |
+| search.c:67:21:67:26 | *call to getenv | semmle.label | *call to getenv |
+| search.c:71:17:71:25 | *raw_query | semmle.label | *raw_query |
+| search.c:73:17:73:25 | *raw_query | semmle.label | *raw_query |
+| search.c:77:17:77:25 | *raw_query | semmle.label | *raw_query |
 subpaths
 #select
-| search.c:17:8:17:12 | query indirection | search.c:67:21:67:26 | call to getenv indirection | search.c:17:8:17:12 | query indirection | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data |
-| search.c:23:39:23:43 | query indirection | search.c:67:21:67:26 | call to getenv indirection | search.c:23:39:23:43 | query indirection | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data |
-| search.c:62:8:62:17 | query_text indirection | search.c:67:21:67:26 | call to getenv indirection | search.c:62:8:62:17 | query_text indirection | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data |
+| search.c:17:8:17:12 | *query | search.c:67:21:67:26 | *call to getenv | search.c:17:8:17:12 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data |
+| search.c:23:39:23:43 | *query | search.c:67:21:67:26 | *call to getenv | search.c:23:39:23:43 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data |
+| search.c:62:8:62:17 | *query_text | search.c:67:21:67:26 | *call to getenv | search.c:62:8:62:17 | *query_text | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data |

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected

@@ -1,28 +1,28 @@
 edges
-| test.c:14:27:14:30 | argv indirection | test.c:21:18:21:23 | query1 indirection |
-| test.c:14:27:14:30 | argv indirection | test.c:35:16:35:23 | userName indirection |
-| test.c:35:16:35:23 | userName indirection | test.c:40:25:40:32 | username indirection |
-| test.c:38:7:38:20 | globalUsername indirection | test.c:51:18:51:23 | query1 indirection |
-| test.c:40:25:40:32 | username indirection | test.c:38:7:38:20 | globalUsername indirection |
-| test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | userInput indirection |
-| test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | userInput indirection |
-| test.cpp:39:27:39:30 | argv indirection | test.cpp:43:27:43:33 | access to array indirection |
+| test.c:14:27:14:30 | **argv | test.c:21:18:21:23 | *query1 |
+| test.c:14:27:14:30 | **argv | test.c:35:16:35:23 | *userName |
+| test.c:35:16:35:23 | *userName | test.c:40:25:40:32 | *username |
+| test.c:38:7:38:20 | **globalUsername | test.c:51:18:51:23 | *query1 |
+| test.c:40:25:40:32 | *username | test.c:38:7:38:20 | **globalUsername |
+| test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput |
+| test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput |
+| test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array |
 nodes
-| test.c:14:27:14:30 | argv indirection | semmle.label | argv indirection |
-| test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
-| test.c:35:16:35:23 | userName indirection | semmle.label | userName indirection |
-| test.c:38:7:38:20 | globalUsername indirection | semmle.label | globalUsername indirection |
-| test.c:40:25:40:32 | username indirection | semmle.label | username indirection |
-| test.c:51:18:51:23 | query1 indirection | semmle.label | query1 indirection |
+| test.c:14:27:14:30 | **argv | semmle.label | **argv |
+| test.c:21:18:21:23 | *query1 | semmle.label | *query1 |
+| test.c:35:16:35:23 | *userName | semmle.label | *userName |
+| test.c:38:7:38:20 | **globalUsername | semmle.label | **globalUsername |
+| test.c:40:25:40:32 | *username | semmle.label | *username |
+| test.c:51:18:51:23 | *query1 | semmle.label | *query1 |
 | test.c:75:8:75:16 | gets output argument | semmle.label | gets output argument |
-| test.c:76:17:76:25 | userInput indirection | semmle.label | userInput indirection |
-| test.c:77:20:77:28 | userInput indirection | semmle.label | userInput indirection |
-| test.cpp:39:27:39:30 | argv indirection | semmle.label | argv indirection |
-| test.cpp:43:27:43:33 | access to array indirection | semmle.label | access to array indirection |
+| test.c:76:17:76:25 | *userInput | semmle.label | *userInput |
+| test.c:77:20:77:28 | *userInput | semmle.label | *userInput |
+| test.cpp:39:27:39:30 | **argv | semmle.label | **argv |
+| test.cpp:43:27:43:33 | *access to array | semmle.label | *access to array |
 subpaths
 #select
-| test.c:21:18:21:23 | query1 | test.c:14:27:14:30 | argv indirection | test.c:21:18:21:23 | query1 indirection | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | argv indirection | user input (a command-line argument) |
-| test.c:51:18:51:23 | query1 | test.c:14:27:14:30 | argv indirection | test.c:51:18:51:23 | query1 indirection | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | argv indirection | user input (a command-line argument) |
-| test.c:76:17:76:25 | userInput | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | userInput indirection | This argument to a SQL query function is derived from $@ and then passed to SQLPrepare(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
-| test.c:77:20:77:28 | userInput | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | userInput indirection | This argument to a SQL query function is derived from $@ and then passed to SQLExecDirect(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
-| test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | argv indirection | test.cpp:43:27:43:33 | access to array indirection | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
+| test.c:21:18:21:23 | query1 | test.c:14:27:14:30 | **argv | test.c:21:18:21:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
+| test.c:51:18:51:23 | query1 | test.c:14:27:14:30 | **argv | test.c:51:18:51:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
+| test.c:76:17:76:25 | userInput | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLPrepare(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
+| test.c:77:20:77:28 | userInput | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLExecDirect(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
+| test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |

cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected

@@ -1,12 +1,12 @@
 edges
-| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data indirection |
-| test.cpp:64:30:64:35 | call to getenv indirection | test.cpp:73:24:73:27 | data indirection |
-| test.cpp:73:24:73:27 | data indirection | test.cpp:37:73:37:76 | data indirection |
+| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | *data |
+| test.cpp:64:30:64:35 | *call to getenv | test.cpp:73:24:73:27 | *data |
+| test.cpp:73:24:73:27 | *data | test.cpp:37:73:37:76 | *data |
 nodes
-| test.cpp:37:73:37:76 | data indirection | semmle.label | data indirection |
-| test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
-| test.cpp:64:30:64:35 | call to getenv indirection | semmle.label | call to getenv indirection |
-| test.cpp:73:24:73:27 | data indirection | semmle.label | data indirection |
+| test.cpp:37:73:37:76 | *data | semmle.label | *data |
+| test.cpp:43:32:43:35 | *data | semmle.label | *data |
+| test.cpp:64:30:64:35 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:73:24:73:27 | *data | semmle.label | *data |
 subpaths
 #select
-| test.cpp:43:32:43:35 | data indirection | test.cpp:64:30:64:35 | call to getenv indirection | test.cpp:43:32:43:35 | data indirection | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | call to getenv indirection | an environment variable |
+| test.cpp:43:32:43:35 | *data | test.cpp:64:30:64:35 | *call to getenv | test.cpp:43:32:43:35 | *data | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | *call to getenv | an environment variable |

cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected

@@ -1,45 +1,45 @@
 edges
-| test.cpp:24:30:24:36 | command indirection | test.cpp:26:10:26:16 | command indirection |
-| test.cpp:29:30:29:36 | command indirection | test.cpp:31:10:31:16 | command indirection |
-| test.cpp:42:18:42:34 | call to getenv indirection | test.cpp:24:30:24:36 | command indirection |
-| test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | command indirection |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref indirection |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 indirection |
-| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection |
-| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer indirection |
-| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer indirection |
-| test.cpp:113:8:113:12 | call to fgets indirection | test.cpp:114:9:114:11 | ptr indirection |
+| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | *command |
+| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | *command |
+| test.cpp:42:18:42:34 | *call to getenv | test.cpp:24:30:24:36 | *command |
+| test.cpp:43:18:43:34 | *call to getenv | test.cpp:29:30:29:36 | *command |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | *buffer |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | *data |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | *dataref |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | *data2 |
+| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | *buffer |
+| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | *buffer |
+| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | *buffer |
+| test.cpp:113:8:113:12 | *call to fgets | test.cpp:114:9:114:11 | *ptr |
 nodes
-| test.cpp:24:30:24:36 | command indirection | semmle.label | command indirection |
-| test.cpp:26:10:26:16 | command indirection | semmle.label | command indirection |
-| test.cpp:29:30:29:36 | command indirection | semmle.label | command indirection |
-| test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
-| test.cpp:42:18:42:34 | call to getenv indirection | semmle.label | call to getenv indirection |
-| test.cpp:43:18:43:34 | call to getenv indirection | semmle.label | call to getenv indirection |
+| test.cpp:24:30:24:36 | *command | semmle.label | *command |
+| test.cpp:26:10:26:16 | *command | semmle.label | *command |
+| test.cpp:29:30:29:36 | *command | semmle.label | *command |
+| test.cpp:31:10:31:16 | *command | semmle.label | *command |
+| test.cpp:42:18:42:34 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:43:18:43:34 | *call to getenv | semmle.label | *call to getenv |
 | test.cpp:56:12:56:17 | fgets output argument | semmle.label | fgets output argument |
-| test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
-| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
-| test.cpp:64:10:64:16 | dataref indirection | semmle.label | dataref indirection |
-| test.cpp:65:10:65:14 | data2 indirection | semmle.label | data2 indirection |
+| test.cpp:62:10:62:15 | *buffer | semmle.label | *buffer |
+| test.cpp:63:10:63:13 | *data | semmle.label | *data |
+| test.cpp:64:10:64:16 | *dataref | semmle.label | *dataref |
+| test.cpp:65:10:65:14 | *data2 | semmle.label | *data2 |
 | test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
-| test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
+| test.cpp:78:10:78:15 | *buffer | semmle.label | *buffer |
 | test.cpp:98:17:98:22 | recv output argument | semmle.label | recv output argument |
-| test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
+| test.cpp:99:15:99:20 | *buffer | semmle.label | *buffer |
 | test.cpp:106:17:106:22 | recv output argument | semmle.label | recv output argument |
-| test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
-| test.cpp:113:8:113:12 | call to fgets indirection | semmle.label | call to fgets indirection |
-| test.cpp:114:9:114:11 | ptr indirection | semmle.label | ptr indirection |
+| test.cpp:107:15:107:20 | *buffer | semmle.label | *buffer |
+| test.cpp:113:8:113:12 | *call to fgets | semmle.label | *call to fgets |
+| test.cpp:114:9:114:11 | *ptr | semmle.label | *ptr |
 subpaths
 #select
-| test.cpp:26:10:26:16 | command indirection | test.cpp:42:18:42:34 | call to getenv indirection | test.cpp:26:10:26:16 | command indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:34 | call to getenv indirection | an environment variable |
-| test.cpp:31:10:31:16 | command indirection | test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:31:10:31:16 | command indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:34 | call to getenv indirection | an environment variable |
-| test.cpp:62:10:62:15 | buffer indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
-| test.cpp:63:10:63:13 | data indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
-| test.cpp:64:10:64:16 | dataref indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
-| test.cpp:65:10:65:14 | data2 indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
-| test.cpp:78:10:78:15 | buffer indirection | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:76:12:76:17 | fgets output argument | string read by fgets |
-| test.cpp:99:15:99:20 | buffer indirection | test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer indirection | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | recv output argument | buffer read by recv |
-| test.cpp:107:15:107:20 | buffer indirection | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer indirection | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | recv output argument | buffer read by recv |
-| test.cpp:114:9:114:11 | ptr indirection | test.cpp:113:8:113:12 | call to fgets indirection | test.cpp:114:9:114:11 | ptr indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | call to fgets indirection | string read by fgets |
+| test.cpp:26:10:26:16 | *command | test.cpp:42:18:42:34 | *call to getenv | test.cpp:26:10:26:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:34 | *call to getenv | an environment variable |
+| test.cpp:31:10:31:16 | *command | test.cpp:43:18:43:34 | *call to getenv | test.cpp:31:10:31:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:34 | *call to getenv | an environment variable |
+| test.cpp:62:10:62:15 | *buffer | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | *buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:63:10:63:13 | *data | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | *data | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:64:10:64:16 | *dataref | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | *dataref | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:65:10:65:14 | *data2 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | *data2 | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:78:10:78:15 | *buffer | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | *buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:76:12:76:17 | fgets output argument | string read by fgets |
+| test.cpp:99:15:99:20 | *buffer | test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | recv output argument | buffer read by recv |
+| test.cpp:107:15:107:20 | *buffer | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | recv output argument | buffer read by recv |
+| test.cpp:114:9:114:11 | *ptr | test.cpp:113:8:113:12 | *call to fgets | test.cpp:114:9:114:11 | *ptr | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | *call to fgets | string read by fgets |

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected

@@ -1,108 +1,108 @@
 edges
-| test.cpp:16:11:16:21 | mk_string_t indirection [string] | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] |
-| test.cpp:18:5:18:7 | str indirection [post update] [string] | test.cpp:19:5:19:7 | str indirection [string] |
-| test.cpp:18:5:18:30 | ... = ... | test.cpp:18:5:18:7 | str indirection [post update] [string] |
+| test.cpp:16:11:16:21 | **mk_string_t [string] | test.cpp:39:21:39:31 | *call to mk_string_t [string] |
+| test.cpp:18:5:18:7 | *str [post update] [string] | test.cpp:19:5:19:7 | *str [string] |
+| test.cpp:18:5:18:30 | ... = ... | test.cpp:18:5:18:7 | *str [post update] [string] |
 | test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | ... = ... |
-| test.cpp:19:5:19:7 | str indirection [string] | test.cpp:16:11:16:21 | mk_string_t indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:42:13:42:15 | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:72:17:72:19 | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:80:17:80:19 | str indirection [string] |
-| test.cpp:42:13:42:15 | str indirection [string] | test.cpp:42:18:42:23 | string |
-| test.cpp:72:17:72:19 | str indirection [string] | test.cpp:72:22:72:27 | string |
-| test.cpp:80:17:80:19 | str indirection [string] | test.cpp:80:22:80:27 | string |
-| test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] |
-| test.cpp:90:5:90:7 | str indirection [post update] [string] | test.cpp:91:5:91:7 | str indirection [string] |
-| test.cpp:90:5:90:34 | ... = ... | test.cpp:90:5:90:7 | str indirection [post update] [string] |
+| test.cpp:19:5:19:7 | *str [string] | test.cpp:16:11:16:21 | **mk_string_t [string] |
+| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:42:13:42:15 | *str [string] |
+| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:72:17:72:19 | *str [string] |
+| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:80:17:80:19 | *str [string] |
+| test.cpp:42:13:42:15 | *str [string] | test.cpp:42:18:42:23 | string |
+| test.cpp:72:17:72:19 | *str [string] | test.cpp:72:22:72:27 | string |
+| test.cpp:80:17:80:19 | *str [string] | test.cpp:80:22:80:27 | string |
+| test.cpp:88:11:88:30 | **mk_string_t_plus_one [string] | test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] |
+| test.cpp:90:5:90:7 | *str [post update] [string] | test.cpp:91:5:91:7 | *str [string] |
+| test.cpp:90:5:90:34 | ... = ... | test.cpp:90:5:90:7 | *str [post update] [string] |
 | test.cpp:90:19:90:24 | call to malloc | test.cpp:90:5:90:34 | ... = ... |
-| test.cpp:91:5:91:7 | str indirection [string] | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:99:13:99:15 | str indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:129:17:129:19 | str indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:137:17:137:19 | str indirection [string] |
-| test.cpp:99:13:99:15 | str indirection [string] | test.cpp:99:18:99:23 | string |
-| test.cpp:129:17:129:19 | str indirection [string] | test.cpp:129:22:129:27 | string |
-| test.cpp:137:17:137:19 | str indirection [string] | test.cpp:137:22:137:27 | string |
-| test.cpp:147:5:147:7 | str indirection [post update] [string] | test.cpp:148:5:148:7 | str indirection [string] |
-| test.cpp:147:5:147:34 | ... = ... | test.cpp:147:5:147:7 | str indirection [post update] [string] |
+| test.cpp:91:5:91:7 | *str [string] | test.cpp:88:11:88:30 | **mk_string_t_plus_one [string] |
+| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:99:13:99:15 | *str [string] |
+| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:129:17:129:19 | *str [string] |
+| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:137:17:137:19 | *str [string] |
+| test.cpp:99:13:99:15 | *str [string] | test.cpp:99:18:99:23 | string |
+| test.cpp:129:17:129:19 | *str [string] | test.cpp:129:22:129:27 | string |
+| test.cpp:137:17:137:19 | *str [string] | test.cpp:137:22:137:27 | string |
+| test.cpp:147:5:147:7 | *str [post update] [string] | test.cpp:148:5:148:7 | *str [string] |
+| test.cpp:147:5:147:34 | ... = ... | test.cpp:147:5:147:7 | *str [post update] [string] |
 | test.cpp:147:19:147:24 | call to malloc | test.cpp:147:5:147:34 | ... = ... |
-| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:152:13:152:15 | str indirection [string] |
-| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:154:13:154:15 | str indirection [string] |
-| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:156:13:156:15 | str indirection [string] |
-| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:175:17:175:19 | str indirection [string] |
-| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:187:17:187:19 | str indirection [string] |
-| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:195:17:195:19 | str indirection [string] |
-| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:199:17:199:19 | str indirection [string] |
-| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:203:17:203:19 | str indirection [string] |
-| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:207:17:207:19 | str indirection [string] |
-| test.cpp:152:13:152:15 | str indirection [string] | test.cpp:152:18:152:23 | string |
-| test.cpp:154:13:154:15 | str indirection [string] | test.cpp:154:18:154:23 | string |
-| test.cpp:156:13:156:15 | str indirection [string] | test.cpp:156:18:156:23 | string |
-| test.cpp:175:17:175:19 | str indirection [string] | test.cpp:175:22:175:27 | string |
-| test.cpp:187:17:187:19 | str indirection [string] | test.cpp:187:22:187:27 | string |
-| test.cpp:195:17:195:19 | str indirection [string] | test.cpp:195:22:195:27 | string |
-| test.cpp:199:17:199:19 | str indirection [string] | test.cpp:199:22:199:27 | string |
-| test.cpp:203:17:203:19 | str indirection [string] | test.cpp:203:22:203:27 | string |
-| test.cpp:207:17:207:19 | str indirection [string] | test.cpp:207:22:207:27 | string |
+| test.cpp:148:5:148:7 | *str [string] | test.cpp:152:13:152:15 | *str [string] |
+| test.cpp:148:5:148:7 | *str [string] | test.cpp:154:13:154:15 | *str [string] |
+| test.cpp:148:5:148:7 | *str [string] | test.cpp:156:13:156:15 | *str [string] |
+| test.cpp:148:5:148:7 | *str [string] | test.cpp:175:17:175:19 | *str [string] |
+| test.cpp:148:5:148:7 | *str [string] | test.cpp:187:17:187:19 | *str [string] |
+| test.cpp:148:5:148:7 | *str [string] | test.cpp:195:17:195:19 | *str [string] |
+| test.cpp:148:5:148:7 | *str [string] | test.cpp:199:17:199:19 | *str [string] |
+| test.cpp:148:5:148:7 | *str [string] | test.cpp:203:17:203:19 | *str [string] |
+| test.cpp:148:5:148:7 | *str [string] | test.cpp:207:17:207:19 | *str [string] |
+| test.cpp:152:13:152:15 | *str [string] | test.cpp:152:18:152:23 | string |
+| test.cpp:154:13:154:15 | *str [string] | test.cpp:154:18:154:23 | string |
+| test.cpp:156:13:156:15 | *str [string] | test.cpp:156:18:156:23 | string |
+| test.cpp:175:17:175:19 | *str [string] | test.cpp:175:22:175:27 | string |
+| test.cpp:187:17:187:19 | *str [string] | test.cpp:187:22:187:27 | string |
+| test.cpp:195:17:195:19 | *str [string] | test.cpp:195:22:195:27 | string |
+| test.cpp:199:17:199:19 | *str [string] | test.cpp:199:22:199:27 | string |
+| test.cpp:203:17:203:19 | *str [string] | test.cpp:203:22:203:27 | string |
+| test.cpp:207:17:207:19 | *str [string] | test.cpp:207:22:207:27 | string |
 | test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p |
 | test.cpp:220:27:220:54 | call to malloc | test.cpp:222:15:222:20 | buffer |
 | test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p |
 | test.cpp:228:27:228:54 | call to malloc | test.cpp:232:10:232:15 | buffer |
 | test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:26 | ... = ... |
-| test.cpp:236:5:236:26 | ... = ... | test.cpp:236:5:236:9 | p_str indirection [post update] [string] |
+| test.cpp:236:5:236:26 | ... = ... | test.cpp:236:5:236:9 | *p_str [post update] [string] |
 | test.cpp:241:20:241:38 | call to malloc | test.cpp:242:22:242:27 | buffer |
-| test.cpp:242:16:242:19 | set_string output argument [string] | test.cpp:243:12:243:14 | str indirection [string] |
+| test.cpp:242:16:242:19 | set_string output argument [string] | test.cpp:243:12:243:14 | *str [string] |
 | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer |
 | test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] |
-| test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:12:243:21 | string |
+| test.cpp:243:12:243:14 | *str [string] | test.cpp:243:12:243:21 | string |
 | test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p |
 | test.cpp:256:9:256:25 | call to malloc | test.cpp:257:12:257:12 | p |
 | test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p |
 | test.cpp:264:13:264:30 | call to malloc | test.cpp:266:12:266:12 | p |
 nodes
-| test.cpp:16:11:16:21 | mk_string_t indirection [string] | semmle.label | mk_string_t indirection [string] |
-| test.cpp:18:5:18:7 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
+| test.cpp:16:11:16:21 | **mk_string_t [string] | semmle.label | **mk_string_t [string] |
+| test.cpp:18:5:18:7 | *str [post update] [string] | semmle.label | *str [post update] [string] |
 | test.cpp:18:5:18:30 | ... = ... | semmle.label | ... = ... |
 | test.cpp:18:19:18:24 | call to malloc | semmle.label | call to malloc |
-| test.cpp:19:5:19:7 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | semmle.label | call to mk_string_t indirection [string] |
-| test.cpp:42:13:42:15 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:19:5:19:7 | *str [string] | semmle.label | *str [string] |
+| test.cpp:39:21:39:31 | *call to mk_string_t [string] | semmle.label | *call to mk_string_t [string] |
+| test.cpp:42:13:42:15 | *str [string] | semmle.label | *str [string] |
 | test.cpp:42:18:42:23 | string | semmle.label | string |
-| test.cpp:72:17:72:19 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:72:17:72:19 | *str [string] | semmle.label | *str [string] |
 | test.cpp:72:22:72:27 | string | semmle.label | string |
-| test.cpp:80:17:80:19 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:80:17:80:19 | *str [string] | semmle.label | *str [string] |
 | test.cpp:80:22:80:27 | string | semmle.label | string |
-| test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] | semmle.label | mk_string_t_plus_one indirection [string] |
-| test.cpp:90:5:90:7 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
+| test.cpp:88:11:88:30 | **mk_string_t_plus_one [string] | semmle.label | **mk_string_t_plus_one [string] |
+| test.cpp:90:5:90:7 | *str [post update] [string] | semmle.label | *str [post update] [string] |
 | test.cpp:90:5:90:34 | ... = ... | semmle.label | ... = ... |
 | test.cpp:90:19:90:24 | call to malloc | semmle.label | call to malloc |
-| test.cpp:91:5:91:7 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | semmle.label | call to mk_string_t_plus_one indirection [string] |
-| test.cpp:99:13:99:15 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:91:5:91:7 | *str [string] | semmle.label | *str [string] |
+| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | semmle.label | *call to mk_string_t_plus_one [string] |
+| test.cpp:99:13:99:15 | *str [string] | semmle.label | *str [string] |
 | test.cpp:99:18:99:23 | string | semmle.label | string |
-| test.cpp:129:17:129:19 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:129:17:129:19 | *str [string] | semmle.label | *str [string] |
 | test.cpp:129:22:129:27 | string | semmle.label | string |
-| test.cpp:137:17:137:19 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:137:17:137:19 | *str [string] | semmle.label | *str [string] |
 | test.cpp:137:22:137:27 | string | semmle.label | string |
-| test.cpp:147:5:147:7 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
+| test.cpp:147:5:147:7 | *str [post update] [string] | semmle.label | *str [post update] [string] |
 | test.cpp:147:5:147:34 | ... = ... | semmle.label | ... = ... |
 | test.cpp:147:19:147:24 | call to malloc | semmle.label | call to malloc |
-| test.cpp:148:5:148:7 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:152:13:152:15 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:148:5:148:7 | *str [string] | semmle.label | *str [string] |
+| test.cpp:152:13:152:15 | *str [string] | semmle.label | *str [string] |
 | test.cpp:152:18:152:23 | string | semmle.label | string |
-| test.cpp:154:13:154:15 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:154:13:154:15 | *str [string] | semmle.label | *str [string] |
 | test.cpp:154:18:154:23 | string | semmle.label | string |
-| test.cpp:156:13:156:15 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:156:13:156:15 | *str [string] | semmle.label | *str [string] |
 | test.cpp:156:18:156:23 | string | semmle.label | string |
-| test.cpp:175:17:175:19 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:175:17:175:19 | *str [string] | semmle.label | *str [string] |
 | test.cpp:175:22:175:27 | string | semmle.label | string |
-| test.cpp:187:17:187:19 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:187:17:187:19 | *str [string] | semmle.label | *str [string] |
 | test.cpp:187:22:187:27 | string | semmle.label | string |
-| test.cpp:195:17:195:19 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:195:17:195:19 | *str [string] | semmle.label | *str [string] |
 | test.cpp:195:22:195:27 | string | semmle.label | string |
-| test.cpp:199:17:199:19 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:199:17:199:19 | *str [string] | semmle.label | *str [string] |
 | test.cpp:199:22:199:27 | string | semmle.label | string |
-| test.cpp:203:17:203:19 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:203:17:203:19 | *str [string] | semmle.label | *str [string] |
 | test.cpp:203:22:203:27 | string | semmle.label | string |
-| test.cpp:207:17:207:19 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:207:17:207:19 | *str [string] | semmle.label | *str [string] |
 | test.cpp:207:22:207:27 | string | semmle.label | string |
 | test.cpp:214:24:214:24 | p | semmle.label | p |
 | test.cpp:216:10:216:10 | p | semmle.label | p |
@@ -111,12 +111,12 @@ nodes
 | test.cpp:228:27:228:54 | call to malloc | semmle.label | call to malloc |
 | test.cpp:232:10:232:15 | buffer | semmle.label | buffer |
 | test.cpp:235:40:235:45 | buffer | semmle.label | buffer |
-| test.cpp:236:5:236:9 | p_str indirection [post update] [string] | semmle.label | p_str indirection [post update] [string] |
+| test.cpp:236:5:236:9 | *p_str [post update] [string] | semmle.label | *p_str [post update] [string] |
 | test.cpp:236:5:236:26 | ... = ... | semmle.label | ... = ... |
 | test.cpp:241:20:241:38 | call to malloc | semmle.label | call to malloc |
 | test.cpp:242:16:242:19 | set_string output argument [string] | semmle.label | set_string output argument [string] |
 | test.cpp:242:22:242:27 | buffer | semmle.label | buffer |
-| test.cpp:243:12:243:14 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:243:12:243:14 | *str [string] | semmle.label | *str [string] |
 | test.cpp:243:12:243:21 | string | semmle.label | string |
 | test.cpp:249:14:249:33 | call to my_alloc | semmle.label | call to my_alloc |
 | test.cpp:250:12:250:12 | p | semmle.label | p |
@@ -126,7 +126,7 @@ nodes
 | test.cpp:264:13:264:30 | call to malloc | semmle.label | call to malloc |
 | test.cpp:266:12:266:12 | p | semmle.label | p |
 subpaths
-| test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:9 | p_str indirection [post update] [string] | test.cpp:242:16:242:19 | set_string output argument [string] |
+| test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:9 | *p_str [post update] [string] | test.cpp:242:16:242:19 | set_string output argument [string] |
 #select
 | test.cpp:42:5:42:11 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:42:18:42:23 | string | This write may overflow $@ by 1 element. | test.cpp:42:18:42:23 | string | string |
 | test.cpp:72:9:72:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:72:22:72:27 | string | This write may overflow $@ by 1 element. | test.cpp:72:22:72:27 | string | string |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected

@@ -1,42 +1,42 @@
 edges
-| main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | argv indirection |
-| main.cpp:7:33:7:36 | argv indirection | overflowdestination.cpp:23:45:23:48 | argv indirection |
-| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
-| overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src indirection |
-| overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:9:53:12 | memcpy output argument |
-| overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:15:53:17 | src indirection |
-| overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
+| main.cpp:6:27:6:30 | **argv | main.cpp:7:33:7:36 | **argv |
+| main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv |
+| overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 |
+| overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src |
+| overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:53:9:53:12 | memcpy output argument |
+| overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:53:15:53:17 | *src |
+| overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
 | overflowdestination.cpp:53:9:53:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
 | overflowdestination.cpp:54:9:54:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
-| overflowdestination.cpp:57:52:57:54 | src indirection | overflowdestination.cpp:64:16:64:19 | src2 indirection |
-| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | src indirection |
-| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
-| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
-| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:50:52:50:54 | src indirection |
-| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
-| overflowdestination.cpp:76:30:76:32 | src indirection | overflowdestination.cpp:57:52:57:54 | src indirection |
+| overflowdestination.cpp:57:52:57:54 | *src | overflowdestination.cpp:64:16:64:19 | *src2 |
+| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | *src |
+| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | *src |
+| overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:50:52:50:54 | *src |
+| overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
+| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | overflowdestination.cpp:76:30:76:32 | *src |
+| overflowdestination.cpp:76:30:76:32 | *src | overflowdestination.cpp:57:52:57:54 | *src |
 nodes
-| main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
-| main.cpp:7:33:7:36 | argv indirection | semmle.label | argv indirection |
-| overflowdestination.cpp:23:45:23:48 | argv indirection | semmle.label | argv indirection |
-| overflowdestination.cpp:30:17:30:20 | arg1 indirection | semmle.label | arg1 indirection |
+| main.cpp:6:27:6:30 | **argv | semmle.label | **argv |
+| main.cpp:7:33:7:36 | **argv | semmle.label | **argv |
+| overflowdestination.cpp:23:45:23:48 | **argv | semmle.label | **argv |
+| overflowdestination.cpp:30:17:30:20 | *arg1 | semmle.label | *arg1 |
 | overflowdestination.cpp:43:8:43:10 | fgets output argument | semmle.label | fgets output argument |
-| overflowdestination.cpp:46:15:46:17 | src indirection | semmle.label | src indirection |
-| overflowdestination.cpp:50:52:50:54 | src indirection | semmle.label | src indirection |
+| overflowdestination.cpp:46:15:46:17 | *src | semmle.label | *src |
+| overflowdestination.cpp:50:52:50:54 | *src | semmle.label | *src |
 | overflowdestination.cpp:53:9:53:12 | memcpy output argument | semmle.label | memcpy output argument |
-| overflowdestination.cpp:53:15:53:17 | src indirection | semmle.label | src indirection |
+| overflowdestination.cpp:53:15:53:17 | *src | semmle.label | *src |
 | overflowdestination.cpp:54:9:54:12 | memcpy output argument | semmle.label | memcpy output argument |
-| overflowdestination.cpp:57:52:57:54 | src indirection | semmle.label | src indirection |
-| overflowdestination.cpp:64:16:64:19 | src2 indirection | semmle.label | src2 indirection |
+| overflowdestination.cpp:57:52:57:54 | *src | semmle.label | *src |
+| overflowdestination.cpp:64:16:64:19 | *src2 | semmle.label | *src2 |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | semmle.label | fgets output argument |
+| overflowdestination.cpp:75:30:75:32 | *src | semmle.label | *src |
 | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | semmle.label | overflowdest_test2 output argument |
-| overflowdestination.cpp:75:30:75:32 | src indirection | semmle.label | src indirection |
-| overflowdestination.cpp:76:30:76:32 | src indirection | semmle.label | src indirection |
+| overflowdestination.cpp:76:30:76:32 | *src | semmle.label | *src |
 subpaths
-| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:9:53:12 | memcpy output argument | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
-| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:54:9:54:12 | memcpy output argument | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
+| overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:53:9:53:12 | memcpy output argument | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
+| overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:54:9:54:12 | memcpy output argument | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
 #select
-| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | src2 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | *src2 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected

@@ -1,32 +1,32 @@
 edges
-| main.cpp:6:27:6:30 | argv indirection | main.cpp:10:20:10:23 | argv indirection |
-| main.cpp:10:20:10:23 | argv indirection | tests.cpp:657:32:657:35 | argv indirection |
-| tests.cpp:613:19:613:24 | source indirection | tests.cpp:615:17:615:22 | source indirection |
-| tests.cpp:622:19:622:24 | source indirection | tests.cpp:625:2:625:16 | ... = ... indirection |
-| tests.cpp:625:2:625:2 | s indirection [post update] [home indirection] | tests.cpp:628:14:628:14 | s indirection [home indirection] |
-| tests.cpp:625:2:625:16 | ... = ... indirection | tests.cpp:625:2:625:2 | s indirection [post update] [home indirection] |
-| tests.cpp:628:14:628:14 | s indirection [home indirection] | tests.cpp:628:14:628:19 | home indirection |
-| tests.cpp:628:14:628:14 | s indirection [home indirection] | tests.cpp:628:16:628:19 | home indirection |
-| tests.cpp:628:16:628:19 | home indirection | tests.cpp:628:14:628:19 | home indirection |
-| tests.cpp:657:32:657:35 | argv indirection | tests.cpp:682:9:682:15 | access to array indirection |
-| tests.cpp:657:32:657:35 | argv indirection | tests.cpp:683:9:683:15 | access to array indirection |
-| tests.cpp:682:9:682:15 | access to array indirection | tests.cpp:613:19:613:24 | source indirection |
-| tests.cpp:683:9:683:15 | access to array indirection | tests.cpp:622:19:622:24 | source indirection |
+| main.cpp:6:27:6:30 | **argv | main.cpp:10:20:10:23 | **argv |
+| main.cpp:10:20:10:23 | **argv | tests.cpp:657:32:657:35 | **argv |
+| tests.cpp:613:19:613:24 | *source | tests.cpp:615:17:615:22 | *source |
+| tests.cpp:622:19:622:24 | *source | tests.cpp:625:2:625:16 | *... = ... |
+| tests.cpp:625:2:625:2 | *s [post update] [*home] | tests.cpp:628:14:628:14 | *s [*home] |
+| tests.cpp:625:2:625:16 | *... = ... | tests.cpp:625:2:625:2 | *s [post update] [*home] |
+| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:14:628:19 | *home |
+| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:16:628:19 | *home |
+| tests.cpp:628:16:628:19 | *home | tests.cpp:628:14:628:19 | *home |
+| tests.cpp:657:32:657:35 | **argv | tests.cpp:682:9:682:15 | *access to array |
+| tests.cpp:657:32:657:35 | **argv | tests.cpp:683:9:683:15 | *access to array |
+| tests.cpp:682:9:682:15 | *access to array | tests.cpp:613:19:613:24 | *source |
+| tests.cpp:683:9:683:15 | *access to array | tests.cpp:622:19:622:24 | *source |
 nodes
-| main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
-| main.cpp:10:20:10:23 | argv indirection | semmle.label | argv indirection |
-| tests.cpp:613:19:613:24 | source indirection | semmle.label | source indirection |
-| tests.cpp:615:17:615:22 | source indirection | semmle.label | source indirection |
-| tests.cpp:622:19:622:24 | source indirection | semmle.label | source indirection |
-| tests.cpp:625:2:625:2 | s indirection [post update] [home indirection] | semmle.label | s indirection [post update] [home indirection] |
-| tests.cpp:625:2:625:16 | ... = ... indirection | semmle.label | ... = ... indirection |
-| tests.cpp:628:14:628:14 | s indirection [home indirection] | semmle.label | s indirection [home indirection] |
-| tests.cpp:628:14:628:19 | home indirection | semmle.label | home indirection |
-| tests.cpp:628:16:628:19 | home indirection | semmle.label | home indirection |
-| tests.cpp:657:32:657:35 | argv indirection | semmle.label | argv indirection |
-| tests.cpp:682:9:682:15 | access to array indirection | semmle.label | access to array indirection |
-| tests.cpp:683:9:683:15 | access to array indirection | semmle.label | access to array indirection |
+| main.cpp:6:27:6:30 | **argv | semmle.label | **argv |
+| main.cpp:10:20:10:23 | **argv | semmle.label | **argv |
+| tests.cpp:613:19:613:24 | *source | semmle.label | *source |
+| tests.cpp:615:17:615:22 | *source | semmle.label | *source |
+| tests.cpp:622:19:622:24 | *source | semmle.label | *source |
+| tests.cpp:625:2:625:2 | *s [post update] [*home] | semmle.label | *s [post update] [*home] |
+| tests.cpp:625:2:625:16 | *... = ... | semmle.label | *... = ... |
+| tests.cpp:628:14:628:14 | *s [*home] | semmle.label | *s [*home] |
+| tests.cpp:628:14:628:19 | *home | semmle.label | *home |
+| tests.cpp:628:16:628:19 | *home | semmle.label | *home |
+| tests.cpp:657:32:657:35 | **argv | semmle.label | **argv |
+| tests.cpp:682:9:682:15 | *access to array | semmle.label | *access to array |
+| tests.cpp:683:9:683:15 | *access to array | semmle.label | *access to array |
 subpaths
 #select
-| tests.cpp:615:2:615:7 | call to strcpy | main.cpp:6:27:6:30 | argv indirection | tests.cpp:615:17:615:22 | source indirection | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | argv indirection | a command-line argument |
-| tests.cpp:628:2:628:7 | call to strcpy | main.cpp:6:27:6:30 | argv indirection | tests.cpp:628:14:628:19 | home indirection | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | argv indirection | a command-line argument |
+| tests.cpp:615:2:615:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:615:17:615:22 | *source | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument |
+| tests.cpp:628:2:628:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:628:14:628:19 | *home | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument |

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.expected

@@ -1,4 +1,2 @@
-| tests2.cpp:59:3:59:10 | call to snprintf | This 'call to snprintf' operation is limited to 13 bytes but the destination is only 2 bytes. |
-| tests2.cpp:63:3:63:10 | call to snprintf | This 'call to snprintf' operation is limited to 13 bytes but the destination is only 3 bytes. |
 | tests.c:43:3:43:10 | call to snprintf | This 'call to snprintf' operation is limited to 111 bytes but the destination is only 110 bytes. |
 | tests.c:46:3:46:10 | call to snprintf | This 'call to snprintf' operation is limited to 111 bytes but the destination is only 110 bytes. |

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected

@@ -1,18 +1,18 @@
 edges
-| tests.c:16:26:16:29 | argv indirection | tests.c:28:22:28:28 | access to array indirection |
-| tests.c:16:26:16:29 | argv indirection | tests.c:29:28:29:34 | access to array indirection |
-| tests.c:16:26:16:29 | argv indirection | tests.c:34:10:34:16 | access to array indirection |
+| tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array |
+| tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array |
+| tests.c:16:26:16:29 | **argv | tests.c:34:10:34:16 | *access to array |
 nodes
-| tests.c:16:26:16:29 | argv indirection | semmle.label | argv indirection |
-| tests.c:28:22:28:28 | access to array indirection | semmle.label | access to array indirection |
-| tests.c:29:28:29:34 | access to array indirection | semmle.label | access to array indirection |
+| tests.c:16:26:16:29 | **argv | semmle.label | **argv |
+| tests.c:28:22:28:28 | *access to array | semmle.label | *access to array |
+| tests.c:29:28:29:34 | *access to array | semmle.label | *access to array |
 | tests.c:31:15:31:23 | scanf output argument | semmle.label | scanf output argument |
 | tests.c:33:21:33:29 | scanf output argument | semmle.label | scanf output argument |
-| tests.c:34:10:34:16 | access to array indirection | semmle.label | access to array indirection |
+| tests.c:34:10:34:16 | *access to array | semmle.label | *access to array |
 subpaths
 #select
-| tests.c:28:3:28:9 | call to sprintf | tests.c:16:26:16:29 | argv indirection | tests.c:28:22:28:28 | access to array indirection | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | argv indirection | a command-line argument |
-| tests.c:29:3:29:9 | call to sprintf | tests.c:16:26:16:29 | argv indirection | tests.c:29:28:29:34 | access to array indirection | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | argv indirection | a command-line argument |
+| tests.c:28:3:28:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument |
+| tests.c:29:3:29:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument |
 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | scanf output argument | tests.c:31:15:31:23 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | scanf output argument | value read by scanf |
 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | scanf output argument | tests.c:33:21:33:29 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | scanf output argument | value read by scanf |
-| tests.c:34:25:34:33 | buffer100 | tests.c:16:26:16:29 | argv indirection | tests.c:34:10:34:16 | access to array indirection | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | argv indirection | a command-line argument |
+| tests.c:34:25:34:33 | buffer100 | tests.c:16:26:16:29 | **argv | tests.c:34:10:34:16 | *access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument |

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests2.cpp

@@ -56,9 +56,9 @@ void test3() {
   dest1 = (char*)malloc(sizeof(src));
   if (!dest1)
     return;
-  snprintf(dest1, sizeof(src), "%s", src); // GOOD [FALSE POSITIVE]
+  snprintf(dest1, sizeof(src), "%s", src); // GOOD
   dest2 = (char*)malloc(3);
   if (!dest2)
     return;
-  snprintf(dest2, sizeof(src), "%s", src); // BAD (but with duplicate alerts)
+  snprintf(dest2, sizeof(src), "%s", src); // BAD [NOT DETECTED]
 }

cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected

@@ -1,7 +1,7 @@
 edges
-| test1.c:7:26:7:29 | argv indirection | test1.c:9:9:9:9 | i |
-| test1.c:7:26:7:29 | argv indirection | test1.c:11:9:11:9 | i |
-| test1.c:7:26:7:29 | argv indirection | test1.c:13:9:13:9 | i |
+| test1.c:7:26:7:29 | **argv | test1.c:9:9:9:9 | i |
+| test1.c:7:26:7:29 | **argv | test1.c:11:9:11:9 | i |
+| test1.c:7:26:7:29 | **argv | test1.c:13:9:13:9 | i |
 | test1.c:9:9:9:9 | i | test1.c:16:16:16:16 | i |
 | test1.c:11:9:11:9 | i | test1.c:32:16:32:16 | i |
 | test1.c:13:9:13:9 | i | test1.c:48:16:48:16 | i |
@@ -9,7 +9,7 @@ edges
 | test1.c:32:16:32:16 | i | test1.c:33:11:33:11 | i |
 | test1.c:48:16:48:16 | i | test1.c:53:15:53:15 | j |
 nodes
-| test1.c:7:26:7:29 | argv indirection | semmle.label | argv indirection |
+| test1.c:7:26:7:29 | **argv | semmle.label | **argv |
 | test1.c:9:9:9:9 | i | semmle.label | i |
 | test1.c:11:9:11:9 | i | semmle.label | i |
 | test1.c:13:9:13:9 | i | semmle.label | i |
@@ -21,6 +21,6 @@ nodes
 | test1.c:53:15:53:15 | j | semmle.label | j |
 subpaths
 #select
-| test1.c:18:16:18:16 | i | test1.c:7:26:7:29 | argv indirection | test1.c:18:16:18:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
-| test1.c:33:11:33:11 | i | test1.c:7:26:7:29 | argv indirection | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
-| test1.c:53:15:53:15 | j | test1.c:7:26:7:29 | argv indirection | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
+| test1.c:18:16:18:16 | i | test1.c:7:26:7:29 | **argv | test1.c:18:16:18:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument |
+| test1.c:33:11:33:11 | i | test1.c:7:26:7:29 | **argv | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument |
+| test1.c:53:15:53:15 | j | test1.c:7:26:7:29 | **argv | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument |

cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected

@@ -1,16 +1,16 @@
 edges
-| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection |
-| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | data indirection |
-| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv indirection | char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection |
+| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data |
+| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data |
+| char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data |
 nodes
 | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | semmle.label | recv output argument |
-| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection | semmle.label | data indirection |
+| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | semmle.label | *data |
 | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | semmle.label | fgets output argument |
-| char_console_fprintf_01_bad.c:49:21:49:24 | data indirection | semmle.label | data indirection |
-| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv indirection | semmle.label | call to getenv indirection |
-| char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection | semmle.label | data indirection |
+| char_console_fprintf_01_bad.c:49:21:49:24 | *data | semmle.label | *data |
+| char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | semmle.label | *call to getenv |
+| char_environment_fprintf_01_bad.c:36:21:36:24 | *data | semmle.label | *data |
 subpaths
 #select
-| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format). | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | buffer read by recv |
-| char_console_fprintf_01_bad.c:49:21:49:24 | data indirection | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | data indirection | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | string read by fgets |
-| char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv indirection | char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv indirection | an environment variable |
+| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format). | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | buffer read by recv |
+| char_console_fprintf_01_bad.c:49:21:49:24 | *data | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | string read by fgets |
+| char_environment_fprintf_01_bad.c:36:21:36:24 | *data | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | an environment variable |