Merge remote-tracking branch 'origin/main' into nickrolfe/extractor-performance

C++: Upgrade cpp/cleartext-storage-buffer

.github/workflows/ruby-qltest.yml

@@ -32,14 +32,14 @@ jobs:
       - uses: ./ruby/actions/create-extractor-pack
       - name: Run QL tests
         run: |
-          codeql test run --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test
+          codeql test run --threads=0 --ram 5000 --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test
         env:
           GITHUB_TOKEN: ${{ github.token }}
       - name: Check QL formatting
         run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
       - name: Check QL compilation
         run: |
-          codeql query compile --check-only --threads=4 --warnings=error "ql/src" "ql/examples"
+          codeql query compile --check-only --threads=0 --ram 5000 --warnings=error "ql/src" "ql/examples"
         env:
           GITHUB_TOKEN: ${{ github.token }}
       - name: Check DB upgrade scripts

config/identical-files.json

@@ -7,6 +7,7 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,5 @@
+## 0.0.7
+
 ## 0.0.6
 
 ## 0.0.5

cpp/ql/lib/change-notes/released/0.0.7.md

@@ -0,0 +1 @@
+## 0.0.7

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.6
+lastReleaseVersion: 0.0.7

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.0.7-dev
+version: 0.0.8-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Class.qll

@@ -206,9 +206,7 @@ class Class extends UserType {
    * it is callable by a particular caller. For C++11, there's also a question
    * of whether to include members that are defaulted or deleted.
    */
-  deprecated predicate hasCopyConstructor() {
-    exists(CopyConstructor cc | cc = this.getAMemberFunction())
-  }
+  deprecated predicate hasCopyConstructor() { this.getAMemberFunction() instanceof CopyConstructor }
 
   /**
    * Holds if this class has a copy assignment operator that is either
@@ -224,7 +222,7 @@ class Class extends UserType {
    * or deleted.
    */
   deprecated predicate hasCopyAssignmentOperator() {
-    exists(CopyAssignmentOperator coa | coa = this.getAMemberFunction())
+    this.getAMemberFunction() instanceof CopyAssignmentOperator
   }
 
   /**
@@ -887,7 +885,7 @@ class NestedClass extends Class {
  * pure virtual function.
  */
 class AbstractClass extends Class {
-  AbstractClass() { exists(PureVirtualFunction f | this.getAMemberFunction() = f) }
+  AbstractClass() { this.getAMemberFunction() instanceof PureVirtualFunction }
 
   override string getAPrimaryQlClass() { result = "AbstractClass" }
 }

cpp/ql/lib/semmle/code/cpp/Specifier.qll

@@ -286,13 +286,13 @@ class AttributeArgument extends Element, @attribute_arg {
   override Location getLocation() { attribute_args(underlyingElement(this), _, _, _, result) }
 
   override string toString() {
-    if exists(@attribute_arg_empty self | self = underlyingElement(this))
+    if underlyingElement(this) instanceof @attribute_arg_empty
     then result = "empty argument"
     else
       exists(string prefix, string tail |
         (if exists(this.getName()) then prefix = this.getName() + "=" else prefix = "") and
         (
-          if exists(@attribute_arg_type self | self = underlyingElement(this))
+          if underlyingElement(this) instanceof @attribute_arg_type
           then tail = this.getValueType().getName()
           else tail = this.getValueText()
         ) and

cpp/ql/lib/semmle/code/cpp/XML.qll

@@ -233,7 +233,7 @@ class XMLElement extends @xmlelement, XMLParent, XMLLocatable {
   XMLAttribute getAttribute(string name) { result.getElement() = this and result.getName() = name }
 
   /** Holds if this XML element has an attribute with the specified `name`. */
-  predicate hasAttribute(string name) { exists(XMLAttribute a | a = this.getAttribute(name)) }
+  predicate hasAttribute(string name) { exists(this.getAttribute(name)) }
 
   /** Gets the value of the attribute with the specified `name`, if any. */
   string getAttributeValue(string name) { result = this.getAttribute(name).getValue() }

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -1122,7 +1122,7 @@ class FormatLiteral extends Literal {
    * conversion specifier of this format string; has no result if this cannot
    * be determined.
    */
-  int getMaxConvertedLength(int n) { result = max(getMaxConvertedLength(n, _)) }
+  int getMaxConvertedLength(int n) { result = max(this.getMaxConvertedLength(n, _)) }
 
   /**
    * Gets the maximum length of the string that can be produced by the nth
@@ -1353,7 +1353,7 @@ class FormatLiteral extends Literal {
    * determining whether a buffer overflow is caused by long float to string
    * conversions.
    */
-  int getMaxConvertedLengthLimited(int n) { result = max(getMaxConvertedLengthLimited(n, _)) }
+  int getMaxConvertedLengthLimited(int n) { result = max(this.getMaxConvertedLengthLimited(n, _)) }
 
   /**
    * Gets the maximum length of the string that can be produced by the nth

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -29,7 +29,7 @@ class GuardCondition extends Expr {
     exists(IRGuardCondition ir | this = ir.getUnconvertedResultExpression())
     or
     // no binary operators in the IR
-    exists(GuardCondition gc | this.(BinaryLogicalOperation).getAnOperand() = gc)
+    this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
     or
     // the IR short-circuits if(!x)
     // don't produce a guard condition for `y = !x` and other non-short-circuited cases
@@ -98,7 +98,7 @@ class GuardCondition extends Expr {
  */
 private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
   GuardConditionFromBinaryLogicalOperator() {
-    exists(GuardCondition gc | this.(BinaryLogicalOperation).getAnOperand() = gc)
+    this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
   }
 
   override predicate controls(BasicBlock controlled, boolean testIsTrue) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -48,7 +48,7 @@ private class Argument extends Expr {
  */
 class ArgumentNode extends Node {
   ArgumentNode() {
-    exists(Argument arg | this.asExpr() = arg) or
+    this.asExpr() instanceof Argument or
     this = getInstanceArgument(_)
   }
 

cpp/ql/lib/semmle/code/cpp/exprs/Access.qll

@@ -84,8 +84,8 @@ class VariableAccess extends Access, @varaccess {
     exists(Assignment a | a.getLValue() = this) or
     exists(CrementOperation c | c.getOperand() = this) or
     exists(AddressOfExpr addof | addof.getOperand() = this) or
-    exists(ReferenceToExpr rte | this.getConversion() = rte) or
-    exists(ArrayToPointerConversion atpc | this.getConversion() = atpc)
+    this.getConversion() instanceof ReferenceToExpr or
+    this.getConversion() instanceof ArrayToPointerConversion
   }
 
   /**
@@ -104,8 +104,8 @@ class VariableAccess extends Access, @varaccess {
   predicate isRValue() {
     not exists(AssignExpr ae | ae.getLValue() = this) and
     not exists(AddressOfExpr addof | addof.getOperand() = this) and
-    not exists(ReferenceToExpr rte | this.getConversion() = rte) and
-    not exists(ArrayToPointerConversion atpc | this.getConversion() = atpc)
+    not this.getConversion() instanceof ReferenceToExpr and
+    not this.getConversion() instanceof ArrayToPointerConversion
   }
 
   /**
@@ -218,9 +218,7 @@ class PointerFieldAccess extends FieldAccess {
 class DotFieldAccess extends FieldAccess {
   override string getAPrimaryQlClass() { result = "DotFieldAccess" }
 
-  DotFieldAccess() {
-    exists(Class c | c = this.getQualifier().getFullyConverted().getUnspecifiedType())
-  }
+  DotFieldAccess() { this.getQualifier().getFullyConverted().getUnspecifiedType() instanceof Class }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/exprs/Call.qll

@@ -35,7 +35,7 @@ class Call extends Expr, NameQualifiableElement, TCall {
    *
    * For example, `ptr->f()` has a qualifier, whereas plain `f()` does not.
    */
-  predicate hasQualifier() { exists(Expr e | this.getChild(-1) = e) }
+  predicate hasQualifier() { exists(this.getChild(-1)) }
 
   /**
    * Gets the expression to the left of the function name or function pointer variable name.

cpp/ql/lib/semmle/code/cpp/exprs/Cast.qll

@@ -724,7 +724,7 @@ class SizeofOperator extends Expr, @runtime_sizeof {
  * ```
  */
 class SizeofExprOperator extends SizeofOperator {
-  SizeofExprOperator() { exists(Expr e | this.getChild(0) = e) }
+  SizeofExprOperator() { exists(this.getChild(0)) }
 
   override string getAPrimaryQlClass() { result = "SizeofExprOperator" }
 
@@ -787,7 +787,7 @@ class AlignofOperator extends Expr, @runtime_alignof {
  * ```
  */
 class AlignofExprOperator extends AlignofOperator {
-  AlignofExprOperator() { exists(Expr e | this.getChild(0) = e) }
+  AlignofExprOperator() { exists(this.getChild(0)) }
 
   /**
    * Gets the contained expression.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -1,3 +1,8 @@
+/**
+ * An IR taint tracking library that uses an IR DataFlow configuration to track
+ * taint from user inputs as defined by `semmle.code.cpp.security.Security`.
+ */
+
 import cpp
 import semmle.code.cpp.security.Security
 private import semmle.code.cpp.ir.dataflow.DataFlow

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll

@@ -111,6 +111,45 @@ private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buff
   )
 }
 
+/**
+ * A `Call` or `NewOrNewArrayExpr`.
+ *
+ * Both kinds of expression invoke a function as part of their evaluation. This class provides a
+ * way to treat both kinds of function similarly, and to get the invoked `Function`.
+ */
+class CallOrAllocationExpr extends Expr {
+  CallOrAllocationExpr() {
+    this instanceof Call
+    or
+    this instanceof NewOrNewArrayExpr
+  }
+
+  /** Gets the `Function` invoked by this expression, if known. */
+  final Function getTarget() {
+    result = this.(Call).getTarget()
+    or
+    result = this.(NewOrNewArrayExpr).getAllocator()
+  }
+}
+
+/**
+ * Returns the side effect opcode, if any, that represents any side effects not specifically modeled
+ * by an argument side effect.
+ */
+Opcode getCallSideEffectOpcode(CallOrAllocationExpr expr) {
+  not exists(expr.getTarget().(SideEffectFunction)) and result instanceof Opcode::CallSideEffect
+  or
+  exists(SideEffectFunction sideEffectFunction |
+    sideEffectFunction = expr.getTarget() and
+    if not sideEffectFunction.hasOnlySpecificWriteSideEffects()
+    then result instanceof Opcode::CallSideEffect
+    else (
+      not sideEffectFunction.hasOnlySpecificReadSideEffects() and
+      result instanceof Opcode::CallReadSideEffect
+    )
+  )
+}
+
 /**
  * Returns a side effect opcode for parameter index `i` of the specified call.
  *

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -49,19 +49,6 @@ abstract class TranslatedCall extends TranslatedExpr {
     tag = CallTag() and
     opcode instanceof Opcode::Call and
     resultType = getTypeForPRValue(getCallResultType())
-    or
-    hasSideEffect() and
-    tag = CallSideEffectTag() and
-    (
-      if hasWriteSideEffect()
-      then (
-        opcode instanceof Opcode::CallSideEffect and
-        resultType = getUnknownType()
-      ) else (
-        opcode instanceof Opcode::CallReadSideEffect and
-        resultType = getVoidType()
-      )
-    )
   }
 
   override Instruction getChildSuccessor(TranslatedElement child) {
@@ -84,25 +71,8 @@ abstract class TranslatedCall extends TranslatedExpr {
 
   override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
     kind instanceof GotoEdge and
-    (
-      (
-        tag = CallTag() and
-        if hasSideEffect()
-        then result = getInstruction(CallSideEffectTag())
-        else
-          if hasPreciseSideEffect()
-          then result = getSideEffects().getFirstInstruction()
-          else result = getParent().getChildSuccessor(this)
-      )
-      or
-      (
-        hasSideEffect() and
-        tag = CallSideEffectTag() and
-        if hasPreciseSideEffect()
-        then result = getSideEffects().getFirstInstruction()
-        else result = getParent().getChildSuccessor(this)
-      )
-    )
+    tag = CallTag() and
+    result = getSideEffects().getFirstInstruction()
   }
 
   override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
@@ -121,15 +91,6 @@ abstract class TranslatedCall extends TranslatedExpr {
     )
   }
 
-  final override CppType getInstructionMemoryOperandType(
-    InstructionTag tag, TypedOperandTag operandTag
-  ) {
-    tag = CallSideEffectTag() and
-    hasSideEffect() and
-    operandTag instanceof SideEffectOperandTag and
-    result = getUnknownType()
-  }
-
   final override Instruction getResult() { result = getInstruction(CallTag()) }
 
   /**
@@ -200,40 +161,31 @@ abstract class TranslatedCall extends TranslatedExpr {
    */
   abstract predicate hasArguments();
 
-  predicate hasReadSideEffect() { any() }
-
-  predicate hasWriteSideEffect() { any() }
-
-  private predicate hasSideEffect() { hasReadSideEffect() or hasWriteSideEffect() }
-
-  override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
-    hasSideEffect() and
-    tag = CallSideEffectTag() and
-    result = getResult()
-  }
-
-  predicate hasPreciseSideEffect() { exists(getSideEffects()) }
-
   final TranslatedSideEffects getSideEffects() { result.getExpr() = expr }
 }
 
+/**
+ * The IR translation of the side effects of the parent `TranslatedElement`.
+ *
+ * This object does not itself generate the side effect instructions. Instead, its children provide
+ * the actual side effects, with this object acting as a placeholder so the parent only needs to
+ * insert this one element at the point where all the side effects are supposed to occur.
+ */
 abstract class TranslatedSideEffects extends TranslatedElement {
+  /** Gets the expression whose side effects are being modeled. */
   abstract Expr getExpr();
 
   final override Locatable getAST() { result = getExpr() }
 
   final override Function getFunction() { result = getExpr().getEnclosingFunction() }
 
-  override TranslatedElement getChild(int i) {
+  final override TranslatedElement getChild(int i) {
     result =
-      rank[i + 1](TranslatedSideEffect tse, int isWrite, int index |
-        (
-          tse.getCall() = getExpr() and
-          tse.getArgumentIndex() = index and
-          if tse.isWrite() then isWrite = 1 else isWrite = 0
-        )
+      rank[i + 1](TranslatedSideEffect tse, int group, int indexInGroup |
+        tse.getPrimaryExpr() = getExpr() and
+        tse.sortOrder(group, indexInGroup)
       |
-        tse order by isWrite, index
+        tse order by group, indexInGroup
       )
   }
 
@@ -246,12 +198,21 @@ abstract class TranslatedSideEffects extends TranslatedElement {
     )
   }
 
-  /**
-   * Gets the `TranslatedFunction` containing this expression.
-   */
-  final TranslatedFunction getEnclosingFunction() {
-    result = getTranslatedFunction(getExpr().getEnclosingFunction())
+  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
+    none()
   }
+
+  final override Instruction getFirstInstruction() {
+    result = getChild(0).getFirstInstruction()
+    or
+    // Some functions, like `std::move()`, have no side effects whatsoever.
+    not exists(getChild(0)) and result = getParent().getChildSuccessor(this)
+  }
+
+  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
+
+  /** Gets the primary instruction to be associated with each side effect instruction. */
+  abstract Instruction getPrimaryInstruction();
 }
 
 /**
@@ -325,14 +286,6 @@ class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall {
     tag = CallTargetTag() and result = expr.getTarget()
   }
 
-  override predicate hasReadSideEffect() {
-    not expr.getTarget().(SideEffectFunction).hasOnlySpecificReadSideEffects()
-  }
-
-  override predicate hasWriteSideEffect() {
-    not expr.getTarget().(SideEffectFunction).hasOnlySpecificWriteSideEffects()
-  }
-
   override Instruction getQualifierResult() {
     hasQualifier() and
     result = getQualifier().getResult()
@@ -363,209 +316,116 @@ class TranslatedStructorCall extends TranslatedFunctionCall {
   override predicate hasQualifier() { any() }
 }
 
-class TranslatedAllocationSideEffects extends TranslatedSideEffects,
-  TTranslatedAllocationSideEffects {
-  AllocationExpr expr;
-
-  TranslatedAllocationSideEffects() { this = TTranslatedAllocationSideEffects(expr) }
-
-  final override AllocationExpr getExpr() { result = expr }
-
-  override string toString() { result = "(allocation side effects for " + expr.toString() + ")" }
-
-  override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
-
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
-    opcode instanceof Opcode::InitializeDynamicAllocation and
-    tag = OnlyInstructionTag() and
-    type = getUnknownType()
-  }
-
-  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
-    tag = OnlyInstructionTag() and
-    kind = EdgeKind::gotoEdge() and
-    if exists(getChild(0))
-    then result = getChild(0).getFirstInstruction()
-    else result = getParent().getChildSuccessor(this)
-  }
-
-  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag = OnlyInstructionTag() and
-    operandTag = addressOperand() and
-    result = getPrimaryInstructionForSideEffect(OnlyInstructionTag())
-  }
-
-  override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
-    tag = OnlyInstructionTag() and
-    if expr instanceof NewOrNewArrayExpr
-    then result = getTranslatedAllocatorCall(expr).getInstruction(CallTag())
-    else result = getTranslatedCallInstruction(expr)
-  }
-}
-
+/**
+ * The IR translation of the side effects of a function call, including the implicit allocator
+ * call in a `new` or `new[]` expression.
+ */
 class TranslatedCallSideEffects extends TranslatedSideEffects, TTranslatedCallSideEffects {
-  Call expr;
+  Expr expr;
 
   TranslatedCallSideEffects() { this = TTranslatedCallSideEffects(expr) }
 
-  override string toString() { result = "(side effects  for " + expr.toString() + ")" }
+  final override string toString() { result = "(side effects  for " + expr.toString() + ")" }
 
-  override Call getExpr() { result = expr }
+  final override Expr getExpr() { result = expr }
 
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) { none() }
-
-  override Instruction getFirstInstruction() { result = getChild(0).getFirstInstruction() }
-
-  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
-
-  override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
-    tag = OnlyInstructionTag() and
-    result = getTranslatedCallInstruction(expr)
-  }
-}
-
-class TranslatedStructorCallSideEffects extends TranslatedCallSideEffects {
-  TranslatedStructorCallSideEffects() {
-    getParent().(TranslatedStructorCall).hasQualifier() and
-    getASideEffectOpcode(expr, -1) instanceof WriteSideEffectOpcode
-  }
-
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType t) {
-    tag instanceof OnlyInstructionTag and
-    t = getTypeForPRValue(expr.getTarget().getDeclaringType()) and
-    opcode = getASideEffectOpcode(expr, -1).(WriteSideEffectOpcode)
-  }
-
-  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
-    (
-      if exists(getChild(0))
-      then result = getChild(0).getFirstInstruction()
-      else result = getParent().getChildSuccessor(this)
-    ) and
-    tag = OnlyInstructionTag() and
-    kind instanceof GotoEdge
-  }
-
-  override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
-
-  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag instanceof OnlyInstructionTag and
-    operandTag instanceof AddressOperandTag and
-    result = getParent().(TranslatedStructorCall).getQualifierResult()
-  }
-
-  final override int getInstructionIndex(InstructionTag tag) {
-    tag = OnlyInstructionTag() and
-    result = -1
-  }
-}
-
-class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEffect {
-  Call call;
-  Expr arg;
-  int index;
-  SideEffectOpcode sideEffectOpcode;
-
-  TranslatedSideEffect() {
-    this = TTranslatedArgumentSideEffect(call, arg, index, sideEffectOpcode)
-  }
-
-  override Locatable getAST() { result = arg }
-
-  Expr getExpr() { result = arg }
-
-  Call getCall() { result = call }
-
-  int getArgumentIndex() { result = index }
-
-  predicate isWrite() { sideEffectOpcode instanceof WriteSideEffectOpcode }
-
-  override string toString() {
-    isWrite() and
-    result = "(write side effect for " + arg.toString() + ")"
+  final override Instruction getPrimaryInstruction() {
+    expr instanceof Call and result = getTranslatedCallInstruction(expr)
     or
-    not isWrite() and
-    result = "(read side effect for " + arg.toString() + ")"
+    expr instanceof NewOrNewArrayExpr and
+    result = getTranslatedAllocatorCall(expr).getInstruction(CallTag())
   }
+}
 
-  override TranslatedElement getChild(int n) { none() }
+/** Returns the sort group index for argument read side effects. */
+private int argumentReadGroup() { result = 1 }
 
-  override Instruction getChildSuccessor(TranslatedElement child) { none() }
+/** Returns the sort group index for conservative call side effects. */
+private int callSideEffectGroup() {
+  result = 0 // Make this group first for now to preserve the existing ordering
+}
 
-  override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
+/** Returns the sort group index for argument write side effects. */
+private int argumentWriteGroup() { result = 2 }
 
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
+/** Returns the sort group index for dynamic allocation side effects. */
+private int initializeAllocationGroup() { result = 3 }
+
+/**
+ * The IR translation of a single side effect of a call.
+ */
+abstract class TranslatedSideEffect extends TranslatedElement {
+  final override TranslatedElement getChild(int n) { none() }
+
+  final override Instruction getChildSuccessor(TranslatedElement child) { none() }
+
+  final override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
+
+  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
     tag = OnlyInstructionTag() and
-    opcode = sideEffectOpcode and
-    (
-      isWrite() and
-      (
-        opcode instanceof BufferAccessOpcode and
-        type = getUnknownType()
-        or
-        not opcode instanceof BufferAccessOpcode and
-        exists(Type baseType | baseType = arg.getUnspecifiedType().(DerivedType).getBaseType() |
-          if baseType instanceof VoidType
-          then type = getUnknownType()
-          else type = getTypeForPRValueOrUnknown(baseType)
-        )
-        or
-        index = -1 and
-        not arg.getUnspecifiedType() instanceof DerivedType and
-        type = getTypeForPRValueOrUnknown(arg.getUnspecifiedType())
-      )
-      or
-      not isWrite() and
-      type = getVoidType()
-    )
+    sideEffectInstruction(opcode, type)
   }
 
-  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
     result = getParent().getChildSuccessor(this) and
     tag = OnlyInstructionTag() and
     kind instanceof GotoEdge
   }
 
-  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag instanceof OnlyInstructionTag and
-    operandTag instanceof AddressOperandTag and
-    result = getTranslatedExpr(arg).getResult()
-    or
-    tag instanceof OnlyInstructionTag and
-    operandTag instanceof BufferSizeOperandTag and
-    result =
-      getTranslatedExpr(call.getArgument(call.getTarget()
-              .(SideEffectFunction)
-              .getParameterSizeIndex(index)).getFullyConverted()).getResult()
-  }
+  final override Function getFunction() { result = getParent().getFunction() }
 
-  override CppType getInstructionMemoryOperandType(InstructionTag tag, TypedOperandTag operandTag) {
-    not isWrite() and
-    if sideEffectOpcode instanceof BufferAccessOpcode
-    then
-      result = getUnknownType() and
-      tag instanceof OnlyInstructionTag and
-      operandTag instanceof SideEffectOperandTag
-    else
-      exists(Type operandType |
-        tag instanceof OnlyInstructionTag and
-        operandType = arg.getType().getUnspecifiedType().(DerivedType).getBaseType() and
-        operandTag instanceof SideEffectOperandTag
-        or
-        tag instanceof OnlyInstructionTag and
-        operandType = arg.getType().getUnspecifiedType() and
-        not operandType instanceof DerivedType and
-        operandTag instanceof SideEffectOperandTag
-      |
-        // If the type we select is an incomplete type (e.g. a forward-declared `struct`), there will
-        // not be a `CppType` that represents that type. In that case, fall back to `UnknownCppType`.
-        result = getTypeForPRValueOrUnknown(operandType)
-      )
-  }
-
-  override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
+  final override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
     tag = OnlyInstructionTag() and
-    result = getTranslatedCallInstruction(call)
+    result = getParent().(TranslatedSideEffects).getPrimaryInstruction()
+  }
+
+  /**
+   * Gets the expression that caused this side effect.
+   *
+   * All side effects with the same `getPrimaryExpr()` will appear in the same contiguous sequence
+   * in the IR.
+   */
+  abstract Expr getPrimaryExpr();
+
+  /**
+   * Gets the order in which this side effect should be sorted with respect to other side effects
+   * for the same expression.
+   *
+   * Side effects are sorted first by `group`, and then by `indexInGroup`.
+   */
+  abstract predicate sortOrder(int group, int indexInGroup);
+
+  /**
+   * Gets the opcode and result type for the side effect instruction.
+   */
+  abstract predicate sideEffectInstruction(Opcode opcode, CppType type);
+}
+
+/**
+ * The IR translation of a single argument side effect for a call.
+ */
+abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
+  Call call;
+  int index;
+  SideEffectOpcode sideEffectOpcode;
+
+  // All subclass charpreds must bind the `index` field.
+  bindingset[index]
+  TranslatedArgumentSideEffect() { any() }
+
+  override string toString() {
+    isWrite() and
+    result = "(write side effect for " + getArgString() + ")"
+    or
+    not isWrite() and
+    result = "(read side effect for " + getArgString() + ")"
+  }
+
+  override Call getPrimaryExpr() { result = call }
+
+  override predicate sortOrder(int group, int indexInGroup) {
+    indexInGroup = index and
+    if isWrite() then group = argumentWriteGroup() else group = argumentReadGroup()
   }
 
   final override int getInstructionIndex(InstructionTag tag) {
@@ -577,11 +437,199 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
    * Gets the `TranslatedFunction` containing this expression.
    */
   final TranslatedFunction getEnclosingFunction() {
-    result = getTranslatedFunction(arg.getEnclosingFunction())
+    result = getTranslatedFunction(call.getEnclosingFunction())
   }
 
-  /**
-   * Gets the `Function` containing this expression.
-   */
-  override Function getFunction() { result = arg.getEnclosingFunction() }
+  final override predicate sideEffectInstruction(Opcode opcode, CppType type) {
+    opcode = sideEffectOpcode and
+    (
+      isWrite() and
+      (
+        opcode instanceof BufferAccessOpcode and
+        type = getUnknownType()
+        or
+        not opcode instanceof BufferAccessOpcode and
+        exists(Type indirectionType | indirectionType = getIndirectionType() |
+          if indirectionType instanceof VoidType
+          then type = getUnknownType()
+          else type = getTypeForPRValueOrUnknown(indirectionType)
+        )
+      )
+      or
+      not isWrite() and
+      type = getVoidType()
+    )
+  }
+
+  final override CppType getInstructionMemoryOperandType(
+    InstructionTag tag, TypedOperandTag operandTag
+  ) {
+    not isWrite() and
+    if sideEffectOpcode instanceof BufferAccessOpcode
+    then
+      result = getUnknownType() and
+      tag instanceof OnlyInstructionTag and
+      operandTag instanceof SideEffectOperandTag
+    else
+      exists(Type operandType |
+        tag instanceof OnlyInstructionTag and
+        operandType = getIndirectionType() and
+        operandTag instanceof SideEffectOperandTag
+      |
+        // If the type we select is an incomplete type (e.g. a forward-declared `struct`), there will
+        // not be a `CppType` that represents that type. In that case, fall back to `UnknownCppType`.
+        result = getTypeForPRValueOrUnknown(operandType)
+      )
+  }
+
+  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    tag instanceof OnlyInstructionTag and
+    operandTag instanceof AddressOperandTag and
+    result = getArgInstruction()
+    or
+    tag instanceof OnlyInstructionTag and
+    operandTag instanceof BufferSizeOperandTag and
+    result =
+      getTranslatedExpr(call.getArgument(call.getTarget()
+              .(SideEffectFunction)
+              .getParameterSizeIndex(index)).getFullyConverted()).getResult()
+  }
+
+  /** Holds if this side effect is a write side effect, rather than a read side effect. */
+  final predicate isWrite() { sideEffectOpcode instanceof WriteSideEffectOpcode }
+
+  /** Gets a text representation of the argument. */
+  abstract string getArgString();
+
+  /** Gets the `Instruction` whose result is the value of the argument. */
+  abstract Instruction getArgInstruction();
+
+  /** Gets the type pointed to by the argument. */
+  abstract Type getIndirectionType();
+}
+
+/**
+ * The IR translation of an argument side effect where the argument has an `Expr` object in the AST.
+ *
+ * This generally applies to all positional arguments, as well as qualifier (`this`) arguments for
+ * calls other than constructor calls.
+ */
+class TranslatedArgumentExprSideEffect extends TranslatedArgumentSideEffect,
+  TTranslatedArgumentExprSideEffect {
+  Expr arg;
+
+  TranslatedArgumentExprSideEffect() {
+    this = TTranslatedArgumentExprSideEffect(call, arg, index, sideEffectOpcode)
+  }
+
+  final override Locatable getAST() { result = arg }
+
+  final override Type getIndirectionType() {
+    result = arg.getUnspecifiedType().(DerivedType).getBaseType()
+    or
+    // Sometimes the qualifier type gets the type of the class itself, rather than a pointer to the
+    // class.
+    index = -1 and
+    not arg.getUnspecifiedType() instanceof DerivedType and
+    result = arg.getUnspecifiedType()
+  }
+
+  final override string getArgString() { result = arg.toString() }
+
+  final override Instruction getArgInstruction() { result = getTranslatedExpr(arg).getResult() }
+}
+
+/**
+ * The IR translation of an argument side effect for `*this` on a call, where there is no `Expr`
+ * object that represents the `this` argument.
+ *
+ * The applies only to constructor calls, as the AST has explioit qualifier `Expr`s for all other
+ * calls to non-static member functions.
+ */
+class TranslatedStructorQualifierSideEffect extends TranslatedArgumentSideEffect,
+  TTranslatedStructorQualifierSideEffect {
+  TranslatedStructorQualifierSideEffect() {
+    this = TTranslatedStructorQualifierSideEffect(call, sideEffectOpcode) and
+    index = -1
+  }
+
+  final override Locatable getAST() { result = call }
+
+  final override Type getIndirectionType() { result = call.getTarget().getDeclaringType() }
+
+  final override string getArgString() { result = "this" }
+
+  final override Instruction getArgInstruction() {
+    exists(TranslatedStructorCall structorCall |
+      structorCall.getExpr() = call and
+      result = structorCall.getQualifierResult()
+    )
+  }
+}
+
+/** The IR translation of the non-argument-specific side effect of a call. */
+class TranslatedCallSideEffect extends TranslatedSideEffect, TTranslatedCallSideEffect {
+  Expr expr;
+  SideEffectOpcode sideEffectOpcode;
+
+  TranslatedCallSideEffect() { this = TTranslatedCallSideEffect(expr, sideEffectOpcode) }
+
+  override Locatable getAST() { result = expr }
+
+  override Expr getPrimaryExpr() { result = expr }
+
+  override predicate sortOrder(int group, int indexInGroup) {
+    group = callSideEffectGroup() and indexInGroup = 0
+  }
+
+  override string toString() { result = "(call side effect for '" + expr.toString() + "')" }
+
+  override predicate sideEffectInstruction(Opcode opcode, CppType type) {
+    opcode = sideEffectOpcode and
+    (
+      opcode instanceof Opcode::CallSideEffect and
+      type = getUnknownType()
+      or
+      opcode instanceof Opcode::CallReadSideEffect and
+      type = getVoidType()
+    )
+  }
+
+  override CppType getInstructionMemoryOperandType(InstructionTag tag, TypedOperandTag operandTag) {
+    tag instanceof OnlyInstructionTag and
+    operandTag instanceof SideEffectOperandTag and
+    result = getUnknownType()
+  }
+}
+
+/**
+ * The IR translation of the allocation side effect of a call to a memory allocation function.
+ *
+ * This side effect provides a definition for the newly-allocated memory.
+ */
+class TranslatedAllocationSideEffect extends TranslatedSideEffect, TTranslatedAllocationSideEffect {
+  AllocationExpr expr;
+
+  TranslatedAllocationSideEffect() { this = TTranslatedAllocationSideEffect(expr) }
+
+  override Locatable getAST() { result = expr }
+
+  override Expr getPrimaryExpr() { result = expr }
+
+  override predicate sortOrder(int group, int indexInGroup) {
+    group = initializeAllocationGroup() and indexInGroup = 0
+  }
+
+  override string toString() { result = "(allocation side effect for '" + expr.toString() + "')" }
+
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = OnlyInstructionTag() and
+    operandTag = addressOperand() and
+    result = getPrimaryInstructionForSideEffect(OnlyInstructionTag())
+  }
+
+  override predicate sideEffectInstruction(Opcode opcode, CppType type) {
+    opcode instanceof Opcode::InitializeDynamicAllocation and
+    type = getUnknownType()
+  }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -135,6 +135,20 @@ private predicate ignoreExpr(Expr expr) {
   ignoreExprAndDescendants(expr)
 }
 
+/**
+ * Holds if the side effects of `expr` should be ignoredf for the purposes of IR generation.
+ *
+ * In cases involving `constexpr`, a call can wind up as a constant expression. `ignoreExpr()` will
+ * not hold for such a call, since we do need to translate the call (as a constant), but we need to
+ * ignore all of the side effects of that call, since we will not actually be generating a `Call`
+ * instruction.
+ */
+private predicate ignoreSideEffects(Expr expr) {
+  ignoreExpr(expr)
+  or
+  isIRConstant(expr)
+}
+
 /**
  * Holds if `func` contains an AST that cannot be translated into IR. This is mostly used to work
  * around extractor bugs. Once the relevant extractor bugs are fixed, this predicate can be removed.
@@ -621,32 +635,34 @@ newtype TTranslatedElement =
   // The declaration/initialization part of a `ConditionDeclExpr`
   TTranslatedConditionDecl(ConditionDeclExpr expr) { not ignoreExpr(expr) } or
   // The side effects of a `Call`
-  TTranslatedCallSideEffects(Call expr) {
-    // Exclude allocations such as `malloc` (which happen to also be function calls).
-    // Both `TranslatedCallSideEffects` and `TranslatedAllocationSideEffects` generate
-    // the same side effects for its children as they both extend the `TranslatedSideEffects`
-    // class.
-    // Note: We can separate allocation side effects and call side effects into two
-    // translated elements as no call can be both a `ConstructorCall` and an `AllocationExpr`.
-    not expr instanceof AllocationExpr and
-    (
-      exists(TTranslatedArgumentSideEffect(expr, _, _, _)) or
-      expr instanceof ConstructorCall
-    )
+  TTranslatedCallSideEffects(CallOrAllocationExpr expr) { not ignoreSideEffects(expr) } or
+  // The non-argument-specific side effect of a `Call`
+  TTranslatedCallSideEffect(Expr expr, SideEffectOpcode opcode) {
+    not ignoreSideEffects(expr) and
+    opcode = getCallSideEffectOpcode(expr)
   } or
-  // The side effects of an allocation, i.e. `new`, `new[]` or `malloc`
-  TTranslatedAllocationSideEffects(AllocationExpr expr) { not ignoreExpr(expr) } or
   // A precise side effect of an argument to a `Call`
-  TTranslatedArgumentSideEffect(Call call, Expr expr, int n, SideEffectOpcode opcode) {
+  TTranslatedArgumentExprSideEffect(Call call, Expr expr, int n, SideEffectOpcode opcode) {
     not ignoreExpr(expr) and
-    not ignoreExpr(call) and
+    not ignoreSideEffects(call) and
     (
       n >= 0 and expr = call.getArgument(n).getFullyConverted()
       or
       n = -1 and expr = call.getQualifier().getFullyConverted()
     ) and
     opcode = getASideEffectOpcode(call, n)
-  }
+  } or
+  // Constructor calls lack a qualifier (`this`) expression, so we need to handle the side effects
+  // on `*this` without an `Expr`.
+  TTranslatedStructorQualifierSideEffect(Call call, SideEffectOpcode opcode) {
+    not ignoreSideEffects(call) and
+    // Don't bother with destructor calls for now, since we won't see very many of them in the IR
+    // until we start injecting implicit destructor calls.
+    call instanceof ConstructorCall and
+    opcode = getASideEffectOpcode(call, -1)
+  } or
+  // The side effect that initializes newly-allocated memory.
+  TTranslatedAllocationSideEffect(AllocationExpr expr) { not ignoreSideEffects(expr) }
 
 /**
  * Gets the index of the first explicitly initialized element in `initList`

cpp/ql/lib/semmle/code/cpp/metrics/MetricClass.qll

@@ -308,45 +308,45 @@ class MetricClass extends Class {
   }
 
   private string getAUsedHalsteadN1Operator() {
-    exists(CommaExpr e | e = this.getAnEnclosedExpression()) and result = "comma"
+    this.getAnEnclosedExpression() instanceof CommaExpr and result = "comma"
     or
-    exists(ReferenceToExpr e | e = this.getAnEnclosedExpression()) and result = "refTo"
+    this.getAnEnclosedExpression() instanceof ReferenceToExpr and result = "refTo"
     or
-    exists(PointerDereferenceExpr e | e = this.getAnEnclosedExpression()) and result = "dereference"
+    this.getAnEnclosedExpression() instanceof PointerDereferenceExpr and result = "dereference"
     or
-    exists(CStyleCast e | e = this.getAnEnclosedExpression()) and result = "cCast"
+    this.getAnEnclosedExpression() instanceof CStyleCast and result = "cCast"
     or
-    exists(StaticCast e | e = this.getAnEnclosedExpression()) and result = "staticCast"
+    this.getAnEnclosedExpression() instanceof StaticCast and result = "staticCast"
     or
-    exists(ConstCast e | e = this.getAnEnclosedExpression()) and result = "constCast"
+    this.getAnEnclosedExpression() instanceof ConstCast and result = "constCast"
     or
-    exists(ReinterpretCast e | e = this.getAnEnclosedExpression()) and result = "reinterpretCast"
+    this.getAnEnclosedExpression() instanceof ReinterpretCast and result = "reinterpretCast"
     or
-    exists(DynamicCast e | e = this.getAnEnclosedExpression()) and result = "dynamicCast"
+    this.getAnEnclosedExpression() instanceof DynamicCast and result = "dynamicCast"
     or
-    exists(SizeofExprOperator e | e = this.getAnEnclosedExpression()) and result = "sizeofExpr"
+    this.getAnEnclosedExpression() instanceof SizeofExprOperator and result = "sizeofExpr"
     or
-    exists(SizeofTypeOperator e | e = this.getAnEnclosedExpression()) and result = "sizeofType"
+    this.getAnEnclosedExpression() instanceof SizeofTypeOperator and result = "sizeofType"
     or
-    exists(IfStmt e | e = this.getAnEnclosedStmt()) and result = "ifVal"
+    this.getAnEnclosedStmt() instanceof IfStmt and result = "ifVal"
     or
-    exists(SwitchStmt e | e = this.getAnEnclosedStmt()) and result = "switchVal"
+    this.getAnEnclosedStmt() instanceof SwitchStmt and result = "switchVal"
     or
-    exists(ForStmt e | e = this.getAnEnclosedStmt()) and result = "forVal"
+    this.getAnEnclosedStmt() instanceof ForStmt and result = "forVal"
     or
-    exists(DoStmt e | e = this.getAnEnclosedStmt()) and result = "doVal"
+    this.getAnEnclosedStmt() instanceof DoStmt and result = "doVal"
     or
-    exists(WhileStmt e | e = this.getAnEnclosedStmt()) and result = "whileVal"
+    this.getAnEnclosedStmt() instanceof WhileStmt and result = "whileVal"
     or
-    exists(GotoStmt e | e = this.getAnEnclosedStmt()) and result = "gotoVal"
+    this.getAnEnclosedStmt() instanceof GotoStmt and result = "gotoVal"
     or
-    exists(ContinueStmt e | e = this.getAnEnclosedStmt()) and result = "continueVal"
+    this.getAnEnclosedStmt() instanceof ContinueStmt and result = "continueVal"
     or
-    exists(BreakStmt e | e = this.getAnEnclosedStmt()) and result = "breakVal"
+    this.getAnEnclosedStmt() instanceof BreakStmt and result = "breakVal"
     or
-    exists(ReturnStmt e | e = this.getAnEnclosedStmt()) and result = "returnVal"
+    this.getAnEnclosedStmt() instanceof ReturnStmt and result = "returnVal"
     or
-    exists(SwitchCase e | e = this.getAnEnclosedStmt()) and result = "caseVal"
+    this.getAnEnclosedStmt() instanceof SwitchCase and result = "caseVal"
     or
     exists(IfStmt s | s = this.getAnEnclosedStmt() and s.hasElse()) and
     result = "elseVal"

cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll

@@ -65,4 +65,6 @@ private class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunctio
   }
 
   override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
+
+  override predicate hasSocketInput(FunctionInput input) { input.isParameter(2) }
 }

cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll

@@ -20,8 +20,9 @@ abstract class RemoteFlowSourceFunction extends Function {
   abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
 
   /**
-   * Holds if remote data from this source comes from a socket described by
-   * `input`. There is no result if a socket is not specified.
+   * Holds if remote data from this source comes from a socket or stream
+   * described by `input`. There is no result if none is specified by a
+   * parameter.
    */
   predicate hasSocketInput(FunctionInput input) { none() }
 }
@@ -59,8 +60,9 @@ abstract class RemoteFlowSinkFunction extends Function {
   abstract predicate hasRemoteFlowSink(FunctionInput input, string description);
 
   /**
-   * Holds if data put into this sink is transmitted through a socket described
-   * by `input`. There is no result if a socket is not specified.
+   * Holds if data put into this sink is transmitted through a socket or stream
+   * described by `input`. There is no result if none is specified by a
+   * parameter.
    */
   predicate hasSocketInput(FunctionInput input) { none() }
 }

cpp/ql/lib/semmle/code/cpp/padding/Padding.qll

@@ -397,7 +397,7 @@ class PaddedType extends Class {
     // Support only single inheritance for now. If multiple inheritance is
     // supported, be sure to fix up the calls to getABaseClass*() to correctly
     // handle the presence of multiple base class subojects with the same type.
-    not exists(ClassDerivation cd | cd = this.getDerivation(1))
+    not exists(this.getDerivation(1))
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/pointsto/PointsTo.qll

@@ -72,7 +72,7 @@ predicate lvalue(Element e) {
   or
   exists(Cast c | lvalue(c) and e.(Expr).getConversion() = c)
   or
-  exists(ReferenceToExpr toref | e.(Expr).getConversion() = toref)
+  e.(Expr).getConversion() instanceof ReferenceToExpr
   or
   // If f is a function-pointer, then the following two
   // calls are equivalent:  f()  and  (*f)()

cpp/ql/lib/semmle/code/cpp/security/BufferWrite.qll

@@ -76,7 +76,7 @@ abstract class BufferWrite extends Expr {
    * can be found), specifying the reason for the estimation.
    */
   int getMaxData(BufferWriteEstimationReason reason) {
-    reason instanceof UnspecifiedEstimateReason and result = getMaxData()
+    reason instanceof UnspecifiedEstimateReason and result = this.getMaxData()
   }
 
   /**
@@ -85,7 +85,7 @@ abstract class BufferWrite extends Expr {
    * much smaller (8 bytes) than their true maximum length.  This can be
    * helpful in determining the cause of a buffer overflow issue.
    */
-  int getMaxDataLimited() { result = getMaxData() }
+  int getMaxDataLimited() { result = this.getMaxData() }
 
   /**
    * Gets an upper bound to the amount of data that's being written (if one
@@ -94,7 +94,7 @@ abstract class BufferWrite extends Expr {
    * than their true maximum length.  This can be helpful in determining the
    * cause of a buffer overflow issue.
    */
-  int getMaxDataLimited(BufferWriteEstimationReason reason) { result = getMaxData(reason) }
+  int getMaxDataLimited(BufferWriteEstimationReason reason) { result = this.getMaxData(reason) }
 
   /**
    * Gets the size of a single character of the type this
@@ -159,9 +159,11 @@ class StrCopyBW extends BufferWriteCall {
       this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
   }
 
-  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+  override int getMaxData(BufferWriteEstimationReason reason) {
+    result = this.getMaxDataImpl(reason)
+  }
 
-  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 }
 
 /**
@@ -203,9 +205,11 @@ class StrCatBW extends BufferWriteCall {
       this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
   }
 
-  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+  override int getMaxData(BufferWriteEstimationReason reason) {
+    result = this.getMaxDataImpl(reason)
+  }
 
-  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 }
 
 /**
@@ -269,9 +273,11 @@ class SprintfBW extends BufferWriteCall {
     )
   }
 
-  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+  override int getMaxData(BufferWriteEstimationReason reason) {
+    result = this.getMaxDataImpl(reason)
+  }
 
-  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 
   private int getMaxDataLimitedImpl(BufferWriteEstimationReason reason) {
     exists(FormatLiteral fl |
@@ -281,10 +287,10 @@ class SprintfBW extends BufferWriteCall {
   }
 
   override int getMaxDataLimited(BufferWriteEstimationReason reason) {
-    result = getMaxDataLimitedImpl(reason)
+    result = this.getMaxDataLimitedImpl(reason)
   }
 
-  override int getMaxDataLimited() { result = max(getMaxDataLimitedImpl(_)) }
+  override int getMaxDataLimited() { result = max(this.getMaxDataLimitedImpl(_)) }
 }
 
 /**
@@ -382,9 +388,11 @@ class SnprintfBW extends BufferWriteCall {
     )
   }
 
-  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+  override int getMaxData(BufferWriteEstimationReason reason) {
+    result = this.getMaxDataImpl(reason)
+  }
 
-  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 
   private int getMaxDataLimitedImpl(BufferWriteEstimationReason reason) {
     exists(FormatLiteral fl |
@@ -394,10 +402,10 @@ class SnprintfBW extends BufferWriteCall {
   }
 
   override int getMaxDataLimited(BufferWriteEstimationReason reason) {
-    result = getMaxDataLimitedImpl(reason)
+    result = this.getMaxDataLimitedImpl(reason)
   }
 
-  override int getMaxDataLimited() { result = max(getMaxDataLimitedImpl(_)) }
+  override int getMaxDataLimited() { result = max(this.getMaxDataLimitedImpl(_)) }
 }
 
 /**
@@ -495,9 +503,11 @@ class ScanfBW extends BufferWrite {
     )
   }
 
-  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+  override int getMaxData(BufferWriteEstimationReason reason) {
+    result = this.getMaxDataImpl(reason)
+  }
 
-  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 
   override string getBWDesc() {
     exists(FunctionCall fc |
@@ -536,7 +546,9 @@ class RealpathBW extends BufferWriteCall {
     this = this // Suppress a compiler warning
   }
 
-  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+  override int getMaxData(BufferWriteEstimationReason reason) {
+    result = this.getMaxDataImpl(reason)
+  }
 
-  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 }

cpp/ql/lib/semmle/code/cpp/security/TaintTracking.qll

@@ -1,7 +1,10 @@
 /*
- * Support for tracking tainted data through the program.
+ * Support for tracking tainted data through the program. This is an alias for
+ * `semmle.code.cpp.ir.dataflow.DefaultTaintTracking` provided for backwards
+ * compatibility.
  *
- * Prefer to use `semmle.code.cpp.dataflow.TaintTracking` when designing new queries.
+ * Prefer to use `semmle.code.cpp.dataflow.TaintTracking` or
+ * `semmle.code.cpp.ir.dataflow.TaintTracking` when designing new queries.
  */
 
 import semmle.code.cpp.ir.dataflow.DefaultTaintTracking

cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll

@@ -258,7 +258,7 @@ private predicate insideFunctionValueMoveTo(Element src, Element dest) {
           format.getConversionChar(sourceArg - ffc.getTarget().getNumberOfParameters()) = ["s", "S"]
         )
         or
-        not exists(FormatLiteral fl | fl = c.(FormattingFunctionCall).getFormat())
+        not c.(FormattingFunctionCall).getFormat() instanceof FormatLiteral
         or
         not c instanceof FormattingFunctionCall
       ) and

cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll

@@ -271,7 +271,7 @@ class IfStmt extends ConditionalStmt, @stmt_if {
    * if (b) { x = 1; }
    * ```
    */
-  predicate hasElse() { exists(Stmt s | this.getElse() = s) }
+  predicate hasElse() { exists(this.getElse()) }
 
   override string toString() { result = "if (...) ... " }
 
@@ -357,7 +357,7 @@ class ConstexprIfStmt extends ConditionalStmt, @stmt_constexpr_if {
    * if constexpr (b) { x = 1; }
    * ```
    */
-  predicate hasElse() { exists(Stmt s | this.getElse() = s) }
+  predicate hasElse() { exists(this.getElse()) }
 
   override string toString() { result = "if constexpr (...) ... " }
 

cpp/ql/src/Best Practices/Hiding/DeclarationHidesVariable.ql

@@ -18,6 +18,7 @@ where
   not lv1.isCompilerGenerated() and
   not lv2.isCompilerGenerated() and
   not lv1.getParentScope().(BlockStmt).isInMacroExpansion() and
-  not lv2.getParentScope().(BlockStmt).isInMacroExpansion()
+  not lv2.getParentScope().(BlockStmt).isInMacroExpansion() and
+  not lv1.getName() = "(unnamed local variable)"
 select lv1, "Variable " + lv1.getName() + " hides another variable of the same name (on $@).", lv2,
   "line " + lv2.getLocation().getStartLine().toString()

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,5 @@
+## 0.0.7
+
 ## 0.0.6
 
 ## 0.0.5

cpp/ql/src/Critical/DeadCodeGoto.ql

@@ -30,8 +30,8 @@ where
   // the next statement isn't breaking out of a switch
   not s.(BreakStmt).getBreakable() instanceof SwitchStmt and
   // the next statement isn't a loop that can be jumped into
-  not exists(LabelStmt ls | s.(Loop).getStmt().getAChild*() = ls) and
-  not exists(SwitchCase sc | s.(Loop).getStmt().getAChild*() = sc) and
+  not s.(Loop).getStmt().getAChild*() instanceof LabelStmt and
+  not s.(Loop).getStmt().getAChild*() instanceof SwitchCase and
   // no preprocessor logic applies
   not functionContainsPreprocCode(js.getEnclosingFunction())
 select js, "This statement makes $@ unreachable.", s, s.toString()

cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll

@@ -55,7 +55,7 @@ abstract class LeapYearFieldAccess extends YearFieldAccess {
       op.getAnOperand() = this and
       (
         op instanceof AssignArithmeticOperation or
-        exists(BinaryArithmeticOperation bao | bao = op.getAnOperand()) or
+        op.getAnOperand() instanceof BinaryArithmeticOperation or
         op instanceof CrementOperation
       )
     )
@@ -212,9 +212,7 @@ class ChecksForLeapYearFunctionCall extends FunctionCall {
 class LeapYearCheckConfiguration extends DataFlow::Configuration {
   LeapYearCheckConfiguration() { this = "LeapYearCheckConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) {
-    exists(VariableAccess va | va = source.asExpr())
-  }
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof VariableAccess }
 
   override predicate isSink(DataFlow::Node sink) {
     exists(ChecksForLeapYearFunctionCall fc | sink.asExpr() = fc.getAnArgument())

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.cpp

@@ -4,4 +4,4 @@ Record* fixRecord(Record* r) {
 
 	myRecord.fix();
 	return &myRecord; //returns reference to myRecord, which is a stack-allocated object
-}
+}

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql

@@ -3,68 +3,169 @@
  * @description A function returns a pointer to a stack-allocated region of
  *              memory. This memory is deallocated at the end of the function,
  *              which may lead the caller to dereference a dangling pointer.
- * @kind problem
+ * @kind path-problem
  * @id cpp/return-stack-allocated-memory
  * @problem.severity warning
+ * @security-severity 9.3
  * @precision high
  * @tags reliability
+ *       security
  *       external/cwe/cwe-825
  */
 
 import cpp
-import semmle.code.cpp.dataflow.EscapesTree
-import semmle.code.cpp.models.interfaces.PointerWrapper
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.ir.IR
+import semmle.code.cpp.ir.dataflow.DataFlow::DataFlow
 
-/**
- * Holds if `n1` may flow to `n2`, ignoring flow through fields because these
- * are currently modeled as an overapproximation that assumes all objects may
- * alias.
- */
-predicate conservativeDataFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
-  DataFlow::localFlowStep(n1, n2) and
-  not n2.asExpr() instanceof FieldAccess and
-  not hasNontrivialConversion(n2.asExpr())
+/** Holds if `f` has a name that we intrepret as evidence of intentionally returning the value of the stack pointer. */
+predicate intentionallyReturnsStackPointer(Function f) {
+  f.getName().toLowerCase().matches(["%stack%", "%sp%"])
 }
 
 /**
- * Holds if `e` has a conversion that changes it from lvalue to pointer or
- * back. As the data-flow library does not support conversions, we cannot track
- * data flow through such expressions.
+ * Holds if `source` is a node that represents the use of a stack variable
  */
-predicate hasNontrivialConversion(Expr e) {
-  e instanceof Conversion and
-  not (
-    e instanceof Cast
-    or
-    e instanceof ParenthesisExpr
+predicate isSource(Node source) {
+  exists(VariableAddressInstruction var, Function func |
+    var = source.asInstruction() and
+    func = var.getEnclosingFunction() and
+    var.getASTVariable() instanceof StackVariable and
+    // Pointer-to-member types aren't properly handled in the dbscheme.
+    not var.getResultType() instanceof PointerToMemberType and
+    // Rule out FPs caused by extraction errors.
+    not any(ErrorExpr e).getEnclosingFunction() = func and
+    not intentionallyReturnsStackPointer(func)
   )
-  or
-  // A smart pointer can be stack-allocated while the data it points to is heap-allocated.
-  // So we exclude such "conversions" from this predicate.
-  e = any(PointerWrapper wrapper).getAnUnwrapperFunction().getACallToThisFunction()
-  or
-  hasNontrivialConversion(e.getConversion())
 }
 
-from StackVariable var, VariableAccess va, ReturnStmt r
-where
-  not var.getUnspecifiedType() instanceof ReferenceType and
-  not r.isFromUninstantiatedTemplate(_) and
-  va = var.getAnAccess() and
+/**
+ * Holds if `sink` is a node that represents the `StoreInstruction` that is subsequently used in
+ * a `ReturnValueInstruction`. We use the `StoreInstruction` instead of the instruction that defines the
+ * `ReturnValueInstruction`'s source value oprand because the former has better location information.
+ */
+predicate isSink(Node sink) {
+  exists(StoreInstruction store |
+    store.getDestinationAddress().(VariableAddressInstruction).getIRVariable() instanceof
+      IRReturnVariable and
+    sink.asOperand() = store.getSourceValueOperand()
+  )
+}
+
+/** Holds if `node1` _must_ flow to `node2`. */
+predicate step(Node node1, Node node2) {
+  instructionToOperandStep(node1.asInstruction(), node2.asOperand())
+  or
+  operandToInstructionStep(node1.asOperand(), node2.asInstruction())
+}
+
+predicate instructionToOperandStep(Instruction instr, Operand operand) { operand.getDef() = instr }
+
+/**
+ * Holds if `operand` flows to the result of `instr`.
+ *
+ * This predicate ignores flow through `PhiInstruction`s to create a 'must flow' relation. It also
+ * intentionally conflates addresses of fields and their object, and pointer offsets with their
+ * base pointer as this allows us to detect cases where an object's address flows to a return statement
+ * via a field. For example:
+ *
+ * ```cpp
+ * struct S { int x, y };
+ * int* test() {
+ *   S s;
+ *   return &s.x; // BAD: &s.x is an address of a variable on the stack.
+ * }
+ * ```
+ */
+predicate operandToInstructionStep(Operand operand, Instruction instr) {
+  instr.(CopyInstruction).getSourceValueOperand() = operand
+  or
+  instr.(ConvertInstruction).getUnaryOperand() = operand
+  or
+  instr.(CheckedConvertOrNullInstruction).getUnaryOperand() = operand
+  or
+  instr.(InheritanceConversionInstruction).getUnaryOperand() = operand
+  or
+  instr.(FieldAddressInstruction).getObjectAddressOperand() = operand
+  or
+  instr.(PointerOffsetInstruction).getLeftOperand() = operand
+}
+
+/** Holds if a source node flows to `n`. */
+predicate branchlessLocalFlow0(Node n) {
+  isSource(n)
+  or
+  exists(Node mid |
+    branchlessLocalFlow0(mid) and
+    step(mid, n)
+  )
+}
+
+/** Holds if `n` is reachable through some source node, and `n` also eventually reaches a sink. */
+predicate branchlessLocalFlow1(Node n) {
+  branchlessLocalFlow0(n) and
   (
-    // To check if the address escapes directly from `e` in `return e`, we need
-    // to check the fully-converted `e` in case there are implicit
-    // array-to-pointer conversions or reference conversions.
-    variableAddressEscapesTree(va, r.getExpr().getFullyConverted())
+    isSink(n)
     or
-    // The data flow library doesn't support conversions, so here we check that
-    // the address escapes into some expression `pointerToLocal`, which flows
-    // in one or more steps to a returned expression.
-    exists(Expr pointerToLocal |
-      variableAddressEscapesTree(va, pointerToLocal.getFullyConverted()) and
-      not hasNontrivialConversion(pointerToLocal) and
-      conservativeDataFlowStep+(DataFlow::exprNode(pointerToLocal), DataFlow::exprNode(r.getExpr()))
+    exists(Node mid |
+      branchlessLocalFlow1(mid) and
+      step(n, mid)
     )
   )
-select r, "May return stack-allocated memory from $@.", va, va.toString()
+}
+
+newtype TLocalPathNode =
+  TLocalPathNodeMid(Node n) {
+    branchlessLocalFlow1(n) and
+    (
+      isSource(n) or
+      exists(LocalPathNodeMid mid | step(mid.getNode(), n))
+    )
+  }
+
+abstract class LocalPathNode extends TLocalPathNode {
+  Node n;
+
+  /** Gets the underlying node. */
+  Node getNode() { result = n }
+
+  /** Gets a textual representation of this node. */
+  string toString() { result = n.toString() }
+
+  /** Gets the location of this element. */
+  Location getLocation() { result = n.getLocation() }
+
+  /** Gets a successor `LocalPathNode`, if any. */
+  LocalPathNode getASuccessor() { step(this.getNode(), result.getNode()) }
+}
+
+class LocalPathNodeMid extends LocalPathNode, TLocalPathNodeMid {
+  LocalPathNodeMid() { this = TLocalPathNodeMid(n) }
+}
+
+class LocalPathNodeSink extends LocalPathNodeMid {
+  LocalPathNodeSink() { isSink(this.getNode()) }
+}
+
+/**
+ * Holds if `source` is a source node, `sink` is a sink node, and there's flow
+ * from `source` to `sink` using `step` relation.
+ */
+predicate hasFlow(LocalPathNode source, LocalPathNodeSink sink) {
+  isSource(source.getNode()) and
+  source.getASuccessor+() = sink
+}
+
+predicate reach(LocalPathNode n) { n instanceof LocalPathNodeSink or reach(n.getASuccessor()) }
+
+query predicate edges(LocalPathNode a, LocalPathNode b) { a.getASuccessor() = b and reach(b) }
+
+query predicate nodes(LocalPathNode n, string key, string val) {
+  reach(n) and key = "semmle.label" and val = n.toString()
+}
+
+from LocalPathNode source, LocalPathNodeSink sink, VariableAddressInstruction var
+where
+  hasFlow(source, sink) and
+  source.getNode().asInstruction() = var
+select sink.getNode(), source, sink, "May return stack-allocated memory from $@.", var.getAST(),
+  var.getAST().toString()

cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql

@@ -12,23 +12,33 @@
  */
 
 import cpp
-import semmle.code.cpp.security.BufferWrite
-import semmle.code.cpp.security.TaintTracking
+import semmle.code.cpp.security.BufferWrite as BufferWrite
 import semmle.code.cpp.security.SensitiveExprs
-import TaintedWithPath
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import DataFlow::PathGraph
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element tainted) { exists(BufferWrite w | w.getASource() = tainted) }
+/**
+ * Taint flow from user input to a buffer write.
+ */
+class ToBufferConfiguration extends TaintTracking::Configuration {
+  ToBufferConfiguration() { this = "ToBufferConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(BufferWrite::BufferWrite w | w.getASource() = sink.asExpr())
+  }
 }
 
 from
-  BufferWrite w, Expr taintedArg, Expr taintSource, PathNode sourceNode, PathNode sinkNode,
-  string taintCause, SensitiveExpr dest
+  ToBufferConfiguration config, BufferWrite::BufferWrite w, DataFlow::PathNode sourceNode,
+  DataFlow::PathNode sinkNode, FlowSource source, SensitiveExpr dest
 where
-  taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
-  isUserInput(taintSource, taintCause) and
-  w.getASource() = taintedArg and
+  config.hasFlowPath(sourceNode, sinkNode) and
+  sourceNode.getNode() = source and
+  w.getASource() = sinkNode.getNode().asExpr() and
   dest = w.getDest()
 select w, sourceNode, sinkNode,
-  "This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@",
-  taintSource, "user input (" + taintCause + ")"
+  "This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@", source,
+  "user input (" + source.getSourceType() + ")"

cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql

@@ -2,7 +2,7 @@
  * @name Cleartext storage of sensitive information in file
  * @description Storing sensitive information in cleartext can expose it
  *              to an attacker.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @security-severity 7.5
  * @precision high
@@ -17,6 +17,19 @@ import semmle.code.cpp.security.SensitiveExprs
 import semmle.code.cpp.security.FileWrite
 import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+/**
+ * Taint flow from a sensitive expression to a `FileWrite` sink.
+ */
+class FromSensitiveConfiguration extends TaintTracking::Configuration {
+  FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
+
+  override predicate isSink(DataFlow::Node sink) { any(FileWrite w).getASource() = sink.asExpr() }
+}
 
 /**
  * An operation on a filename.
@@ -43,12 +56,17 @@ predicate isFileName(GVN gvn) {
   )
 }
 
-from FileWrite w, SensitiveExpr source, Expr mid, Expr dest
+from
+  FromSensitiveConfiguration config, SensitiveExpr source, DataFlow::PathNode sourceNode, Expr mid,
+  DataFlow::PathNode midNode, FileWrite w, Expr dest
 where
-  DataFlow::localFlow(DataFlow::exprNode(source), DataFlow::exprNode(mid)) and
+  config.hasFlowPath(sourceNode, midNode) and
+  sourceNode.getNode().asExpr() = source and
+  midNode.getNode().asExpr() = mid and
   mid = w.getASource() and
   dest = w.getDest() and
   not isFileName(globalValueNumber(source)) and // file names are not passwords
   not exists(string convChar | convChar = w.getSourceConvChar(mid) | not convChar = ["s", "S"]) // ignore things written with other conversion characters
-select w, "This write into file '" + dest.toString() + "' may contain unencrypted data from $@",
-  source, "this source."
+select w, sourceNode, midNode,
+  "This write into file '" + dest.toString() + "' may contain unencrypted data from $@", source,
+  "this source."

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

@@ -105,8 +105,8 @@ class Recv extends SendRecv instanceof RemoteFlowSourceFunction {
  * practice it usually isn't very important which query reports a result as
  * long as its reported exactly once.
  *
- * We do exclude function calls that specify a constant socket, which is
- * likely to mean standard input, standard output or a similar channel.
+ * We do exclude function calls that specify an apparently constant socket,
+ * which is likely to mean standard input, standard output or a similar channel.
  */
 abstract class NetworkSendRecv extends FunctionCall {
   SendRecv target;
@@ -125,6 +125,13 @@ abstract class NetworkSendRecv extends FunctionCall {
           v.getInitializer().getExpr() instanceof Literal and
           g = globalValueNumber(v.getAnAccess())
         )
+        or
+        // result of a function call with literal inputs (likely constant)
+        exists(FunctionCall fc |
+          forex(Expr arg | arg = fc.getAnArgument() | arg instanceof Literal) and
+          g = globalValueNumber(fc)
+        )
+        // (this is far from exhaustive)
       )
     )
   }
@@ -147,18 +154,28 @@ class NetworkRecv extends NetworkSendRecv {
 }
 
 /**
- * An expression that is an argument or return value from an encryption or
- * decryption call.
+ * An expression that is an argument or return value from an encryption /
+ * decryption call. This is quite inclusive to minimize false positives, for
+ * example `SecureZeroMemory` is not an encryption routine but a clue that
+ * encryption may be present.
  */
 class Encrypted extends Expr {
   Encrypted() {
     exists(FunctionCall fc |
-      fc.getTarget().getName().toLowerCase().regexpMatch(".*(crypt|encode|decode).*") and
+      fc.getTarget()
+          .getName()
+          .toLowerCase()
+          .regexpMatch(".*(crypt|encode|decode|hash|securezero).*") and
       (
         this = fc or
         this = fc.getAnArgument()
       )
     )
+    or
+    exists(Type t |
+      this.getType().refersTo(t) and
+      t.getName().toLowerCase().regexpMatch(".*(crypt|encode|decode|hash|securezero).*")
+    )
   }
 }
 

cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql

@@ -34,9 +34,7 @@ class SetSecurityDescriptorDaclFunctionCall extends FunctionCall {
 class NullDaclConfig extends DataFlow::Configuration {
   NullDaclConfig() { this = "NullDaclConfig" }
 
-  override predicate isSource(DataFlow::Node source) {
-    exists(NullValue nullExpr | source.asExpr() = nullExpr)
-  }
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof NullValue }
 
   override predicate isSink(DataFlow::Node sink) {
     exists(SetSecurityDescriptorDaclFunctionCall call, VariableAccess val | val = sink.asExpr() |

cpp/ql/src/change-notes/2022-01-19-cleartext-transmission.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Cleartext transmission of sensitive information" (`cpp/cleartext-transmission`) query has been improved in several ways to reduce false positive results.

cpp/ql/src/change-notes/2022-01-20-return-stack-allocated-memory.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The `cpp/return-stack-allocated-memory` query has been improved to produce fewer false positives. The
+  query has also been converted to a `path-problem` query.

cpp/ql/src/change-notes/2022-01-24-cleartext-storage-file.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/cleartext-storage-file` query has been upgraded with non-local taint flow and has been converted to a `path-problem` query.

cpp/ql/src/change-notes/2022-01-24-return-stack-allocated-memory.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* The `security` tag has been added to the `cpp/return-stack-allocated-memory` query. As a result, its results will now appear by default.

cpp/ql/src/change-notes/2022-01-25-cleartext-storage-buffer.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/cleartext-storage-buffer` query has been updated to use the `semmle.code.cpp.dataflow.TaintTracking` library.

cpp/ql/src/change-notes/2022-01-26-unnamed-variable-declaration-hiding.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fix an issue with the `cpp/declaration-hides-variable` query where it would report variables that are unnamed in a database.

cpp/ql/src/change-notes/released/0.0.7.md

@@ -0,0 +1 @@
+## 0.0.7

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.6
+lastReleaseVersion: 0.0.7

cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql

@@ -24,10 +24,10 @@ class CallUsedToHandleErrors extends FunctionCall {
     not exists(this.(ControlFlowNode).getASuccessor())
     or
     // call throwing an exception
-    exists(ThrowExpr tex | tex = this.(ControlFlowNode).getASuccessor())
+    this.(ControlFlowNode).getASuccessor() instanceof ThrowExpr
     or
     // call logging a message, possibly an error
-    exists(FormattingFunction ff | ff = this.(ControlFlowNode).getASuccessor())
+    this.(ControlFlowNode).getASuccessor() instanceof FormattingFunction
     or
     // enabling recursive search
     exists(CallUsedToHandleErrors fr | getTarget() = fr.getEnclosingFunction())
@@ -37,9 +37,9 @@ class CallUsedToHandleErrors extends FunctionCall {
 /** Holds if the conditions for a call outside the wrapper function are met. */
 predicate conditionsOutsideWrapper(FunctionCall fcp) {
   fcp.getNumberOfArguments() > 0 and
-  not exists(ConditionalStmt cdtmp | fcp.getEnclosingStmt().getParentStmt*() = cdtmp) and
-  not exists(Loop lptmp | fcp.getEnclosingStmt().getParentStmt*() = lptmp) and
-  not exists(ReturnStmt rttmp | fcp.getEnclosingStmt().getParentStmt*() = rttmp) and
+  not fcp.getEnclosingStmt().getParentStmt*() instanceof ConditionalStmt and
+  not fcp.getEnclosingStmt().getParentStmt*() instanceof Loop and
+  not fcp.getEnclosingStmt().getParentStmt*() instanceof ReturnStmt and
   not exists(FunctionCall fctmp2 | fcp = fctmp2.getAnArgument().getAChild*()) and
   not exists(Assignment astmp | fcp = astmp.getRValue().getAChild*()) and
   not exists(Initializer intmp | fcp = intmp.getExpr().getAChild*()) and

cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql

@@ -92,7 +92,7 @@ where
     ) and
     exists(Variable vrtmp |
       vrtmp = fc.getArgument(0).(VariableAccess).getTarget() and
-      vrtmp = fctmp.getArgument(0).(AddressOfExpr).getAddressable().(Variable) and
+      vrtmp = fctmp.getArgument(0).(AddressOfExpr).getAddressable() and
       not vrtmp instanceof Field
     )
   ) and

cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql

@@ -26,7 +26,7 @@ class CallMayNotReturn extends FunctionCall {
     // call to another function that may not return
     exists(CallMayNotReturn exit | getTarget() = exit.getEnclosingFunction())
     or
-    exists(ThrowExpr tex | tex = this.(ControlFlowNode).getASuccessor())
+    this.(ControlFlowNode).getASuccessor() instanceof ThrowExpr
   }
 }
 
@@ -127,7 +127,7 @@ predicate similarArguments(FunctionCall fc, FunctionCall fc1) {
 
 from FunctionCall fc, FunctionCall fc1
 where
-  not exists(CallMayNotReturn fctmp | fctmp = fc.getASuccessor*()) and
+  not fc.getASuccessor*() instanceof CallMayNotReturn and
   not exists(IfStmt ifs | ifs.getCondition().getAChild*() = fc) and
   (
     // detecting a repeated call situation within one function

cpp/ql/src/jsf/4.10 Classes/AV Rule 97.1.ql

@@ -15,6 +15,6 @@ from EqualityOperation e, PointerToMemberType t, Class c
 where
   e.getAnOperand().getType() = t and
   t.getClass() = c and
-  exists(VirtualFunction f | c.getAMemberFunction() = f)
+  c.getAMemberFunction() instanceof VirtualFunction
 select e,
   "AV Rule 97.1: Neither operand of an equality operator shall be a pointer to a virtual member function."

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.0.7-dev
+version: 0.0.8-dev
 groups: cpp
 dependencies:
     codeql/cpp-all: "*"

cpp/ql/test/library-tests/ir/ir/operand_locations.expected

@@ -2665,7 +2665,7 @@
 | ir.cpp:617:15:617:21 | Unary | r617_4 |
 | ir.cpp:617:15:617:22 | CallTarget | func:r617_3 |
 | ir.cpp:617:15:617:22 | ChiPartial | partial:m617_7 |
-| ir.cpp:617:15:617:22 | ChiPartial | partial:m617_9 |
+| ir.cpp:617:15:617:22 | ChiPartial | partial:m617_10 |
 | ir.cpp:617:15:617:22 | ChiTotal | total:m616_6 |
 | ir.cpp:617:15:617:22 | ChiTotal | total:m617_2 |
 | ir.cpp:617:15:617:22 | SideEffect | ~m616_6 |
@@ -2680,7 +2680,7 @@
 | ir.cpp:619:12:619:13 | Arg(this) | this:r619_1 |
 | ir.cpp:619:16:619:30 | CallTarget | func:r619_3 |
 | ir.cpp:619:16:619:30 | ChiPartial | partial:m619_7 |
-| ir.cpp:619:16:619:30 | ChiPartial | partial:m619_9 |
+| ir.cpp:619:16:619:30 | ChiPartial | partial:m619_10 |
 | ir.cpp:619:16:619:30 | ChiTotal | total:m618_5 |
 | ir.cpp:619:16:619:30 | ChiTotal | total:m619_2 |
 | ir.cpp:619:16:619:30 | SideEffect | ~m618_5 |
@@ -2906,7 +2906,7 @@
 | ir.cpp:658:5:658:5 | ChiPartial | partial:m658_3 |
 | ir.cpp:658:5:658:5 | ChiTotal | total:m658_2 |
 | ir.cpp:658:5:658:5 | Load | m658_6 |
-| ir.cpp:658:5:658:5 | SideEffect | m662_9 |
+| ir.cpp:658:5:658:5 | SideEffect | m662_10 |
 | ir.cpp:658:5:658:5 | SideEffect | ~m662_7 |
 | ir.cpp:658:5:658:5 | Unary | m658_6 |
 | ir.cpp:658:5:658:5 | Unary | m658_6 |
@@ -2929,7 +2929,7 @@
 | ir.cpp:662:9:662:19 | Arg(this) | this:r662_1 |
 | ir.cpp:662:9:662:19 | CallTarget | func:r662_2 |
 | ir.cpp:662:9:662:19 | ChiPartial | partial:m662_6 |
-| ir.cpp:662:9:662:19 | ChiPartial | partial:m662_8 |
+| ir.cpp:662:9:662:19 | ChiPartial | partial:m662_9 |
 | ir.cpp:662:9:662:19 | ChiTotal | total:m661_4 |
 | ir.cpp:662:9:662:19 | ChiTotal | total:m663_5 |
 | ir.cpp:662:9:662:19 | SideEffect | ~m663_5 |
@@ -3147,10 +3147,10 @@
 | ir.cpp:736:5:736:19 | Arg(this) | this:r736_1 |
 | ir.cpp:736:5:736:19 | CallTarget | func:r736_3 |
 | ir.cpp:736:5:736:19 | ChiPartial | partial:m736_7 |
-| ir.cpp:736:5:736:19 | ChiPartial | partial:m736_9 |
+| ir.cpp:736:5:736:19 | ChiPartial | partial:m736_10 |
 | ir.cpp:736:5:736:19 | ChiTotal | total:m724_4 |
 | ir.cpp:736:5:736:19 | ChiTotal | total:m736_2 |
-| ir.cpp:736:5:736:19 | Load | m736_10 |
+| ir.cpp:736:5:736:19 | Load | m736_11 |
 | ir.cpp:736:5:736:19 | SideEffect | ~m724_4 |
 | ir.cpp:736:18:736:18 | Address | &:r736_4 |
 | ir.cpp:736:18:736:18 | Address | &:r736_5 |
@@ -3673,11 +3673,11 @@
 | ir.cpp:809:7:809:13 | Arg(this) | this:r809_3 |
 | ir.cpp:809:7:809:13 | CallTarget | func:r809_5 |
 | ir.cpp:809:7:809:13 | ChiPartial | partial:m809_10 |
-| ir.cpp:809:7:809:13 | ChiPartial | partial:m809_12 |
+| ir.cpp:809:7:809:13 | ChiPartial | partial:m809_13 |
 | ir.cpp:809:7:809:13 | ChiTotal | total:m808_8 |
 | ir.cpp:809:7:809:13 | ChiTotal | total:m809_4 |
 | ir.cpp:809:7:809:13 | SideEffect | ~m808_8 |
-| ir.cpp:809:7:809:13 | SideEffect | ~m809_13 |
+| ir.cpp:809:7:809:13 | SideEffect | ~m809_14 |
 | ir.cpp:809:7:809:13 | Unary | r809_3 |
 | ir.cpp:809:7:809:13 | Unary | r809_15 |
 | ir.cpp:809:13:809:13 | Address | &:r809_8 |
@@ -3703,11 +3703,11 @@
 | ir.cpp:810:7:810:26 | Arg(this) | this:r810_3 |
 | ir.cpp:810:7:810:26 | CallTarget | func:r810_5 |
 | ir.cpp:810:7:810:26 | ChiPartial | partial:m810_10 |
-| ir.cpp:810:7:810:26 | ChiPartial | partial:m810_12 |
+| ir.cpp:810:7:810:26 | ChiPartial | partial:m810_13 |
 | ir.cpp:810:7:810:26 | ChiTotal | total:m809_19 |
 | ir.cpp:810:7:810:26 | ChiTotal | total:m810_4 |
 | ir.cpp:810:7:810:26 | SideEffect | ~m809_19 |
-| ir.cpp:810:7:810:26 | SideEffect | ~m810_13 |
+| ir.cpp:810:7:810:26 | SideEffect | ~m810_14 |
 | ir.cpp:810:7:810:26 | Unary | r810_3 |
 | ir.cpp:810:7:810:26 | Unary | r810_15 |
 | ir.cpp:810:25:810:25 | Address | &:r810_8 |
@@ -3819,11 +3819,11 @@
 | ir.cpp:823:7:823:13 | Arg(this) | this:r823_3 |
 | ir.cpp:823:7:823:13 | CallTarget | func:r823_5 |
 | ir.cpp:823:7:823:13 | ChiPartial | partial:m823_11 |
-| ir.cpp:823:7:823:13 | ChiPartial | partial:m823_13 |
+| ir.cpp:823:7:823:13 | ChiPartial | partial:m823_14 |
 | ir.cpp:823:7:823:13 | ChiTotal | total:m822_9 |
 | ir.cpp:823:7:823:13 | ChiTotal | total:m823_4 |
 | ir.cpp:823:7:823:13 | SideEffect | ~m822_9 |
-| ir.cpp:823:7:823:13 | SideEffect | ~m823_14 |
+| ir.cpp:823:7:823:13 | SideEffect | ~m823_15 |
 | ir.cpp:823:7:823:13 | Unary | r823_3 |
 | ir.cpp:823:7:823:13 | Unary | r823_16 |
 | ir.cpp:823:13:823:13 | Address | &:r823_9 |
@@ -3850,11 +3850,11 @@
 | ir.cpp:824:7:824:26 | Arg(this) | this:r824_3 |
 | ir.cpp:824:7:824:26 | CallTarget | func:r824_5 |
 | ir.cpp:824:7:824:26 | ChiPartial | partial:m824_11 |
-| ir.cpp:824:7:824:26 | ChiPartial | partial:m824_13 |
+| ir.cpp:824:7:824:26 | ChiPartial | partial:m824_14 |
 | ir.cpp:824:7:824:26 | ChiTotal | total:m823_20 |
 | ir.cpp:824:7:824:26 | ChiTotal | total:m824_4 |
 | ir.cpp:824:7:824:26 | SideEffect | ~m823_20 |
-| ir.cpp:824:7:824:26 | SideEffect | ~m824_14 |
+| ir.cpp:824:7:824:26 | SideEffect | ~m824_15 |
 | ir.cpp:824:7:824:26 | Unary | r824_3 |
 | ir.cpp:824:7:824:26 | Unary | r824_16 |
 | ir.cpp:824:25:824:25 | Address | &:r824_9 |
@@ -4059,11 +4059,11 @@
 | ir.cpp:867:1:867:14 | ChiPartial | partial:m867_3 |
 | ir.cpp:867:1:867:14 | ChiTotal | total:m867_2 |
 | ir.cpp:867:1:867:14 | Load | m867_6 |
-| ir.cpp:867:1:867:14 | SideEffect | m868_8 |
+| ir.cpp:867:1:867:14 | SideEffect | m868_9 |
 | ir.cpp:867:1:867:14 | SideEffect | ~m868_6 |
 | ir.cpp:868:3:868:12 | CallTarget | func:r868_1 |
 | ir.cpp:868:3:868:12 | ChiPartial | partial:m868_5 |
-| ir.cpp:868:3:868:12 | ChiPartial | partial:m868_7 |
+| ir.cpp:868:3:868:12 | ChiPartial | partial:m868_8 |
 | ir.cpp:868:3:868:12 | ChiTotal | total:m867_4 |
 | ir.cpp:868:3:868:12 | ChiTotal | total:m867_8 |
 | ir.cpp:868:3:868:12 | SideEffect | ~m867_4 |
@@ -4310,7 +4310,7 @@
 | ir.cpp:954:3:954:27 | CallTarget | func:r954_9 |
 | ir.cpp:954:3:954:27 | ChiPartial | partial:m954_5 |
 | ir.cpp:954:3:954:27 | ChiPartial | partial:m954_13 |
-| ir.cpp:954:3:954:27 | ChiPartial | partial:m954_15 |
+| ir.cpp:954:3:954:27 | ChiPartial | partial:m954_16 |
 | ir.cpp:954:3:954:27 | ChiTotal | total:m953_11 |
 | ir.cpp:954:3:954:27 | ChiTotal | total:m954_6 |
 | ir.cpp:954:3:954:27 | ChiTotal | total:m954_7 |
@@ -5386,10 +5386,10 @@
 | ir.cpp:1154:5:1154:19 | Arg(this) | this:r1154_1 |
 | ir.cpp:1154:5:1154:19 | CallTarget | func:r1154_3 |
 | ir.cpp:1154:5:1154:19 | ChiPartial | partial:m1154_7 |
-| ir.cpp:1154:5:1154:19 | ChiPartial | partial:m1154_9 |
+| ir.cpp:1154:5:1154:19 | ChiPartial | partial:m1154_10 |
 | ir.cpp:1154:5:1154:19 | ChiTotal | total:m1142_4 |
 | ir.cpp:1154:5:1154:19 | ChiTotal | total:m1154_2 |
-| ir.cpp:1154:5:1154:19 | Load | m1154_10 |
+| ir.cpp:1154:5:1154:19 | Load | m1154_11 |
 | ir.cpp:1154:5:1154:19 | SideEffect | ~m1142_4 |
 | ir.cpp:1154:18:1154:18 | Address | &:r1154_4 |
 | ir.cpp:1154:18:1154:18 | Address | &:r1154_5 |
@@ -5496,14 +5496,14 @@
 | ir.cpp:1178:8:1178:23 | Address | &:r1178_5 |
 | ir.cpp:1178:8:1178:23 | ChiPartial | partial:m1178_3 |
 | ir.cpp:1178:8:1178:23 | ChiTotal | total:m1178_2 |
-| ir.cpp:1178:8:1178:23 | Load | m1179_10 |
+| ir.cpp:1178:8:1178:23 | Load | m1179_11 |
 | ir.cpp:1178:8:1178:23 | SideEffect | ~m1179_8 |
 | ir.cpp:1179:3:1179:23 | Address | &:r1179_1 |
 | ir.cpp:1179:3:1179:23 | Address | &:r1179_1 |
 | ir.cpp:1179:3:1179:23 | Arg(this) | this:r1179_1 |
 | ir.cpp:1179:3:1179:23 | CallTarget | func:r1179_3 |
 | ir.cpp:1179:3:1179:23 | ChiPartial | partial:m1179_7 |
-| ir.cpp:1179:3:1179:23 | ChiPartial | partial:m1179_9 |
+| ir.cpp:1179:3:1179:23 | ChiPartial | partial:m1179_10 |
 | ir.cpp:1179:3:1179:23 | ChiTotal | total:m1178_4 |
 | ir.cpp:1179:3:1179:23 | ChiTotal | total:m1179_2 |
 | ir.cpp:1179:3:1179:23 | SideEffect | ~m1178_4 |
@@ -5651,7 +5651,7 @@
 | ir.cpp:1242:19:1242:19 | Address | &:r1242_5 |
 | ir.cpp:1242:19:1242:19 | Arg(this) | this:r1242_5 |
 | ir.cpp:1242:19:1242:19 | ChiPartial | partial:m1242_16 |
-| ir.cpp:1242:19:1242:19 | ChiTotal | total:m1242_13 |
+| ir.cpp:1242:19:1242:19 | ChiTotal | total:m1242_14 |
 | ir.cpp:1242:19:1242:19 | Condition | r1242_3 |
 | ir.cpp:1242:19:1242:19 | Load | ~m1242_1 |
 | ir.cpp:1242:19:1242:19 | Phi | from 0:~m1240_4 |
@@ -5659,7 +5659,7 @@
 | ir.cpp:1242:19:1242:19 | StoreValue | r1242_15 |
 | ir.cpp:1242:20:1242:29 | CallTarget | func:r1242_6 |
 | ir.cpp:1242:20:1242:29 | ChiPartial | partial:m1242_10 |
-| ir.cpp:1242:20:1242:29 | ChiPartial | partial:m1242_12 |
+| ir.cpp:1242:20:1242:29 | ChiPartial | partial:m1242_13 |
 | ir.cpp:1242:20:1242:29 | ChiTotal | total:m1242_1 |
 | ir.cpp:1242:20:1242:29 | ChiTotal | total:m1242_11 |
 | ir.cpp:1242:20:1242:29 | SideEffect | ~m1242_1 |
@@ -5672,7 +5672,7 @@
 | ir.cpp:1243:19:1243:19 | Address | &:r1243_5 |
 | ir.cpp:1243:19:1243:19 | Arg(this) | this:r1243_5 |
 | ir.cpp:1243:19:1243:19 | ChiPartial | partial:m1243_16 |
-| ir.cpp:1243:19:1243:19 | ChiTotal | total:m1243_13 |
+| ir.cpp:1243:19:1243:19 | ChiTotal | total:m1243_14 |
 | ir.cpp:1243:19:1243:19 | Condition | r1243_3 |
 | ir.cpp:1243:19:1243:19 | Load | ~m1243_1 |
 | ir.cpp:1243:19:1243:19 | Phi | from 2:~m1242_1 |
@@ -5680,7 +5680,7 @@
 | ir.cpp:1243:19:1243:19 | StoreValue | r1243_15 |
 | ir.cpp:1243:20:1243:28 | CallTarget | func:r1243_6 |
 | ir.cpp:1243:20:1243:28 | ChiPartial | partial:m1243_10 |
-| ir.cpp:1243:20:1243:28 | ChiPartial | partial:m1243_12 |
+| ir.cpp:1243:20:1243:28 | ChiPartial | partial:m1243_13 |
 | ir.cpp:1243:20:1243:28 | ChiTotal | total:m1243_1 |
 | ir.cpp:1243:20:1243:28 | ChiTotal | total:m1243_11 |
 | ir.cpp:1243:20:1243:28 | SideEffect | ~m1243_1 |
@@ -6200,12 +6200,12 @@
 | ir.cpp:1370:23:1370:27 | Arg(this) | this:r1370_2 |
 | ir.cpp:1370:23:1370:27 | CallTarget | func:r1370_4 |
 | ir.cpp:1370:23:1370:27 | ChiPartial | partial:m1370_8 |
-| ir.cpp:1370:23:1370:27 | ChiPartial | partial:m1370_10 |
+| ir.cpp:1370:23:1370:27 | ChiPartial | partial:m1370_11 |
 | ir.cpp:1370:23:1370:27 | ChiTotal | total:m1369_7 |
 | ir.cpp:1370:23:1370:27 | ChiTotal | total:m1370_3 |
 | ir.cpp:1370:23:1370:27 | SideEffect | ~m1365_3 |
 | ir.cpp:1370:23:1370:27 | SideEffect | ~m1369_7 |
-| ir.cpp:1370:23:1370:27 | SideEffect | ~m1370_11 |
+| ir.cpp:1370:23:1370:27 | SideEffect | ~m1370_12 |
 | ir.cpp:1370:23:1370:27 | Unary | r1370_2 |
 | ir.cpp:1370:23:1370:27 | Unary | r1370_5 |
 | ir.cpp:1371:5:1371:15 | CallTarget | func:r1371_1 |
@@ -6221,10 +6221,10 @@
 | ir.cpp:1371:17:1371:17 | Arg(this) | this:r1371_2 |
 | ir.cpp:1371:17:1371:17 | CallTarget | func:r1371_4 |
 | ir.cpp:1371:17:1371:17 | ChiPartial | partial:m1371_9 |
-| ir.cpp:1371:17:1371:17 | ChiPartial | partial:m1371_11 |
+| ir.cpp:1371:17:1371:17 | ChiPartial | partial:m1371_12 |
 | ir.cpp:1371:17:1371:17 | ChiTotal | total:m1370_16 |
 | ir.cpp:1371:17:1371:17 | ChiTotal | total:m1371_3 |
-| ir.cpp:1371:17:1371:17 | Load | m1371_12 |
+| ir.cpp:1371:17:1371:17 | Load | m1371_13 |
 | ir.cpp:1371:17:1371:17 | SideEffect | ~m1366_6 |
 | ir.cpp:1371:17:1371:17 | SideEffect | ~m1370_16 |
 | ir.cpp:1371:17:1371:17 | Unary | r1371_5 |
@@ -6242,10 +6242,10 @@
 | ir.cpp:1372:25:1372:29 | Arg(this) | this:r1372_2 |
 | ir.cpp:1372:25:1372:29 | CallTarget | func:r1372_4 |
 | ir.cpp:1372:25:1372:29 | ChiPartial | partial:m1372_8 |
-| ir.cpp:1372:25:1372:29 | ChiPartial | partial:m1372_10 |
+| ir.cpp:1372:25:1372:29 | ChiPartial | partial:m1372_11 |
 | ir.cpp:1372:25:1372:29 | ChiTotal | total:m1371_17 |
 | ir.cpp:1372:25:1372:29 | ChiTotal | total:m1372_3 |
-| ir.cpp:1372:25:1372:29 | Load | m1372_11 |
+| ir.cpp:1372:25:1372:29 | Load | m1372_12 |
 | ir.cpp:1372:25:1372:29 | SideEffect | ~m1365_3 |
 | ir.cpp:1372:25:1372:29 | SideEffect | ~m1371_17 |
 | ir.cpp:1372:25:1372:29 | Unary | r1372_5 |
@@ -6414,10 +6414,10 @@
 | ir.cpp:1396:17:1396:17 | Arg(this) | this:r1396_2 |
 | ir.cpp:1396:17:1396:17 | CallTarget | func:r1396_4 |
 | ir.cpp:1396:17:1396:17 | ChiPartial | partial:m1396_9 |
-| ir.cpp:1396:17:1396:17 | ChiPartial | partial:m1396_11 |
+| ir.cpp:1396:17:1396:17 | ChiPartial | partial:m1396_12 |
 | ir.cpp:1396:17:1396:17 | ChiTotal | total:m1395_7 |
 | ir.cpp:1396:17:1396:17 | ChiTotal | total:m1396_3 |
-| ir.cpp:1396:17:1396:17 | Load | m1396_12 |
+| ir.cpp:1396:17:1396:17 | Load | m1396_13 |
 | ir.cpp:1396:17:1396:17 | SideEffect | ~m1392_6 |
 | ir.cpp:1396:17:1396:17 | SideEffect | ~m1395_7 |
 | ir.cpp:1396:17:1396:17 | Unary | r1396_5 |
@@ -6741,7 +6741,7 @@
 | smart_ptr.cpp:19:20:19:21 | ChiPartial | partial:m19_18 |
 | smart_ptr.cpp:19:20:19:21 | ChiTotal | total:m17_8 |
 | smart_ptr.cpp:19:20:19:21 | ChiTotal | total:m18_8 |
-| smart_ptr.cpp:19:20:19:21 | Load | m19_11 |
+| smart_ptr.cpp:19:20:19:21 | Load | m19_12 |
 | smart_ptr.cpp:19:20:19:21 | SideEffect | m18_9 |
 | smart_ptr.cpp:19:20:19:21 | SideEffect | ~m17_8 |
 | smart_ptr.cpp:19:20:19:21 | SideEffect | ~m18_8 |
@@ -6766,7 +6766,7 @@
 | smart_ptr.cpp:31:26:31:37 | CallTarget | func:r31_4 |
 | smart_ptr.cpp:31:26:31:37 | ChiPartial | partial:m31_9 |
 | smart_ptr.cpp:31:26:31:37 | ChiTotal | total:m28_4 |
-| smart_ptr.cpp:31:26:31:37 | Load | m31_11 |
+| smart_ptr.cpp:31:26:31:37 | Load | m31_12 |
 | smart_ptr.cpp:31:26:31:37 | SideEffect | m29_2 |
 | smart_ptr.cpp:31:26:31:37 | SideEffect | ~m28_4 |
 | smart_ptr.cpp:31:26:31:37 | SideEffect | ~m31_16 |
@@ -6791,7 +6791,7 @@
 | smart_ptr.cpp:35:30:35:49 | ChiPartial | partial:m35_18 |
 | smart_ptr.cpp:35:30:35:49 | ChiTotal | total:m31_16 |
 | smart_ptr.cpp:35:30:35:49 | ChiTotal | total:m35_16 |
-| smart_ptr.cpp:35:30:35:49 | Load | m35_11 |
+| smart_ptr.cpp:35:30:35:49 | Load | m35_12 |
 | smart_ptr.cpp:35:30:35:49 | SideEffect | m33_2 |
 | smart_ptr.cpp:35:30:35:49 | SideEffect | ~m31_16 |
 | smart_ptr.cpp:35:30:35:49 | SideEffect | ~m35_16 |
@@ -6816,7 +6816,7 @@
 | smart_ptr.cpp:39:37:39:51 | ChiPartial | partial:m39_18 |
 | smart_ptr.cpp:39:37:39:51 | ChiTotal | total:m35_19 |
 | smart_ptr.cpp:39:37:39:51 | ChiTotal | total:m39_16 |
-| smart_ptr.cpp:39:37:39:51 | Load | m39_11 |
+| smart_ptr.cpp:39:37:39:51 | Load | m39_12 |
 | smart_ptr.cpp:39:37:39:51 | SideEffect | m37_2 |
 | smart_ptr.cpp:39:37:39:51 | SideEffect | ~m35_19 |
 | smart_ptr.cpp:39:37:39:51 | SideEffect | ~m39_16 |
@@ -6841,7 +6841,7 @@
 | smart_ptr.cpp:43:37:43:51 | ChiPartial | partial:m43_18 |
 | smart_ptr.cpp:43:37:43:51 | ChiTotal | total:m39_19 |
 | smart_ptr.cpp:43:37:43:51 | ChiTotal | total:m43_16 |
-| smart_ptr.cpp:43:37:43:51 | Load | m43_11 |
+| smart_ptr.cpp:43:37:43:51 | Load | m43_12 |
 | smart_ptr.cpp:43:37:43:51 | SideEffect | m41_2 |
 | smart_ptr.cpp:43:37:43:51 | SideEffect | ~m39_19 |
 | smart_ptr.cpp:43:37:43:51 | SideEffect | ~m43_16 |
@@ -6863,7 +6863,7 @@
 | smart_ptr.cpp:47:43:47:63 | CallTarget | func:r47_4 |
 | smart_ptr.cpp:47:43:47:63 | ChiPartial | partial:m47_9 |
 | smart_ptr.cpp:47:43:47:63 | ChiTotal | total:m43_19 |
-| smart_ptr.cpp:47:43:47:63 | Load | m47_11 |
+| smart_ptr.cpp:47:43:47:63 | Load | m47_12 |
 | smart_ptr.cpp:47:43:47:63 | SideEffect | m45_2 |
 | smart_ptr.cpp:47:43:47:63 | SideEffect | ~m43_19 |
 | smart_ptr.cpp:47:43:47:63 | SideEffect | ~m47_16 |

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -3362,8 +3362,8 @@ ir.cpp:
 #  617|     r617_5(char *)         = Convert                         : r617_4
 #  617|     v617_6(void)           = Call[String]                    : func:r617_3, this:r617_1, 0:r617_5
 #  617|     mu617_7(unknown)       = ^CallSideEffect                 : ~m?
-#  617|     mu617_8(String)        = ^IndirectMayWriteSideEffect[-1] : &:r617_1
-#  617|     v617_9(void)           = ^BufferReadSideEffect[0]        : &:r617_5, ~m?
+#  617|     v617_8(void)           = ^BufferReadSideEffect[0]        : &:r617_5, ~m?
+#  617|     mu617_9(String)        = ^IndirectMayWriteSideEffect[-1] : &:r617_1
 #  618|     r618_1(glval<String>)  = VariableAddress[s3]             : 
 #  618|     r618_2(glval<unknown>) = FunctionAddress[ReturnObject]   : 
 #  618|     r618_3(String)         = Call[ReturnObject]              : func:r618_2
@@ -3376,8 +3376,8 @@ ir.cpp:
 #  619|     r619_5(char *)         = Convert                         : r619_4
 #  619|     v619_6(void)           = Call[String]                    : func:r619_3, this:r619_1, 0:r619_5
 #  619|     mu619_7(unknown)       = ^CallSideEffect                 : ~m?
-#  619|     mu619_8(String)        = ^IndirectMayWriteSideEffect[-1] : &:r619_1
-#  619|     v619_9(void)           = ^BufferReadSideEffect[0]        : &:r619_5, ~m?
+#  619|     v619_8(void)           = ^BufferReadSideEffect[0]        : &:r619_5, ~m?
+#  619|     mu619_9(String)        = ^IndirectMayWriteSideEffect[-1] : &:r619_1
 #  620|     v620_1(void)           = NoOp                            : 
 #  615|     v615_4(void)           = ReturnVoid                      : 
 #  615|     v615_5(void)           = AliasedUse                      : ~m?
@@ -3628,8 +3628,8 @@ ir.cpp:
 #  662|     r662_4(char *)         = Convert                         : r662_3
 #  662|     v662_5(void)           = Call[String]                    : func:r662_2, this:r662_1, 0:r662_4
 #  662|     mu662_6(unknown)       = ^CallSideEffect                 : ~m?
-#  662|     mu662_7(String)        = ^IndirectMayWriteSideEffect[-1] : &:r662_1
-#  662|     v662_8(void)           = ^BufferReadSideEffect[0]        : &:r662_4, ~m?
+#  662|     v662_7(void)           = ^BufferReadSideEffect[0]        : &:r662_4, ~m?
+#  662|     mu662_8(String)        = ^IndirectMayWriteSideEffect[-1] : &:r662_1
 #  664|     v664_1(void)           = NoOp                            : 
 #  658|     v658_8(void)           = ReturnIndirection[#this]        : &:r658_6, ~m?
 #  658|     v658_9(void)           = ReturnVoid                      : 
@@ -3924,8 +3924,8 @@ ir.cpp:
 #  731|     r731_15(char *)          = Convert                         : r731_14
 #  731|     v731_16(void)            = Call[String]                    : func:r731_13, this:r731_11, 0:r731_15
 #  731|     mu731_17(unknown)        = ^CallSideEffect                 : ~m?
-#  731|     mu731_18(String)         = ^IndirectMayWriteSideEffect[-1] : &:r731_11
-#  731|     v731_19(void)            = ^BufferReadSideEffect[0]        : &:r731_15, ~m?
+#  731|     v731_18(void)            = ^BufferReadSideEffect[0]        : &:r731_15, ~m?
+#  731|     mu731_19(String)         = ^IndirectMayWriteSideEffect[-1] : &:r731_11
 #  731|     v731_20(void)            = ThrowValue                      : &:r731_11, ~m?
 #-----|   Exception -> Block 9
 
@@ -3952,8 +3952,8 @@ ir.cpp:
 #  736|     r736_5(char *)         = Load[s]                         : &:r736_4, ~m?
 #  736|     v736_6(void)           = Call[String]                    : func:r736_3, this:r736_1, 0:r736_5
 #  736|     mu736_7(unknown)       = ^CallSideEffect                 : ~m?
-#  736|     mu736_8(String)        = ^IndirectMayWriteSideEffect[-1] : &:r736_1
-#  736|     v736_9(void)           = ^BufferReadSideEffect[0]        : &:r736_5, ~m?
+#  736|     v736_8(void)           = ^BufferReadSideEffect[0]        : &:r736_5, ~m?
+#  736|     mu736_9(String)        = ^IndirectMayWriteSideEffect[-1] : &:r736_1
 #  736|     v736_10(void)          = ThrowValue                      : &:r736_1, ~m?
 #-----|   Exception -> Block 2
 
@@ -4518,8 +4518,8 @@ ir.cpp:
 #  809|     r809_8(Base &)             = CopyValue                                 : r809_7
 #  809|     v809_9(void)               = Call[Base]                                : func:r809_5, this:r809_3, 0:r809_8
 #  809|     mu809_10(unknown)          = ^CallSideEffect                           : ~m?
-#  809|     mu809_11(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r809_3
-#  809|     v809_12(void)              = ^BufferReadSideEffect[0]                  : &:r809_8, ~m?
+#  809|     v809_11(void)              = ^BufferReadSideEffect[0]                  : &:r809_8, ~m?
+#  809|     mu809_12(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r809_3
 #  809|     r809_13(glval<Base>)       = Convert                                   : r809_3
 #  809|     r809_14(Base &)            = CopyValue                                 : r809_13
 #  809|     r809_15(Base &)            = Call[operator=]                           : func:r809_2, this:r809_1, 0:r809_14
@@ -4538,8 +4538,8 @@ ir.cpp:
 #  810|     r810_8(Base &)             = CopyValue                                 : r810_7
 #  810|     v810_9(void)               = Call[Base]                                : func:r810_5, this:r810_3, 0:r810_8
 #  810|     mu810_10(unknown)          = ^CallSideEffect                           : ~m?
-#  810|     mu810_11(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r810_3
-#  810|     v810_12(void)              = ^BufferReadSideEffect[0]                  : &:r810_8, ~m?
+#  810|     v810_11(void)              = ^BufferReadSideEffect[0]                  : &:r810_8, ~m?
+#  810|     mu810_12(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r810_3
 #  810|     r810_13(glval<Base>)       = Convert                                   : r810_3
 #  810|     r810_14(Base &)            = CopyValue                                 : r810_13
 #  810|     r810_15(Base &)            = Call[operator=]                           : func:r810_2, this:r810_1, 0:r810_14
@@ -4630,8 +4630,8 @@ ir.cpp:
 #  823|     r823_9(Base &)             = CopyValue                                 : r823_8
 #  823|     v823_10(void)              = Call[Base]                                : func:r823_5, this:r823_3, 0:r823_9
 #  823|     mu823_11(unknown)          = ^CallSideEffect                           : ~m?
-#  823|     mu823_12(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r823_3
-#  823|     v823_13(void)              = ^BufferReadSideEffect[0]                  : &:r823_9, ~m?
+#  823|     v823_12(void)              = ^BufferReadSideEffect[0]                  : &:r823_9, ~m?
+#  823|     mu823_13(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r823_3
 #  823|     r823_14(glval<Base>)       = Convert                                   : r823_3
 #  823|     r823_15(Base &)            = CopyValue                                 : r823_14
 #  823|     r823_16(Base &)            = Call[operator=]                           : func:r823_2, this:r823_1, 0:r823_15
@@ -4651,8 +4651,8 @@ ir.cpp:
 #  824|     r824_9(Base &)             = CopyValue                                 : r824_8
 #  824|     v824_10(void)              = Call[Base]                                : func:r824_5, this:r824_3, 0:r824_9
 #  824|     mu824_11(unknown)          = ^CallSideEffect                           : ~m?
-#  824|     mu824_12(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r824_3
-#  824|     v824_13(void)              = ^BufferReadSideEffect[0]                  : &:r824_9, ~m?
+#  824|     v824_12(void)              = ^BufferReadSideEffect[0]                  : &:r824_9, ~m?
+#  824|     mu824_13(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r824_3
 #  824|     r824_14(glval<Base>)       = Convert                                   : r824_3
 #  824|     r824_15(Base &)            = CopyValue                                 : r824_14
 #  824|     r824_16(Base &)            = Call[operator=]                           : func:r824_2, this:r824_1, 0:r824_15
@@ -4876,8 +4876,8 @@ ir.cpp:
 #  868|     r868_3(char *)         = Convert                         : r868_2
 #  868|     v868_4(void)           = Call[String]                    : func:r868_1, this:mu867_5, 0:r868_3
 #  868|     mu868_5(unknown)       = ^CallSideEffect                 : ~m?
-#  868|     mu868_6(String)        = ^IndirectMayWriteSideEffect[-1] : &:mu867_5
-#  868|     v868_7(void)           = ^BufferReadSideEffect[0]        : &:r868_3, ~m?
+#  868|     v868_6(void)           = ^BufferReadSideEffect[0]        : &:r868_3, ~m?
+#  868|     mu868_7(String)        = ^IndirectMayWriteSideEffect[-1] : &:mu867_5
 #  869|     v869_1(void)           = NoOp                            : 
 #  867|     v867_8(void)           = ReturnIndirection[#this]        : &:r867_6, ~m?
 #  867|     v867_9(void)           = ReturnVoid                      : 
@@ -5177,8 +5177,8 @@ ir.cpp:
 #  954|     r954_10(char *)        = Convert                         : r954_9
 #  954|     v954_11(void)          = Call[String]                    : func:r954_8, this:r954_7, 0:r954_10
 #  954|     mu954_12(unknown)      = ^CallSideEffect                 : ~m?
-#  954|     mu954_13(String)       = ^IndirectMayWriteSideEffect[-1] : &:r954_7
-#  954|     v954_14(void)          = ^BufferReadSideEffect[0]        : &:r954_10, ~m?
+#  954|     v954_13(void)          = ^BufferReadSideEffect[0]        : &:r954_10, ~m?
+#  954|     mu954_14(String)       = ^IndirectMayWriteSideEffect[-1] : &:r954_7
 #  955|     r955_1(glval<unknown>) = FunctionAddress[operator new]   : 
 #  955|     r955_2(unsigned long)  = Constant[256]                   : 
 #  955|     r955_3(align_val_t)    = Constant[128]                   : 
@@ -6423,8 +6423,8 @@ ir.cpp:
 # 1149|     r1149_15(char *)          = Convert                         : r1149_14
 # 1149|     v1149_16(void)            = Call[String]                    : func:r1149_13, this:r1149_11, 0:r1149_15
 # 1149|     mu1149_17(unknown)        = ^CallSideEffect                 : ~m?
-# 1149|     mu1149_18(String)         = ^IndirectMayWriteSideEffect[-1] : &:r1149_11
-# 1149|     v1149_19(void)            = ^BufferReadSideEffect[0]        : &:r1149_15, ~m?
+# 1149|     v1149_18(void)            = ^BufferReadSideEffect[0]        : &:r1149_15, ~m?
+# 1149|     mu1149_19(String)         = ^IndirectMayWriteSideEffect[-1] : &:r1149_11
 # 1149|     v1149_20(void)            = ThrowValue                      : &:r1149_11, ~m?
 #-----|   Exception -> Block 9
 
@@ -6451,8 +6451,8 @@ ir.cpp:
 # 1154|     r1154_5(char *)         = Load[s]                         : &:r1154_4, ~m?
 # 1154|     v1154_6(void)           = Call[String]                    : func:r1154_3, this:r1154_1, 0:r1154_5
 # 1154|     mu1154_7(unknown)       = ^CallSideEffect                 : ~m?
-# 1154|     mu1154_8(String)        = ^IndirectMayWriteSideEffect[-1] : &:r1154_1
-# 1154|     v1154_9(void)           = ^BufferReadSideEffect[0]        : &:r1154_5, ~m?
+# 1154|     v1154_8(void)           = ^BufferReadSideEffect[0]        : &:r1154_5, ~m?
+# 1154|     mu1154_9(String)        = ^IndirectMayWriteSideEffect[-1] : &:r1154_1
 # 1154|     v1154_10(void)          = ThrowValue                      : &:r1154_1, ~m?
 #-----|   Exception -> Block 2
 
@@ -6577,8 +6577,8 @@ ir.cpp:
 # 1179|     r1179_5(char *)         = Convert                         : r1179_4
 # 1179|     v1179_6(void)           = Call[String]                    : func:r1179_3, this:r1179_1, 0:r1179_5
 # 1179|     mu1179_7(unknown)       = ^CallSideEffect                 : ~m?
-# 1179|     mu1179_8(String)        = ^IndirectMayWriteSideEffect[-1] : &:r1179_1
-# 1179|     v1179_9(void)           = ^BufferReadSideEffect[0]        : &:r1179_5, ~m?
+# 1179|     v1179_8(void)           = ^BufferReadSideEffect[0]        : &:r1179_5, ~m?
+# 1179|     mu1179_9(String)        = ^IndirectMayWriteSideEffect[-1] : &:r1179_1
 # 1178|     r1178_4(glval<String>)  = VariableAddress[#return]        : 
 # 1178|     v1178_5(void)           = ReturnValue                     : &:r1178_4, ~m?
 # 1178|     v1178_6(void)           = AliasedUse                      : ~m?
@@ -6832,8 +6832,8 @@ ir.cpp:
 # 1242|     r1242_7(char *)         = Convert                         : r1242_6
 # 1242|     v1242_8(void)           = Call[String]                    : func:r1242_5, this:r1242_4, 0:r1242_7
 # 1242|     mu1242_9(unknown)       = ^CallSideEffect                 : ~m?
-# 1242|     mu1242_10(String)       = ^IndirectMayWriteSideEffect[-1] : &:r1242_4
-# 1242|     v1242_11(void)          = ^BufferReadSideEffect[0]        : &:r1242_7, ~m?
+# 1242|     v1242_10(void)          = ^BufferReadSideEffect[0]        : &:r1242_7, ~m?
+# 1242|     mu1242_11(String)       = ^IndirectMayWriteSideEffect[-1] : &:r1242_4
 # 1242|     r1242_12(bool)          = Constant[1]                     : 
 # 1242|     mu1242_13(bool)         = Store[b#init]                   : &:r1242_1, r1242_12
 #-----|   Goto -> Block 4
@@ -6852,8 +6852,8 @@ ir.cpp:
 # 1243|     r1243_7(char *)         = Load[dynamic]                   : &:r1243_6, ~m?
 # 1243|     v1243_8(void)           = Call[String]                    : func:r1243_5, this:r1243_4, 0:r1243_7
 # 1243|     mu1243_9(unknown)       = ^CallSideEffect                 : ~m?
-# 1243|     mu1243_10(String)       = ^IndirectMayWriteSideEffect[-1] : &:r1243_4
-# 1243|     v1243_11(void)          = ^BufferReadSideEffect[0]        : &:r1243_7, ~m?
+# 1243|     v1243_10(void)          = ^BufferReadSideEffect[0]        : &:r1243_7, ~m?
+# 1243|     mu1243_11(String)       = ^IndirectMayWriteSideEffect[-1] : &:r1243_4
 # 1243|     r1243_12(bool)          = Constant[1]                     : 
 # 1243|     mu1243_13(bool)         = Store[c#init]                   : &:r1243_1, r1243_12
 #-----|   Goto -> Block 6
@@ -7481,8 +7481,8 @@ ir.cpp:
 # 1370|     r1370_6(char *)          = Convert                           : r1370_5
 # 1370|     v1370_7(void)            = Call[String]                      : func:r1370_4, this:r1370_2, 0:r1370_6
 # 1370|     mu1370_8(unknown)        = ^CallSideEffect                   : ~m?
-# 1370|     mu1370_9(String)         = ^IndirectMayWriteSideEffect[-1]   : &:r1370_2
-# 1370|     v1370_10(void)           = ^BufferReadSideEffect[0]          : &:r1370_6, ~m?
+# 1370|     v1370_9(void)            = ^BufferReadSideEffect[0]          : &:r1370_6, ~m?
+# 1370|     mu1370_10(String)        = ^IndirectMayWriteSideEffect[-1]   : &:r1370_2
 # 1370|     r1370_11(String &)       = CopyValue                         : r1370_2
 # 1370|     v1370_12(void)           = Call[acceptRef]                   : func:r1370_1, 0:r1370_11
 # 1370|     mu1370_13(unknown)       = ^CallSideEffect                   : ~m?
@@ -7496,8 +7496,8 @@ ir.cpp:
 # 1371|     r1371_7(String &)        = CopyValue                         : r1371_6
 # 1371|     v1371_8(void)            = Call[String]                      : func:r1371_4, this:r1371_2, 0:r1371_7
 # 1371|     mu1371_9(unknown)        = ^CallSideEffect                   : ~m?
-# 1371|     mu1371_10(String)        = ^IndirectMayWriteSideEffect[-1]   : &:r1371_2
-# 1371|     v1371_11(void)           = ^BufferReadSideEffect[0]          : &:r1371_7, ~m?
+# 1371|     v1371_10(void)           = ^BufferReadSideEffect[0]          : &:r1371_7, ~m?
+# 1371|     mu1371_11(String)        = ^IndirectMayWriteSideEffect[-1]   : &:r1371_2
 # 1371|     r1371_12(String)         = Load[#temp1371:17]                : &:r1371_2, ~m?
 # 1371|     v1371_13(void)           = Call[acceptValue]                 : func:r1371_1, 0:r1371_12
 # 1371|     mu1371_14(unknown)       = ^CallSideEffect                   : ~m?
@@ -7509,8 +7509,8 @@ ir.cpp:
 # 1372|     r1372_6(char *)          = Convert                           : r1372_5
 # 1372|     v1372_7(void)            = Call[String]                      : func:r1372_4, this:r1372_2, 0:r1372_6
 # 1372|     mu1372_8(unknown)        = ^CallSideEffect                   : ~m?
-# 1372|     mu1372_9(String)         = ^IndirectMayWriteSideEffect[-1]   : &:r1372_2
-# 1372|     v1372_10(void)           = ^BufferReadSideEffect[0]          : &:r1372_6, ~m?
+# 1372|     v1372_9(void)            = ^BufferReadSideEffect[0]          : &:r1372_6, ~m?
+# 1372|     mu1372_10(String)        = ^IndirectMayWriteSideEffect[-1]   : &:r1372_2
 # 1372|     r1372_11(String)         = Load[#temp1372:25]                : &:r1372_2, ~m?
 # 1372|     v1372_12(void)           = Call[acceptValue]                 : func:r1372_1, 0:r1372_11
 # 1372|     mu1372_13(unknown)       = ^CallSideEffect                   : ~m?
@@ -7652,8 +7652,8 @@ ir.cpp:
 # 1396|     r1396_7(copy_constructor &)        = CopyValue                         : r1396_6
 # 1396|     v1396_8(void)                      = Call[copy_constructor]            : func:r1396_4, this:r1396_2, 0:r1396_7
 # 1396|     mu1396_9(unknown)                  = ^CallSideEffect                   : ~m?
-# 1396|     mu1396_10(copy_constructor)        = ^IndirectMayWriteSideEffect[-1]   : &:r1396_2
-# 1396|     v1396_11(void)                     = ^BufferReadSideEffect[0]          : &:r1396_7, ~m?
+# 1396|     v1396_10(void)                     = ^BufferReadSideEffect[0]          : &:r1396_7, ~m?
+# 1396|     mu1396_11(copy_constructor)        = ^IndirectMayWriteSideEffect[-1]   : &:r1396_2
 # 1396|     r1396_12(copy_constructor)         = Load[#temp1396:17]                : &:r1396_2, ~m?
 # 1396|     v1396_13(void)                     = Call[acceptValue]                 : func:r1396_1, 0:r1396_12
 # 1396|     mu1396_14(unknown)                 = ^CallSideEffect                   : ~m?
@@ -7967,8 +7967,8 @@ smart_ptr.cpp:
 #   19|     r19_7(shared_ptr<float> &)      = CopyValue                        : r19_6
 #   19|     v19_8(void)                     = Call[shared_ptr]                 : func:r19_4, this:r19_2, 0:r19_7
 #   19|     mu19_9(unknown)                 = ^CallSideEffect                  : ~m?
-#   19|     mu19_10(shared_ptr<float>)      = ^IndirectMustWriteSideEffect[-1] : &:r19_2
-#   19|     v19_11(void)                    = ^IndirectReadSideEffect[0]       : &:r19_7, ~m?
+#   19|     v19_10(void)                    = ^IndirectReadSideEffect[0]       : &:r19_7, ~m?
+#   19|     mu19_11(shared_ptr<float>)      = ^IndirectMustWriteSideEffect[-1] : &:r19_2
 #   19|     r19_12(shared_ptr<float>)       = Load[#temp19:20]                 : &:r19_2, ~m?
 #   19|     v19_13(void)                    = Call[shared_ptr_arg]             : func:r19_1, 0:r19_12
 #   19|     mu19_14(unknown)                = ^CallSideEffect                  : ~m?
@@ -7996,8 +7996,8 @@ smart_ptr.cpp:
 #   31|     r31_7(shared_ptr<const int> &)                        = CopyValue                                              : r31_6
 #   31|     v31_8(void)                                           = Call[shared_ptr]                                       : func:r31_4, this:r31_2, 0:r31_7
 #   31|     mu31_9(unknown)                                       = ^CallSideEffect                                        : ~m?
-#   31|     mu31_10(shared_ptr<const int>)                        = ^IndirectMustWriteSideEffect[-1]                       : &:r31_2
-#   31|     v31_11(void)                                          = ^IndirectReadSideEffect[0]                             : &:r31_7, ~m?
+#   31|     v31_10(void)                                          = ^IndirectReadSideEffect[0]                             : &:r31_7, ~m?
+#   31|     mu31_11(shared_ptr<const int>)                        = ^IndirectMustWriteSideEffect[-1]                       : &:r31_2
 #   31|     r31_12(shared_ptr<const int>)                         = Load[#temp31:26]                                       : &:r31_2, ~m?
 #   31|     v31_13(void)                                          = Call[shared_ptr_const_int]                             : func:r31_1, 0:r31_12
 #   31|     mu31_14(unknown)                                      = ^CallSideEffect                                        : ~m?
@@ -8013,8 +8013,8 @@ smart_ptr.cpp:
 #   35|     r35_7(shared_ptr<int *const> &)                       = CopyValue                                              : r35_6
 #   35|     v35_8(void)                                           = Call[shared_ptr]                                       : func:r35_4, this:r35_2, 0:r35_7
 #   35|     mu35_9(unknown)                                       = ^CallSideEffect                                        : ~m?
-#   35|     mu35_10(shared_ptr<int *const>)                       = ^IndirectMustWriteSideEffect[-1]                       : &:r35_2
-#   35|     v35_11(void)                                          = ^IndirectReadSideEffect[0]                             : &:r35_7, ~m?
+#   35|     v35_10(void)                                          = ^IndirectReadSideEffect[0]                             : &:r35_7, ~m?
+#   35|     mu35_11(shared_ptr<int *const>)                       = ^IndirectMustWriteSideEffect[-1]                       : &:r35_2
 #   35|     r35_12(shared_ptr<int *const>)                        = Load[#temp35:30]                                       : &:r35_2, ~m?
 #   35|     v35_13(void)                                          = Call[shared_ptr_const_int_ptr]                         : func:r35_1, 0:r35_12
 #   35|     mu35_14(unknown)                                      = ^CallSideEffect                                        : ~m?
@@ -8031,8 +8031,8 @@ smart_ptr.cpp:
 #   39|     r39_7(shared_ptr<shared_ptr<const int>> &)            = CopyValue                                              : r39_6
 #   39|     v39_8(void)                                           = Call[shared_ptr]                                       : func:r39_4, this:r39_2, 0:r39_7
 #   39|     mu39_9(unknown)                                       = ^CallSideEffect                                        : ~m?
-#   39|     mu39_10(shared_ptr<shared_ptr<const int>>)            = ^IndirectMustWriteSideEffect[-1]                       : &:r39_2
-#   39|     v39_11(void)                                          = ^IndirectReadSideEffect[0]                             : &:r39_7, ~m?
+#   39|     v39_10(void)                                          = ^IndirectReadSideEffect[0]                             : &:r39_7, ~m?
+#   39|     mu39_11(shared_ptr<shared_ptr<const int>>)            = ^IndirectMustWriteSideEffect[-1]                       : &:r39_2
 #   39|     r39_12(shared_ptr<shared_ptr<const int>>)             = Load[#temp39:37]                                       : &:r39_2, ~m?
 #   39|     v39_13(void)                                          = Call[shared_ptr_shared_ptr_const_int]                  : func:r39_1, 0:r39_12
 #   39|     mu39_14(unknown)                                      = ^CallSideEffect                                        : ~m?
@@ -8049,8 +8049,8 @@ smart_ptr.cpp:
 #   43|     r43_7(shared_ptr<const shared_ptr<int>> &)            = CopyValue                                              : r43_6
 #   43|     v43_8(void)                                           = Call[shared_ptr]                                       : func:r43_4, this:r43_2, 0:r43_7
 #   43|     mu43_9(unknown)                                       = ^CallSideEffect                                        : ~m?
-#   43|     mu43_10(shared_ptr<const shared_ptr<int>>)            = ^IndirectMustWriteSideEffect[-1]                       : &:r43_2
-#   43|     v43_11(void)                                          = ^IndirectReadSideEffect[0]                             : &:r43_7, ~m?
+#   43|     v43_10(void)                                          = ^IndirectReadSideEffect[0]                             : &:r43_7, ~m?
+#   43|     mu43_11(shared_ptr<const shared_ptr<int>>)            = ^IndirectMustWriteSideEffect[-1]                       : &:r43_2
 #   43|     r43_12(shared_ptr<const shared_ptr<int>>)             = Load[#temp43:37]                                       : &:r43_2, ~m?
 #   43|     v43_13(void)                                          = Call[shared_ptr_const_shared_ptr_int]                  : func:r43_1, 0:r43_12
 #   43|     mu43_14(unknown)                                      = ^CallSideEffect                                        : ~m?
@@ -8067,8 +8067,8 @@ smart_ptr.cpp:
 #   47|     r47_7(shared_ptr<const shared_ptr<const int>> &)      = CopyValue                                              : r47_6
 #   47|     v47_8(void)                                           = Call[shared_ptr]                                       : func:r47_4, this:r47_2, 0:r47_7
 #   47|     mu47_9(unknown)                                       = ^CallSideEffect                                        : ~m?
-#   47|     mu47_10(shared_ptr<const shared_ptr<const int>>)      = ^IndirectMustWriteSideEffect[-1]                       : &:r47_2
-#   47|     v47_11(void)                                          = ^IndirectReadSideEffect[0]                             : &:r47_7, ~m?
+#   47|     v47_10(void)                                          = ^IndirectReadSideEffect[0]                             : &:r47_7, ~m?
+#   47|     mu47_11(shared_ptr<const shared_ptr<const int>>)      = ^IndirectMustWriteSideEffect[-1]                       : &:r47_2
 #   47|     r47_12(shared_ptr<const shared_ptr<const int>>)       = Load[#temp47:43]                                       : &:r47_2, ~m?
 #   47|     v47_13(void)                                          = Call[shared_ptr_const_shared_ptr_const_int]            : func:r47_1, 0:r47_12
 #   47|     mu47_14(unknown)                                      = ^CallSideEffect                                        : ~m?

cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected

@@ -1398,13 +1398,13 @@ ssa.cpp:
 #  294|     v294_25(void)           = Call[A]                         : func:r294_9, this:r294_8, 0:r294_16
 #  294|     m294_26(unknown)        = ^CallSideEffect                 : ~m294_22
 #  294|     m294_27(unknown)        = Chi                             : total:m294_22, partial:m294_26
-#  294|     m294_28(A)              = ^IndirectMayWriteSideEffect[-1] : &:r294_8
-#  294|     m294_29(unknown)        = Chi                             : total:m294_7, partial:m294_28
-#  294|     v294_30(void)           = ^BufferReadSideEffect[0]        : &:r294_16, ~m294_24
+#  294|     v294_28(void)           = ^BufferReadSideEffect[0]        : &:r294_16, ~m294_24
+#  294|     m294_29(A)              = ^IndirectMayWriteSideEffect[-1] : &:r294_8
+#  294|     m294_30(unknown)        = Chi                             : total:m294_7, partial:m294_29
 #  294|     m294_31(unknown)        = ^BufferMayWriteSideEffect[0]    : &:r294_16
 #  294|     m294_32(unknown)        = Chi                             : total:m294_24, partial:m294_31
 #  294|     r294_33(glval<int>)     = FieldAddress[i]                 : r294_8
-#  294|     r294_34(int)            = Load[?]                         : &:r294_33, ~m294_29
+#  294|     r294_34(int)            = Load[?]                         : &:r294_33, ~m294_30
 #  294|     m294_35(int)            = Store[j]                        : &:r294_1, r294_34
 #  295|     r295_1(glval<A *>)      = VariableAddress[a]              : 
 #  295|     r295_2(glval<unknown>)  = FunctionAddress[operator new]   : 

cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected

@@ -1392,13 +1392,13 @@ ssa.cpp:
 #  294|     v294_25(void)           = Call[A]                         : func:r294_9, this:r294_8, 0:r294_16
 #  294|     m294_26(unknown)        = ^CallSideEffect                 : ~m294_22
 #  294|     m294_27(unknown)        = Chi                             : total:m294_22, partial:m294_26
-#  294|     m294_28(A)              = ^IndirectMayWriteSideEffect[-1] : &:r294_8
-#  294|     m294_29(unknown)        = Chi                             : total:m294_7, partial:m294_28
-#  294|     v294_30(void)           = ^BufferReadSideEffect[0]        : &:r294_16, ~m294_24
+#  294|     v294_28(void)           = ^BufferReadSideEffect[0]        : &:r294_16, ~m294_24
+#  294|     m294_29(A)              = ^IndirectMayWriteSideEffect[-1] : &:r294_8
+#  294|     m294_30(unknown)        = Chi                             : total:m294_7, partial:m294_29
 #  294|     m294_31(unknown)        = ^BufferMayWriteSideEffect[0]    : &:r294_16
 #  294|     m294_32(unknown)        = Chi                             : total:m294_24, partial:m294_31
 #  294|     r294_33(glval<int>)     = FieldAddress[i]                 : r294_8
-#  294|     r294_34(int)            = Load[?]                         : &:r294_33, ~m294_29
+#  294|     r294_34(int)            = Load[?]                         : &:r294_33, ~m294_30
 #  294|     m294_35(int)            = Store[j]                        : &:r294_1, r294_34
 #  295|     r295_1(glval<A *>)      = VariableAddress[a]              : 
 #  295|     r295_2(glval<unknown>)  = FunctionAddress[operator new]   : 

cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected

@@ -1285,8 +1285,8 @@ ssa.cpp:
 #  294|     mu294_20(A)             = ^IndirectMayWriteSideEffect[-1] : &:r294_14
 #  294|     v294_21(void)           = Call[A]                         : func:r294_8, this:r294_7, 0:r294_14
 #  294|     mu294_22(unknown)       = ^CallSideEffect                 : ~m?
-#  294|     mu294_23(A)             = ^IndirectMayWriteSideEffect[-1] : &:r294_7
-#  294|     v294_24(void)           = ^BufferReadSideEffect[0]        : &:r294_14, ~m?
+#  294|     v294_23(void)           = ^BufferReadSideEffect[0]        : &:r294_14, ~m?
+#  294|     mu294_24(A)             = ^IndirectMayWriteSideEffect[-1] : &:r294_7
 #  294|     mu294_25(unknown)       = ^BufferMayWriteSideEffect[0]    : &:r294_14
 #  294|     r294_26(glval<int>)     = FieldAddress[i]                 : r294_7
 #  294|     r294_27(int)            = Load[?]                         : &:r294_26, ~m?

cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected

@@ -1285,8 +1285,8 @@ ssa.cpp:
 #  294|     mu294_20(A)             = ^IndirectMayWriteSideEffect[-1] : &:r294_14
 #  294|     v294_21(void)           = Call[A]                         : func:r294_8, this:r294_7, 0:r294_14
 #  294|     mu294_22(unknown)       = ^CallSideEffect                 : ~m?
-#  294|     mu294_23(A)             = ^IndirectMayWriteSideEffect[-1] : &:r294_7
-#  294|     v294_24(void)           = ^BufferReadSideEffect[0]        : &:r294_14, ~m?
+#  294|     v294_23(void)           = ^BufferReadSideEffect[0]        : &:r294_14, ~m?
+#  294|     mu294_24(A)             = ^IndirectMayWriteSideEffect[-1] : &:r294_7
 #  294|     mu294_25(unknown)       = ^BufferMayWriteSideEffect[0]    : &:r294_14
 #  294|     r294_26(glval<int>)     = FieldAddress[i]                 : r294_7
 #  294|     r294_27(int)            = Load[?]                         : &:r294_26, ~m?

cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/hiding.cpp

@@ -1,4 +1,4 @@
-
+// semmle-extractor-options: -std=c++17
 void f(void) {
     if (1) {
         int i;
@@ -30,3 +30,12 @@ void nestedRangeBasedFor() {
     for (auto y : ys) // GOOD
       x = y = 0;
 }
+
+void structuredBinding() {
+  int xs[1] = {1};
+  auto [x] = xs;
+  {
+    auto [x] = xs; // BAD [NOT DETECTED]
+    auto [y] = xs; // GOOD
+  }
+}

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected

@@ -1,8 +1,231 @@
-| test.cpp:17:2:17:12 | return ... | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc |
-| test.cpp:25:2:25:12 | return ... | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc |
-| test.cpp:47:2:47:11 | return ... | May return stack-allocated memory from $@. | test.cpp:47:9:47:10 | mc | mc |
-| test.cpp:54:2:54:16 | return ... | May return stack-allocated memory from $@. | test.cpp:54:11:54:12 | mc | mc |
-| test.cpp:92:2:92:12 | return ... | May return stack-allocated memory from $@. | test.cpp:89:10:89:11 | mc | mc |
-| test.cpp:112:2:112:12 | return ... | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr |
-| test.cpp:119:2:119:19 | return ... | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr |
-| test.cpp:171:3:171:24 | return ... | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal |
+edges
+| test.cpp:17:9:17:11 | & ... | test.cpp:17:9:17:11 | StoreValue |
+| test.cpp:17:10:17:11 | Unary | test.cpp:17:9:17:11 | & ... |
+| test.cpp:17:10:17:11 | mc | test.cpp:17:10:17:11 | Unary |
+| test.cpp:23:17:23:19 | & ... | test.cpp:23:17:23:19 | StoreValue |
+| test.cpp:23:17:23:19 | Store | test.cpp:25:9:25:11 | Load |
+| test.cpp:23:17:23:19 | StoreValue | test.cpp:23:17:23:19 | Store |
+| test.cpp:23:18:23:19 | Unary | test.cpp:23:17:23:19 | & ... |
+| test.cpp:23:18:23:19 | mc | test.cpp:23:18:23:19 | Unary |
+| test.cpp:25:9:25:11 | Load | test.cpp:25:9:25:11 | ptr |
+| test.cpp:25:9:25:11 | ptr | test.cpp:25:9:25:11 | StoreValue |
+| test.cpp:39:17:39:18 | (reference to) | test.cpp:39:17:39:18 | StoreValue |
+| test.cpp:39:17:39:18 | Store | test.cpp:41:10:41:12 | Load |
+| test.cpp:39:17:39:18 | StoreValue | test.cpp:39:17:39:18 | Store |
+| test.cpp:39:17:39:18 | Unary | test.cpp:39:17:39:18 | (reference to) |
+| test.cpp:39:17:39:18 | mc | test.cpp:39:17:39:18 | Unary |
+| test.cpp:41:9:41:12 | & ... | test.cpp:41:9:41:12 | StoreValue |
+| test.cpp:41:10:41:12 | (reference dereference) | test.cpp:41:10:41:12 | Unary |
+| test.cpp:41:10:41:12 | Load | test.cpp:41:10:41:12 | ref |
+| test.cpp:41:10:41:12 | Unary | test.cpp:41:9:41:12 | & ... |
+| test.cpp:41:10:41:12 | Unary | test.cpp:41:10:41:12 | (reference dereference) |
+| test.cpp:41:10:41:12 | ref | test.cpp:41:10:41:12 | Unary |
+| test.cpp:47:9:47:10 | (reference to) | test.cpp:47:9:47:10 | StoreValue |
+| test.cpp:47:9:47:10 | Unary | test.cpp:47:9:47:10 | (reference to) |
+| test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | Unary |
+| test.cpp:54:9:54:15 | & ... | test.cpp:54:9:54:15 | StoreValue |
+| test.cpp:54:11:54:12 | Unary | test.cpp:54:14:54:14 | a |
+| test.cpp:54:11:54:12 | mc | test.cpp:54:11:54:12 | Unary |
+| test.cpp:54:14:54:14 | Unary | test.cpp:54:9:54:15 | & ... |
+| test.cpp:54:14:54:14 | a | test.cpp:54:14:54:14 | Unary |
+| test.cpp:89:3:89:11 | Store | test.cpp:92:9:92:11 | Load |
+| test.cpp:89:9:89:11 | & ... | test.cpp:89:9:89:11 | StoreValue |
+| test.cpp:89:9:89:11 | StoreValue | test.cpp:89:3:89:11 | Store |
+| test.cpp:89:10:89:11 | Unary | test.cpp:89:9:89:11 | & ... |
+| test.cpp:89:10:89:11 | mc | test.cpp:89:10:89:11 | Unary |
+| test.cpp:92:9:92:11 | Load | test.cpp:92:9:92:11 | ptr |
+| test.cpp:92:9:92:11 | ptr | test.cpp:92:9:92:11 | StoreValue |
+| test.cpp:112:9:112:11 | Unary | test.cpp:112:9:112:11 | array to pointer conversion |
+| test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | Unary |
+| test.cpp:112:9:112:11 | array to pointer conversion | test.cpp:112:9:112:11 | StoreValue |
+| test.cpp:119:9:119:18 | & ... | test.cpp:119:9:119:18 | StoreValue |
+| test.cpp:119:11:119:13 | Left | test.cpp:119:11:119:17 | access to array |
+| test.cpp:119:11:119:13 | Unary | test.cpp:119:11:119:13 | array to pointer conversion |
+| test.cpp:119:11:119:13 | arr | test.cpp:119:11:119:13 | Unary |
+| test.cpp:119:11:119:13 | array to pointer conversion | test.cpp:119:11:119:13 | Left |
+| test.cpp:119:11:119:17 | Unary | test.cpp:119:9:119:18 | & ... |
+| test.cpp:119:11:119:17 | access to array | test.cpp:119:11:119:17 | Unary |
+| test.cpp:134:2:134:14 | Store | test.cpp:135:2:135:4 | Load |
+| test.cpp:134:8:134:10 | Left | test.cpp:134:8:134:14 | ... + ... |
+| test.cpp:134:8:134:10 | Unary | test.cpp:134:8:134:10 | array to pointer conversion |
+| test.cpp:134:8:134:10 | arr | test.cpp:134:8:134:10 | Unary |
+| test.cpp:134:8:134:10 | array to pointer conversion | test.cpp:134:8:134:10 | Left |
+| test.cpp:134:8:134:14 | ... + ... | test.cpp:134:8:134:14 | StoreValue |
+| test.cpp:134:8:134:14 | StoreValue | test.cpp:134:2:134:14 | Store |
+| test.cpp:135:2:135:4 | Left | test.cpp:135:2:135:6 | PointerAdd |
+| test.cpp:135:2:135:4 | Load | test.cpp:135:2:135:4 | ptr |
+| test.cpp:135:2:135:4 | ptr | test.cpp:135:2:135:4 | Left |
+| test.cpp:135:2:135:6 | PointerAdd | test.cpp:135:2:135:6 | StoreValue |
+| test.cpp:135:2:135:6 | Store | test.cpp:137:9:137:11 | Load |
+| test.cpp:135:2:135:6 | StoreValue | test.cpp:135:2:135:6 | Store |
+| test.cpp:137:9:137:11 | Load | test.cpp:137:9:137:11 | ptr |
+| test.cpp:137:9:137:11 | ptr | test.cpp:137:9:137:11 | StoreValue |
+| test.cpp:170:26:170:41 | (void *)... | test.cpp:170:26:170:41 | StoreValue |
+| test.cpp:170:26:170:41 | Store | test.cpp:171:10:171:23 | Load |
+| test.cpp:170:26:170:41 | StoreValue | test.cpp:170:26:170:41 | Store |
+| test.cpp:170:34:170:41 | & ... | test.cpp:170:34:170:41 | Unary |
+| test.cpp:170:34:170:41 | Unary | test.cpp:170:26:170:41 | (void *)... |
+| test.cpp:170:35:170:41 | Unary | test.cpp:170:34:170:41 | & ... |
+| test.cpp:170:35:170:41 | myLocal | test.cpp:170:35:170:41 | Unary |
+| test.cpp:171:10:171:23 | Load | test.cpp:171:10:171:23 | pointerToLocal |
+| test.cpp:171:10:171:23 | pointerToLocal | test.cpp:171:10:171:23 | StoreValue |
+| test.cpp:176:25:176:34 | Store | test.cpp:177:10:177:23 | Load |
+| test.cpp:176:25:176:34 | StoreValue | test.cpp:176:25:176:34 | Store |
+| test.cpp:176:25:176:34 | Unary | test.cpp:176:25:176:34 | array to pointer conversion |
+| test.cpp:176:25:176:34 | array to pointer conversion | test.cpp:176:25:176:34 | StoreValue |
+| test.cpp:176:25:176:34 | localArray | test.cpp:176:25:176:34 | Unary |
+| test.cpp:177:10:177:23 | (void *)... | test.cpp:177:10:177:23 | StoreValue |
+| test.cpp:177:10:177:23 | Load | test.cpp:177:10:177:23 | pointerToLocal |
+| test.cpp:177:10:177:23 | Unary | test.cpp:177:10:177:23 | (void *)... |
+| test.cpp:177:10:177:23 | pointerToLocal | test.cpp:177:10:177:23 | Unary |
+| test.cpp:182:21:182:27 | (reference to) | test.cpp:182:21:182:27 | StoreValue |
+| test.cpp:182:21:182:27 | Store | test.cpp:183:10:183:19 | Load |
+| test.cpp:182:21:182:27 | StoreValue | test.cpp:182:21:182:27 | Store |
+| test.cpp:182:21:182:27 | Unary | test.cpp:182:21:182:27 | (reference to) |
+| test.cpp:182:21:182:27 | myLocal | test.cpp:182:21:182:27 | Unary |
+| test.cpp:183:10:183:19 | (reference dereference) | test.cpp:183:10:183:19 | Unary |
+| test.cpp:183:10:183:19 | (reference to) | test.cpp:183:10:183:19 | StoreValue |
+| test.cpp:183:10:183:19 | Load | test.cpp:183:10:183:19 | refToLocal |
+| test.cpp:183:10:183:19 | Unary | test.cpp:183:10:183:19 | (reference dereference) |
+| test.cpp:183:10:183:19 | Unary | test.cpp:183:10:183:19 | (reference to) |
+| test.cpp:183:10:183:19 | refToLocal | test.cpp:183:10:183:19 | Unary |
+| test.cpp:189:16:189:16 | (reference to) | test.cpp:189:16:189:16 | StoreValue |
+| test.cpp:189:16:189:16 | Store | test.cpp:190:10:190:13 | Load |
+| test.cpp:189:16:189:16 | StoreValue | test.cpp:189:16:189:16 | Store |
+| test.cpp:189:16:189:16 | Unary | test.cpp:189:16:189:16 | (reference to) |
+| test.cpp:189:16:189:16 | p | test.cpp:189:16:189:16 | Unary |
+| test.cpp:190:10:190:13 | (reference dereference) | test.cpp:190:10:190:13 | Unary |
+| test.cpp:190:10:190:13 | (reference to) | test.cpp:190:10:190:13 | StoreValue |
+| test.cpp:190:10:190:13 | Load | test.cpp:190:10:190:13 | pRef |
+| test.cpp:190:10:190:13 | Unary | test.cpp:190:10:190:13 | (reference dereference) |
+| test.cpp:190:10:190:13 | Unary | test.cpp:190:10:190:13 | (reference to) |
+| test.cpp:190:10:190:13 | pRef | test.cpp:190:10:190:13 | Unary |
+nodes
+| test.cpp:17:9:17:11 | & ... | semmle.label | & ... |
+| test.cpp:17:9:17:11 | StoreValue | semmle.label | StoreValue |
+| test.cpp:17:10:17:11 | Unary | semmle.label | Unary |
+| test.cpp:17:10:17:11 | mc | semmle.label | mc |
+| test.cpp:23:17:23:19 | & ... | semmle.label | & ... |
+| test.cpp:23:17:23:19 | Store | semmle.label | Store |
+| test.cpp:23:17:23:19 | StoreValue | semmle.label | StoreValue |
+| test.cpp:23:18:23:19 | Unary | semmle.label | Unary |
+| test.cpp:23:18:23:19 | mc | semmle.label | mc |
+| test.cpp:25:9:25:11 | Load | semmle.label | Load |
+| test.cpp:25:9:25:11 | StoreValue | semmle.label | StoreValue |
+| test.cpp:25:9:25:11 | ptr | semmle.label | ptr |
+| test.cpp:39:17:39:18 | (reference to) | semmle.label | (reference to) |
+| test.cpp:39:17:39:18 | Store | semmle.label | Store |
+| test.cpp:39:17:39:18 | StoreValue | semmle.label | StoreValue |
+| test.cpp:39:17:39:18 | Unary | semmle.label | Unary |
+| test.cpp:39:17:39:18 | mc | semmle.label | mc |
+| test.cpp:41:9:41:12 | & ... | semmle.label | & ... |
+| test.cpp:41:9:41:12 | StoreValue | semmle.label | StoreValue |
+| test.cpp:41:10:41:12 | (reference dereference) | semmle.label | (reference dereference) |
+| test.cpp:41:10:41:12 | Load | semmle.label | Load |
+| test.cpp:41:10:41:12 | Unary | semmle.label | Unary |
+| test.cpp:41:10:41:12 | Unary | semmle.label | Unary |
+| test.cpp:41:10:41:12 | ref | semmle.label | ref |
+| test.cpp:47:9:47:10 | (reference to) | semmle.label | (reference to) |
+| test.cpp:47:9:47:10 | StoreValue | semmle.label | StoreValue |
+| test.cpp:47:9:47:10 | Unary | semmle.label | Unary |
+| test.cpp:47:9:47:10 | mc | semmle.label | mc |
+| test.cpp:54:9:54:15 | & ... | semmle.label | & ... |
+| test.cpp:54:9:54:15 | StoreValue | semmle.label | StoreValue |
+| test.cpp:54:11:54:12 | Unary | semmle.label | Unary |
+| test.cpp:54:11:54:12 | mc | semmle.label | mc |
+| test.cpp:54:14:54:14 | Unary | semmle.label | Unary |
+| test.cpp:54:14:54:14 | a | semmle.label | a |
+| test.cpp:89:3:89:11 | Store | semmle.label | Store |
+| test.cpp:89:9:89:11 | & ... | semmle.label | & ... |
+| test.cpp:89:9:89:11 | StoreValue | semmle.label | StoreValue |
+| test.cpp:89:10:89:11 | Unary | semmle.label | Unary |
+| test.cpp:89:10:89:11 | mc | semmle.label | mc |
+| test.cpp:92:9:92:11 | Load | semmle.label | Load |
+| test.cpp:92:9:92:11 | StoreValue | semmle.label | StoreValue |
+| test.cpp:92:9:92:11 | ptr | semmle.label | ptr |
+| test.cpp:112:9:112:11 | StoreValue | semmle.label | StoreValue |
+| test.cpp:112:9:112:11 | Unary | semmle.label | Unary |
+| test.cpp:112:9:112:11 | arr | semmle.label | arr |
+| test.cpp:112:9:112:11 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.cpp:119:9:119:18 | & ... | semmle.label | & ... |
+| test.cpp:119:9:119:18 | StoreValue | semmle.label | StoreValue |
+| test.cpp:119:11:119:13 | Left | semmle.label | Left |
+| test.cpp:119:11:119:13 | Unary | semmle.label | Unary |
+| test.cpp:119:11:119:13 | arr | semmle.label | arr |
+| test.cpp:119:11:119:13 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.cpp:119:11:119:17 | Unary | semmle.label | Unary |
+| test.cpp:119:11:119:17 | access to array | semmle.label | access to array |
+| test.cpp:134:2:134:14 | Store | semmle.label | Store |
+| test.cpp:134:8:134:10 | Left | semmle.label | Left |
+| test.cpp:134:8:134:10 | Unary | semmle.label | Unary |
+| test.cpp:134:8:134:10 | arr | semmle.label | arr |
+| test.cpp:134:8:134:10 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.cpp:134:8:134:14 | ... + ... | semmle.label | ... + ... |
+| test.cpp:134:8:134:14 | StoreValue | semmle.label | StoreValue |
+| test.cpp:135:2:135:4 | Left | semmle.label | Left |
+| test.cpp:135:2:135:4 | Load | semmle.label | Load |
+| test.cpp:135:2:135:4 | ptr | semmle.label | ptr |
+| test.cpp:135:2:135:6 | PointerAdd | semmle.label | PointerAdd |
+| test.cpp:135:2:135:6 | Store | semmle.label | Store |
+| test.cpp:135:2:135:6 | StoreValue | semmle.label | StoreValue |
+| test.cpp:137:9:137:11 | Load | semmle.label | Load |
+| test.cpp:137:9:137:11 | StoreValue | semmle.label | StoreValue |
+| test.cpp:137:9:137:11 | ptr | semmle.label | ptr |
+| test.cpp:170:26:170:41 | (void *)... | semmle.label | (void *)... |
+| test.cpp:170:26:170:41 | Store | semmle.label | Store |
+| test.cpp:170:26:170:41 | StoreValue | semmle.label | StoreValue |
+| test.cpp:170:34:170:41 | & ... | semmle.label | & ... |
+| test.cpp:170:34:170:41 | Unary | semmle.label | Unary |
+| test.cpp:170:35:170:41 | Unary | semmle.label | Unary |
+| test.cpp:170:35:170:41 | myLocal | semmle.label | myLocal |
+| test.cpp:171:10:171:23 | Load | semmle.label | Load |
+| test.cpp:171:10:171:23 | StoreValue | semmle.label | StoreValue |
+| test.cpp:171:10:171:23 | pointerToLocal | semmle.label | pointerToLocal |
+| test.cpp:176:25:176:34 | Store | semmle.label | Store |
+| test.cpp:176:25:176:34 | StoreValue | semmle.label | StoreValue |
+| test.cpp:176:25:176:34 | Unary | semmle.label | Unary |
+| test.cpp:176:25:176:34 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.cpp:176:25:176:34 | localArray | semmle.label | localArray |
+| test.cpp:177:10:177:23 | (void *)... | semmle.label | (void *)... |
+| test.cpp:177:10:177:23 | Load | semmle.label | Load |
+| test.cpp:177:10:177:23 | StoreValue | semmle.label | StoreValue |
+| test.cpp:177:10:177:23 | Unary | semmle.label | Unary |
+| test.cpp:177:10:177:23 | pointerToLocal | semmle.label | pointerToLocal |
+| test.cpp:182:21:182:27 | (reference to) | semmle.label | (reference to) |
+| test.cpp:182:21:182:27 | Store | semmle.label | Store |
+| test.cpp:182:21:182:27 | StoreValue | semmle.label | StoreValue |
+| test.cpp:182:21:182:27 | Unary | semmle.label | Unary |
+| test.cpp:182:21:182:27 | myLocal | semmle.label | myLocal |
+| test.cpp:183:10:183:19 | (reference dereference) | semmle.label | (reference dereference) |
+| test.cpp:183:10:183:19 | (reference to) | semmle.label | (reference to) |
+| test.cpp:183:10:183:19 | Load | semmle.label | Load |
+| test.cpp:183:10:183:19 | StoreValue | semmle.label | StoreValue |
+| test.cpp:183:10:183:19 | Unary | semmle.label | Unary |
+| test.cpp:183:10:183:19 | Unary | semmle.label | Unary |
+| test.cpp:183:10:183:19 | refToLocal | semmle.label | refToLocal |
+| test.cpp:189:16:189:16 | (reference to) | semmle.label | (reference to) |
+| test.cpp:189:16:189:16 | Store | semmle.label | Store |
+| test.cpp:189:16:189:16 | StoreValue | semmle.label | StoreValue |
+| test.cpp:189:16:189:16 | Unary | semmle.label | Unary |
+| test.cpp:189:16:189:16 | p | semmle.label | p |
+| test.cpp:190:10:190:13 | (reference dereference) | semmle.label | (reference dereference) |
+| test.cpp:190:10:190:13 | (reference to) | semmle.label | (reference to) |
+| test.cpp:190:10:190:13 | Load | semmle.label | Load |
+| test.cpp:190:10:190:13 | StoreValue | semmle.label | StoreValue |
+| test.cpp:190:10:190:13 | Unary | semmle.label | Unary |
+| test.cpp:190:10:190:13 | Unary | semmle.label | Unary |
+| test.cpp:190:10:190:13 | pRef | semmle.label | pRef |
+#select
+| test.cpp:17:9:17:11 | StoreValue | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc |
+| test.cpp:25:9:25:11 | StoreValue | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc |
+| test.cpp:41:9:41:12 | StoreValue | test.cpp:39:17:39:18 | mc | test.cpp:41:9:41:12 | StoreValue | May return stack-allocated memory from $@. | test.cpp:39:17:39:18 | mc | mc |
+| test.cpp:47:9:47:10 | StoreValue | test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | StoreValue | May return stack-allocated memory from $@. | test.cpp:47:9:47:10 | mc | mc |
+| test.cpp:54:9:54:15 | StoreValue | test.cpp:54:11:54:12 | mc | test.cpp:54:9:54:15 | StoreValue | May return stack-allocated memory from $@. | test.cpp:54:11:54:12 | mc | mc |
+| test.cpp:92:9:92:11 | StoreValue | test.cpp:89:10:89:11 | mc | test.cpp:92:9:92:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:89:10:89:11 | mc | mc |
+| test.cpp:112:9:112:11 | StoreValue | test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr |
+| test.cpp:119:9:119:18 | StoreValue | test.cpp:119:11:119:13 | arr | test.cpp:119:9:119:18 | StoreValue | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr |
+| test.cpp:137:9:137:11 | StoreValue | test.cpp:134:8:134:10 | arr | test.cpp:137:9:137:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:134:8:134:10 | arr | arr |
+| test.cpp:171:10:171:23 | StoreValue | test.cpp:170:35:170:41 | myLocal | test.cpp:171:10:171:23 | StoreValue | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal |
+| test.cpp:177:10:177:23 | StoreValue | test.cpp:176:25:176:34 | localArray | test.cpp:177:10:177:23 | StoreValue | May return stack-allocated memory from $@. | test.cpp:176:25:176:34 | localArray | localArray |
+| test.cpp:183:10:183:19 | StoreValue | test.cpp:182:21:182:27 | myLocal | test.cpp:183:10:183:19 | StoreValue | May return stack-allocated memory from $@. | test.cpp:182:21:182:27 | myLocal | myLocal |
+| test.cpp:190:10:190:13 | StoreValue | test.cpp:189:16:189:16 | p | test.cpp:190:10:190:13 | StoreValue | May return stack-allocated memory from $@. | test.cpp:189:16:189:16 | p | p |

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp

@@ -38,7 +38,7 @@ MyClass *test4()
 	MyClass mc;
 	MyClass &ref = mc;
 
-	return &ref; // BAD [NOT DETECTED]
+	return &ref; // BAD
 }
 
 MyClass &test5()
@@ -134,7 +134,7 @@ char *testArray4()
 	ptr = arr + 1;
 	ptr++;
 
-	return ptr; // BAD [NOT DETECTED]
+	return ptr; // BAD
 }
 
 char *testArray5()
@@ -174,20 +174,20 @@ void *conversionBeforeDataFlow() {
 void *arrayConversionBeforeDataFlow() {
   int localArray[4];
   int *pointerToLocal = localArray; // has conversion
-  return pointerToLocal; // BAD [NOT DETECTED]
+  return pointerToLocal; // BAD
 }
 
 int &dataFlowThroughReference() {
   int myLocal;
   int &refToLocal = myLocal; // has conversion
-  return refToLocal; // BAD [NOT DETECTED]
+  return refToLocal; // BAD
 }
 
 int *&conversionInFlow() {
   int myLocal;
   int *p = &myLocal;
   int *&pRef = p; // has conversion in the middle of data flow
-  return pRef; // BAD [NOT DETECTED]
+  return pRef; // BAD
 }
 
 namespace std {
@@ -215,4 +215,9 @@ auto make_read_port()
   auto port = std::shared_ptr<int>(new int);
   auto ptr = port.get();
   return ptr; // GOOD
+}
+
+void* get_sp() {
+	int p;
+	return (void*)&p; // GOOD: The function name makes it sound like the programmer intended to get the value of the stack pointer.
 }

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected

@@ -1,18 +1,8 @@
 edges
 | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input indirection |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input indirection |
-subpaths
 nodes
 | test.cpp:54:17:54:20 | argv | semmle.label | argv |
-| test.cpp:54:17:54:20 | argv | semmle.label | argv |
 | test.cpp:58:25:58:29 | input | semmle.label | input |
-| test.cpp:58:25:58:29 | input | semmle.label | input |
-| test.cpp:58:25:58:29 | input | semmle.label | input |
-| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
-| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
+subpaths
 #select
-| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |
+| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (a command-line argument) |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected

@@ -1,10 +1,42 @@
-| test2.cpp:43:2:43:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:43:36:43:43 | password | this source. |
-| test2.cpp:44:2:44:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:44:37:44:45 | thepasswd | this source. |
-| test2.cpp:50:2:50:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:50:41:50:53 | passwd_config | this source. |
-| test2.cpp:54:2:54:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:54:41:54:52 | widepassword | this source. |
-| test2.cpp:55:2:55:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:55:40:55:51 | widepassword | this source. |
-| test2.cpp:57:2:57:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:57:39:57:49 | call to getPassword | this source. |
-| test2.cpp:65:3:65:9 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:62:18:62:25 | password | this source. |
-| test.cpp:45:3:45:7 | call to fputs | This write into file 'file' may contain unencrypted data from $@ | test.cpp:45:9:45:19 | thePassword | this source. |
-| test.cpp:70:35:70:35 | call to operator<< | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:70:38:70:48 | thePassword | this source. |
-| test.cpp:73:37:73:41 | call to write | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:73:43:73:53 | thePassword | this source. |
+edges
+| test2.cpp:52:44:52:57 | password_tries | test2.cpp:52:40:52:58 | * ... |
+| test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 |
+| test2.cpp:72:17:72:24 | password | test2.cpp:73:30:73:32 | buf |
+| test2.cpp:72:17:72:24 | password | test2.cpp:76:30:76:32 | buf |
+| test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | buffer |
+nodes
+| test2.cpp:43:36:43:43 | password | semmle.label | password |
+| test2.cpp:44:37:44:45 | thepasswd | semmle.label | thepasswd |
+| test2.cpp:50:41:50:53 | passwd_config | semmle.label | passwd_config |
+| test2.cpp:52:40:52:58 | * ... | semmle.label | * ... |
+| test2.cpp:52:44:52:57 | password_tries | semmle.label | password_tries |
+| test2.cpp:54:41:54:52 | widepassword | semmle.label | widepassword |
+| test2.cpp:55:40:55:51 | widepassword | semmle.label | widepassword |
+| test2.cpp:57:39:57:49 | call to getPassword | semmle.label | call to getPassword |
+| test2.cpp:62:18:62:25 | password | semmle.label | password |
+| test2.cpp:65:31:65:34 | cpy1 | semmle.label | cpy1 |
+| test2.cpp:72:17:72:24 | password | semmle.label | password |
+| test2.cpp:73:30:73:32 | buf | semmle.label | buf |
+| test2.cpp:76:30:76:32 | buf | semmle.label | buf |
+| test2.cpp:86:36:86:43 | password | semmle.label | password |
+| test2.cpp:91:50:91:63 | passwd_config2 | semmle.label | passwd_config2 |
+| test2.cpp:98:45:98:52 | password | semmle.label | password |
+| test2.cpp:99:27:99:32 | buffer | semmle.label | buffer |
+| test.cpp:45:9:45:19 | thePassword | semmle.label | thePassword |
+| test.cpp:70:38:70:48 | thePassword | semmle.label | thePassword |
+| test.cpp:73:43:73:53 | thePassword | semmle.label | thePassword |
+subpaths
+#select
+| test2.cpp:43:2:43:8 | call to fprintf | test2.cpp:43:36:43:43 | password | test2.cpp:43:36:43:43 | password | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:43:36:43:43 | password | this source. |
+| test2.cpp:44:2:44:8 | call to fprintf | test2.cpp:44:37:44:45 | thepasswd | test2.cpp:44:37:44:45 | thepasswd | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:44:37:44:45 | thepasswd | this source. |
+| test2.cpp:50:2:50:8 | call to fprintf | test2.cpp:50:41:50:53 | passwd_config | test2.cpp:50:41:50:53 | passwd_config | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:50:41:50:53 | passwd_config | this source. |
+| test2.cpp:54:2:54:8 | call to fprintf | test2.cpp:54:41:54:52 | widepassword | test2.cpp:54:41:54:52 | widepassword | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:54:41:54:52 | widepassword | this source. |
+| test2.cpp:55:2:55:8 | call to fprintf | test2.cpp:55:40:55:51 | widepassword | test2.cpp:55:40:55:51 | widepassword | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:55:40:55:51 | widepassword | this source. |
+| test2.cpp:57:2:57:8 | call to fprintf | test2.cpp:57:39:57:49 | call to getPassword | test2.cpp:57:39:57:49 | call to getPassword | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:57:39:57:49 | call to getPassword | this source. |
+| test2.cpp:65:3:65:9 | call to fprintf | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:62:18:62:25 | password | this source. |
+| test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:17:72:24 | password | test2.cpp:73:30:73:32 | buf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:72:17:72:24 | password | this source. |
+| test2.cpp:76:3:76:9 | call to fprintf | test2.cpp:72:17:72:24 | password | test2.cpp:76:30:76:32 | buf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:72:17:72:24 | password | this source. |
+| test2.cpp:99:3:99:9 | call to fprintf | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | buffer | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:98:45:98:52 | password | this source. |
+| test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@ | test.cpp:45:9:45:19 | thePassword | this source. |
+| test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:70:38:70:48 | thePassword | this source. |
+| test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:73:43:73:53 | thePassword | this source. |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected

@@ -37,10 +37,8 @@ edges
 | test3.cpp:214:8:214:15 | password | test3.cpp:217:30:217:37 | password |
 | test3.cpp:214:8:214:15 | password | test3.cpp:219:15:219:26 | password_ptr |
 | test3.cpp:217:18:217:28 | call to rtn_encrypt | test3.cpp:219:15:219:26 | password_ptr |
-| test3.cpp:225:34:225:41 | password | test3.cpp:227:22:227:29 | password |
 | test3.cpp:225:34:225:41 | password | test3.cpp:228:26:228:33 | password |
 | test3.cpp:239:7:239:14 | password | test3.cpp:241:8:241:15 | password |
-| test3.cpp:239:7:239:14 | password | test3.cpp:242:8:242:15 | password |
 | test3.cpp:252:8:252:16 | password1 | test3.cpp:254:15:254:23 | password1 |
 | test3.cpp:252:8:252:16 | password1 | test3.cpp:256:3:256:19 | call to decrypt_to_buffer |
 | test3.cpp:252:8:252:16 | password1 | test3.cpp:256:21:256:29 | password1 |
@@ -84,6 +82,13 @@ edges
 | test3.cpp:350:9:350:16 | password | test3.cpp:352:16:352:23 | password |
 | test3.cpp:350:9:350:16 | password | test3.cpp:353:4:353:18 | call to decrypt_inplace |
 | test3.cpp:350:9:350:16 | password | test3.cpp:353:20:353:27 | password |
+| test3.cpp:366:8:366:15 | password | test3.cpp:368:15:368:22 | password |
+| test3.cpp:366:8:366:15 | password | test3.cpp:374:3:374:18 | call to SecureZeroBuffer |
+| test3.cpp:366:8:366:15 | password | test3.cpp:374:20:374:27 | password |
+| test3.cpp:386:8:386:15 | password | test3.cpp:388:15:388:22 | password |
+| test3.cpp:398:18:398:25 | password | test3.cpp:400:15:400:23 | & ... |
+| test3.cpp:398:18:398:25 | password | test3.cpp:400:16:400:23 | password |
+| test3.cpp:398:18:398:25 | password | test3.cpp:400:33:400:40 | password |
 | test.cpp:41:23:41:43 | cleartext password! | test.cpp:48:21:48:27 | call to encrypt |
 | test.cpp:41:23:41:43 | cleartext password! | test.cpp:48:29:48:39 | thePassword |
 | test.cpp:66:23:66:43 | cleartext password! | test.cpp:76:21:76:27 | call to encrypt |
@@ -144,11 +149,9 @@ nodes
 | test3.cpp:217:30:217:37 | password | semmle.label | password |
 | test3.cpp:219:15:219:26 | password_ptr | semmle.label | password_ptr |
 | test3.cpp:225:34:225:41 | password | semmle.label | password |
-| test3.cpp:227:22:227:29 | password | semmle.label | password |
 | test3.cpp:228:26:228:33 | password | semmle.label | password |
 | test3.cpp:239:7:239:14 | password | semmle.label | password |
 | test3.cpp:241:8:241:15 | password | semmle.label | password |
-| test3.cpp:242:8:242:15 | password | semmle.label | password |
 | test3.cpp:252:8:252:16 | password1 | semmle.label | password1 |
 | test3.cpp:252:24:252:32 | password2 | semmle.label | password2 |
 | test3.cpp:254:15:254:23 | password1 | semmle.label | password1 |
@@ -195,6 +198,16 @@ nodes
 | test3.cpp:352:16:352:23 | password | semmle.label | password |
 | test3.cpp:353:4:353:18 | call to decrypt_inplace | semmle.label | call to decrypt_inplace |
 | test3.cpp:353:20:353:27 | password | semmle.label | password |
+| test3.cpp:366:8:366:15 | password | semmle.label | password |
+| test3.cpp:368:15:368:22 | password | semmle.label | password |
+| test3.cpp:374:3:374:18 | call to SecureZeroBuffer | semmle.label | call to SecureZeroBuffer |
+| test3.cpp:374:20:374:27 | password | semmle.label | password |
+| test3.cpp:386:8:386:15 | password | semmle.label | password |
+| test3.cpp:388:15:388:22 | password | semmle.label | password |
+| test3.cpp:398:18:398:25 | password | semmle.label | password |
+| test3.cpp:400:15:400:23 | & ... | semmle.label | & ... |
+| test3.cpp:400:16:400:23 | password | semmle.label | password |
+| test3.cpp:400:33:400:40 | password | semmle.label | password |
 | test.cpp:41:23:41:43 | cleartext password! | semmle.label | cleartext password! |
 | test.cpp:48:21:48:27 | call to encrypt | semmle.label | call to encrypt |
 | test.cpp:48:29:48:39 | thePassword | semmle.label | thePassword |
@@ -218,11 +231,10 @@ subpaths
 | test3.cpp:140:3:140:6 | call to send | test3.cpp:129:39:129:47 | password1 | test3.cpp:140:15:140:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@ | test3.cpp:129:39:129:47 | password1 | password1 |
 | test3.cpp:146:3:146:6 | call to send | test3.cpp:126:9:126:23 | global_password | test3.cpp:146:15:146:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@ | test3.cpp:126:9:126:23 | global_password | global_password |
 | test3.cpp:159:3:159:6 | call to send | test3.cpp:152:29:152:36 | password | test3.cpp:159:15:159:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@ | test3.cpp:152:29:152:36 | password | password |
-| test3.cpp:227:2:227:5 | call to send | test3.cpp:225:34:225:41 | password | test3.cpp:227:22:227:29 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@ | test3.cpp:225:34:225:41 | password | password |
 | test3.cpp:228:2:228:5 | call to send | test3.cpp:225:34:225:41 | password | test3.cpp:228:26:228:33 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@ | test3.cpp:225:34:225:41 | password | password |
 | test3.cpp:241:2:241:6 | call to fgets | test3.cpp:239:7:239:14 | password | test3.cpp:241:8:241:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:239:7:239:14 | password | password |
-| test3.cpp:242:2:242:6 | call to fgets | test3.cpp:239:7:239:14 | password | test3.cpp:242:8:242:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:239:7:239:14 | password | password |
 | test3.cpp:272:3:272:6 | call to send | test3.cpp:268:19:268:26 | password | test3.cpp:272:15:272:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@ | test3.cpp:268:19:268:26 | password | password |
 | test3.cpp:295:2:295:5 | call to send | test3.cpp:308:58:308:66 | password2 | test3.cpp:295:14:295:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@ | test3.cpp:308:58:308:66 | password2 | password2 |
 | test3.cpp:300:2:300:5 | call to send | test3.cpp:308:58:308:66 | password2 | test3.cpp:300:14:300:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@ | test3.cpp:308:58:308:66 | password2 | password2 |
 | test3.cpp:341:4:341:7 | call to recv | test3.cpp:339:9:339:16 | password | test3.cpp:341:16:341:23 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:339:9:339:16 | password | password |
+| test3.cpp:388:3:388:6 | call to recv | test3.cpp:386:8:386:15 | password | test3.cpp:388:15:388:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:386:8:386:15 | password | password |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp

@@ -70,8 +70,15 @@ void tests(FILE *log, myStruct &s)
 		char buf[1024];
 
 		strcpy(buf, s.password);
-		fprintf(log, "buf = %s\n", buf); // BAD [NOT DETECTED]
+		fprintf(log, "buf = %s\n", buf); // BAD
 		
+		strcpy(buf, s.password_hash);
+		fprintf(log, "buf = %s\n", buf); // GOOD [FALSE POSITIVE]
+	}
+
+	{
+		char buf[1024];
+
 		strcpy(buf, s.password_hash);
 		fprintf(log, "buf = %s\n", buf); // GOOD
 	}
@@ -89,6 +96,6 @@ void tests(FILE *log, myStruct &s)
 		char buffer[1024];
 
 		snprintf(buffer, 1024, "password = %s", s.password);
-		fprintf(log, "log: %s", buffer); // BAD [NOT DETECTED]
+		fprintf(log, "log: %s", buffer); // BAD
 	}
 }

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp

@@ -224,7 +224,7 @@ int get_socket(int from);
 
 void test_more_stdio(const char *password)
 {
-	send(get_socket(1), password, 128, val()); // GOOD: `getsocket(1)` is probably standard output [FALSE POSITIVE]
+	send(get_socket(1), password, 128, val()); // GOOD: `getsocket(1)` is probably standard output
 	send(get_socket(val()), password, 128, val()); // BAD
 }
 
@@ -239,7 +239,7 @@ void test_fgets(FILE *stream)
 	char password[128];
 
 	fgets(password, 128, stream); // BAD
-	fgets(password, 128, STDIN_STREAM); // GOOD: `STDIN_STREAM` is probably standard input [FALSE POSITIVE]
+	fgets(password, 128, STDIN_STREAM); // GOOD: `STDIN_STREAM` is probably standard input
 }
 
 void encrypt_to_buffer(const char *input, char* output);
@@ -356,3 +356,68 @@ void test_loops()
 		}
 	}
 }
+
+void DoDisguisedOperation(char *buffer, size_t size);
+void SecureZeroBuffer(char *buffer, size_t size);
+
+void test_securezero()
+{
+	{
+		char password[256];
+
+		recv(val(), password, 256, val()); // GOOD: password is (probably) encrypted
+
+		DoDisguisedOperation(password, 256); // decryption (disguised)
+
+		// ...
+
+		SecureZeroBuffer(password, 256); // evidence we may have been doing decryption
+	}
+}
+
+struct encrypted_data
+{
+	char data[256];
+};
+
+void test_more_clues()
+{
+	{
+		char password[256];
+
+		recv(val(), password, 256, val()); // BAD: not encrypted
+	}
+
+	{
+		char encrypted_password[256];
+
+		recv(val(), encrypted_password, 256, val()); // GOOD: password is (probably) encrypted
+	}
+
+	{
+		encrypted_data password;
+
+		recv(val(), &password, sizeof(password), val()); // GOOD: password is (probably) encrypted
+	}
+}
+
+struct packet
+{
+	char password[256];
+};
+
+void test_member_password()
+{
+	{
+		packet p;
+
+		recv(val(), p.password, 256, val()); // BAD: not encrypted [NOT DETECTED]
+	}
+
+	{
+		packet p;
+
+		recv(val(), p.password, 256, val()); // GOOD: password is encrypted
+		decrypt_inplace(p.password); // proof that `password` was in fact encrypted
+	}
+}

csharp/downgrades/58a680081d22ec56c376539b7cca9521dc38fdbb/upgrade.properties

@@ -0,0 +1,2 @@
+description: Remove unused legacy relations.
+compatibility: backwards

csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs

@@ -42,7 +42,8 @@ namespace Semmle.Extraction.CSharp.Entities
             var prop = PropertySymbol;
             if (prop is null)
             {
-                Context.ModelError(Symbol, "Unhandled accessor associated symbol");
+                var type = Symbol.AssociatedSymbol?.GetType().ToString() ?? "null";
+                Context.ModelError(Symbol, $"Unhandled accessor associated symbol of type {type}");
                 return;
             }
 
@@ -61,7 +62,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
             else
             {
-                Context.ModelError(Symbol, "Unhandled accessor kind");
+                Context.ModelError(Symbol, $"Unhandled accessor method {Symbol.ToDisplayString()}");
                 return;
             }
 

csharp/extractor/Semmle.Extraction.CSharp/Entities/EventAccessor.cs

@@ -21,7 +21,8 @@ namespace Semmle.Extraction.CSharp.Entities
             var @event = EventSymbol;
             if (@event is null)
             {
-                Context.ModelError(Symbol, "Unhandled event accessor associated symbol");
+                var type = Symbol.AssociatedSymbol?.GetType().ToString() ?? "null";
+                Context.ModelError(Symbol, $"Unhandled event accessor associated symbol of type {type}");
                 return;
             }
 

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Lambda.cs

@@ -45,7 +45,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 else if (body is BlockSyntax blockBody)
                     Statements.Block.Create(Context, blockBody, this, 0);
                 else
-                    Context.ModelError(body, "Unhandled lambda body");
+                    Context.ModelError(body, $"Unhandled lambda body of type {body.GetType()}");
             });
         }
 

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/MemberAccess.cs

@@ -96,7 +96,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     kind = ExprKind.NAMESPACE_ACCESS;
                     break;
                 default:
-                    info.Context.ModelError(info.Node, "Unhandled symbol for member access");
+                    info.Context.ModelError(info.Node, $"Unhandled symbol for member access of kind {symbol.Kind}");
                     kind = ExprKind.UNKNOWN;
                     break;
             }

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/BaseObjectCreation.cs

@@ -43,7 +43,8 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
             if (Syntax.Initializer is not null)
             {
-                switch (Syntax.Initializer.Kind())
+                var kind = Syntax.Initializer.Kind();
+                switch (kind)
                 {
                     case SyntaxKind.CollectionInitializerExpression:
                         CollectionInitializer.Create(new ExpressionNodeInfo(Context, Syntax.Initializer, this, -1).SetType(Type));
@@ -52,7 +53,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         ObjectInitializer.Create(new ExpressionNodeInfo(Context, Syntax.Initializer, this, -1).SetType(Type));
                         break;
                     default:
-                        Context.ModelError(Syntax.Initializer, "Unhandled initializer in object creation");
+                        Context.ModelError(Syntax.Initializer, $"Unhandled initializer in object creation of kind {kind}");
                         break;
                 }
             }

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/Pattern.cs

@@ -68,7 +68,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         case DiscardDesignationSyntax discard:
                             return new Expressions.Discard(cx, discard, parent, child);
                         default:
-                            throw new InternalError("var pattern designation is unhandled");
+                            throw new InternalError($"var pattern designation of type {varPattern.Designation.GetType()} is unhandled");
                     }
 
                 case DiscardPatternSyntax dp:

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/VariableDeclaration.cs

@@ -105,7 +105,8 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                             }
                             break;
                         default:
-                            throw new InternalError(variable, "Unhandled designation type");
+                            var type = variable.GetType().ToString() ?? "null";
+                            throw new InternalError(variable, $"Unhandled designation type {type}");
                     }
 
                     elementTypes.Add(sub.Type.HasValue && sub.Type.Value.Symbol?.Kind != SymbolKind.ErrorType

csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/LineDirective.cs

@@ -13,7 +13,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 SyntaxKind.DefaultKeyword => LineDirectiveKind.Default,
                 SyntaxKind.HiddenKeyword => LineDirectiveKind.Hidden,
                 SyntaxKind.NumericLiteralToken => LineDirectiveKind.Numeric,
-                _ => throw new InternalError(trivia, "Unhandled line token kind")
+                _ => throw new InternalError(trivia, $"Unhandled line token kind {trivia.Line.Kind()}")
             })
         {
         }

csharp/extractor/Semmle.Extraction.CSharp/Entities/PreprocessorDirectives/NullableDirective.cs

@@ -18,7 +18,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 SyntaxKind.DisableKeyword => 0,
                 SyntaxKind.EnableKeyword => 1,
                 SyntaxKind.RestoreKeyword => 2,
-                _ => throw new InternalError(Symbol, "Unhandled setting token kind")
+                _ => throw new InternalError(Symbol, $"Unhandled setting token kind {Symbol.SettingToken.Kind()}")
             };
 
             var target = Symbol.TargetToken.Kind() switch
@@ -26,7 +26,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 SyntaxKind.None => 0,
                 SyntaxKind.AnnotationsKeyword => 1,
                 SyntaxKind.WarningsKeyword => 2,
-                _ => throw new InternalError(Symbol, "Unhandled target token kind")
+                _ => throw new InternalError(Symbol, $"Unhandled target token kind {Symbol.TargetToken.Kind()}")
             };
 
             trapFile.directive_nullables(this, setting, target);

csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Case.cs

@@ -23,7 +23,7 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
                 case SyntaxKind.CasePatternSwitchLabel:
                     return CasePattern.Create(cx, (CasePatternSwitchLabelSyntax)node, parent, child);
                 default:
-                    throw new InternalError(node, "Unhandled case label");
+                    throw new InternalError(node, $"Unhandled case label of kind {node.Kind()}");
             }
         }
     }

csharp/extractor/Semmle.Extraction.CSharp/Extractor/Extractor.cs

@@ -86,9 +86,9 @@ namespace Semmle.Extraction.CSharp
             var stopwatch = new Stopwatch();
             stopwatch.Start();
 
-            Entities.Compilation.Settings = (Directory.GetCurrentDirectory(), args);
+            var options = Options.CreateWithEnvironment(args);
+            Entities.Compilation.Settings = (Directory.GetCurrentDirectory(), options.CompilerArguments.ToArray());
 
-            var options = Options.CreateWithEnvironment(Entities.Compilation.Settings.Args);
             var fileLogger = new FileLogger(options.Verbosity, GetCSharpLogPath());
             using var logger = options.Console
                 ? new CombinedLogger(new ConsoleLogger(options.Verbosity), fileLogger)

csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs

@@ -36,7 +36,7 @@ namespace Semmle.Extraction.CSharp.Populators
 
         public override void DefaultVisit(SyntaxNode node)
         {
-            throw new InternalError(node, "Unhandled top-level syntax node");
+            throw new InternalError(node, $"Unhandled top-level syntax node of type  {node.GetType()}");
         }
 
         public override void VisitGlobalStatement(GlobalStatementSyntax node)

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,5 @@
+## 0.0.7
+
 ## 0.0.6
 
 ## 0.0.5

csharp/ql/lib/Linq/Helpers.qll

@@ -46,7 +46,7 @@ predicate missedAllOpportunity(ForeachStmt fes) {
       bl = a.getRValue() and
       bl.toString() = "false"
     ) and
-    exists(BreakStmt bs | bs = is.getThen().getAChild*())
+    is.getThen().getAChild*() instanceof BreakStmt
   )
 }
 

csharp/ql/lib/change-notes/2022-01-25-csharp10-features.md

@@ -0,0 +1,11 @@
+---
+category: majorAnalysis
+---
+Added support for the following C# 10 features.
+* [Record structs](https://docs.microsoft.com/en-us/dotnet/csharp/whats-new/csharp-10#record-structs).
+* [Improvements of structure types](https://docs.microsoft.com/en-us/dotnet/csharp/whats-new/csharp-10#improvements-of-structure-types).
+  * Instance parameterless constructor in a structure type.
+  * Enhance `WithExpr` in QL to support `structs` and anonymous classes.
+* [Global using directives](https://docs.microsoft.com/en-us/dotnet/csharp/whats-new/csharp-10#global-using-directives).
+* [File-scoped namespace declaration](https://docs.microsoft.com/en-us/dotnet/csharp/whats-new/csharp-10#file-scoped-namespace-declaration).
+* [Enhanced #line pragma](https://docs.microsoft.com/en-us/dotnet/csharp/whats-new/csharp-10#enhanced-line-pragma).

csharp/ql/lib/change-notes/released/0.0.7.md

@@ -0,0 +1 @@
+## 0.0.7

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.6
+lastReleaseVersion: 0.0.7

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.0.7-dev
+version: 0.0.8-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/lib/semmle/code/csharp/File.qll

@@ -182,6 +182,14 @@ class Folder extends Container, @folder {
   override string getURL() { result = "folder://" + this.getAbsolutePath() }
 }
 
+bindingset[flag]
+private predicate fileHasExtractionFlag(File f, int flag) {
+  exists(int i |
+    file_extraction_mode(f, i) and
+    i.bitAnd(flag) = flag
+  )
+}
+
 /** A file. */
 class File extends Container, @file {
   override string getAbsolutePath() { files(this, result) }
@@ -199,7 +207,10 @@ class File extends Container, @file {
 
   /** Holds if this file is a QL test stub file. */
   pragma[noinline]
-  private predicate isStub() { this.getAbsolutePath().matches("%resources/stubs/%") }
+  private predicate isStub() {
+    this.extractedQlTest() and
+    this.getAbsolutePath().matches("%resources/stubs/%")
+  }
 
   /** Holds if this file contains source code. */
   final predicate fromSource() {
@@ -218,12 +229,12 @@ class File extends Container, @file {
    * A source file can come from a PDB and from regular extraction
    * in the same snapshot.
    */
-  predicate isPdbSourceFile() {
-    exists(int i |
-      file_extraction_mode(this, i) and
-      i.bitAnd(2) = 2
-    )
-  }
+  predicate isPdbSourceFile() { fileHasExtractionFlag(this, 2) }
+
+  /**
+   * Holds if this file was extracted using `codeql test run`.
+   */
+  predicate extractedQlTest() { fileHasExtractionFlag(this, 4) }
 }
 
 /**
@@ -233,10 +244,5 @@ class SourceFile extends File {
   SourceFile() { this.fromSource() }
 
   /** Holds if the file was extracted without building the source code. */
-  predicate extractedStandalone() {
-    exists(int i |
-      file_extraction_mode(this, i) and
-      i.bitAnd(1) = 1
-    )
-  }
+  predicate extractedStandalone() { fileHasExtractionFlag(this, 1) }
 }

csharp/ql/lib/semmle/code/csharp/XML.qll

@@ -233,7 +233,7 @@ class XMLElement extends @xmlelement, XMLParent, XMLLocatable {
   XMLAttribute getAttribute(string name) { result.getElement() = this and result.getName() = name }
 
   /** Holds if this XML element has an attribute with the specified `name`. */
-  predicate hasAttribute(string name) { exists(XMLAttribute a | a = this.getAttribute(name)) }
+  predicate hasAttribute(string name) { exists(this.getAttribute(name)) }
 
   /** Gets the value of the attribute with the specified `name`, if any. */
   string getAttributeValue(string name) { result = this.getAttribute(name).getValue() }

csharp/ql/lib/semmle/code/csharp/dataflow/FlowSummary.qll

@@ -40,7 +40,12 @@ module SummaryComponent {
   predicate return = SummaryComponentInternal::return/1;
 
   /** Gets a summary component that represents a qualifier. */
-  SummaryComponent qualifier() { result = argument(-1) }
+  SummaryComponent qualifier() {
+    exists(ParameterPosition pos |
+      result = SummaryComponentInternal::argument(pos) and
+      pos.isThisParameter()
+    )
+  }
 
   /** Gets a summary component that represents an element in a collection. */
   SummaryComponent element() { result = content(any(DataFlow::ElementContent c)) }
@@ -140,12 +145,17 @@ private class SummarizedCallableDefaultClearsContent extends Impl::Public::Summa
 
   // By default, we assume that all stores into arguments are definite
   override predicate clearsContent(ParameterPosition pos, DataFlow::Content content) {
-    exists(SummaryComponentStack output |
+    exists(SummaryComponentStack output, SummaryComponent target |
       this.propagatesFlow(_, output, _) and
       output.drop(_) =
         SummaryComponentStack::push(SummaryComponent::content(content),
-          SummaryComponentStack::argument(pos.getPosition())) and
+          SummaryComponentStack::singleton(target)) and
       not content instanceof DataFlow::ElementContent
+    |
+      target = SummaryComponent::argument(pos.getPosition())
+      or
+      target = SummaryComponent::qualifier() and
+      pos.isThisParameter()
     )
   }
 }
@@ -153,15 +163,11 @@ private class SummarizedCallableDefaultClearsContent extends Impl::Public::Summa
 class RequiredSummaryComponentStack = Impl::Public::RequiredSummaryComponentStack;
 
 private class RecordConstructorFlowRequiredSummaryComponentStack extends RequiredSummaryComponentStack {
-  private SummaryComponent head;
-
-  RecordConstructorFlowRequiredSummaryComponentStack() {
+  override predicate required(SummaryComponent head, SummaryComponentStack tail) {
     exists(Property p |
       recordConstructorFlow(_, _, p) and
       head = SummaryComponent::property(p) and
-      this = SummaryComponentStack::return()
+      tail = SummaryComponentStack::return()
     )
   }
-
-  override predicate required(SummaryComponent c) { c = head }
 }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -116,19 +116,23 @@ private module Cached {
   cached
   DataFlowCallable viableCallable(DataFlowCall call) { result = call.getARuntimeTarget() }
 
-  private int parameterPosition() {
-    result =
-      [
-        -1, any(Parameter p).getPosition(),
-        ImplicitCapturedParameterNodeImpl::getParameterPosition(_)
-      ]
+  private predicate capturedWithFlowIn(LocalScopeVariable v) {
+    exists(Ssa::ExplicitDefinition def | def.isCapturedVariableDefinitionFlowIn(_, _, _) |
+      v = def.getSourceVariable().getAssignable()
+    )
   }
 
   cached
-  newtype TParameterPosition = MkParameterPosition(int i) { i = parameterPosition() }
+  newtype TParameterPosition =
+    TPositionalParameterPosition(int i) { i = any(Parameter p).getPosition() } or
+    TThisParameterPosition() or
+    TImplicitCapturedParameterPosition(LocalScopeVariable v) { capturedWithFlowIn(v) }
 
   cached
-  newtype TArgumentPosition = MkArgumentPosition(int i) { i = parameterPosition() }
+  newtype TArgumentPosition =
+    TPositionalArgumentPosition(int i) { i = any(Parameter p).getPosition() } or
+    TQualifierArgumentPosition() or
+    TImplicitCapturedArgumentPosition(LocalScopeVariable v) { capturedWithFlowIn(v) }
 }
 
 import Cached
@@ -268,8 +272,8 @@ abstract class DataFlowCall extends TDataFlowCall {
   /** Gets the underlying expression, if any. */
   final DotNet::Expr getExpr() { result = this.getNode().asExpr() }
 
-  /** Gets the `i`th argument of this call. */
-  final ArgumentNode getArgument(int i) { result.argumentOf(this, i) }
+  /** Gets the argument at position `pos` of this call. */
+  final ArgumentNode getArgument(ArgumentPosition pos) { result.argumentOf(this, pos) }
 
   /** Gets a textual representation of this call. */
   abstract string toString();
@@ -425,36 +429,64 @@ class SummaryCall extends DelegateDataFlowCall, TSummaryCall {
   override Location getLocation() { result = c.getLocation() }
 }
 
-/** A parameter position represented by an integer. */
-class ParameterPosition extends MkParameterPosition {
-  private int i;
+/** A parameter position. */
+class ParameterPosition extends TParameterPosition {
+  /** Gets the underlying integer position, if any. */
+  int getPosition() { this = TPositionalParameterPosition(result) }
 
-  ParameterPosition() { this = MkParameterPosition(i) }
+  /** Holds if this position represents a `this` parameter. */
+  predicate isThisParameter() { this = TThisParameterPosition() }
 
-  /** Gets the underlying integer. */
-  int getPosition() { result = i }
+  /** Holds if this position is used to model flow through captured variables. */
+  predicate isImplicitCapturedParameterPosition(LocalScopeVariable v) {
+    this = TImplicitCapturedParameterPosition(v)
+  }
 
   /** Gets a textual representation of this position. */
-  string toString() { result = i.toString() }
+  string toString() {
+    result = "position " + this.getPosition()
+    or
+    this.isThisParameter() and result = "this"
+    or
+    exists(LocalScopeVariable v |
+      this.isImplicitCapturedParameterPosition(v) and result = "captured " + v
+    )
+  }
 }
 
-/** An argument position represented by an integer. */
-class ArgumentPosition extends MkArgumentPosition {
-  private int i;
+/** An argument position. */
+class ArgumentPosition extends TArgumentPosition {
+  /** Gets the underlying integer position, if any. */
+  int getPosition() { this = TPositionalArgumentPosition(result) }
 
-  ArgumentPosition() { this = MkArgumentPosition(i) }
+  /** Holds if this position represents a qualifier. */
+  predicate isQualifier() { this = TQualifierArgumentPosition() }
 
-  /** Gets the underlying integer. */
-  int getPosition() { result = i }
+  /** Holds if this position is used to model flow through captured variables. */
+  predicate isImplicitCapturedArgumentPosition(LocalScopeVariable v) {
+    this = TImplicitCapturedArgumentPosition(v)
+  }
 
   /** Gets a textual representation of this position. */
-  string toString() { result = i.toString() }
+  string toString() {
+    result = "position " + this.getPosition()
+    or
+    this.isQualifier() and result = "qualifier"
+    or
+    exists(LocalScopeVariable v |
+      this.isImplicitCapturedArgumentPosition(v) and result = "captured " + v
+    )
+  }
 }
 
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
-  exists(int i |
-    ppos = MkParameterPosition(i) and
-    apos = MkArgumentPosition(i)
+  ppos.getPosition() = apos.getPosition()
+  or
+  ppos.isThisParameter() and apos.isQualifier()
+  or
+  exists(LocalScopeVariable v |
+    ppos.isImplicitCapturedParameterPosition(v) and
+    apos.isImplicitCapturedArgumentPosition(v)
   )
 }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -22,13 +22,13 @@ private import semmle.code.csharp.frameworks.system.threading.Tasks
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
 
 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
-  exists(int i | pos = MkParameterPosition(i) and p.isParameterOf(c, i))
+predicate isParameterNode(ParameterNodeImpl p, DataFlowCallable c, ParameterPosition pos) {
+  p.isParameterOf(c, pos)
 }
 
 /** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
 predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos) {
-  exists(int i | pos = MkArgumentPosition(i) and arg.argumentOf(c, i))
+  arg.argumentOf(c, pos)
 }
 
 abstract class NodeImpl extends Node {
@@ -469,18 +469,20 @@ private predicate isParamsArg(Call c, Expr arg, Parameter p) {
 /** An argument of a C# call (including qualifier arguments). */
 private class Argument extends Expr {
   private Expr call;
-  private int arg;
+  private ArgumentPosition arg;
 
   Argument() {
     call =
       any(DispatchCall dc |
-        this = dc.getArgument(arg) and
+        this = dc.getArgument(arg.getPosition()) and
         not isParamsArg(_, this, _)
         or
-        this = dc.getQualifier() and arg = -1 and not dc.getAStaticTarget().(Modifiable).isStatic()
+        this = dc.getQualifier() and
+        arg.isQualifier() and
+        not dc.getAStaticTarget().(Modifiable).isStatic()
       ).getCall()
     or
-    this = call.(DelegateLikeCall).getArgument(arg)
+    this = call.(DelegateLikeCall).getArgument(arg.getPosition())
   }
 
   /**
@@ -488,7 +490,7 @@ private class Argument extends Expr {
    *
    * Qualifier arguments have index `-1`.
    */
-  predicate isArgumentOf(Expr c, int i) { c = call and i = arg }
+  predicate isArgumentOf(Expr c, ArgumentPosition pos) { c = call and pos = arg }
 }
 
 /**
@@ -855,7 +857,7 @@ class SsaDefinitionNode extends NodeImpl, TSsaDefinitionNode {
 }
 
 abstract class ParameterNodeImpl extends NodeImpl {
-  abstract predicate isParameterOf(DataFlowCallable c, int i);
+  abstract predicate isParameterOf(DataFlowCallable c, ParameterPosition pos);
 }
 
 private module ParameterNodes {
@@ -874,7 +876,9 @@ private module ParameterNodes {
         parameter
     }
 
-    override predicate isParameterOf(DataFlowCallable c, int i) { c.getParameter(i) = parameter }
+    override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+      c.getParameter(pos.getPosition()) = parameter
+    }
 
     override DataFlowCallable getEnclosingCallableImpl() { result = parameter.getCallable() }
 
@@ -896,7 +900,9 @@ private module ParameterNodes {
     /** Gets the callable containing this implicit instance parameter. */
     Callable getCallable() { result = callable }
 
-    override predicate isParameterOf(DataFlowCallable c, int pos) { callable = c and pos = -1 }
+    override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+      callable = c and pos.isThisParameter()
+    }
 
     override DataFlowCallable getEnclosingCallableImpl() { result = callable }
 
@@ -909,42 +915,15 @@ private module ParameterNodes {
     override string toStringImpl() { result = "this" }
   }
 
-  module ImplicitCapturedParameterNodeImpl {
-    /** An implicit entry definition for a captured variable. */
-    class SsaCapturedEntryDefinition extends Ssa::ImplicitEntryDefinition {
-      private LocalScopeVariable v;
+  /** An implicit entry definition for a captured variable. */
+  class SsaCapturedEntryDefinition extends Ssa::ImplicitEntryDefinition {
+    private LocalScopeVariable v;
 
-      SsaCapturedEntryDefinition() { this.getSourceVariable().getAssignable() = v }
+    SsaCapturedEntryDefinition() { this.getSourceVariable().getAssignable() = v }
 
-      LocalScopeVariable getVariable() { result = v }
-    }
-
-    private class CapturedVariable extends LocalScopeVariable {
-      CapturedVariable() { this = any(SsaCapturedEntryDefinition d).getVariable() }
-    }
-
-    private predicate id(CapturedVariable x, CapturedVariable y) { x = y }
-
-    private predicate idOf(CapturedVariable x, int y) = equivalenceRelation(id/2)(x, y)
-
-    int getId(CapturedVariable v) { idOf(v, result) }
-
-    // we model implicit parameters for captured variables starting from index `-2`,
-    // the order is irrelevant
-    int getParameterPosition(SsaCapturedEntryDefinition def) {
-      exists(Callable c | c = def.getCallable() |
-        def =
-          rank[-result - 1](SsaCapturedEntryDefinition def0 |
-            def0.getCallable() = c
-          |
-            def0 order by getId(def0.getSourceVariable().getAssignable())
-          )
-      )
-    }
+    LocalScopeVariable getVariable() { result = v }
   }
 
-  private import ImplicitCapturedParameterNodeImpl
-
   /**
    * The value of an implicit captured variable parameter at function entry,
    * viewed as a node in a data flow graph.
@@ -970,8 +949,8 @@ private module ParameterNodes {
     /** Gets the captured variable that this implicit parameter models. */
     LocalScopeVariable getVariable() { result = def.getVariable() }
 
-    override predicate isParameterOf(DataFlowCallable c, int i) {
-      i = getParameterPosition(def) and
+    override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+      pos.isImplicitCapturedParameterPosition(def.getSourceVariable().getAssignable()) and
       c = this.getEnclosingCallable()
     }
   }
@@ -982,11 +961,13 @@ import ParameterNodes
 /** A data-flow node that represents a call argument. */
 class ArgumentNode extends Node instanceof ArgumentNodeImpl {
   /** Holds if this argument occurs at the given position in the given call. */
-  final predicate argumentOf(DataFlowCall call, int pos) { super.argumentOf(call, pos) }
+  final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+    super.argumentOf(call, pos)
+  }
 }
 
 abstract private class ArgumentNodeImpl extends Node {
-  abstract predicate argumentOf(DataFlowCall call, int pos);
+  abstract predicate argumentOf(DataFlowCall call, ArgumentPosition pos);
 }
 
 private module ArgumentNodes {
@@ -1011,7 +992,7 @@ private module ArgumentNodes {
       this.asExpr() = any(CIL::Call call).getAnArgument()
     }
 
-    override predicate argumentOf(DataFlowCall call, int pos) {
+    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
       exists(ArgumentConfiguration x, Expr c, Argument arg |
         arg = this.asExpr() and
         c = call.getExpr() and
@@ -1022,7 +1003,7 @@ private module ArgumentNodes {
       exists(CIL::Call c, CIL::Expr arg |
         arg = this.asExpr() and
         c = call.getExpr() and
-        arg = c.getArgument(pos)
+        arg = c.getArgument(pos.getPosition())
       )
     }
   }
@@ -1050,25 +1031,9 @@ private module ArgumentNodes {
 
     ImplicitCapturedArgumentNode() { this = TImplicitCapturedArgumentNode(cfn, v) }
 
-    /** Holds if the value at this node may flow into the implicit parameter `p`. */
-    private predicate flowsInto(ImplicitCapturedParameterNode p, boolean additionalCalls) {
-      exists(Ssa::ImplicitEntryDefinition def, Ssa::ExplicitDefinition edef |
-        def = p.getDefinition()
-      |
-        edef.isCapturedVariableDefinitionFlowIn(def, cfn, additionalCalls) and
-        v = def.getSourceVariable().getAssignable()
-      )
-    }
-
-    override predicate argumentOf(DataFlowCall call, int pos) {
-      exists(ImplicitCapturedParameterNode p, boolean additionalCalls |
-        this.flowsInto(p, additionalCalls) and
-        p.isParameterOf(call.getARuntimeTarget(), pos) and
-        call.getControlFlowNode() = cfn and
-        if call instanceof TransitiveCapturedDataFlowCall
-        then additionalCalls = true
-        else additionalCalls = false
-      )
+    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+      pos.isImplicitCapturedArgumentPosition(v) and
+      call.getControlFlowNode() = cfn
     }
 
     override DataFlowCallable getEnclosingCallableImpl() { result = cfn.getEnclosingCallable() }
@@ -1091,9 +1056,9 @@ private module ArgumentNodes {
 
     MallocNode() { this = TMallocNode(cfn) }
 
-    override predicate argumentOf(DataFlowCall call, int pos) {
+    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
       call = TNonDelegateCall(cfn, _) and
-      pos = -1
+      pos.isQualifier()
     }
 
     override ControlFlow::Node getControlFlowNodeImpl() { result = cfn }
@@ -1130,9 +1095,9 @@ private module ArgumentNodes {
       callCfn = any(Call c | isParamsArg(c, _, result)).getAControlFlowNode()
     }
 
-    override predicate argumentOf(DataFlowCall call, int pos) {
+    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
       callCfn = call.getControlFlowNode() and
-      pos = this.getParameter().getPosition()
+      pos.getPosition() = this.getParameter().getPosition()
     }
 
     override DataFlowCallable getEnclosingCallableImpl() { result = callCfn.getEnclosingCallable() }
@@ -1149,11 +1114,8 @@ private module ArgumentNodes {
   private class SummaryArgumentNode extends SummaryNode, ArgumentNodeImpl {
     SummaryArgumentNode() { FlowSummaryImpl::Private::summaryArgumentNode(_, this, _) }
 
-    override predicate argumentOf(DataFlowCall call, int pos) {
-      exists(ArgumentPosition apos |
-        FlowSummaryImpl::Private::summaryArgumentNode(call, this, apos) and
-        apos.getPosition() = pos
-      )
+    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+      FlowSummaryImpl::Private::summaryArgumentNode(call, this, pos)
     }
   }
 }
@@ -1481,6 +1443,8 @@ class FieldOrProperty extends Assignable, Modifiable {
           p.isAutoImplemented()
           or
           p.matchesHandle(any(CIL::TrivialProperty tp))
+          or
+          p.getDeclaringType() instanceof AnonymousClass
         )
       )
   }
@@ -1870,8 +1834,8 @@ private module PostUpdateNodes {
 
     override MallocNode getPreUpdateNode() { result.getControlFlowNode() = cfn }
 
-    override predicate argumentOf(DataFlowCall call, int pos) {
-      pos = -1 and
+    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+      pos.isQualifier() and
       any(ObjectOrCollectionInitializerConfiguration x)
           .hasExprPath(_, cfn, _, call.getControlFlowNode())
     }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll

@@ -101,14 +101,21 @@ class ExprNode extends Node, TExprNode_ {
 class ParameterNode extends Node instanceof ParameterNodeImpl {
   /** Gets the parameter corresponding to this node, if any. */
   DotNet::Parameter getParameter() {
-    exists(DataFlowCallable c, int i | this.isParameterOf(c, i) and result = c.getParameter(i))
+    exists(DataFlowCallable c, ParameterPosition ppos |
+      super.isParameterOf(c, ppos) and
+      result = c.getParameter(ppos.getPosition())
+    )
   }
 
   /**
+   * DEPRECATED
+   *
    * Holds if this node is the parameter of callable `c` at the specified
    * (zero-based) position.
    */
-  predicate isParameterOf(DataFlowCallable c, int i) { super.isParameterOf(c, i) }
+  deprecated predicate isParameterOf(DataFlowCallable c, int i) {
+    super.isParameterOf(c, any(ParameterPosition pos | i = pos.getPosition()))
+  }
 }
 
 /** A definition, viewed as a node in a data flow graph. */

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -175,11 +175,11 @@ module Public {
    * A class that exists for QL technical reasons only (the IPA type used
    * to represent component stacks needs to be bounded).
    */
-  abstract class RequiredSummaryComponentStack extends SummaryComponentStack {
+  class RequiredSummaryComponentStack extends Unit {
     /**
      * Holds if the stack obtained by pushing `head` onto `tail` is required.
      */
-    abstract predicate required(SummaryComponent c);
+    abstract predicate required(SummaryComponent head, SummaryComponentStack tail);
   }
 
   /** A callable with a flow summary. */
@@ -240,9 +240,9 @@ module Private {
   newtype TSummaryComponentStack =
     TSingletonSummaryComponentStack(SummaryComponent c) or
     TConsSummaryComponentStack(SummaryComponent head, SummaryComponentStack tail) {
-      tail.(RequiredSummaryComponentStack).required(head)
+      any(RequiredSummaryComponentStack x).required(head, tail)
       or
-      tail.(RequiredSummaryComponentStack).required(TParameterSummaryComponent(_)) and
+      any(RequiredSummaryComponentStack x).required(TParameterSummaryComponent(_), tail) and
       head = thisParam()
       or
       derivedFluentFlowPush(_, _, _, head, tail, _)
@@ -890,9 +890,9 @@ module Private {
     }
 
     private class MkStack extends RequiredSummaryComponentStack {
-      MkStack() { interpretSpec(_, _, _, this) }
-
-      override predicate required(SummaryComponent c) { interpretSpec(_, _, c, this) }
+      override predicate required(SummaryComponent head, SummaryComponentStack tail) {
+        interpretSpec(_, _, head, tail)
+      }
     }
 
     private class SummarizedCallableExternal extends SummarizedCallable {

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -166,10 +166,20 @@ string getComponentSpecificCsv(SummaryComponent sc) {
 }
 
 /** Gets the textual representation of a parameter position in the format used for flow summaries. */
-string getParameterPositionCsv(ParameterPosition pos) { result = pos.toString() }
+string getParameterPositionCsv(ParameterPosition pos) {
+  result = pos.getPosition().toString()
+  or
+  pos.isThisParameter() and
+  result = "Qualifier"
+}
 
 /** Gets the textual representation of an argument position in the format used for flow summaries. */
-string getArgumentPositionCsv(ArgumentPosition pos) { result = pos.toString() }
+string getArgumentPositionCsv(ArgumentPosition pos) {
+  result = pos.getPosition().toString()
+  or
+  pos.isQualifier() and
+  result = "This"
+}
 
 /** Holds if input specification component `c` needs a reference. */
 predicate inputNeedsReferenceSpecific(string c) { none() }
@@ -244,20 +254,30 @@ predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode n) {
 }
 
 bindingset[s]
-private int parsePosition(string s) {
-  result = s.regexpCapture("([-0-9]+)", 1).toInt()
+private int parseIntegerPosition(string s) {
+  result = s.regexpCapture("([0-9]+)", 1).toInt()
   or
   exists(int n1, int n2 |
-    s.regexpCapture("([-0-9]+)\\.\\.([0-9]+)", 1).toInt() = n1 and
-    s.regexpCapture("([-0-9]+)\\.\\.([0-9]+)", 2).toInt() = n2 and
+    s.regexpCapture("([0-9]+)\\.\\.([0-9]+)", 1).toInt() = n1 and
+    s.regexpCapture("([0-9]+)\\.\\.([0-9]+)", 2).toInt() = n2 and
     result in [n1 .. n2]
   )
 }
 
 /** Gets the argument position obtained by parsing `X` in `Parameter[X]`. */
 bindingset[s]
-ArgumentPosition parseParamBody(string s) { result.getPosition() = parsePosition(s) }
+ArgumentPosition parseParamBody(string s) {
+  result.getPosition() = parseIntegerPosition(s)
+  or
+  s = "This" and
+  result.isQualifier()
+}
 
 /** Gets the parameter position obtained by parsing `X` in `Argument[X]`. */
 bindingset[s]
-ParameterPosition parseArgBody(string s) { result.getPosition() = parsePosition(s) }
+ParameterPosition parseArgBody(string s) {
+  result.getPosition() = parseIntegerPosition(s)
+  or
+  s = "Qualifier" and
+  result.isThisParameter()
+}

csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll

@@ -292,7 +292,7 @@ private module Internal {
     pragma[nomagic]
     predicate hasSubsumedQualifierTypeOverridden(Gvn::GvnType t, OverridableCallable c) {
       this.hasSubsumedQualifierType(t) and
-      hasCallable(t, c, any(OverridableCallable oc | oc = this.getAStaticTargetExt()))
+      hasCallable(t, c, this.getAStaticTargetExt())
     }
 
     /**

csharp/ql/lib/semmle/code/csharp/frameworks/EntityFramework.qll

@@ -91,14 +91,10 @@ module EntityFramework {
   abstract class EFSummarizedCallable extends SummarizedCallable { }
 
   private class DbSetAddOrUpdateRequiredSummaryComponentStack extends RequiredSummaryComponentStack {
-    private SummaryComponent head;
-
-    DbSetAddOrUpdateRequiredSummaryComponentStack() {
-      this = SummaryComponentStack::argument([-1, 0]) and
-      head = SummaryComponent::element()
+    override predicate required(SummaryComponent head, SummaryComponentStack tail) {
+      head = SummaryComponent::element() and
+      tail = SummaryComponentStack::argument([-1, 0])
     }
-
-    override predicate required(SummaryComponent c) { c = head }
   }
 
   private class DbSetAddOrUpdate extends EFSummarizedCallable {
@@ -114,7 +110,7 @@ module EntityFramework {
         then input = SummaryComponentStack::elementOf(SummaryComponentStack::argument(0))
         else input = SummaryComponentStack::argument(0)
       ) and
-      output = SummaryComponentStack::elementOf(SummaryComponentStack::argument(-1)) and
+      output = SummaryComponentStack::elementOf(SummaryComponentStack::qualifier()) and
       preservesValue = true
     }
   }
@@ -462,14 +458,12 @@ module EntityFramework {
   }
 
   private class DbContextSaveChangesRequiredSummaryComponentStack extends RequiredSummaryComponentStack {
-    private Content head;
-
-    DbContextSaveChangesRequiredSummaryComponentStack() {
-      any(DbContextClass c).requiresComponentStackIn(head, _, this, _)
-      or
-      any(DbContextClass c).requiresComponentStackOut(head, _, this, _)
+    override predicate required(SummaryComponent head, SummaryComponentStack tail) {
+      exists(Content c | head = SummaryComponent::content(c) |
+        any(DbContextClass cls).requiresComponentStackIn(c, _, tail, _)
+        or
+        any(DbContextClass cls).requiresComponentStackOut(c, _, tail, _)
+      )
     }
-
-    override predicate required(SummaryComponent c) { c = SummaryComponent::content(head) }
   }
 }

csharp/ql/lib/semmle/code/csharp/frameworks/JsonNET.qll

@@ -228,11 +228,11 @@ module JsonNET {
     override predicate row(string row) {
       row =
         [
-          "Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String);;Argument[-1];ReturnValue;taint",
-          "Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String,Newtonsoft.Json.Linq.JsonSelectSettings);;Argument[-1];ReturnValue;taint",
-          "Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String,System.Boolean);;Argument[-1];ReturnValue;taint",
-          "Newtonsoft.Json.Linq;JToken;false;ToString;();;Argument[-1];ReturnValue;taint",
-          "Newtonsoft.Json.Linq;JToken;false;ToString;(Newtonsoft.Json.Formatting,Newtonsoft.Json.JsonConverter[]);;Argument[-1];ReturnValue;taint",
+          "Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String);;Argument[Qualifier];ReturnValue;taint",
+          "Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String,Newtonsoft.Json.Linq.JsonSelectSettings);;Argument[Qualifier];ReturnValue;taint",
+          "Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String,System.Boolean);;Argument[Qualifier];ReturnValue;taint",
+          "Newtonsoft.Json.Linq;JToken;false;ToString;();;Argument[Qualifier];ReturnValue;taint",
+          "Newtonsoft.Json.Linq;JToken;false;ToString;(Newtonsoft.Json.Formatting,Newtonsoft.Json.JsonConverter[]);;Argument[Qualifier];ReturnValue;taint",
         ]
     }
   }
@@ -253,21 +253,21 @@ module JsonNET {
     override predicate row(string row) {
       row =
         [
-          "Newtonsoft.Json.Linq;JObject;false;Add;(System.Collections.Generic.KeyValuePair<System.String,Newtonsoft.Json.Linq.JToken>);;Property[System.Collections.Generic.KeyValuePair<,>.Key] of Argument[0];Property[System.Collections.Generic.KeyValuePair<,>.Key] of Element of Argument[-1];value",
-          "Newtonsoft.Json.Linq;JObject;false;Add;(System.Collections.Generic.KeyValuePair<System.String,Newtonsoft.Json.Linq.JToken>);;Property[System.Collections.Generic.KeyValuePair<,>.Value] of Argument[0];Property[System.Collections.Generic.KeyValuePair<,>.Value] of Element of Argument[-1];value",
+          "Newtonsoft.Json.Linq;JObject;false;Add;(System.Collections.Generic.KeyValuePair<System.String,Newtonsoft.Json.Linq.JToken>);;Property[System.Collections.Generic.KeyValuePair<,>.Key] of Argument[0];Property[System.Collections.Generic.KeyValuePair<,>.Key] of Element of Argument[Qualifier];value",
+          "Newtonsoft.Json.Linq;JObject;false;Add;(System.Collections.Generic.KeyValuePair<System.String,Newtonsoft.Json.Linq.JToken>);;Property[System.Collections.Generic.KeyValuePair<,>.Value] of Argument[0];Property[System.Collections.Generic.KeyValuePair<,>.Value] of Element of Argument[Qualifier];value",
           "Newtonsoft.Json.Linq;JObject;false;JObject;(Newtonsoft.Json.Linq.JObject);;Property[System.Collections.Generic.KeyValuePair<,>.Key] of Element of Argument[0];Property[System.Collections.Generic.KeyValuePair<,>.Key] of Element of ReturnValue;value",
           "Newtonsoft.Json.Linq;JObject;false;JObject;(Newtonsoft.Json.Linq.JObject);;Property[System.Collections.Generic.KeyValuePair<,>.Value] of Element of Argument[0];Property[System.Collections.Generic.KeyValuePair<,>.Value] of Element of ReturnValue;value",
           "Newtonsoft.Json.Linq;JObject;false;JObject;(System.Object[]);;Property[System.Collections.Generic.KeyValuePair<,>.Key] of Element of Argument[0];Property[System.Collections.Generic.KeyValuePair<,>.Key] of Element of ReturnValue;value",
           "Newtonsoft.Json.Linq;JObject;false;JObject;(System.Object[]);;Property[System.Collections.Generic.KeyValuePair<,>.Value] of Element of Argument[0];Property[System.Collections.Generic.KeyValuePair<,>.Value] of Element of ReturnValue;value",
           "Newtonsoft.Json.Linq;JObject;false;Parse;(System.String);;Argument[0];ReturnValue;taint",
           "Newtonsoft.Json.Linq;JObject;false;Parse;(System.String,Newtonsoft.Json.Linq.JsonLoadSettings);;Argument[0];ReturnValue;taint",
-          "Newtonsoft.Json.Linq;JObject;false;get_Item;(System.Object);;Element of Argument[-1];ReturnValue;value",
-          "Newtonsoft.Json.Linq;JObject;false;get_Item;(System.Object);;Property[System.Collections.Generic.KeyValuePair<,>.Value] of Element of Argument[-1];ReturnValue;value",
-          "Newtonsoft.Json.Linq;JObject;false;get_Item;(System.String);;Element of Argument[-1];ReturnValue;value",
-          "Newtonsoft.Json.Linq;JObject;false;set_Item;(System.Object,Newtonsoft.Json.Linq.JToken);;Argument[0];Property[System.Collections.Generic.KeyValuePair<,>.Key] of Element of Argument[-1];value",
-          "Newtonsoft.Json.Linq;JObject;false;set_Item;(System.Object,Newtonsoft.Json.Linq.JToken);;Argument[1];Element of Argument[-1];value",
-          "Newtonsoft.Json.Linq;JObject;false;set_Item;(System.Object,Newtonsoft.Json.Linq.JToken);;Argument[1];Property[System.Collections.Generic.KeyValuePair<,>.Value] of Element of Argument[-1];value",
-          "Newtonsoft.Json.Linq;JObject;false;set_Item;(System.String,Newtonsoft.Json.Linq.JToken);;Argument[1];Element of Argument[-1];value",
+          "Newtonsoft.Json.Linq;JObject;false;get_Item;(System.Object);;Element of Argument[Qualifier];ReturnValue;value",
+          "Newtonsoft.Json.Linq;JObject;false;get_Item;(System.Object);;Property[System.Collections.Generic.KeyValuePair<,>.Value] of Element of Argument[Qualifier];ReturnValue;value",
+          "Newtonsoft.Json.Linq;JObject;false;get_Item;(System.String);;Element of Argument[Qualifier];ReturnValue;value",
+          "Newtonsoft.Json.Linq;JObject;false;set_Item;(System.Object,Newtonsoft.Json.Linq.JToken);;Argument[0];Property[System.Collections.Generic.KeyValuePair<,>.Key] of Element of Argument[Qualifier];value",
+          "Newtonsoft.Json.Linq;JObject;false;set_Item;(System.Object,Newtonsoft.Json.Linq.JToken);;Argument[1];Element of Argument[Qualifier];value",
+          "Newtonsoft.Json.Linq;JObject;false;set_Item;(System.Object,Newtonsoft.Json.Linq.JToken);;Argument[1];Property[System.Collections.Generic.KeyValuePair<,>.Value] of Element of Argument[Qualifier];value",
+          "Newtonsoft.Json.Linq;JObject;false;set_Item;(System.String,Newtonsoft.Json.Linq.JToken);;Argument[1];Element of Argument[Qualifier];value",
         ]
     }
   }
@@ -277,8 +277,8 @@ module JsonNET {
     override predicate row(string row) {
       row =
         [
-          "Newtonsoft.Json.Linq;JArray;false;get_Item;(System.Object);;Element of Argument[-1];ReturnValue;value",
-          "Newtonsoft.Json.Linq;JArray;false;set_Item;(System.Object,Newtonsoft.Json.Linq.JToken);;Argument[1];Element of Argument[-1];value",
+          "Newtonsoft.Json.Linq;JArray;false;get_Item;(System.Object);;Element of Argument[Qualifier];ReturnValue;value",
+          "Newtonsoft.Json.Linq;JArray;false;set_Item;(System.Object,Newtonsoft.Json.Linq.JToken);;Argument[1];Element of Argument[Qualifier];value",
         ]
     }
   }
@@ -288,8 +288,8 @@ module JsonNET {
     override predicate row(string row) {
       row =
         [
-          "Newtonsoft.Json.Linq;JConstructor;false;get_Item;(System.Object);;Element of Argument[-1];ReturnValue;value",
-          "Newtonsoft.Json.Linq;JConstructor;false;set_Item;(System.Object,Newtonsoft.Json.Linq.JToken);;Argument[1];Element of Argument[-1];value",
+          "Newtonsoft.Json.Linq;JConstructor;false;get_Item;(System.Object);;Element of Argument[Qualifier];ReturnValue;value",
+          "Newtonsoft.Json.Linq;JConstructor;false;set_Item;(System.Object,Newtonsoft.Json.Linq.JToken);;Argument[1];Element of Argument[Qualifier];value",
         ]
     }
   }
@@ -298,7 +298,7 @@ module JsonNET {
   private class NewtonsoftJsonLinqJContainerFlowModelCsv extends SummaryModelCsv {
     override predicate row(string row) {
       row =
-        "Newtonsoft.Json.Linq;JContainer;true;Add;(System.Object);;Argument[0];Element of Argument[-1];value"
+        "Newtonsoft.Json.Linq;JContainer;true;Add;(System.Object);;Argument[0];Element of Argument[Qualifier];value"
     }
   }
 }

csharp/ql/lib/semmle/code/csharp/frameworks/System.qll

@@ -72,7 +72,7 @@ private class SystemArrayFlowModelCsv extends SummaryModelCsv {
       [
         "System;Array;false;AsReadOnly<>;(T[]);;Element of Argument[0];Element of ReturnValue;value",
         "System;Array;false;Clone;();;Element of Argument[0];Element of ReturnValue;value",
-        "System;Array;false;CopyTo;(System.Array,System.Int64);;Element of Argument[-1];Element of Argument[0];value",
+        "System;Array;false;CopyTo;(System.Array,System.Int64);;Element of Argument[Qualifier];Element of Argument[0];value",
         "System;Array;false;Find<>;(T[],System.Predicate<T>);;Element of Argument[0];Parameter[0] of Argument[1];value",
         "System;Array;false;Find<>;(T[],System.Predicate<T>);;Element of Argument[0];ReturnValue;value",
         "System;Array;false;FindAll<>;(T[],System.Predicate<T>);;Element of Argument[0];Parameter[0] of Argument[1];value",
@@ -625,7 +625,7 @@ private class SystemLazyFlowModelCsv extends SummaryModelCsv {
         "System;Lazy<>;false;Lazy;(System.Func<T>);;ReturnValue of Argument[0];Property[System.Lazy<>.Value] of ReturnValue;value",
         "System;Lazy<>;false;Lazy;(System.Func<T>,System.Boolean);;ReturnValue of Argument[0];Property[System.Lazy<>.Value] of ReturnValue;value",
         "System;Lazy<>;false;Lazy;(System.Func<T>,System.Threading.LazyThreadSafetyMode);;ReturnValue of Argument[0];Property[System.Lazy<>.Value] of ReturnValue;value",
-        "System;Lazy<>;false;get_Value;();;Argument[-1];ReturnValue;taint",
+        "System;Lazy<>;false;get_Value;();;Argument[Qualifier];ReturnValue;taint",
       ]
   }
 }
@@ -664,12 +664,12 @@ private class SystemNullableFlowModelCsv extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        "System;Nullable<>;false;GetValueOrDefault;();;Property[System.Nullable<>.Value] of Argument[-1];ReturnValue;value",
+        "System;Nullable<>;false;GetValueOrDefault;();;Property[System.Nullable<>.Value] of Argument[Qualifier];ReturnValue;value",
         "System;Nullable<>;false;GetValueOrDefault;(T);;Argument[0];ReturnValue;value",
-        "System;Nullable<>;false;GetValueOrDefault;(T);;Property[System.Nullable<>.Value] of Argument[-1];ReturnValue;value",
+        "System;Nullable<>;false;GetValueOrDefault;(T);;Property[System.Nullable<>.Value] of Argument[Qualifier];ReturnValue;value",
         "System;Nullable<>;false;Nullable;(T);;Argument[0];Property[System.Nullable<>.Value] of ReturnValue;value",
-        "System;Nullable<>;false;get_HasValue;();;Property[System.Nullable<>.Value] of Argument[-1];ReturnValue;taint",
-        "System;Nullable<>;false;get_Value;();;Argument[-1];ReturnValue;taint",
+        "System;Nullable<>;false;get_HasValue;();;Property[System.Nullable<>.Value] of Argument[Qualifier];ReturnValue;taint",
+        "System;Nullable<>;false;get_Value;();;Argument[Qualifier];ReturnValue;taint",
       ]
   }
 }
@@ -885,7 +885,7 @@ private class SystemStringFlowModelCsv extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        "System;String;false;Clone;();;Argument[-1];ReturnValue;value",
+        "System;String;false;Clone;();;Argument[Qualifier];ReturnValue;value",
         "System;String;false;Concat;(System.Collections.Generic.IEnumerable<System.String>);;Element of Argument[0];ReturnValue;taint",
         "System;String;false;Concat;(System.Object);;Argument[0];ReturnValue;taint",
         "System;String;false;Concat;(System.Object,System.Object);;Argument[0];ReturnValue;taint",
@@ -937,10 +937,10 @@ private class SystemStringFlowModelCsv extends SummaryModelCsv {
         "System;String;false;Format;(System.String,System.Object,System.Object,System.Object);;Argument[3];ReturnValue;taint",
         "System;String;false;Format;(System.String,System.Object[]);;Argument[0];ReturnValue;taint",
         "System;String;false;Format;(System.String,System.Object[]);;Element of Argument[1];ReturnValue;taint",
-        "System;String;false;GetEnumerator;();;Element of Argument[-1];Property[System.CharEnumerator.Current] of ReturnValue;value",
-        "System;String;false;GetEnumerator;();;Element of Argument[-1];Property[System.Collections.Generic.IEnumerator<>.Current] of ReturnValue;value",
+        "System;String;false;GetEnumerator;();;Element of Argument[Qualifier];Property[System.CharEnumerator.Current] of ReturnValue;value",
+        "System;String;false;GetEnumerator;();;Element of Argument[Qualifier];Property[System.Collections.Generic.IEnumerator<>.Current] of ReturnValue;value",
         "System;String;false;Insert;(System.Int32,System.String);;Argument[1];ReturnValue;taint",
-        "System;String;false;Insert;(System.Int32,System.String);;Argument[-1];ReturnValue;taint",
+        "System;String;false;Insert;(System.Int32,System.String);;Argument[Qualifier];ReturnValue;taint",
         "System;String;false;Join;(System.Char,System.Object[]);;Argument[0];ReturnValue;taint",
         "System;String;false;Join;(System.Char,System.Object[]);;Element of Argument[1];ReturnValue;taint",
         "System;String;false;Join;(System.Char,System.String[]);;Argument[0];ReturnValue;taint",
@@ -959,49 +959,49 @@ private class SystemStringFlowModelCsv extends SummaryModelCsv {
         "System;String;false;Join<>;(System.Char,System.Collections.Generic.IEnumerable<T>);;Element of Argument[1];ReturnValue;taint",
         "System;String;false;Join<>;(System.String,System.Collections.Generic.IEnumerable<T>);;Argument[0];ReturnValue;taint",
         "System;String;false;Join<>;(System.String,System.Collections.Generic.IEnumerable<T>);;Element of Argument[1];ReturnValue;taint",
-        "System;String;false;Normalize;();;Argument[-1];ReturnValue;taint",
-        "System;String;false;Normalize;(System.Text.NormalizationForm);;Argument[-1];ReturnValue;taint",
-        "System;String;false;PadLeft;(System.Int32);;Argument[-1];ReturnValue;taint",
-        "System;String;false;PadLeft;(System.Int32,System.Char);;Argument[-1];ReturnValue;taint",
-        "System;String;false;PadRight;(System.Int32);;Argument[-1];ReturnValue;taint",
-        "System;String;false;PadRight;(System.Int32,System.Char);;Argument[-1];ReturnValue;taint",
-        "System;String;false;Remove;(System.Int32);;Argument[-1];ReturnValue;taint",
-        "System;String;false;Remove;(System.Int32,System.Int32);;Argument[-1];ReturnValue;taint",
+        "System;String;false;Normalize;();;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;Normalize;(System.Text.NormalizationForm);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;PadLeft;(System.Int32);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;PadLeft;(System.Int32,System.Char);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;PadRight;(System.Int32);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;PadRight;(System.Int32,System.Char);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;Remove;(System.Int32);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;Remove;(System.Int32,System.Int32);;Argument[Qualifier];ReturnValue;taint",
         "System;String;false;Replace;(System.Char,System.Char);;Argument[1];ReturnValue;taint",
-        "System;String;false;Replace;(System.Char,System.Char);;Argument[-1];ReturnValue;taint",
+        "System;String;false;Replace;(System.Char,System.Char);;Argument[Qualifier];ReturnValue;taint",
         "System;String;false;Replace;(System.String,System.String);;Argument[1];ReturnValue;taint",
-        "System;String;false;Replace;(System.String,System.String);;Argument[-1];ReturnValue;taint",
-        "System;String;false;Split;(System.Char,System.Int32,System.StringSplitOptions);;Argument[-1];Element of ReturnValue;taint",
-        "System;String;false;Split;(System.Char,System.StringSplitOptions);;Argument[-1];Element of ReturnValue;taint",
-        "System;String;false;Split;(System.Char[]);;Argument[-1];Element of ReturnValue;taint",
-        "System;String;false;Split;(System.Char[],System.Int32);;Argument[-1];Element of ReturnValue;taint",
-        "System;String;false;Split;(System.Char[],System.Int32,System.StringSplitOptions);;Argument[-1];Element of ReturnValue;taint",
-        "System;String;false;Split;(System.Char[],System.StringSplitOptions);;Argument[-1];Element of ReturnValue;taint",
-        "System;String;false;Split;(System.String,System.Int32,System.StringSplitOptions);;Argument[-1];Element of ReturnValue;taint",
-        "System;String;false;Split;(System.String,System.StringSplitOptions);;Argument[-1];Element of ReturnValue;taint",
-        "System;String;false;Split;(System.String[],System.Int32,System.StringSplitOptions);;Argument[-1];Element of ReturnValue;taint",
-        "System;String;false;Split;(System.String[],System.StringSplitOptions);;Argument[-1];Element of ReturnValue;taint",
+        "System;String;false;Replace;(System.String,System.String);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;Split;(System.Char,System.Int32,System.StringSplitOptions);;Argument[Qualifier];Element of ReturnValue;taint",
+        "System;String;false;Split;(System.Char,System.StringSplitOptions);;Argument[Qualifier];Element of ReturnValue;taint",
+        "System;String;false;Split;(System.Char[]);;Argument[Qualifier];Element of ReturnValue;taint",
+        "System;String;false;Split;(System.Char[],System.Int32);;Argument[Qualifier];Element of ReturnValue;taint",
+        "System;String;false;Split;(System.Char[],System.Int32,System.StringSplitOptions);;Argument[Qualifier];Element of ReturnValue;taint",
+        "System;String;false;Split;(System.Char[],System.StringSplitOptions);;Argument[Qualifier];Element of ReturnValue;taint",
+        "System;String;false;Split;(System.String,System.Int32,System.StringSplitOptions);;Argument[Qualifier];Element of ReturnValue;taint",
+        "System;String;false;Split;(System.String,System.StringSplitOptions);;Argument[Qualifier];Element of ReturnValue;taint",
+        "System;String;false;Split;(System.String[],System.Int32,System.StringSplitOptions);;Argument[Qualifier];Element of ReturnValue;taint",
+        "System;String;false;Split;(System.String[],System.StringSplitOptions);;Argument[Qualifier];Element of ReturnValue;taint",
         "System;String;false;String;(System.Char[]);;Element of Argument[0];ReturnValue;taint",
         "System;String;false;String;(System.Char[],System.Int32,System.Int32);;Element of Argument[0];ReturnValue;taint",
-        "System;String;false;Substring;(System.Int32);;Argument[-1];ReturnValue;taint",
-        "System;String;false;Substring;(System.Int32,System.Int32);;Argument[-1];ReturnValue;taint",
-        "System;String;false;ToLower;();;Argument[-1];ReturnValue;taint",
-        "System;String;false;ToLower;(System.Globalization.CultureInfo);;Argument[-1];ReturnValue;taint",
-        "System;String;false;ToLowerInvariant;();;Argument[-1];ReturnValue;taint",
-        "System;String;false;ToString;();;Argument[-1];ReturnValue;value",
-        "System;String;false;ToString;(System.IFormatProvider);;Argument[-1];ReturnValue;value",
-        "System;String;false;ToUpper;();;Argument[-1];ReturnValue;taint",
-        "System;String;false;ToUpper;(System.Globalization.CultureInfo);;Argument[-1];ReturnValue;taint",
-        "System;String;false;ToUpperInvariant;();;Argument[-1];ReturnValue;taint",
-        "System;String;false;Trim;();;Argument[-1];ReturnValue;taint",
-        "System;String;false;Trim;(System.Char);;Argument[-1];ReturnValue;taint",
-        "System;String;false;Trim;(System.Char[]);;Argument[-1];ReturnValue;taint",
-        "System;String;false;TrimEnd;();;Argument[-1];ReturnValue;taint",
-        "System;String;false;TrimEnd;(System.Char);;Argument[-1];ReturnValue;taint",
-        "System;String;false;TrimEnd;(System.Char[]);;Argument[-1];ReturnValue;taint",
-        "System;String;false;TrimStart;();;Argument[-1];ReturnValue;taint",
-        "System;String;false;TrimStart;(System.Char);;Argument[-1];ReturnValue;taint",
-        "System;String;false;TrimStart;(System.Char[]);;Argument[-1];ReturnValue;taint",
+        "System;String;false;Substring;(System.Int32);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;Substring;(System.Int32,System.Int32);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;ToLower;();;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;ToLower;(System.Globalization.CultureInfo);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;ToLowerInvariant;();;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;ToString;();;Argument[Qualifier];ReturnValue;value",
+        "System;String;false;ToString;(System.IFormatProvider);;Argument[Qualifier];ReturnValue;value",
+        "System;String;false;ToUpper;();;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;ToUpper;(System.Globalization.CultureInfo);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;ToUpperInvariant;();;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;Trim;();;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;Trim;(System.Char);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;Trim;(System.Char[]);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;TrimEnd;();;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;TrimEnd;(System.Char);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;TrimEnd;(System.Char[]);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;TrimStart;();;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;TrimStart;(System.Char);;Argument[Qualifier];ReturnValue;taint",
+        "System;String;false;TrimStart;(System.Char[]);;Argument[Qualifier];ReturnValue;taint",
       ]
   }
 }
@@ -1072,13 +1072,13 @@ private class SystemUriFlowModelCsv extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        "System;Uri;false;ToString;();;Argument[-1];ReturnValue;taint",
+        "System;Uri;false;ToString;();;Argument[Qualifier];ReturnValue;taint",
         "System;Uri;false;Uri;(System.String);;Argument[0];ReturnValue;taint",
         "System;Uri;false;Uri;(System.String,System.Boolean);;Argument[0];ReturnValue;taint",
         "System;Uri;false;Uri;(System.String,System.UriKind);;Argument[0];ReturnValue;taint",
-        "System;Uri;false;get_OriginalString;();;Argument[-1];ReturnValue;taint",
-        "System;Uri;false;get_PathAndQuery;();;Argument[-1];ReturnValue;taint",
-        "System;Uri;false;get_Query;();;Argument[-1];ReturnValue;taint",
+        "System;Uri;false;get_OriginalString;();;Argument[Qualifier];ReturnValue;taint",
+        "System;Uri;false;get_PathAndQuery;();;Argument[Qualifier];ReturnValue;taint",
+        "System;Uri;false;get_Query;();;Argument[Qualifier];ReturnValue;taint",
       ]
   }
 }
@@ -1371,13 +1371,13 @@ private class SystemTupleTFlowModelCsv extends SummaryModelCsv {
         "System;Tuple<,,,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6,T7,TRest);;Argument[4];Property[System.Tuple<,,,,,,,>.Item5] of ReturnValue;value",
         "System;Tuple<,,,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6,T7,TRest);;Argument[5];Property[System.Tuple<,,,,,,,>.Item6] of ReturnValue;value",
         "System;Tuple<,,,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6,T7,TRest);;Argument[6];Property[System.Tuple<,,,,,,,>.Item7] of ReturnValue;value",
-        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item2] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item3] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item4] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item5] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item6] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item7] of Argument[-1];ReturnValue;value",
+        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item2] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item3] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item4] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item5] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item6] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,,>.Item7] of Argument[Qualifier];ReturnValue;value",
         "System;Tuple<,,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6,T7);;Argument[0];Property[System.Tuple<,,,,,,>.Item1] of ReturnValue;value",
         "System;Tuple<,,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6,T7);;Argument[1];Property[System.Tuple<,,,,,,>.Item2] of ReturnValue;value",
         "System;Tuple<,,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6,T7);;Argument[2];Property[System.Tuple<,,,,,,>.Item3] of ReturnValue;value",
@@ -1385,55 +1385,55 @@ private class SystemTupleTFlowModelCsv extends SummaryModelCsv {
         "System;Tuple<,,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6,T7);;Argument[4];Property[System.Tuple<,,,,,,>.Item5] of ReturnValue;value",
         "System;Tuple<,,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6,T7);;Argument[5];Property[System.Tuple<,,,,,,>.Item6] of ReturnValue;value",
         "System;Tuple<,,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6,T7);;Argument[6];Property[System.Tuple<,,,,,,>.Item7] of ReturnValue;value",
-        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item2] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item3] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item4] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item5] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item6] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item7] of Argument[-1];ReturnValue;value",
+        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item2] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item3] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item4] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item5] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item6] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,,>.Item7] of Argument[Qualifier];ReturnValue;value",
         "System;Tuple<,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6);;Argument[0];Property[System.Tuple<,,,,,>.Item1] of ReturnValue;value",
         "System;Tuple<,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6);;Argument[1];Property[System.Tuple<,,,,,>.Item2] of ReturnValue;value",
         "System;Tuple<,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6);;Argument[2];Property[System.Tuple<,,,,,>.Item3] of ReturnValue;value",
         "System;Tuple<,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6);;Argument[3];Property[System.Tuple<,,,,,>.Item4] of ReturnValue;value",
         "System;Tuple<,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6);;Argument[4];Property[System.Tuple<,,,,,>.Item5] of ReturnValue;value",
         "System;Tuple<,,,,,>;false;Tuple;(T1,T2,T3,T4,T5,T6);;Argument[5];Property[System.Tuple<,,,,,>.Item6] of ReturnValue;value",
-        "System;Tuple<,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,>.Item2] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,>.Item3] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,>.Item4] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,>.Item5] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,>.Item6] of Argument[-1];ReturnValue;value",
+        "System;Tuple<,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,>.Item2] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,>.Item3] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,>.Item4] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,>.Item5] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,,>.Item6] of Argument[Qualifier];ReturnValue;value",
         "System;Tuple<,,,,>;false;Tuple;(T1,T2,T3,T4,T5);;Argument[0];Property[System.Tuple<,,,,>.Item1] of ReturnValue;value",
         "System;Tuple<,,,,>;false;Tuple;(T1,T2,T3,T4,T5);;Argument[1];Property[System.Tuple<,,,,>.Item2] of ReturnValue;value",
         "System;Tuple<,,,,>;false;Tuple;(T1,T2,T3,T4,T5);;Argument[2];Property[System.Tuple<,,,,>.Item3] of ReturnValue;value",
         "System;Tuple<,,,,>;false;Tuple;(T1,T2,T3,T4,T5);;Argument[3];Property[System.Tuple<,,,,>.Item4] of ReturnValue;value",
         "System;Tuple<,,,,>;false;Tuple;(T1,T2,T3,T4,T5);;Argument[4];Property[System.Tuple<,,,,>.Item5] of ReturnValue;value",
-        "System;Tuple<,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,>.Item2] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,>.Item3] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,>.Item4] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,>.Item5] of Argument[-1];ReturnValue;value",
+        "System;Tuple<,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,>.Item2] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,>.Item3] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,>.Item4] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,,>.Item5] of Argument[Qualifier];ReturnValue;value",
         "System;Tuple<,,,>;false;Tuple;(T1,T2,T3,T4);;Argument[0];Property[System.Tuple<,,,>.Item1] of ReturnValue;value",
         "System;Tuple<,,,>;false;Tuple;(T1,T2,T3,T4);;Argument[1];Property[System.Tuple<,,,>.Item2] of ReturnValue;value",
         "System;Tuple<,,,>;false;Tuple;(T1,T2,T3,T4);;Argument[2];Property[System.Tuple<,,,>.Item3] of ReturnValue;value",
         "System;Tuple<,,,>;false;Tuple;(T1,T2,T3,T4);;Argument[3];Property[System.Tuple<,,,>.Item4] of ReturnValue;value",
-        "System;Tuple<,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,>.Item2] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,>.Item3] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,>.Item4] of Argument[-1];ReturnValue;value",
+        "System;Tuple<,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,>.Item2] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,>.Item3] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,,>.Item4] of Argument[Qualifier];ReturnValue;value",
         "System;Tuple<,,>;false;Tuple;(T1,T2,T3);;Argument[0];Property[System.Tuple<,,>.Item1] of ReturnValue;value",
         "System;Tuple<,,>;false;Tuple;(T1,T2,T3);;Argument[1];Property[System.Tuple<,,>.Item2] of ReturnValue;value",
         "System;Tuple<,,>;false;Tuple;(T1,T2,T3);;Argument[2];Property[System.Tuple<,,>.Item3] of ReturnValue;value",
-        "System;Tuple<,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,>.Item2] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,>.Item3] of Argument[-1];ReturnValue;value",
+        "System;Tuple<,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,>.Item2] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,,>;false;get_Item;(System.Int32);;Property[System.Tuple<,,>.Item3] of Argument[Qualifier];ReturnValue;value",
         "System;Tuple<,>;false;Tuple;(T1,T2);;Argument[0];Property[System.Tuple<,>.Item1] of ReturnValue;value",
         "System;Tuple<,>;false;Tuple;(T1,T2);;Argument[1];Property[System.Tuple<,>.Item2] of ReturnValue;value",
-        "System;Tuple<,>;false;get_Item;(System.Int32);;Property[System.Tuple<,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;Tuple<,>;false;get_Item;(System.Int32);;Property[System.Tuple<,>.Item2] of Argument[-1];ReturnValue;value",
+        "System;Tuple<,>;false;get_Item;(System.Int32);;Property[System.Tuple<,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;Tuple<,>;false;get_Item;(System.Int32);;Property[System.Tuple<,>.Item2] of Argument[Qualifier];ReturnValue;value",
         "System;Tuple<>;false;Tuple;(T1);;Argument[0];Property[System.Tuple<>.Item1] of ReturnValue;value",
-        "System;Tuple<>;false;get_Item;(System.Int32);;Property[System.Tuple<>.Item1] of Argument[-1];ReturnValue;value",
+        "System;Tuple<>;false;get_Item;(System.Int32);;Property[System.Tuple<>.Item1] of Argument[Qualifier];ReturnValue;value",
       ]
   }
 }
@@ -1629,13 +1629,13 @@ private class SystemValueTupleTFlowModelCsv extends SummaryModelCsv {
         "System;ValueTuple<,,,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6,T7,TRest);;Argument[4];Field[System.ValueTuple<,,,,,,,>.Item5] of ReturnValue;value",
         "System;ValueTuple<,,,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6,T7,TRest);;Argument[5];Field[System.ValueTuple<,,,,,,,>.Item6] of ReturnValue;value",
         "System;ValueTuple<,,,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6,T7,TRest);;Argument[6];Field[System.ValueTuple<,,,,,,,>.Item7] of ReturnValue;value",
-        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item2] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item3] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item4] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item5] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item6] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item7] of Argument[-1];ReturnValue;value",
+        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item2] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item3] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item4] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item5] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item6] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,,>.Item7] of Argument[Qualifier];ReturnValue;value",
         "System;ValueTuple<,,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6,T7);;Argument[0];Field[System.ValueTuple<,,,,,,>.Item1] of ReturnValue;value",
         "System;ValueTuple<,,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6,T7);;Argument[1];Field[System.ValueTuple<,,,,,,>.Item2] of ReturnValue;value",
         "System;ValueTuple<,,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6,T7);;Argument[2];Field[System.ValueTuple<,,,,,,>.Item3] of ReturnValue;value",
@@ -1643,55 +1643,55 @@ private class SystemValueTupleTFlowModelCsv extends SummaryModelCsv {
         "System;ValueTuple<,,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6,T7);;Argument[4];Field[System.ValueTuple<,,,,,,>.Item5] of ReturnValue;value",
         "System;ValueTuple<,,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6,T7);;Argument[5];Field[System.ValueTuple<,,,,,,>.Item6] of ReturnValue;value",
         "System;ValueTuple<,,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6,T7);;Argument[6];Field[System.ValueTuple<,,,,,,>.Item7] of ReturnValue;value",
-        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item2] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item3] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item4] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item5] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item6] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item7] of Argument[-1];ReturnValue;value",
+        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item2] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item3] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item4] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item5] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item6] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,,>.Item7] of Argument[Qualifier];ReturnValue;value",
         "System;ValueTuple<,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6);;Argument[0];Field[System.ValueTuple<,,,,,>.Item1] of ReturnValue;value",
         "System;ValueTuple<,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6);;Argument[1];Field[System.ValueTuple<,,,,,>.Item2] of ReturnValue;value",
         "System;ValueTuple<,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6);;Argument[2];Field[System.ValueTuple<,,,,,>.Item3] of ReturnValue;value",
         "System;ValueTuple<,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6);;Argument[3];Field[System.ValueTuple<,,,,,>.Item4] of ReturnValue;value",
         "System;ValueTuple<,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6);;Argument[4];Field[System.ValueTuple<,,,,,>.Item5] of ReturnValue;value",
         "System;ValueTuple<,,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5,T6);;Argument[5];Field[System.ValueTuple<,,,,,>.Item6] of ReturnValue;value",
-        "System;ValueTuple<,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,>.Item2] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,>.Item3] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,>.Item4] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,>.Item5] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,>.Item6] of Argument[-1];ReturnValue;value",
+        "System;ValueTuple<,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,>.Item2] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,>.Item3] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,>.Item4] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,>.Item5] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,,>.Item6] of Argument[Qualifier];ReturnValue;value",
         "System;ValueTuple<,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5);;Argument[0];Field[System.ValueTuple<,,,,>.Item1] of ReturnValue;value",
         "System;ValueTuple<,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5);;Argument[1];Field[System.ValueTuple<,,,,>.Item2] of ReturnValue;value",
         "System;ValueTuple<,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5);;Argument[2];Field[System.ValueTuple<,,,,>.Item3] of ReturnValue;value",
         "System;ValueTuple<,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5);;Argument[3];Field[System.ValueTuple<,,,,>.Item4] of ReturnValue;value",
         "System;ValueTuple<,,,,>;false;ValueTuple;(T1,T2,T3,T4,T5);;Argument[4];Field[System.ValueTuple<,,,,>.Item5] of ReturnValue;value",
-        "System;ValueTuple<,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,>.Item2] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,>.Item3] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,>.Item4] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,>.Item5] of Argument[-1];ReturnValue;value",
+        "System;ValueTuple<,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,>.Item2] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,>.Item3] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,>.Item4] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,,>.Item5] of Argument[Qualifier];ReturnValue;value",
         "System;ValueTuple<,,,>;false;ValueTuple;(T1,T2,T3,T4);;Argument[0];Field[System.ValueTuple<,,,>.Item1] of ReturnValue;value",
         "System;ValueTuple<,,,>;false;ValueTuple;(T1,T2,T3,T4);;Argument[1];Field[System.ValueTuple<,,,>.Item2] of ReturnValue;value",
         "System;ValueTuple<,,,>;false;ValueTuple;(T1,T2,T3,T4);;Argument[2];Field[System.ValueTuple<,,,>.Item3] of ReturnValue;value",
         "System;ValueTuple<,,,>;false;ValueTuple;(T1,T2,T3,T4);;Argument[3];Field[System.ValueTuple<,,,>.Item4] of ReturnValue;value",
-        "System;ValueTuple<,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,>.Item2] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,>.Item3] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,>.Item4] of Argument[-1];ReturnValue;value",
+        "System;ValueTuple<,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,>.Item2] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,>.Item3] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,,>.Item4] of Argument[Qualifier];ReturnValue;value",
         "System;ValueTuple<,,>;false;ValueTuple;(T1,T2,T3);;Argument[0];Field[System.ValueTuple<,,>.Item1] of ReturnValue;value",
         "System;ValueTuple<,,>;false;ValueTuple;(T1,T2,T3);;Argument[1];Field[System.ValueTuple<,,>.Item2] of ReturnValue;value",
         "System;ValueTuple<,,>;false;ValueTuple;(T1,T2,T3);;Argument[2];Field[System.ValueTuple<,,>.Item3] of ReturnValue;value",
-        "System;ValueTuple<,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,>.Item2] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,>.Item3] of Argument[-1];ReturnValue;value",
+        "System;ValueTuple<,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,>.Item2] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,,>.Item3] of Argument[Qualifier];ReturnValue;value",
         "System;ValueTuple<,>;false;ValueTuple;(T1,T2);;Argument[0];Field[System.ValueTuple<,>.Item1] of ReturnValue;value",
         "System;ValueTuple<,>;false;ValueTuple;(T1,T2);;Argument[1];Field[System.ValueTuple<,>.Item2] of ReturnValue;value",
-        "System;ValueTuple<,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,>.Item1] of Argument[-1];ReturnValue;value",
-        "System;ValueTuple<,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,>.Item2] of Argument[-1];ReturnValue;value",
+        "System;ValueTuple<,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,>.Item1] of Argument[Qualifier];ReturnValue;value",
+        "System;ValueTuple<,>;false;get_Item;(System.Int32);;Field[System.ValueTuple<,>.Item2] of Argument[Qualifier];ReturnValue;value",
         "System;ValueTuple<>;false;ValueTuple;(T1);;Argument[0];Field[System.ValueTuple<>.Item1] of ReturnValue;value",
-        "System;ValueTuple<>;false;get_Item;(System.Int32);;Field[System.ValueTuple<>.Item1] of Argument[-1];ReturnValue;value",
+        "System;ValueTuple<>;false;get_Item;(System.Int32);;Field[System.ValueTuple<>.Item1] of Argument[Qualifier];ReturnValue;value",
       ]
   }
 }

csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/VisualBasic.qll

@@ -7,10 +7,10 @@ private class MicrosoftVisualBasicCollectionFlowModelCsv extends SummaryModelCsv
   override predicate row(string row) {
     row =
       [
-        "Microsoft.VisualBasic;Collection;false;GetEnumerator;();;Element of Argument[-1];Property[System.Collections.IEnumerator.Current] of ReturnValue;value",
-        "Microsoft.VisualBasic;Collection;false;get_Item;(System.Int32);;Element of Argument[-1];ReturnValue;value",
-        "Microsoft.VisualBasic;Collection;false;get_Item;(System.Object);;Element of Argument[-1];ReturnValue;value",
-        "Microsoft.VisualBasic;Collection;false;get_Item;(System.String);;Element of Argument[-1];ReturnValue;value",
+        "Microsoft.VisualBasic;Collection;false;GetEnumerator;();;Element of Argument[Qualifier];Property[System.Collections.IEnumerator.Current] of ReturnValue;value",
+        "Microsoft.VisualBasic;Collection;false;get_Item;(System.Int32);;Element of Argument[Qualifier];ReturnValue;value",
+        "Microsoft.VisualBasic;Collection;false;get_Item;(System.Object);;Element of Argument[Qualifier];ReturnValue;value",
+        "Microsoft.VisualBasic;Collection;false;get_Item;(System.String);;Element of Argument[Qualifier];ReturnValue;value",
       ]
   }
 }

csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/extensions/Primitives.qll

@@ -8,7 +8,7 @@ private class MicrosoftExtensionsPrimitivesStringValuesFlowModelCsv extends Summ
     row =
       [
         "Microsoft.Extensions.Primitives;StringValues;false;Add;(System.String);;Argument[0];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;Add;(System.String);;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;Add;(System.String);;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Concat;(Microsoft.Extensions.Primitives.StringValues,Microsoft.Extensions.Primitives.StringValues);;Argument[0];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Concat;(Microsoft.Extensions.Primitives.StringValues,Microsoft.Extensions.Primitives.StringValues);;Argument[1];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Concat;(Microsoft.Extensions.Primitives.StringValues,System.String);;Argument[0];ReturnValue;taint",
@@ -16,12 +16,12 @@ private class MicrosoftExtensionsPrimitivesStringValuesFlowModelCsv extends Summ
         "Microsoft.Extensions.Primitives;StringValues;false;Concat;(System.String,Microsoft.Extensions.Primitives.StringValues);;Argument[0];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Concat;(System.String,Microsoft.Extensions.Primitives.StringValues);;Argument[1];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Contains;(System.String);;Argument[0];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;Contains;(System.String);;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;Contains;(System.String);;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;CopyTo;(System.String[],System.Int32);;Element of Argument[0];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;CopyTo;(System.String[],System.Int32);;Argument[1];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;CopyTo;(System.String[],System.Int32);;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;CopyTo;(System.String[],System.Int32);;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Equals;(Microsoft.Extensions.Primitives.StringValues);;Argument[0];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;Equals;(Microsoft.Extensions.Primitives.StringValues);;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;Equals;(Microsoft.Extensions.Primitives.StringValues);;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Equals;(Microsoft.Extensions.Primitives.StringValues,Microsoft.Extensions.Primitives.StringValues);;Argument[0];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Equals;(Microsoft.Extensions.Primitives.StringValues,Microsoft.Extensions.Primitives.StringValues);;Argument[1];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Equals;(Microsoft.Extensions.Primitives.StringValues,System.String);;Argument[0];ReturnValue;taint",
@@ -29,38 +29,38 @@ private class MicrosoftExtensionsPrimitivesStringValuesFlowModelCsv extends Summ
         "Microsoft.Extensions.Primitives;StringValues;false;Equals;(Microsoft.Extensions.Primitives.StringValues,System.String[]);;Argument[0];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Equals;(Microsoft.Extensions.Primitives.StringValues,System.String[]);;Element of Argument[1];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Equals;(System.Object);;Argument[0];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;Equals;(System.Object);;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;Equals;(System.Object);;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Equals;(System.String);;Argument[0];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;Equals;(System.String);;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;Equals;(System.String);;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Equals;(System.String,Microsoft.Extensions.Primitives.StringValues);;Argument[0];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Equals;(System.String,Microsoft.Extensions.Primitives.StringValues);;Argument[1];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Equals;(System.String[]);;Element of Argument[0];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;Equals;(System.String[]);;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;Equals;(System.String[]);;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Equals;(System.String[],Microsoft.Extensions.Primitives.StringValues);;Element of Argument[0];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Equals;(System.String[],Microsoft.Extensions.Primitives.StringValues);;Argument[1];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;GetEnumerator;();;Argument[-1];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;GetHashCode;();;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;GetEnumerator;();;Argument[Qualifier];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;GetHashCode;();;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;IndexOf;(System.String);;Argument[0];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;IndexOf;(System.String);;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;IndexOf;(System.String);;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Insert;(System.Int32,System.String);;Argument[0];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Insert;(System.Int32,System.String);;Argument[1];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;Insert;(System.Int32,System.String);;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;Insert;(System.Int32,System.String);;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;IsNullOrEmpty;(Microsoft.Extensions.Primitives.StringValues);;Argument[0];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;Remove;(System.String);;Argument[0];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;Remove;(System.String);;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;Remove;(System.String);;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;RemoveAt;(System.Int32);;Argument[0];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;RemoveAt;(System.Int32);;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;RemoveAt;(System.Int32);;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;StringValues;(System.String);;Argument[0];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;StringValues;(System.String[]);;Element of Argument[0];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;ToArray;();;Argument[-1];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;ToString;();;Argument[-1];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;get_Count;();;Argument[-1];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;get_IsReadOnly;();;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;ToArray;();;Argument[Qualifier];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;ToString;();;Argument[Qualifier];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;get_Count;();;Argument[Qualifier];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;get_IsReadOnly;();;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;get_Item;(System.Int32);;Argument[0];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;get_Item;(System.Int32);;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;get_Item;(System.Int32);;Argument[Qualifier];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;set_Item;(System.Int32,System.String);;Argument[0];ReturnValue;taint",
         "Microsoft.Extensions.Primitives;StringValues;false;set_Item;(System.Int32,System.String);;Argument[1];ReturnValue;taint",
-        "Microsoft.Extensions.Primitives;StringValues;false;set_Item;(System.Int32,System.String);;Argument[-1];ReturnValue;taint",
+        "Microsoft.Extensions.Primitives;StringValues;false;set_Item;(System.Int32,System.String);;Argument[Qualifier];ReturnValue;taint",
       ]
   }
 }