Javascript: tentative fix to a weird build problem

Overlay: Add missing `overlay[caller?]` annotation

.github/workflows/check-change-note.yml

@@ -16,7 +16,6 @@ on:
       - "shared/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
-      - "!rust/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -53,7 +53,7 @@ jobs:
       - name: Create database
         run: |
           "${CODEQL}" database create \
-          --search-path "${{ github.workspace }}"
+          --search-path "${{ github.workspace }}" \
           --threads 4 \
             --language ql --source-root "${{ github.workspace }}/repo" \
             "${{ runner.temp }}/database"

.pre-commit-config.yaml

@@ -9,7 +9,7 @@ repos:
       - id: trailing-whitespace
         exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
       - id: end-of-file-fixer
-        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: Cargo.lock$|/test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
 
   - repo: https://github.com/pre-commit/mirrors-clang-format
     rev: v17.0.6
@@ -20,7 +20,7 @@ repos:
     rev: 25.1.0
     hooks:
       - id: black
-        files: ^(misc/codegen/.*|misc/scripts/models-as-data/bulk_generate_mad)\.py$
+        files: ^(misc/codegen/.*|misc/scripts/models-as-data/.*)\.py$
 
   - repo: local
     hooks:

Cargo.toml

@@ -11,8 +11,3 @@ members = [
     "rust/autobuild",
 ]
 exclude = ["mad-generation-build"]
-
-[patch.crates-io]
-# patch for build script bug preventing bazel build
-# see https://github.com/rust-lang/rustc_apfloat/pull/17
-rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "32968f16ef1b082243f9bf43a3fbd65c381b3e27" }

MODULE.bazel

@@ -37,7 +37,7 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
 # the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
 RUST_EDITION = "2024"
 
-RUST_VERSION = "1.85.0"
+RUST_VERSION = "1.86.0"
 
 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
@@ -71,11 +71,11 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.97",
+    "vendor_ts__anyhow-1.0.98",
     "vendor_ts__argfile-0.2.1",
-    "vendor_ts__chalk-ir-0.100.0",
-    "vendor_ts__chrono-0.4.40",
-    "vendor_ts__clap-4.5.35",
+    "vendor_ts__chalk-ir-0.103.0",
+    "vendor_ts__chrono-0.4.41",
+    "vendor_ts__clap-4.5.40",
     "vendor_ts__dunce-1.0.5",
     "vendor_ts__either-1.15.0",
     "vendor_ts__encoding-0.2.33",
@@ -87,33 +87,33 @@ use_repo(
     "vendor_ts__lazy_static-1.5.0",
     "vendor_ts__mustache-0.9.0",
     "vendor_ts__num-traits-0.2.19",
-    "vendor_ts__num_cpus-1.16.0",
-    "vendor_ts__proc-macro2-1.0.94",
+    "vendor_ts__num_cpus-1.17.0",
+    "vendor_ts__proc-macro2-1.0.95",
     "vendor_ts__quote-1.0.40",
-    "vendor_ts__ra_ap_base_db-0.0.273",
-    "vendor_ts__ra_ap_cfg-0.0.273",
-    "vendor_ts__ra_ap_hir-0.0.273",
-    "vendor_ts__ra_ap_hir_def-0.0.273",
-    "vendor_ts__ra_ap_hir_expand-0.0.273",
-    "vendor_ts__ra_ap_hir_ty-0.0.273",
-    "vendor_ts__ra_ap_ide_db-0.0.273",
-    "vendor_ts__ra_ap_intern-0.0.273",
-    "vendor_ts__ra_ap_load-cargo-0.0.273",
-    "vendor_ts__ra_ap_parser-0.0.273",
-    "vendor_ts__ra_ap_paths-0.0.273",
-    "vendor_ts__ra_ap_project_model-0.0.273",
-    "vendor_ts__ra_ap_span-0.0.273",
-    "vendor_ts__ra_ap_stdx-0.0.273",
-    "vendor_ts__ra_ap_syntax-0.0.273",
-    "vendor_ts__ra_ap_vfs-0.0.273",
-    "vendor_ts__rand-0.9.0",
+    "vendor_ts__ra_ap_base_db-0.0.288",
+    "vendor_ts__ra_ap_cfg-0.0.288",
+    "vendor_ts__ra_ap_hir-0.0.288",
+    "vendor_ts__ra_ap_hir_def-0.0.288",
+    "vendor_ts__ra_ap_hir_expand-0.0.288",
+    "vendor_ts__ra_ap_hir_ty-0.0.288",
+    "vendor_ts__ra_ap_ide_db-0.0.288",
+    "vendor_ts__ra_ap_intern-0.0.288",
+    "vendor_ts__ra_ap_load-cargo-0.0.288",
+    "vendor_ts__ra_ap_parser-0.0.288",
+    "vendor_ts__ra_ap_paths-0.0.288",
+    "vendor_ts__ra_ap_project_model-0.0.288",
+    "vendor_ts__ra_ap_span-0.0.288",
+    "vendor_ts__ra_ap_stdx-0.0.288",
+    "vendor_ts__ra_ap_syntax-0.0.288",
+    "vendor_ts__ra_ap_vfs-0.0.288",
+    "vendor_ts__rand-0.9.1",
     "vendor_ts__rayon-1.10.0",
     "vendor_ts__regex-1.11.1",
     "vendor_ts__serde-1.0.219",
     "vendor_ts__serde_json-1.0.140",
-    "vendor_ts__serde_with-3.12.0",
-    "vendor_ts__syn-2.0.100",
-    "vendor_ts__toml-0.8.20",
+    "vendor_ts__serde_with-3.13.0",
+    "vendor_ts__syn-2.0.103",
+    "vendor_ts__toml-0.8.23",
     "vendor_ts__tracing-0.1.41",
     "vendor_ts__tracing-flame-0.2.0",
     "vendor_ts__tracing-subscriber-0.3.19",

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 0.4.12
+
+### Minor Analysis Improvements
+
+* Fixed performance issues in the parsing of Bash scripts in workflow files,
+  which led to out-of-disk errors when analysing certain workflow files with
+  complex interpolations of shell commands or quoted strings.
+
 ## 0.4.11
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.12.md

@@ -1,6 +1,7 @@
----
-category: minorAnalysis
----
+## 0.4.12
+
+### Minor Analysis Improvements
+
 * Fixed performance issues in the parsing of Bash scripts in workflow files,
   which led to out-of-disk errors when analysing certain workflow files with
-  complex interpolations of shell commands or quoted strings.
+  complex interpolations of shell commands or quoted strings.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.11
+lastReleaseVersion: 0.4.12

actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll

@@ -216,6 +216,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll

@@ -18,6 +18,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll

@@ -17,6 +17,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.12-dev
+version: 0.4.13-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.6.4
+
+No user-facing changes.
+
 ## 0.6.3
 
 No user-facing changes.

actions/ql/src/Models/CompositeActionsSinks.ql

@@ -26,6 +26,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/CompositeActionsSources.ql

@@ -36,6 +36,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/CompositeActionsSummaries.ql

@@ -27,6 +27,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSinks.ql

@@ -26,6 +26,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSources.ql

@@ -36,6 +36,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSummaries.ql

@@ -27,6 +27,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/change-notes/released/0.6.4.md

@@ -0,0 +1,3 @@
+## 0.6.4
+
+No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.3
+lastReleaseVersion: 0.6.4

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.4-dev
+version: 0.6.5-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

config/add-overlay-annotations.py

@@ -17,16 +17,16 @@
 #!/usr/bin/python3
 import sys
 import os
+import re
 from difflib import context_diff
 
+OVERLAY_PATTERN = re.compile(r'overlay\[[a-zA-Z?_-]+\]')
 
 def has_overlay_annotations(lines):
     '''
     Check whether the given lines contain any overlay[...] annotations.
     '''
-    overlays = ["local", "local?", "global", "caller", "caller?"]
-    annotations = [f"overlay[{t}]" for t in overlays]
-    return any(ann in line for ann in annotations for line in lines)
+    return any(OVERLAY_PATTERN.search(line) for line in lines)
 
 
 def is_line_comment(line):

config/dbscheme-fragments.json

@@ -11,6 +11,7 @@
     "/*- Diagnostic messages -*/",
     "/*- Diagnostic messages: severity -*/",
     "/*- Source location prefix -*/",
+    "/*- Database metadata -*/",
     "/*- Lines of code -*/",
     "/*- Configuration files with key value pairs -*/",
     "/*- YAML -*/",
@@ -31,4 +32,4 @@
     "/*- Python dbscheme -*/",
     "/*- Empty location -*/"
   ]
-}
+}

config/opcode-qldoc.py

@@ -8,9 +8,9 @@ needs_an_re = re.compile(r'^(?!Unary)[AEIOU]')  # Name requiring "an" instead of
 start_qldoc_re = re.compile(r'^\s*/\*\*')  # Start of a QLDoc comment
 end_qldoc_re = re.compile(r'\*/\s*$')  # End of a QLDoc comment
 blank_qldoc_line_re = re.compile(r'^\s*\*\s*$')  # A line in a QLDoc comment with only the '*'
-instruction_class_re = re.compile(r'^class (?P<name>[A-aa-z0-9]+)Instruction\s')  # Declaration of an `Instruction` class
-opcode_base_class_re = re.compile(r'^abstract class (?P<name>[A-aa-z0-9]+)Opcode\s')  # Declaration of an `Opcode` base class
-opcode_class_re = re.compile(r'^  class (?P<name>[A-aa-z0-9]+)\s')  # Declaration of an `Opcode` class
+instruction_class_re = re.compile(r'^class (?P<name>[A-Za-z0-9]+)Instruction\s')  # Declaration of an `Instruction` class
+opcode_base_class_re = re.compile(r'^abstract class (?P<name>[A-Za-z0-9]+)Opcode\s')  # Declaration of an `Opcode` base class
+opcode_class_re = re.compile(r'^  class (?P<name>[A-Za-z0-9]+)\s')  # Declaration of an `Opcode` class
 
 script_dir = path.realpath(path.dirname(__file__))
 instruction_path = path.realpath(path.join(script_dir, '../cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll'))

cpp/downgrades/7bc12b02a4363149f0727a4bce07952dbb9d98aa/builtintypes.ql

@@ -0,0 +1,14 @@
+class BuiltinType extends @builtintype {
+  string toString() { none() }
+}
+
+from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
+where
+  builtintypes(type, name, kind, size, sign, alignment) and
+  if
+    type instanceof @complex_fp16 or
+    type instanceof @complex_std_bfloat16 or
+    type instanceof @complex_std_float16
+  then kind_new = 2
+  else kind_new = kind
+select type, name, kind_new, size, sign, alignment

cpp/downgrades/7bc12b02a4363149f0727a4bce07952dbb9d98aa/upgrade.properties

@@ -0,0 +1,3 @@
+description: Introduce new complex 16-bit floating-point types
+compatibility: backwards
+builtintypes.rel: run builtintypes.qlo

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,20 @@
+## 5.2.0
+
+### Deprecated APIs
+
+* The `ThrowingFunction` class (`semmle.code.cpp.models.interfaces.Throwing`) has been deprecated. Please use the `AlwaysSehThrowingFunction` class instead.
+
+### New Features
+
+* Added a predicate `getAnAttribute` to `Namespace` to retrieve a namespace attribute.
+* The Microsoft-specific `__leave` statement is now supported.
+* A new class `LeaveStmt` extending `JumpStmt` was added to represent `__leave` statements.
+* Added a predicate `hasParameterList` to `LambdaExpression` to capture whether a lambda has an explicitly specified parameter list.
+
+### Bug Fixes
+
+* `resolveTypedefs` now properly resolves typedefs for `ArrayType`s.
+
 ## 5.1.0
 
 ### New Features

cpp/ql/lib/change-notes/2014-12-13-deprecate-throwing.md

@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* The `ThrowingFunction` class (`semmle.code.cpp.models.interfaces.Throwing`) has been deprecated. Please use the `AlwaysSehThrowingFunction` class instead.

cpp/ql/lib/change-notes/2025-06-06-lambda-parameters.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a predicate `hasParameterList` to `LambdaExpression` to capture whether a lambda has an explicitly specified parameter list.

cpp/ql/lib/change-notes/2025-06-11-leave-stmt.md

@@ -1,5 +0,0 @@
----
-category: feature
----
-* The Microsoft-specific `__leave` statement is now supported.
-* A new class `LeaveStmt` extending `JumpStmt` was added to represent `__leave` statements.

cpp/ql/lib/change-notes/2025-06-16-namespace-attributes.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a predicate `getAnAttribute` to `Namespace` to retrieve a namespace attribute.

cpp/ql/lib/change-notes/2025-06-17-arraytype-typedefs.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* `resolveTypedefs` now properly resolves typedefs for `ArrayType`s.

cpp/ql/lib/change-notes/2025-06-20-oracle-oci-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `sql-injection` sink models for the Oracle Call Interface (OCI) database library functions `OCIStmtPrepare` and `OCIStmtPrepare2`.

cpp/ql/lib/change-notes/2025-06-24-float16.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for `__fp16 _Complex` and `__bf16 _Complex` types

cpp/ql/lib/change-notes/released/5.2.0.md

@@ -0,0 +1,16 @@
+## 5.2.0
+
+### Deprecated APIs
+
+* The `ThrowingFunction` class (`semmle.code.cpp.models.interfaces.Throwing`) has been deprecated. Please use the `AlwaysSehThrowingFunction` class instead.
+
+### New Features
+
+* Added a predicate `getAnAttribute` to `Namespace` to retrieve a namespace attribute.
+* The Microsoft-specific `__leave` statement is now supported.
+* A new class `LeaveStmt` extending `JumpStmt` was added to represent `__leave` statements.
+* Added a predicate `hasParameterList` to `LambdaExpression` to capture whether a lambda has an explicitly specified parameter list.
+
+### Bug Fixes
+
+* `resolveTypedefs` now properly resolves typedefs for `ArrayType`s.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.1.0
+lastReleaseVersion: 5.2.0

cpp/ql/lib/experimental/quantum/Language.qll

@@ -56,7 +56,7 @@ module ArtifactFlowConfig implements DataFlow::ConfigSig {
 module ArtifactFlow = DataFlow::Global<ArtifactFlowConfig>;
 
 /**
- * Artifact output to node input configuration
+ * An artifact output to node input configuration
  */
 abstract class AdditionalFlowInputStep extends DataFlow::Node {
   abstract DataFlow::Node getOutput();
@@ -91,9 +91,8 @@ module GenericDataSourceFlowConfig implements DataFlow::ConfigSig {
 
 module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig>;
 
-private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
-  ConstantDataSource() { this instanceof OpenSslGenericSourceCandidateLiteral }
-
+private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof OpenSslGenericSourceCandidateLiteral
+{
   override DataFlow::Node getOutputNode() { result.asExpr() = this }
 
   override predicate flowsTo(Crypto::FlowAwareElement other) {

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll

@@ -48,7 +48,7 @@ module KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::
 module KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow =
   DataFlow::Global<KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig>;
 
-module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
+module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OpenSslPaddingLiteral }
 
   predicate isSink(DataFlow::Node sink) {
@@ -60,8 +60,8 @@ module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataF
   }
 }
 
-module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow =
-  DataFlow::Global<RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;
+module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow =
+  DataFlow::Global<RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;
 
 class OpenSslAlgorithmAdditionalFlowStep extends AdditionalFlowInputStep {
   OpenSslAlgorithmAdditionalFlowStep() { exists(AlgorithmPassthroughCall c | c.getInNode() = this) }
@@ -114,11 +114,11 @@ class CopyAndDupAlgorithmPassthroughCall extends AlgorithmPassthroughCall {
   override DataFlow::Node getOutNode() { result = outNode }
 }
 
-class NIDToPointerPassthroughCall extends AlgorithmPassthroughCall {
+class NidToPointerPassthroughCall extends AlgorithmPassthroughCall {
   DataFlow::Node inNode;
   DataFlow::Node outNode;
 
-  NIDToPointerPassthroughCall() {
+  NidToPointerPassthroughCall() {
     this.getTarget().getName() in ["OBJ_nid2obj", "OBJ_nid2ln", "OBJ_nid2sn"] and
     inNode.asExpr() = this.getArgument(0) and
     outNode.asExpr() = this
@@ -150,11 +150,11 @@ class PointerToPointerPassthroughCall extends AlgorithmPassthroughCall {
   override DataFlow::Node getOutNode() { result = outNode }
 }
 
-class PointerToNIDPassthroughCall extends AlgorithmPassthroughCall {
+class PointerToNidPassthroughCall extends AlgorithmPassthroughCall {
   DataFlow::Node inNode;
   DataFlow::Node outNode;
 
-  PointerToNIDPassthroughCall() {
+  PointerToNidPassthroughCall() {
     this.getTarget().getName() in ["OBJ_obj2nid", "OBJ_ln2nid", "OBJ_sn2nid", "OBJ_txt2nid"] and
     (
       inNode.asIndirectExpr() = this.getArgument(0)

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll

@@ -5,36 +5,35 @@ private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmCon
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 private import AlgToAVCFlow
+private import codeql.quantum.experimental.Standardization::Types::KeyOpAlg as KeyOpAlg
 
 /**
  * Given a `KnownOpenSslBlockModeAlgorithmExpr`, converts this to a block family type.
  * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSslConstantToBlockModeFamilyType(
-  KnownOpenSslBlockModeAlgorithmExpr e, Crypto::TBlockCipherModeOfOperationType type
+  KnownOpenSslBlockModeAlgorithmExpr e, KeyOpAlg::ModeOfOperationType type
 ) {
   exists(string name |
     name = e.(KnownOpenSslAlgorithmExpr).getNormalizedName() and
     (
-      name.matches("CBC") and type instanceof Crypto::CBC
+      name = "CBC" and type instanceof KeyOpAlg::CBC
       or
-      name.matches("CFB%") and type instanceof Crypto::CFB
+      name = "CFB%" and type instanceof KeyOpAlg::CFB
       or
-      name.matches("CTR") and type instanceof Crypto::CTR
+      name = "CTR" and type instanceof KeyOpAlg::CTR
       or
-      name.matches("GCM") and type instanceof Crypto::GCM
+      name = "GCM" and type instanceof KeyOpAlg::GCM
       or
-      name.matches("OFB") and type instanceof Crypto::OFB
+      name = "OFB" and type instanceof KeyOpAlg::OFB
       or
-      name.matches("XTS") and type instanceof Crypto::XTS
+      name = "XTS" and type instanceof KeyOpAlg::XTS
       or
-      name.matches("CCM") and type instanceof Crypto::CCM
+      name = "CCM" and type instanceof KeyOpAlg::CCM
       or
-      name.matches("GCM") and type instanceof Crypto::GCM
+      name = "CCM" and type instanceof KeyOpAlg::CCM
       or
-      name.matches("CCM") and type instanceof Crypto::CCM
-      or
-      name.matches("ECB") and type instanceof Crypto::ECB
+      name = "ECB" and type instanceof KeyOpAlg::ECB
     )
   )
 }
@@ -64,10 +63,10 @@ class KnownOpenSslBlockModeConstantAlgorithmInstance extends OpenSslAlgorithmIns
     getterCall = this
   }
 
-  override Crypto::TBlockCipherModeOfOperationType getModeType() {
+  override KeyOpAlg::ModeOfOperationType getModeType() {
     knownOpenSslConstantToBlockModeFamilyType(this, result)
     or
-    not knownOpenSslConstantToBlockModeFamilyType(this, _) and result = Crypto::OtherMode()
+    not knownOpenSslConstantToBlockModeFamilyType(this, _) and result = KeyOpAlg::OtherMode()
   }
 
   // NOTE: I'm not going to attempt to parse out the mode specific part, so returning

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll

@@ -33,9 +33,9 @@ predicate knownOpenSslConstantToCipherFamilyType(
       or
       name.matches("CAST5%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CAST5())
       or
-      name.matches("2DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DoubleDES())
+      name.matches("2DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DOUBLE_DES())
       or
-      name.matches("3DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TripleDES())
+      name.matches("3DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TRIPLE_DES())
       or
       name.matches("DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DES())
       or
@@ -113,7 +113,7 @@ class KnownOpenSslCipherConstantAlgorithmInstance extends OpenSslAlgorithmInstan
     this.(KnownOpenSslCipherAlgorithmExpr).getExplicitKeySize() = result
   }
 
-  override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {
+  override KeyOpAlg::AlgorithmType getAlgorithmType() {
     knownOpenSslConstantToCipherFamilyType(this, result)
     or
     not knownOpenSslConstantToCipherFamilyType(this, _) and

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll

@@ -39,8 +39,14 @@ class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorith
     result = this.(Call).getTarget().getName()
   }
 
-  override Crypto::TEllipticCurveType getEllipticCurveType() {
-    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _, result)
+  override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
+    if
+      Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
+        _)
+    then
+      Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
+        result)
+    else result = Crypto::OtherEllipticCurveType()
   }
 
   override string getParsedEllipticCurveName() {
@@ -48,7 +54,7 @@ class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorith
   }
 
   override int getKeySize() {
-    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSslAlgorithmExpr)
+    Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.(KnownOpenSslAlgorithmExpr)
           .getNormalizedName(), result, _)
   }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll

@@ -11,21 +11,21 @@ predicate knownOpenSslConstantToHashFamilyType(
   exists(string name |
     name = e.(KnownOpenSslAlgorithmExpr).getNormalizedName() and
     (
-      name.matches("BLAKE2B") and type instanceof Crypto::BLAKE2B
+      name = "BLAKE2B" and type instanceof Crypto::BLAKE2B
       or
-      name.matches("BLAKE2S") and type instanceof Crypto::BLAKE2S
+      name = "BLAKE2S" and type instanceof Crypto::BLAKE2S
       or
-      name.matches("GOST%") and type instanceof Crypto::GOSTHash
+      name.matches("GOST%") and type instanceof Crypto::GOST_HASH
       or
-      name.matches("MD2") and type instanceof Crypto::MD2
+      name = "MD2" and type instanceof Crypto::MD2
       or
-      name.matches("MD4") and type instanceof Crypto::MD4
+      name = "MD4" and type instanceof Crypto::MD4
       or
-      name.matches("MD5") and type instanceof Crypto::MD5
+      name = "MD5" and type instanceof Crypto::MD5
       or
-      name.matches("MDC2") and type instanceof Crypto::MDC2
+      name = "MDC2" and type instanceof Crypto::MDC2
       or
-      name.matches("POLY1305") and type instanceof Crypto::POLY1305
+      name = "POLY1305" and type instanceof Crypto::POLY1305
       or
       name.matches(["SHA", "SHA1"]) and type instanceof Crypto::SHA1
       or
@@ -33,13 +33,13 @@ predicate knownOpenSslConstantToHashFamilyType(
       or
       name.matches("SHA3-%") and type instanceof Crypto::SHA3
       or
-      name.matches(["SHAKE"]) and type instanceof Crypto::SHAKE
+      name = "SHAKE" and type instanceof Crypto::SHAKE
       or
-      name.matches("SM3") and type instanceof Crypto::SM3
+      name = "SM3" and type instanceof Crypto::SM3
       or
-      name.matches("RIPEMD160") and type instanceof Crypto::RIPEMD160
+      name = "RIPEMD160" and type instanceof Crypto::RIPEMD160
       or
-      name.matches("WHIRLPOOL") and type instanceof Crypto::WHIRLPOOL
+      name = "WHIRLPOOL" and type instanceof Crypto::WHIRLPOOL
     )
   )
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll

@@ -210,7 +210,8 @@ string getAlgorithmAlias(string alias) {
 }
 
 /**
- * Finds aliases of known alagorithms defined by users (through obj_name_add and various macros pointing to this function)
+ * Holds for aliases of known algorithms defined by users
+ * (through obj_name_add and various macros pointing to this function).
  *
  * The `target` and `alias` are converted to lowercase to be of a standard form.
  */
@@ -222,7 +223,7 @@ predicate customAliases(string target, string alias) {
 }
 
 /**
- * A hard-coded mapping of known algorithm aliases in OpenSsl.
+ * Holds for a hard-coded mapping of known algorithm aliases in OpenSsl.
  * This was derived by applying the same kind of logic foun din `customAliases` to the
  * OpenSsl code base directly.
  *

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/MACAlgorithmInstance.qll

@@ -7,7 +7,7 @@ private import experimental.quantum.OpenSSL.Operations.OpenSSLOperations
 private import AlgToAVCFlow
 
 class KnownOpenSslMacConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
-  Crypto::MACAlgorithmInstance instanceof KnownOpenSslMacAlgorithmExpr
+  Crypto::MacAlgorithmInstance instanceof KnownOpenSslMacAlgorithmExpr
 {
   OpenSslAlgorithmValueConsumer getterCall;
 
@@ -39,14 +39,14 @@ class KnownOpenSslMacConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
     result = this.(Call).getTarget().getName()
   }
 
-  override Crypto::TMACType getMacType() {
-    this instanceof KnownOpenSslHMacAlgorithmExpr and result instanceof Crypto::THMAC
+  override Crypto::MacType getMacType() {
+    this instanceof KnownOpenSslHMacAlgorithmExpr and result = Crypto::HMAC()
     or
-    this instanceof KnownOpenSslCMacAlgorithmExpr and result instanceof Crypto::TCMAC
+    this instanceof KnownOpenSslCMacAlgorithmExpr and result = Crypto::CMAC()
   }
 }
 
-class KnownOpenSslHMacConstantAlgorithmInstance extends Crypto::HMACAlgorithmInstance,
+class KnownOpenSslHMacConstantAlgorithmInstance extends Crypto::HmacAlgorithmInstance,
   KnownOpenSslMacConstantAlgorithmInstance
 {
   override Crypto::AlgorithmValueConsumer getHashAlgorithmValueConsumer() {

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll

@@ -5,6 +5,7 @@ private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmCon
 private import AlgToAVCFlow
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import codeql.quantum.experimental.Standardization::Types::KeyOpAlg as KeyOpAlg
 
 /**
  * A class to define padding specific integer values.
@@ -28,18 +29,18 @@ class OpenSslPaddingLiteral extends Literal {
  * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSslConstantToPaddingFamilyType(
-  KnownOpenSslPaddingAlgorithmExpr e, Crypto::TPaddingType type
+  KnownOpenSslPaddingAlgorithmExpr e, KeyOpAlg::PaddingSchemeType type
 ) {
   exists(string name |
     name = e.(KnownOpenSslAlgorithmExpr).getNormalizedName() and
     (
-      name.matches("OAEP") and type = Crypto::OAEP()
+      name = "OAEP" and type = KeyOpAlg::OAEP()
       or
-      name.matches("PSS") and type = Crypto::PSS()
+      name = "PSS" and type = KeyOpAlg::PSS()
       or
-      name.matches("PKCS7") and type = Crypto::PKCS7()
+      name = "PKCS7" and type = KeyOpAlg::PKCS7()
       or
-      name.matches("PKCS1V15") and type = Crypto::PKCS1_v1_5()
+      name = "PKCS1V15" and type = KeyOpAlg::PKCS1_V1_5()
     )
   )
 }
@@ -85,7 +86,7 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta
       // Source is `this`
       src.asExpr() = this and
       // This traces to a padding-specific consumer
-      RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow::flow(src, sink)
+      RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow::flow(src, sink)
     ) and
     isPaddingSpecificConsumer = true
   }
@@ -98,24 +99,24 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta
 
   override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
 
-  Crypto::TPaddingType getKnownPaddingType() {
-    this.(Literal).getValue().toInt() in [1, 7, 8] and result = Crypto::PKCS1_v1_5()
+  KeyOpAlg::PaddingSchemeType getKnownPaddingType() {
+    this.(Literal).getValue().toInt() in [1, 7, 8] and result = KeyOpAlg::PKCS1_V1_5()
     or
-    this.(Literal).getValue().toInt() = 3 and result = Crypto::NoPadding()
+    this.(Literal).getValue().toInt() = 3 and result = KeyOpAlg::NoPadding()
     or
-    this.(Literal).getValue().toInt() = 4 and result = Crypto::OAEP()
+    this.(Literal).getValue().toInt() = 4 and result = KeyOpAlg::OAEP()
     or
-    this.(Literal).getValue().toInt() = 5 and result = Crypto::ANSI_X9_23()
+    this.(Literal).getValue().toInt() = 5 and result = KeyOpAlg::ANSI_X9_23()
     or
-    this.(Literal).getValue().toInt() = 6 and result = Crypto::PSS()
+    this.(Literal).getValue().toInt() = 6 and result = KeyOpAlg::PSS()
   }
 
-  override Crypto::TPaddingType getPaddingType() {
+  override KeyOpAlg::PaddingSchemeType getPaddingType() {
     isPaddingSpecificConsumer = true and
     (
       result = this.getKnownPaddingType()
       or
-      not exists(this.getKnownPaddingType()) and result = Crypto::OtherPadding()
+      not exists(this.getKnownPaddingType()) and result = KeyOpAlg::OtherPadding()
     )
     or
     isPaddingSpecificConsumer = false and
@@ -143,7 +144,7 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta
 //     this instanceof Literal and
 //     this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8]
 //     // TODO: trace to padding-specific consumers
-//     RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow
+//     RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow
 //   }
 //   override string getRawPaddingAlgorithmName() { result = this.(Literal).getValue().toString() }
 //   override Crypto::TPaddingType getPaddingType() {
@@ -161,18 +162,18 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta
 //           else result = Crypto::OtherPadding()
 //   }
 // }
-class OAEPPaddingAlgorithmInstance extends Crypto::OAEPPaddingAlgorithmInstance,
+class OaepPaddingAlgorithmInstance extends Crypto::OaepPaddingAlgorithmInstance,
   KnownOpenSslPaddingConstantAlgorithmInstance
 {
-  OAEPPaddingAlgorithmInstance() {
-    this.(Crypto::PaddingAlgorithmInstance).getPaddingType() = Crypto::OAEP()
+  OaepPaddingAlgorithmInstance() {
+    this.(Crypto::PaddingAlgorithmInstance).getPaddingType() = KeyOpAlg::OAEP()
   }
 
-  override Crypto::HashAlgorithmInstance getOAEPEncodingHashAlgorithm() {
+  override Crypto::HashAlgorithmInstance getOaepEncodingHashAlgorithm() {
     none() //TODO
   }
 
-  override Crypto::HashAlgorithmInstance getMGF1HashAlgorithm() {
+  override Crypto::HashAlgorithmInstance getMgf1HashAlgorithm() {
     none() //TODO
   }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/SignatureAlgorithmInstance.qll

@@ -73,7 +73,7 @@ class KnownOpenSslSignatureConstantAlgorithmInstance extends OpenSslAlgorithmIns
     none()
   }
 
-  override KeyOpAlg::Algorithm getAlgorithmType() {
+  override KeyOpAlg::AlgorithmType getAlgorithmType() {
     knownOpenSslConstantToSignatureFamilyType(this, result)
     or
     not knownOpenSslConstantToSignatureFamilyType(this, _) and

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll

@@ -4,10 +4,10 @@ private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmCon
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
 /**
- * Cases like EVP_MD5(),
- * there is no input, rather it directly gets an algorithm
- * and returns it.
- * Also includes operations directly using an algorithm
+ * A call that is considered to inherently 'consume' an algorithm value.
+ * E.g., cases like EVP_MD5(),
+ * where there is no input, rather it directly gets an algorithm
+ * and returns it. Also includes operations directly using an algorithm
  * like AES_encrypt().
  */
 class DirectAlgorithmValueConsumer extends OpenSslAlgorithmValueConsumer instanceof OpenSslAlgorithmCall

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll

@@ -7,7 +7,7 @@ private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmI
 abstract class HashAlgorithmValueConsumer extends OpenSslAlgorithmValueConsumer { }
 
 /**
- * EVP_Q_Digest directly consumes algorithm constant values
+ * An EVP_Q_Digest directly consumes algorithm constant values
  */
 class Evp_Q_Digest_Algorithm_Consumer extends HashAlgorithmValueConsumer {
   Evp_Q_Digest_Algorithm_Consumer() { this.(Call).getTarget().getName() = "EVP_Q_digest" }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll

@@ -91,7 +91,8 @@ class Evp_Cipher_Update_Call extends EvpUpdate {
 }
 
 /**
- * see: https://docs.openssl.org/master/man3/EVP_EncryptInit/#synopsis
+ * The EVP Cipher operations.
+ * See: https://docs.openssl.org/master/man3/EVP_EncryptInit/#synopsis
  * Base configuration for all EVP cipher operations.
  */
 abstract class Evp_Cipher_Operation extends EvpOperation, Crypto::KeyOperationInstance {
@@ -163,6 +164,7 @@ class Evp_Cipher_Final_Call extends EvpFinal, Evp_Cipher_Operation {
 }
 
 /**
+ * The EVP encryption/decryption operations.
  * https://docs.openssl.org/3.2/man3/EVP_PKEY_decrypt/
  * https://docs.openssl.org/3.2/man3/EVP_PKEY_encrypt
  */

cpp/ql/lib/ext/Oracle.oci.model.yml

@@ -0,0 +1,8 @@
+# partial model of the Oracle Call Interface (OCI) library
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sinkModel
+    data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
+      - ["", "", False, "OCIStmtPrepare", "", "", "Argument[*2]", "sql-injection", "manual"]
+      - ["", "", False, "OCIStmtPrepare2", "", "", "Argument[*3]", "sql-injection", "manual"]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 5.1.1-dev
+version: 5.2.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -858,6 +858,15 @@ private predicate floatingPointTypeMapping(
   or
   // __mfp8
   kind = 62 and base = 2 and domain = TRealDomain() and realKind = 62 and extended = false
+  or
+  // _Complex __fp16
+  kind = 64 and base = 2 and domain = TComplexDomain() and realKind = 54 and extended = false
+  or
+  // _Complex __bf16
+  kind = 65 and base = 2 and domain = TComplexDomain() and realKind = 55 and extended = false
+  or
+  // _Complex std::float16_t
+  kind = 66 and base = 2 and domain = TComplexDomain() and realKind = 56 and extended = false
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -229,6 +229,49 @@ private predicate summaryModel0(
   )
 }
 
+/**
+ * Holds if the given extension tuple `madId` should pretty-print as `model`.
+ *
+ * This predicate should only be used in tests.
+ */
+predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
+  exists(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string output, string kind, string provenance
+  |
+    Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind,
+      provenance, madId)
+  |
+    model =
+      "Source: " + namespace + "; " + type + "; " + subtypes + "; " + name + "; " + signature + "; "
+        + ext + "; " + output + "; " + kind + "; " + provenance
+  )
+  or
+  exists(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string input, string kind, string provenance
+  |
+    Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance,
+      madId)
+  |
+    model =
+      "Sink: " + namespace + "; " + type + "; " + subtypes + "; " + name + "; " + signature + "; " +
+        ext + "; " + input + "; " + kind + "; " + provenance
+  )
+  or
+  exists(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string input, string output, string kind, string provenance
+  |
+    Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
+      provenance, madId)
+  |
+    model =
+      "Summary: " + namespace + "; " + type + "; " + subtypes + "; " + name + "; " + signature +
+        "; " + ext + "; " + input + "; " + output + "; " + kind + "; " + provenance
+  )
+}
+
 /**
  * Holds if `input` is `input0`, but with all occurrences of `@` replaced
  * by `n` repetitions of `*` (and similarly for `output` and `output0`).

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll

@@ -54,6 +54,8 @@ private predicate isDeeplyConstBelow(Type t) {
   or
   isDeeplyConst(t.(GNUVectorType).getBaseType())
   or
+  isDeeplyConst(t.(ScalableVectorType).getBaseType())
+  or
   isDeeplyConst(t.(FunctionPointerIshType).getBaseType())
   or
   isDeeplyConst(t.(PointerWrapper).getTemplateArgument(0))

cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll

@@ -29,6 +29,10 @@ private int getTypeSizeWorkaround(Type type) {
         not arrayType.hasArraySize() and
         result = getPointerSize()
       )
+      or
+      // Scalable vectors are opaque and not of fixed size. Use 0 as a substitute.
+      type instanceof ScalableVectorType and
+      result = 0
     )
   )
 }
@@ -136,6 +140,8 @@ private predicate isOpaqueType(Type type) {
   type instanceof PointerToMemberType // PTMs are missing size info
   or
   type instanceof ScalableVectorCount
+  or
+  type instanceof ScalableVectorType
 }
 
 /**

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -693,6 +693,9 @@ case @builtintype.kind of
 | 61 = @complex_std_float128  // _Complex _Float128
 | 62 = @mfp8                  // __mfp8
 | 63 = @scalable_vector_count // __SVCount_t
+| 64 = @complex_fp16          // _Complex __fp16
+| 65 = @complex_std_bfloat16  // _Complex __bf16
+| 66 = @complex_std_float16   // _Complex std::float16_t
 ;
 
 builtintypes(

cpp/ql/lib/upgrades/e38346051783182ea75822e4adf8d4c6a949bc37/upgrade.properties

@@ -0,0 +1,2 @@
+description: Support more complex 16-bit floating-point types
+compatibility: full

cpp/ql/lib/utils/test/PrettyPrintModels.ql

@@ -0,0 +1,6 @@
+/**
+ * @kind test-postprocess
+ */
+
+import semmle.code.cpp.dataflow.ExternalFlow
+import codeql.dataflow.test.ProvenancePathGraph::TestPostProcessing::TranslateProvenanceResults<interpretModelForTest/2>

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.4.3
+
+### Minor Analysis Improvements
+
+* Added flow model for the following libraries: `madler/zlib`, `google/brotli`, `libidn/libidn2`, `libssh2/libssh2/`, `nghttp2/nghttp2`, `libuv/libuv/`, and `curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.
+
 ## 1.4.2
 
 No user-facing changes.

cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -38,6 +38,9 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) {
     exists(SqlLikeFunction runSql | runSql.outermostWrapperFunctionCall(asSinkExpr(node), _))
+    or
+    // sink defined using models-as-data
+    sinkNode(node, "sql-injection")
   }
 
   predicate isBarrier(DataFlow::Node node) {
@@ -56,13 +59,21 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
 module SqlTainted = TaintTracking::Global<SqlTaintedConfig>;
 
 from
-  SqlLikeFunction runSql, Expr taintedArg, FlowSource taintSource, SqlTainted::PathNode sourceNode,
-  SqlTainted::PathNode sinkNode, string callChain
+  Expr taintedArg, FlowSource taintSource, SqlTainted::PathNode sourceNode,
+  SqlTainted::PathNode sinkNode, string extraText
 where
-  runSql.outermostWrapperFunctionCall(taintedArg, callChain) and
+  (
+    exists(SqlLikeFunction runSql, string callChain |
+      runSql.outermostWrapperFunctionCall(taintedArg, callChain) and
+      extraText = " and then passed to " + callChain
+    )
+    or
+    sinkNode(sinkNode.getNode(), "sql-injection") and
+    extraText = ""
+  ) and
   SqlTainted::flowPath(sourceNode, sinkNode) and
   taintedArg = asSinkExpr(sinkNode.getNode()) and
   taintSource = sourceNode.getNode()
 select taintedArg, sourceNode, sinkNode,
-  "This argument to a SQL query function is derived from $@ and then passed to " + callChain + ".",
-  taintSource, "user input (" + taintSource.getSourceType() + ")"
+  "This argument to a SQL query function is derived from $@" + extraText + ".", taintSource,
+  "user input (" + taintSource.getSourceType() + ")"

cpp/ql/src/change-notes/2025-06-20-sql-injection-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `cpp/sql-injection` now can be extended using the `sql-injection` Models as Data (MaD) sink kind.

cpp/ql/src/change-notes/released/1.4.3.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* Added flow model for the following libraries: `madler/zlib`, `google/brotli`, `libidn/libidn2`, `libssh2/libssh2/`, `nghttp2/nghttp2`, `libuv/libuv/`, and `curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.
+## 1.4.3
+
+### Minor Analysis Improvements
+
+* Added flow model for the following libraries: `madler/zlib`, `google/brotli`, `libidn/libidn2`, `libssh2/libssh2/`, `nghttp2/nghttp2`, `libuv/libuv/`, and `curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.2
+lastReleaseVersion: 1.4.3

cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql

@@ -50,6 +50,8 @@ module WordexpTaintConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
 }
 
 module WordexpTaint = TaintTracking::Global<WordexpTaintConfig>;

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.4.3-dev
+version: 1.4.4-dev
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -1,57 +1,80 @@
-testFailures
+models
+| 1 | Sink: ; ; false; ymlSink; ; ; Argument[0]; test-sink; manual |
+| 2 | Sink: boost::asio; ; false; write; ; ; Argument[*1]; remote-sink; manual |
+| 3 | Source: ; ; false; GetCommandLineA; ; ; ReturnValue[*]; local; manual |
+| 4 | Source: ; ; false; GetEnvironmentStringsA; ; ; ReturnValue[*]; local; manual |
+| 5 | Source: ; ; false; GetEnvironmentVariableA; ; ; Argument[*1]; local; manual |
+| 6 | Source: ; ; false; MapViewOfFile2; ; ; ReturnValue[*]; local; manual |
+| 7 | Source: ; ; false; MapViewOfFile3; ; ; ReturnValue[*]; local; manual |
+| 8 | Source: ; ; false; MapViewOfFile3FromApp; ; ; ReturnValue[*]; local; manual |
+| 9 | Source: ; ; false; MapViewOfFile; ; ; ReturnValue[*]; local; manual |
+| 10 | Source: ; ; false; MapViewOfFileEx; ; ; ReturnValue[*]; local; manual |
+| 11 | Source: ; ; false; MapViewOfFileFromApp; ; ; ReturnValue[*]; local; manual |
+| 12 | Source: ; ; false; MapViewOfFileNuma2; ; ; ReturnValue[*]; local; manual |
+| 13 | Source: ; ; false; NtReadFile; ; ; Argument[*5]; local; manual |
+| 14 | Source: ; ; false; ReadFile; ; ; Argument[*1]; local; manual |
+| 15 | Source: ; ; false; ReadFileEx; ; ; Argument[*1]; local; manual |
+| 16 | Source: ; ; false; ymlSource; ; ; ReturnValue; local; manual |
+| 17 | Source: boost::asio; ; false; read_until; ; ; Argument[*1]; remote; manual |
+| 18 | Summary: ; ; false; CommandLineToArgvA; ; ; Argument[*0]; ReturnValue[**]; taint; manual |
+| 19 | Summary: ; ; false; ReadFileEx; ; ; Argument[*3].Field[@hEvent]; Argument[4].Parameter[*2].Field[@hEvent]; value; manual |
+| 20 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
+| 21 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
+| 22 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
+| 23 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
 edges
-| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:10 |
-| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:2  |
-| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:2 Sink:MaD:6 |
+| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:23 |
+| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:17  |
+| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:17 Sink:MaD:2 |
 | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction |
 | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:100:64:100:71 | *send_str | provenance | TaintFunction |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:100:44:100:62 | call to buffer | provenance |  |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance |  |
-| asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 |
+| asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:2 |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 |
-| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:26955 |
-| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:26956 |
-| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:26957 |
+| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:23 |
+| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:21 |
+| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:20 |
+| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:22 |
 | test.cpp:7:47:7:52 | value2 | test.cpp:7:64:7:69 | value2 | provenance |  |
 | test.cpp:7:64:7:69 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | provenance |  |
-| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:10:10:10:18 | call to ymlSource | provenance | Src:MaD:26953  |
-| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:14:10:14:10 | x | provenance | Sink:MaD:26954 |
+| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:10:10:10:18 | call to ymlSource | provenance | Src:MaD:16  |
+| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:14:10:14:10 | x | provenance | Sink:MaD:1 |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:17:24:17:24 | x | provenance |  |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:21:27:21:27 | x | provenance |  |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:25:35:25:35 | x | provenance |  |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:32:41:32:41 | x | provenance |  |
 | test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:17:10:17:22 | call to ymlStepManual | provenance |  |
-| test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:18:10:18:10 | y | provenance | Sink:MaD:26954 |
+| test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:18:10:18:10 | y | provenance | Sink:MaD:1 |
 | test.cpp:17:24:17:24 | x | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | provenance |  |
-| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:26955 |
+| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:21 |
 | test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance |  |
-| test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:22:10:22:10 | z | provenance | Sink:MaD:26954 |
+| test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:22:10:22:10 | z | provenance | Sink:MaD:1 |
 | test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | provenance |  |
-| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:26956 |
+| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:20 |
 | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance |  |
-| test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:26:10:26:11 | y2 | provenance | Sink:MaD:26954 |
+| test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:26:10:26:11 | y2 | provenance | Sink:MaD:1 |
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | provenance |  |
-| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:26957 |
+| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:22 |
 | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | provenance |  |
-| test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:33:10:33:11 | z2 | provenance | Sink:MaD:26954 |
+| test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:33:10:33:11 | z2 | provenance | Sink:MaD:1 |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | provenance |  |
 | test.cpp:32:41:32:41 | x | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | provenance |  |
-| windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:341 |
-| windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:325  |
+| windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:18 |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:3  |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance |  |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:27:36:27:38 | *cmd | provenance |  |
 | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | provenance |  |
 | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | windows.cpp:30:8:30:15 | * ... | provenance |  |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | provenance |  |
-| windows.cpp:27:36:27:38 | *cmd | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | provenance | MaD:341 |
-| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | provenance | Src:MaD:327  |
+| windows.cpp:27:36:27:38 | *cmd | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | provenance | MaD:18 |
+| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | provenance | Src:MaD:4  |
 | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | windows.cpp:36:10:36:13 | * ... | provenance |  |
-| windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | windows.cpp:41:10:41:13 | * ... | provenance | Src:MaD:329  |
+| windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | windows.cpp:41:10:41:13 | * ... | provenance | Src:MaD:5  |
 | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [*hEvent] | windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | provenance |  |
 | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [hEvent] | windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | provenance |  |
-| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | provenance | MaD:343 |
-| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx | provenance | MaD:343 |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | provenance | MaD:19 |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx | provenance | MaD:19 |
 | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] | windows.cpp:147:16:147:27 | *lpOverlapped [*hEvent] | provenance |  |
 | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [hEvent] | windows.cpp:157:16:157:27 | *lpOverlapped [hEvent] | provenance |  |
 | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] | provenance |  |
@@ -67,36 +90,36 @@ edges
 | windows.cpp:159:12:159:55 | hEvent | windows.cpp:160:8:160:8 | c | provenance |  |
 | windows.cpp:159:35:159:46 | *lpOverlapped [hEvent] | windows.cpp:159:12:159:55 | hEvent | provenance |  |
 | windows.cpp:159:35:159:46 | *lpOverlapped [hEvent] | windows.cpp:159:12:159:55 | hEvent | provenance |  |
-| windows.cpp:168:35:168:40 | ReadFile output argument | windows.cpp:170:10:170:16 | * ... | provenance | Src:MaD:331  |
-| windows.cpp:177:23:177:28 | ReadFileEx output argument | windows.cpp:179:10:179:16 | * ... | provenance | Src:MaD:332  |
-| windows.cpp:189:21:189:26 | ReadFile output argument | windows.cpp:190:5:190:56 | *... = ... | provenance | Src:MaD:331  |
+| windows.cpp:168:35:168:40 | ReadFile output argument | windows.cpp:170:10:170:16 | * ... | provenance | Src:MaD:14  |
+| windows.cpp:177:23:177:28 | ReadFileEx output argument | windows.cpp:179:10:179:16 | * ... | provenance | Src:MaD:15  |
+| windows.cpp:189:21:189:26 | ReadFile output argument | windows.cpp:190:5:190:56 | *... = ... | provenance | Src:MaD:14  |
 | windows.cpp:190:5:190:14 | *overlapped [post update] [*hEvent] | windows.cpp:192:53:192:63 | *& ... [*hEvent] | provenance |  |
 | windows.cpp:190:5:190:56 | *... = ... | windows.cpp:190:5:190:14 | *overlapped [post update] [*hEvent] | provenance |  |
 | windows.cpp:192:53:192:63 | *& ... [*hEvent] | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [*hEvent] | provenance |  |
-| windows.cpp:198:21:198:26 | ReadFile output argument | windows.cpp:199:5:199:57 | ... = ... | provenance | Src:MaD:331  |
+| windows.cpp:198:21:198:26 | ReadFile output argument | windows.cpp:199:5:199:57 | ... = ... | provenance | Src:MaD:14  |
 | windows.cpp:199:5:199:14 | *overlapped [post update] [hEvent] | windows.cpp:201:53:201:63 | *& ... [hEvent] | provenance |  |
 | windows.cpp:199:5:199:57 | ... = ... | windows.cpp:199:5:199:14 | *overlapped [post update] [hEvent] | provenance |  |
 | windows.cpp:201:53:201:63 | *& ... [hEvent] | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [hEvent] | provenance |  |
-| windows.cpp:209:84:209:89 | NtReadFile output argument | windows.cpp:211:10:211:16 | * ... | provenance | Src:MaD:340  |
-| windows.cpp:286:23:286:35 | *call to MapViewOfFile | windows.cpp:286:23:286:35 | *call to MapViewOfFile | provenance | Src:MaD:333  |
+| windows.cpp:209:84:209:89 | NtReadFile output argument | windows.cpp:211:10:211:16 | * ... | provenance | Src:MaD:13  |
+| windows.cpp:286:23:286:35 | *call to MapViewOfFile | windows.cpp:286:23:286:35 | *call to MapViewOfFile | provenance | Src:MaD:9  |
 | windows.cpp:286:23:286:35 | *call to MapViewOfFile | windows.cpp:287:20:287:52 | *pMapView | provenance |  |
 | windows.cpp:287:20:287:52 | *pMapView | windows.cpp:289:10:289:16 | * ... | provenance |  |
-| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | provenance | Src:MaD:334  |
+| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | provenance | Src:MaD:6  |
 | windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | windows.cpp:294:20:294:52 | *pMapView | provenance |  |
 | windows.cpp:294:20:294:52 | *pMapView | windows.cpp:296:10:296:16 | * ... | provenance |  |
-| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | provenance | Src:MaD:335  |
+| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | provenance | Src:MaD:7  |
 | windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | windows.cpp:303:20:303:52 | *pMapView | provenance |  |
 | windows.cpp:303:20:303:52 | *pMapView | windows.cpp:305:10:305:16 | * ... | provenance |  |
-| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | provenance | Src:MaD:336  |
+| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | provenance | Src:MaD:8  |
 | windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | windows.cpp:312:20:312:52 | *pMapView | provenance |  |
 | windows.cpp:312:20:312:52 | *pMapView | windows.cpp:314:10:314:16 | * ... | provenance |  |
-| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | provenance | Src:MaD:337  |
+| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | provenance | Src:MaD:10  |
 | windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | windows.cpp:319:20:319:52 | *pMapView | provenance |  |
 | windows.cpp:319:20:319:52 | *pMapView | windows.cpp:321:10:321:16 | * ... | provenance |  |
-| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | provenance | Src:MaD:338  |
+| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | provenance | Src:MaD:11  |
 | windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | windows.cpp:326:20:326:52 | *pMapView | provenance |  |
 | windows.cpp:326:20:326:52 | *pMapView | windows.cpp:328:10:328:16 | * ... | provenance |  |
-| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | provenance | Src:MaD:339  |
+| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | provenance | Src:MaD:12  |
 | windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | windows.cpp:333:20:333:52 | *pMapView | provenance |  |
 | windows.cpp:333:20:333:52 | *pMapView | windows.cpp:335:10:335:16 | * ... | provenance |  |
 nodes
@@ -222,3 +245,4 @@ subpaths
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |
+testFailures

cpp/ql/test/library-tests/dataflow/external-models/flow.ql

@@ -1,7 +1,7 @@
 import utils.test.dataflow.FlowTestCommon
 import cpp
 import semmle.code.cpp.security.FlowSources
-import IRTest::IRFlow::PathGraph
+import codeql.dataflow.test.ProvenancePathGraph
 
 module IRTest {
   private import semmle.code.cpp.ir.IR
@@ -33,3 +33,4 @@ module IRTest {
 }
 
 import MakeTest<IRFlowTest<IRTest::IRFlow>>
+import ShowProvenance<interpretModelForTest/2, IRTest::IRFlow::PathNode, IRTest::IRFlow::PathGraph>

cpp/ql/test/library-tests/floats/float128/usertypes.ql

@@ -2,6 +2,9 @@ import cpp
 
 from UserType t, Type related
 where
-  related = t.(Class).getABaseClass() or
-  related = t.(TypedefType).getUnderlyingType()
+  (
+    related = t.(Class).getABaseClass() or
+    related = t.(TypedefType).getUnderlyingType()
+  ) and
+  exists(t.getFile())
 select t, related

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -58,7 +58,7 @@
 #-----|         Type = [LongType] unsigned long
 #-----|     getParameter(1): [Parameter] (unnamed parameter 1)
 #-----|         Type = [ScopedEnum] align_val_t
-arm.cpp:
+arm_neon.cpp:
 #    6| [TopLevelFunction] uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
 #    6|   <params>: 
 #    6|     getParameter(0): [Parameter] a
@@ -76,59 +76,105 @@ arm.cpp:
 #    7|         getRightOperand(): [VariableAccess] b
 #    7|             Type = [CTypedefType] uint8x8_t
 #    7|             ValueCategory = prvalue(load)
-#   12| [TopLevelFunction] uint16x8_t __builtin_aarch64_uaddlv8qi_uuu(uint8x8_t, uint8x8_t)
+#   10| [TopLevelFunction] uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
+#   10|   <params>: 
+#   10|     getParameter(0): [Parameter] a
+#   10|         Type = [CTypedefType] uint8x8_t
+#   10|     getParameter(1): [Parameter] b
+#   10|         Type = [CTypedefType] uint8x8_t
+#   12| [TopLevelFunction] uint16x8_t arm_add(uint8x8_t, uint8x8_t*)
 #   12|   <params>: 
-#   12|     getParameter(0): [Parameter] (unnamed parameter 0)
+#   12|     getParameter(0): [Parameter] a
 #   12|         Type = [CTypedefType] uint8x8_t
-#   12|     getParameter(1): [Parameter] (unnamed parameter 1)
-#   12|         Type = [CTypedefType] uint8x8_t
-#   14| [TopLevelFunction] uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
-#   14|   <params>: 
-#   14|     getParameter(0): [Parameter] a
-#   14|         Type = [CTypedefType] uint8x8_t
-#   14|     getParameter(1): [Parameter] b
-#   14|         Type = [CTypedefType] uint8x8_t
-#   14|   getEntryPoint(): [BlockStmt] { ... }
-#   15|     getStmt(0): [ReturnStmt] return ...
-#   15|       getExpr(): [FunctionCall] call to __builtin_aarch64_uaddlv8qi_uuu
-#   15|           Type = [CTypedefType] uint16x8_t
-#   15|           ValueCategory = prvalue
-#   15|         getArgument(0): [VariableAccess] a
-#   15|             Type = [CTypedefType] uint8x8_t
-#   15|             ValueCategory = prvalue(load)
-#   15|         getArgument(1): [VariableAccess] b
-#   15|             Type = [CTypedefType] uint8x8_t
-#   15|             ValueCategory = prvalue(load)
-#   18| [TopLevelFunction] uint16x8_t arm_add(uint8x8_t, uint8x8_t)
-#   18|   <params>: 
-#   18|     getParameter(0): [Parameter] a
-#   18|         Type = [CTypedefType] uint8x8_t
-#   18|     getParameter(1): [Parameter] b
-#   18|         Type = [CTypedefType] uint8x8_t
-#   18|   getEntryPoint(): [BlockStmt] { ... }
-#   19|     getStmt(0): [DeclStmt] declaration
-#   19|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of c
-#   19|           Type = [CTypedefType] uint8x8_t
-#   19|         getVariable().getInitializer(): [Initializer] initializer for c
-#   19|           getExpr(): [FunctionCall] call to vadd_u8
-#   19|               Type = [CTypedefType] uint8x8_t
-#   19|               ValueCategory = prvalue
-#   19|             getArgument(0): [VariableAccess] a
-#   19|                 Type = [CTypedefType] uint8x8_t
-#   19|                 ValueCategory = prvalue(load)
-#   19|             getArgument(1): [VariableAccess] b
-#   19|                 Type = [CTypedefType] uint8x8_t
-#   19|                 ValueCategory = prvalue(load)
-#   20|     getStmt(1): [ReturnStmt] return ...
-#   20|       getExpr(): [FunctionCall] call to vaddl_u8
-#   20|           Type = [CTypedefType] uint16x8_t
-#   20|           ValueCategory = prvalue
-#   20|         getArgument(0): [VariableAccess] a
-#   20|             Type = [CTypedefType] uint8x8_t
-#   20|             ValueCategory = prvalue(load)
-#   20|         getArgument(1): [VariableAccess] c
-#   20|             Type = [CTypedefType] uint8x8_t
-#   20|             ValueCategory = prvalue(load)
+#   12|     getParameter(1): [Parameter] b
+#   12|         Type = [PointerType] uint8x8_t *
+#   12|   getEntryPoint(): [BlockStmt] { ... }
+#   13|     getStmt(0): [DeclStmt] declaration
+#   13|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of c
+#   13|           Type = [CTypedefType] uint8x8_t
+#   13|         getVariable().getInitializer(): [Initializer] initializer for c
+#   13|           getExpr(): [FunctionCall] call to vadd_u8
+#   13|               Type = [CTypedefType] uint8x8_t
+#   13|               ValueCategory = prvalue
+#   13|             getArgument(0): [VariableAccess] a
+#   13|                 Type = [CTypedefType] uint8x8_t
+#   13|                 ValueCategory = prvalue(load)
+#   13|             getArgument(1): [PointerDereferenceExpr] * ...
+#   13|                 Type = [CTypedefType] uint8x8_t
+#   13|                 ValueCategory = prvalue(load)
+#   13|               getOperand(): [VariableAccess] b
+#   13|                   Type = [PointerType] uint8x8_t *
+#   13|                   ValueCategory = prvalue(load)
+#   14|     getStmt(1): [ReturnStmt] return ...
+#   14|       getExpr(): [FunctionCall] call to vaddl_u8
+#   14|           Type = [CTypedefType] uint16x8_t
+#   14|           ValueCategory = prvalue
+#   14|         getArgument(0): [VariableAccess] a
+#   14|             Type = [CTypedefType] uint8x8_t
+#   14|             ValueCategory = prvalue(load)
+#   14|         getArgument(1): [VariableAccess] c
+#   14|             Type = [CTypedefType] uint8x8_t
+#   14|             ValueCategory = prvalue(load)
+#   20| [TopLevelFunction] mfloat8x8_t vreinterpret_mf8_s8(int8x8_t)
+#   20|   <params>: 
+#   20|     getParameter(0): [Parameter] (unnamed parameter 0)
+#   20|         Type = [CTypedefType] int8x8_t
+#   22| [TopLevelFunction] mfloat8x8_t arm_reinterpret(int8x8_t*)
+#   22|   <params>: 
+#   22|     getParameter(0): [Parameter] a
+#   22|         Type = [PointerType] int8x8_t *
+#   22|   getEntryPoint(): [BlockStmt] { ... }
+#   23|     getStmt(0): [ReturnStmt] return ...
+#   23|       getExpr(): [FunctionCall] call to vreinterpret_mf8_s8
+#   23|           Type = [CTypedefType] mfloat8x8_t
+#   23|           ValueCategory = prvalue
+#   23|         getArgument(0): [PointerDereferenceExpr] * ...
+#   23|             Type = [CTypedefType] int8x8_t
+#   23|             ValueCategory = prvalue(load)
+#   23|           getOperand(): [VariableAccess] a
+#   23|               Type = [PointerType] int8x8_t *
+#   23|               ValueCategory = prvalue(load)
+arm_sve.cpp:
+#    6| [TopLevelFunction] svuint8x2_t svsel_u8_x2(svcount_t, svuint8x2_t, svuint8x2_t)
+#    6|   <params>: 
+#    6|     getParameter(0): [Parameter] (unnamed parameter 0)
+#    6|         Type = [CTypedefType] svcount_t
+#    6|     getParameter(1): [Parameter] (unnamed parameter 1)
+#    6|         Type = [CTypedefType] svuint8x2_t
+#    6|     getParameter(2): [Parameter] (unnamed parameter 2)
+#    6|         Type = [CTypedefType] svuint8x2_t
+#    8| [TopLevelFunction] svuint8x2_t arm_sel(svcount_t, svuint8x2_t, svuint8x2_t*)
+#    8|   <params>: 
+#    8|     getParameter(0): [Parameter] a
+#    8|         Type = [CTypedefType] svcount_t
+#    8|     getParameter(1): [Parameter] b
+#    8|         Type = [CTypedefType] svuint8x2_t
+#    8|     getParameter(2): [Parameter] c
+#    8|         Type = [PointerType] svuint8x2_t *
+#    8|   getEntryPoint(): [BlockStmt] { ... }
+#    9|     getStmt(0): [DeclStmt] declaration
+#    9|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of d
+#    9|           Type = [CTypedefType] svuint8x2_t
+#    9|         getVariable().getInitializer(): [Initializer] initializer for d
+#    9|           getExpr(): [FunctionCall] call to svsel_u8_x2
+#    9|               Type = [CTypedefType] svuint8x2_t
+#    9|               ValueCategory = prvalue
+#    9|             getArgument(0): [VariableAccess] a
+#    9|                 Type = [CTypedefType] svcount_t
+#    9|                 ValueCategory = prvalue(load)
+#    9|             getArgument(1): [VariableAccess] b
+#    9|                 Type = [CTypedefType] svuint8x2_t
+#    9|                 ValueCategory = prvalue(load)
+#    9|             getArgument(2): [PointerDereferenceExpr] * ...
+#    9|                 Type = [CTypedefType] svuint8x2_t
+#    9|                 ValueCategory = prvalue(load)
+#    9|               getOperand(): [VariableAccess] c
+#    9|                   Type = [PointerType] svuint8x2_t *
+#    9|                   ValueCategory = prvalue(load)
+#   10|     getStmt(1): [ReturnStmt] return ...
+#   10|       getExpr(): [VariableAccess] d
+#   10|           Type = [CTypedefType] svuint8x2_t
+#   10|           ValueCategory = prvalue(load)
 bad_asts.cpp:
 #    5| [CopyAssignmentOperator] Bad::S& Bad::S::operator=(Bad::S const&)
 #    5|   <params>: 
@@ -10807,22 +10853,22 @@ ir.cpp:
 #  885|             Type = [FunctionPointerType] ..(*)(..)
 #  885|             ValueCategory = prvalue
 #  886|     getStmt(2): [ReturnStmt] return ...
-#  888| [TopLevelFunction] void VAListUsage(int, __va_list_tag[1])
+#  888| [TopLevelFunction] void VAListUsage(int, __builtin_va_list)
 #  888|   <params>: 
 #  888|     getParameter(0): [Parameter] x
 #  888|         Type = [IntType] int
 #  888|     getParameter(1): [Parameter] args
-#  888|         Type = [ArrayType] __va_list_tag[1]
+#  888|         Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  888|   getEntryPoint(): [BlockStmt] { ... }
 #  889|     getStmt(0): [DeclStmt] declaration
 #  889|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of args2
-#  889|           Type = [ArrayType] __va_list_tag[1]
+#  889|           Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  890|     getStmt(1): [ExprStmt] ExprStmt
 #  890|       getExpr(): [BuiltInVarArgCopy] __builtin_va_copy
 #  890|           Type = [VoidType] void
 #  890|           ValueCategory = prvalue
 #  890|         getDestinationVAList(): [VariableAccess] args2
-#  890|             Type = [ArrayType] __va_list_tag[1]
+#  890|             Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  890|             ValueCategory = lvalue
 #  890|         getSourceVAList(): [VariableAccess] args
 #  890|             Type = [PointerType] __va_list_tag *
@@ -10859,7 +10905,7 @@ ir.cpp:
 #  893|           Type = [VoidType] void
 #  893|           ValueCategory = prvalue
 #  893|         getVAList(): [VariableAccess] args2
-#  893|             Type = [ArrayType] __va_list_tag[1]
+#  893|             Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  893|             ValueCategory = lvalue
 #  893|         getVAList().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
 #  893|             Type = [PointerType] __va_list_tag *
@@ -10872,13 +10918,13 @@ ir.cpp:
 #  896|   getEntryPoint(): [BlockStmt] { ... }
 #  897|     getStmt(0): [DeclStmt] declaration
 #  897|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of args
-#  897|           Type = [ArrayType] __va_list_tag[1]
+#  897|           Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  899|     getStmt(1): [ExprStmt] ExprStmt
 #  899|       getExpr(): [BuiltInVarArgsStart] __builtin_va_start
 #  899|           Type = [VoidType] void
 #  899|           ValueCategory = prvalue
 #  899|         getVAList(): [VariableAccess] args
-#  899|             Type = [ArrayType] __va_list_tag[1]
+#  899|             Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  899|             ValueCategory = lvalue
 #  899|         getLastNamedParameter(): [VariableAccess] x
 #  899|             Type = [IntType] int
@@ -10888,16 +10934,16 @@ ir.cpp:
 #  899|             ValueCategory = prvalue
 #  900|     getStmt(2): [DeclStmt] declaration
 #  900|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of args2
-#  900|           Type = [ArrayType] __va_list_tag[1]
+#  900|           Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  901|     getStmt(3): [ExprStmt] ExprStmt
 #  901|       getExpr(): [BuiltInVarArgCopy] __builtin_va_copy
 #  901|           Type = [VoidType] void
 #  901|           ValueCategory = prvalue
 #  901|         getDestinationVAList(): [VariableAccess] args2
-#  901|             Type = [ArrayType] __va_list_tag[1]
+#  901|             Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  901|             ValueCategory = lvalue
 #  901|         getSourceVAList(): [VariableAccess] args
-#  901|             Type = [ArrayType] __va_list_tag[1]
+#  901|             Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  901|             ValueCategory = lvalue
 #  901|         getDestinationVAList().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
 #  901|             Type = [PointerType] __va_list_tag *
@@ -10913,7 +10959,7 @@ ir.cpp:
 #  902|               Type = [DoubleType] double
 #  902|               ValueCategory = prvalue(load)
 #  902|             getVAList(): [VariableAccess] args
-#  902|                 Type = [ArrayType] __va_list_tag[1]
+#  902|                 Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  902|                 ValueCategory = lvalue
 #  902|             getVAList().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
 #  902|                 Type = [PointerType] __va_list_tag *
@@ -10926,7 +10972,7 @@ ir.cpp:
 #  903|               Type = [IntType] int
 #  903|               ValueCategory = prvalue(load)
 #  903|             getVAList(): [VariableAccess] args
-#  903|                 Type = [ArrayType] __va_list_tag[1]
+#  903|                 Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  903|                 ValueCategory = lvalue
 #  903|             getVAList().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
 #  903|                 Type = [PointerType] __va_list_tag *
@@ -10940,7 +10986,7 @@ ir.cpp:
 #  904|           Type = [VoidType] void
 #  904|           ValueCategory = prvalue
 #  904|         getVAList(): [VariableAccess] args
-#  904|             Type = [ArrayType] __va_list_tag[1]
+#  904|             Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  904|             ValueCategory = lvalue
 #  904|         getVAList().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
 #  904|             Type = [PointerType] __va_list_tag *
@@ -10953,7 +10999,7 @@ ir.cpp:
 #  905|             Type = [IntType] int
 #  905|             ValueCategory = prvalue(load)
 #  905|         getArgument(1): [VariableAccess] args2
-#  905|             Type = [ArrayType] __va_list_tag[1]
+#  905|             Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  905|             ValueCategory = lvalue
 #  905|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
 #  905|             Type = [PointerType] __va_list_tag *
@@ -10963,7 +11009,7 @@ ir.cpp:
 #  906|           Type = [VoidType] void
 #  906|           ValueCategory = prvalue
 #  906|         getVAList(): [VariableAccess] args2
-#  906|             Type = [ArrayType] __va_list_tag[1]
+#  906|             Type = [BuiltInVarArgsList,CTypedefType] __builtin_va_list
 #  906|             ValueCategory = lvalue
 #  906|         getVAList().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
 #  906|             Type = [PointerType] __va_list_tag *

cpp/ql/test/library-tests/ir/ir/aliased_ir.expected

@@ -1,4 +1,4 @@
-arm.cpp:
+arm_neon.cpp:
 #    6| uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
 #    6|   Block 0
 #    6|     v6_1(void)                                                    = EnterFunction            : 
@@ -21,65 +21,107 @@ arm.cpp:
 #    6|     v6_11(void)                                                   = AliasedUse               : m6_3
 #    6|     v6_12(void)                                                   = ExitFunction             : 
 
-#   14| uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
-#   14|   Block 0
-#   14|     v14_1(void)                                                     = EnterFunction                                    : 
-#   14|     m14_2(unknown)                                                  = AliasedDefinition                                : 
-#   14|     m14_3(unknown)                                                  = InitializeNonLocal                               : 
-#   14|     m14_4(unknown)                                                  = Chi                                              : total:m14_2, partial:m14_3
-#   14|     r14_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]                               : 
-#   14|     m14_6(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[a]                           : &:r14_5
-#   14|     r14_7(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]                               : 
-#   14|     m14_8(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[b]                           : &:r14_7
-#   15|     r15_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]                         : 
-#   15|     r15_2(glval<unknown>)                                           = FunctionAddress[__builtin_aarch64_uaddlv8qi_uuu] : 
-#   15|     r15_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]                               : 
-#   15|     r15_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                                          : &:r15_3, m14_6
-#   15|     r15_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]                               : 
-#   15|     r15_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[b]                                          : &:r15_5, m14_8
-#   15|     r15_7(__attribute((neon_vector_type(8))) unsigned short)        = Call[__builtin_aarch64_uaddlv8qi_uuu]            : func:r15_2, 0:r15_4, 1:r15_6
-#   15|     m15_8(unknown)                                                  = ^CallSideEffect                                  : ~m14_4
-#   15|     m15_9(unknown)                                                  = Chi                                              : total:m14_4, partial:m15_8
-#   15|     m15_10(__attribute((neon_vector_type(8))) unsigned short)       = Store[#return]                                   : &:r15_1, r15_7
-#   14|     r14_9(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]                         : 
-#   14|     v14_10(void)                                                    = ReturnValue                                      : &:r14_9, m15_10
-#   14|     v14_11(void)                                                    = AliasedUse                                       : ~m15_9
-#   14|     v14_12(void)                                                    = ExitFunction                                     : 
+#   12| uint16x8_t arm_add(uint8x8_t, uint8x8_t*)
+#   12|   Block 0
+#   12|     v12_1(void)                                                      = EnterFunction             : 
+#   12|     m12_2(unknown)                                                   = AliasedDefinition         : 
+#   12|     m12_3(unknown)                                                   = InitializeNonLocal        : 
+#   12|     m12_4(unknown)                                                   = Chi                       : total:m12_2, partial:m12_3
+#   12|     r12_5(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[a]        : 
+#   12|     m12_6(__attribute((neon_vector_type(8))) unsigned char)          = InitializeParameter[a]    : &:r12_5
+#   12|     r12_7(glval<__attribute((neon_vector_type(8))) unsigned char *>) = VariableAddress[b]        : 
+#   12|     m12_8(__attribute((neon_vector_type(8))) unsigned char *)        = InitializeParameter[b]    : &:r12_7
+#   12|     r12_9(__attribute((neon_vector_type(8))) unsigned char *)        = Load[b]                   : &:r12_7, m12_8
+#   12|     m12_10(unknown)                                                  = InitializeIndirection[b]  : &:r12_9
+#   13|     r13_1(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[c]        : 
+#   13|     r13_2(glval<unknown>)                                            = FunctionAddress[vadd_u8]  : 
+#   13|     r13_3(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[a]        : 
+#   13|     r13_4(__attribute((neon_vector_type(8))) unsigned char)          = Load[a]                   : &:r13_3, m12_6
+#   13|     r13_5(glval<__attribute((neon_vector_type(8))) unsigned char *>) = VariableAddress[b]        : 
+#   13|     r13_6(__attribute((neon_vector_type(8))) unsigned char *)        = Load[b]                   : &:r13_5, m12_8
+#   13|     r13_7(__attribute((neon_vector_type(8))) unsigned char)          = Load[?]                   : &:r13_6, ~m12_10
+#   13|     r13_8(__attribute((neon_vector_type(8))) unsigned char)          = Call[vadd_u8]             : func:r13_2, 0:r13_4, 1:r13_7
+#   13|     m13_9(unknown)                                                   = ^CallSideEffect           : ~m12_4
+#   13|     m13_10(unknown)                                                  = Chi                       : total:m12_4, partial:m13_9
+#   13|     m13_11(__attribute((neon_vector_type(8))) unsigned char)         = Store[c]                  : &:r13_1, r13_8
+#   14|     r14_1(glval<__attribute((neon_vector_type(8))) unsigned short>)  = VariableAddress[#return]  : 
+#   14|     r14_2(glval<unknown>)                                            = FunctionAddress[vaddl_u8] : 
+#   14|     r14_3(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[a]        : 
+#   14|     r14_4(__attribute((neon_vector_type(8))) unsigned char)          = Load[a]                   : &:r14_3, m12_6
+#   14|     r14_5(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[c]        : 
+#   14|     r14_6(__attribute((neon_vector_type(8))) unsigned char)          = Load[c]                   : &:r14_5, m13_11
+#   14|     r14_7(__attribute((neon_vector_type(8))) unsigned short)         = Call[vaddl_u8]            : func:r14_2, 0:r14_4, 1:r14_6
+#   14|     m14_8(unknown)                                                   = ^CallSideEffect           : ~m13_10
+#   14|     m14_9(unknown)                                                   = Chi                       : total:m13_10, partial:m14_8
+#   14|     m14_10(__attribute((neon_vector_type(8))) unsigned short)        = Store[#return]            : &:r14_1, r14_7
+#   12|     v12_11(void)                                                     = ReturnIndirection[b]      : &:r12_9, m12_10
+#   12|     r12_12(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
+#   12|     v12_13(void)                                                     = ReturnValue               : &:r12_12, m14_10
+#   12|     v12_14(void)                                                     = AliasedUse                : ~m14_9
+#   12|     v12_15(void)                                                     = ExitFunction              : 
 
-#   18| uint16x8_t arm_add(uint8x8_t, uint8x8_t)
-#   18|   Block 0
-#   18|     v18_1(void)                                                     = EnterFunction             : 
-#   18|     m18_2(unknown)                                                  = AliasedDefinition         : 
-#   18|     m18_3(unknown)                                                  = InitializeNonLocal        : 
-#   18|     m18_4(unknown)                                                  = Chi                       : total:m18_2, partial:m18_3
-#   18|     r18_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
-#   18|     m18_6(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[a]    : &:r18_5
-#   18|     r18_7(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]        : 
-#   18|     m18_8(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[b]    : &:r18_7
-#   19|     r19_1(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[c]        : 
-#   19|     r19_2(glval<unknown>)                                           = FunctionAddress[vadd_u8]  : 
-#   19|     r19_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
-#   19|     r19_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                   : &:r19_3, m18_6
-#   19|     r19_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]        : 
-#   19|     r19_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[b]                   : &:r19_5, m18_8
-#   19|     r19_7(__attribute((neon_vector_type(8))) unsigned char)         = Call[vadd_u8]             : func:r19_2, 0:r19_4, 1:r19_6
-#   19|     m19_8(unknown)                                                  = ^CallSideEffect           : ~m18_4
-#   19|     m19_9(unknown)                                                  = Chi                       : total:m18_4, partial:m19_8
-#   19|     m19_10(__attribute((neon_vector_type(8))) unsigned char)        = Store[c]                  : &:r19_1, r19_7
-#   20|     r20_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
-#   20|     r20_2(glval<unknown>)                                           = FunctionAddress[vaddl_u8] : 
-#   20|     r20_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
-#   20|     r20_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                   : &:r20_3, m18_6
-#   20|     r20_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[c]        : 
-#   20|     r20_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[c]                   : &:r20_5, m19_10
-#   20|     r20_7(__attribute((neon_vector_type(8))) unsigned short)        = Call[vaddl_u8]            : func:r20_2, 0:r20_4, 1:r20_6
-#   20|     m20_8(unknown)                                                  = ^CallSideEffect           : ~m19_9
-#   20|     m20_9(unknown)                                                  = Chi                       : total:m19_9, partial:m20_8
-#   20|     m20_10(__attribute((neon_vector_type(8))) unsigned short)       = Store[#return]            : &:r20_1, r20_7
-#   18|     r18_9(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
-#   18|     v18_10(void)                                                    = ReturnValue               : &:r18_9, m20_10
-#   18|     v18_11(void)                                                    = AliasedUse                : ~m20_9
-#   18|     v18_12(void)                                                    = ExitFunction              : 
+#   22| mfloat8x8_t arm_reinterpret(int8x8_t*)
+#   22|   Block 0
+#   22|     v22_1(void)           = EnterFunction                        : 
+#   22|     m22_2(unknown)        = AliasedDefinition                    : 
+#   22|     m22_3(unknown)        = InitializeNonLocal                   : 
+#   22|     m22_4(unknown)        = Chi                                  : total:m22_2, partial:m22_3
+#   22|     r22_5(glval<char *>)  = VariableAddress[a]                   : 
+#   22|     m22_6(char *)         = InitializeParameter[a]               : &:r22_5
+#   22|     r22_7(char *)         = Load[a]                              : &:r22_5, m22_6
+#   22|     m22_8(unknown)        = InitializeIndirection[a]             : &:r22_7
+#   23|     r23_1(glval<__mfp8>)  = VariableAddress[#return]             : 
+#   23|     r23_2(glval<unknown>) = FunctionAddress[vreinterpret_mf8_s8] : 
+#   23|     r23_3(glval<char *>)  = VariableAddress[a]                   : 
+#   23|     r23_4(char *)         = Load[a]                              : &:r23_3, m22_6
+#   23|     r23_5(char)           = Load[?]                              : &:r23_4, ~m22_8
+#   23|     r23_6(__mfp8)         = Call[vreinterpret_mf8_s8]            : func:r23_2, 0:r23_5
+#   23|     m23_7(unknown)        = ^CallSideEffect                      : ~m22_4
+#   23|     m23_8(unknown)        = Chi                                  : total:m22_4, partial:m23_7
+#   23|     m23_9(__mfp8)         = Store[#return]                       : &:r23_1, r23_6
+#   22|     v22_9(void)           = ReturnIndirection[a]                 : &:r22_7, m22_8
+#   22|     r22_10(glval<__mfp8>) = VariableAddress[#return]             : 
+#   22|     v22_11(void)          = ReturnValue                          : &:r22_10, m23_9
+#   22|     v22_12(void)          = AliasedUse                           : ~m23_8
+#   22|     v22_13(void)          = ExitFunction                         : 
+
+arm_sve.cpp:
+#    8| svuint8x2_t arm_sel(svcount_t, svuint8x2_t, svuint8x2_t*)
+#    8|   Block 0
+#    8|     v8_1(void)                                                    = EnterFunction                : 
+#    8|     m8_2(unknown)                                                 = AliasedDefinition            : 
+#    8|     m8_3(unknown)                                                 = InitializeNonLocal           : 
+#    8|     m8_4(unknown)                                                 = Chi                          : total:m8_2, partial:m8_3
+#    8|     r8_5(glval<__SVCount_t>)                                      = VariableAddress[a]           : 
+#    8|     m8_6(__SVCount_t)                                             = InitializeParameter[a]       : &:r8_5
+#    8|     r8_7(glval<__edg_scalable_vector_type__(unsigned char, 2)>)   = VariableAddress[b]           : 
+#    8|     m8_8(__edg_scalable_vector_type__(unsigned char, 2))          = InitializeParameter[b]       : &:r8_7
+#    8|     r8_9(glval<__edg_scalable_vector_type__(unsigned char, 2) *>) = VariableAddress[c]           : 
+#    8|     m8_10(__edg_scalable_vector_type__(unsigned char, 2) *)       = InitializeParameter[c]       : &:r8_9
+#    8|     r8_11(__edg_scalable_vector_type__(unsigned char, 2) *)       = Load[c]                      : &:r8_9, m8_10
+#    8|     m8_12(unknown)                                                = InitializeIndirection[c]     : &:r8_11
+#    9|     r9_1(glval<__edg_scalable_vector_type__(unsigned char, 2)>)   = VariableAddress[d]           : 
+#    9|     r9_2(glval<unknown>)                                          = FunctionAddress[svsel_u8_x2] : 
+#    9|     r9_3(glval<__SVCount_t>)                                      = VariableAddress[a]           : 
+#    9|     r9_4(__SVCount_t)                                             = Load[a]                      : &:r9_3, m8_6
+#    9|     r9_5(glval<__edg_scalable_vector_type__(unsigned char, 2)>)   = VariableAddress[b]           : 
+#    9|     r9_6(__edg_scalable_vector_type__(unsigned char, 2))          = Load[b]                      : &:r9_5, m8_8
+#    9|     r9_7(glval<__edg_scalable_vector_type__(unsigned char, 2) *>) = VariableAddress[c]           : 
+#    9|     r9_8(__edg_scalable_vector_type__(unsigned char, 2) *)        = Load[c]                      : &:r9_7, m8_10
+#    9|     r9_9(__edg_scalable_vector_type__(unsigned char, 2))          = Load[?]                      : &:r9_8, ~m8_12
+#    9|     r9_10(__edg_scalable_vector_type__(unsigned char, 2))         = Call[svsel_u8_x2]            : func:r9_2, 0:r9_4, 1:r9_6, 2:r9_9
+#    9|     m9_11(unknown)                                                = ^CallSideEffect              : ~m8_4
+#    9|     m9_12(unknown)                                                = Chi                          : total:m8_4, partial:m9_11
+#    9|     m9_13(__edg_scalable_vector_type__(unsigned char, 2))         = Store[d]                     : &:r9_1, r9_10
+#   10|     r10_1(glval<__edg_scalable_vector_type__(unsigned char, 2)>)  = VariableAddress[#return]     : 
+#   10|     r10_2(glval<__edg_scalable_vector_type__(unsigned char, 2)>)  = VariableAddress[d]           : 
+#   10|     r10_3(__edg_scalable_vector_type__(unsigned char, 2))         = Load[d]                      : &:r10_2, m9_13
+#   10|     m10_4(__edg_scalable_vector_type__(unsigned char, 2))         = Store[#return]               : &:r10_1, r10_3
+#    8|     v8_13(void)                                                   = ReturnIndirection[c]         : &:r8_11, m8_12
+#    8|     r8_14(glval<__edg_scalable_vector_type__(unsigned char, 2)>)  = VariableAddress[#return]     : 
+#    8|     v8_15(void)                                                   = ReturnValue                  : &:r8_14, m10_4
+#    8|     v8_16(void)                                                   = AliasedUse                   : ~m9_12
+#    8|     v8_17(void)                                                   = ExitFunction                 : 
 
 bad_asts.cpp:
 #    9| int Bad::S::MemberFunction<int 6>(int)
@@ -8614,7 +8656,7 @@ ir.cpp:
 #  883|     v883_13(void)            = AliasedUse               : m883_3
 #  883|     v883_14(void)            = ExitFunction             : 
 
-#  888| void VAListUsage(int, __va_list_tag[1])
+#  888| void VAListUsage(int, __builtin_va_list)
 #  888|   Block 0
 #  888|     v888_1(void)                    = EnterFunction               : 
 #  888|     m888_2(unknown)                 = AliasedDefinition           : 

cpp/ql/test/library-tests/ir/ir/arm.cpp

@@ -1,21 +0,0 @@
-// semmle-extractor-options: --edg --target --edg linux_arm64
-
-typedef __Uint8x8_t uint8x8_t;
-typedef __Uint16x8_t uint16x8_t;
-
-uint8x8_t vadd_u8(uint8x8_t a, uint8x8_t b) {
-  return a + b;
-}
-
-// Workaround: the frontend only exposes this when the arm_neon.h
-// header is encountered.
-uint16x8_t __builtin_aarch64_uaddlv8qi_uuu(uint8x8_t, uint8x8_t);
-
-uint16x8_t vaddl_u8(uint8x8_t a, uint8x8_t b) {
-  return __builtin_aarch64_uaddlv8qi_uuu (a, b);
-}
-
-uint16x8_t arm_add(uint8x8_t a, uint8x8_t b) {
-  uint8x8_t c = vadd_u8(a, b);
-  return vaddl_u8(a, c);
-}

cpp/ql/test/library-tests/ir/ir/arm_neon.cpp

@@ -0,0 +1,24 @@
+// semmle-extractor-options: --edg --target --edg linux_arm64 --gnu_version 150000
+
+typedef __Uint8x8_t uint8x8_t;
+typedef __Uint16x8_t uint16x8_t;
+
+uint8x8_t vadd_u8(uint8x8_t a, uint8x8_t b) {
+  return a + b;
+}
+
+uint16x8_t vaddl_u8(uint8x8_t a, uint8x8_t b);
+
+uint16x8_t arm_add(uint8x8_t a, uint8x8_t *b) {
+  uint8x8_t c = vadd_u8(a, *b);
+  return vaddl_u8(a, c);
+}
+
+typedef __attribute__((neon_vector_type(8))) __mfp8 mfloat8x8_t;
+typedef __attribute__((neon_vector_type(8))) char int8x8_t;
+
+mfloat8x8_t vreinterpret_mf8_s8(int8x8_t);
+
+mfloat8x8_t arm_reinterpret(int8x8_t *a) {
+  return vreinterpret_mf8_s8(*a);
+}

cpp/ql/test/library-tests/ir/ir/arm_sve.cpp

@@ -0,0 +1,11 @@
+// semmle-extractor-options: --edg --target --edg linux_arm64 --clang_version 190000
+
+typedef __clang_svuint8x2_t svuint8x2_t;
+typedef __SVCount_t svcount_t;
+
+svuint8x2_t svsel_u8_x2(svcount_t, svuint8x2_t, svuint8x2_t);
+
+svuint8x2_t arm_sel(svcount_t a, svuint8x2_t b, svuint8x2_t *c) {
+  svuint8x2_t d = svsel_u8_x2(a, b, *c);
+  return d;
+}

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -1,4 +1,4 @@
-arm.cpp:
+arm_neon.cpp:
 #    6| uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
 #    6|   Block 0
 #    6|     v6_1(void)                                                    = EnterFunction            : 
@@ -20,60 +20,100 @@ arm.cpp:
 #    6|     v6_10(void)                                                   = AliasedUse               : ~m?
 #    6|     v6_11(void)                                                   = ExitFunction             : 
 
-#   14| uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
-#   14|   Block 0
-#   14|     v14_1(void)                                                     = EnterFunction                                    : 
-#   14|     mu14_2(unknown)                                                 = AliasedDefinition                                : 
-#   14|     mu14_3(unknown)                                                 = InitializeNonLocal                               : 
-#   14|     r14_4(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]                               : 
-#   14|     mu14_5(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[a]                           : &:r14_4
-#   14|     r14_6(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]                               : 
-#   14|     mu14_7(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[b]                           : &:r14_6
-#   15|     r15_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]                         : 
-#   15|     r15_2(glval<unknown>)                                           = FunctionAddress[__builtin_aarch64_uaddlv8qi_uuu] : 
-#   15|     r15_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]                               : 
-#   15|     r15_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                                          : &:r15_3, ~m?
-#   15|     r15_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]                               : 
-#   15|     r15_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[b]                                          : &:r15_5, ~m?
-#   15|     r15_7(__attribute((neon_vector_type(8))) unsigned short)        = Call[__builtin_aarch64_uaddlv8qi_uuu]            : func:r15_2, 0:r15_4, 1:r15_6
-#   15|     mu15_8(unknown)                                                 = ^CallSideEffect                                  : ~m?
-#   15|     mu15_9(__attribute((neon_vector_type(8))) unsigned short)       = Store[#return]                                   : &:r15_1, r15_7
-#   14|     r14_8(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]                         : 
-#   14|     v14_9(void)                                                     = ReturnValue                                      : &:r14_8, ~m?
-#   14|     v14_10(void)                                                    = AliasedUse                                       : ~m?
-#   14|     v14_11(void)                                                    = ExitFunction                                     : 
+#   12| uint16x8_t arm_add(uint8x8_t, uint8x8_t*)
+#   12|   Block 0
+#   12|     v12_1(void)                                                      = EnterFunction             : 
+#   12|     mu12_2(unknown)                                                  = AliasedDefinition         : 
+#   12|     mu12_3(unknown)                                                  = InitializeNonLocal        : 
+#   12|     r12_4(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[a]        : 
+#   12|     mu12_5(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[a]    : &:r12_4
+#   12|     r12_6(glval<__attribute((neon_vector_type(8))) unsigned char *>) = VariableAddress[b]        : 
+#   12|     mu12_7(__attribute((neon_vector_type(8))) unsigned char *)       = InitializeParameter[b]    : &:r12_6
+#   12|     r12_8(__attribute((neon_vector_type(8))) unsigned char *)        = Load[b]                   : &:r12_6, ~m?
+#   12|     mu12_9(unknown)                                                  = InitializeIndirection[b]  : &:r12_8
+#   13|     r13_1(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[c]        : 
+#   13|     r13_2(glval<unknown>)                                            = FunctionAddress[vadd_u8]  : 
+#   13|     r13_3(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[a]        : 
+#   13|     r13_4(__attribute((neon_vector_type(8))) unsigned char)          = Load[a]                   : &:r13_3, ~m?
+#   13|     r13_5(glval<__attribute((neon_vector_type(8))) unsigned char *>) = VariableAddress[b]        : 
+#   13|     r13_6(__attribute((neon_vector_type(8))) unsigned char *)        = Load[b]                   : &:r13_5, ~m?
+#   13|     r13_7(__attribute((neon_vector_type(8))) unsigned char)          = Load[?]                   : &:r13_6, ~m?
+#   13|     r13_8(__attribute((neon_vector_type(8))) unsigned char)          = Call[vadd_u8]             : func:r13_2, 0:r13_4, 1:r13_7
+#   13|     mu13_9(unknown)                                                  = ^CallSideEffect           : ~m?
+#   13|     mu13_10(__attribute((neon_vector_type(8))) unsigned char)        = Store[c]                  : &:r13_1, r13_8
+#   14|     r14_1(glval<__attribute((neon_vector_type(8))) unsigned short>)  = VariableAddress[#return]  : 
+#   14|     r14_2(glval<unknown>)                                            = FunctionAddress[vaddl_u8] : 
+#   14|     r14_3(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[a]        : 
+#   14|     r14_4(__attribute((neon_vector_type(8))) unsigned char)          = Load[a]                   : &:r14_3, ~m?
+#   14|     r14_5(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[c]        : 
+#   14|     r14_6(__attribute((neon_vector_type(8))) unsigned char)          = Load[c]                   : &:r14_5, ~m?
+#   14|     r14_7(__attribute((neon_vector_type(8))) unsigned short)         = Call[vaddl_u8]            : func:r14_2, 0:r14_4, 1:r14_6
+#   14|     mu14_8(unknown)                                                  = ^CallSideEffect           : ~m?
+#   14|     mu14_9(__attribute((neon_vector_type(8))) unsigned short)        = Store[#return]            : &:r14_1, r14_7
+#   12|     v12_10(void)                                                     = ReturnIndirection[b]      : &:r12_8, ~m?
+#   12|     r12_11(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
+#   12|     v12_12(void)                                                     = ReturnValue               : &:r12_11, ~m?
+#   12|     v12_13(void)                                                     = AliasedUse                : ~m?
+#   12|     v12_14(void)                                                     = ExitFunction              : 
 
-#   18| uint16x8_t arm_add(uint8x8_t, uint8x8_t)
-#   18|   Block 0
-#   18|     v18_1(void)                                                     = EnterFunction             : 
-#   18|     mu18_2(unknown)                                                 = AliasedDefinition         : 
-#   18|     mu18_3(unknown)                                                 = InitializeNonLocal        : 
-#   18|     r18_4(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
-#   18|     mu18_5(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[a]    : &:r18_4
-#   18|     r18_6(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]        : 
-#   18|     mu18_7(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[b]    : &:r18_6
-#   19|     r19_1(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[c]        : 
-#   19|     r19_2(glval<unknown>)                                           = FunctionAddress[vadd_u8]  : 
-#   19|     r19_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
-#   19|     r19_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                   : &:r19_3, ~m?
-#   19|     r19_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]        : 
-#   19|     r19_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[b]                   : &:r19_5, ~m?
-#   19|     r19_7(__attribute((neon_vector_type(8))) unsigned char)         = Call[vadd_u8]             : func:r19_2, 0:r19_4, 1:r19_6
-#   19|     mu19_8(unknown)                                                 = ^CallSideEffect           : ~m?
-#   19|     mu19_9(__attribute((neon_vector_type(8))) unsigned char)        = Store[c]                  : &:r19_1, r19_7
-#   20|     r20_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
-#   20|     r20_2(glval<unknown>)                                           = FunctionAddress[vaddl_u8] : 
-#   20|     r20_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
-#   20|     r20_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                   : &:r20_3, ~m?
-#   20|     r20_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[c]        : 
-#   20|     r20_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[c]                   : &:r20_5, ~m?
-#   20|     r20_7(__attribute((neon_vector_type(8))) unsigned short)        = Call[vaddl_u8]            : func:r20_2, 0:r20_4, 1:r20_6
-#   20|     mu20_8(unknown)                                                 = ^CallSideEffect           : ~m?
-#   20|     mu20_9(__attribute((neon_vector_type(8))) unsigned short)       = Store[#return]            : &:r20_1, r20_7
-#   18|     r18_8(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
-#   18|     v18_9(void)                                                     = ReturnValue               : &:r18_8, ~m?
-#   18|     v18_10(void)                                                    = AliasedUse                : ~m?
-#   18|     v18_11(void)                                                    = ExitFunction              : 
+#   22| mfloat8x8_t arm_reinterpret(int8x8_t*)
+#   22|   Block 0
+#   22|     v22_1(void)           = EnterFunction                        : 
+#   22|     mu22_2(unknown)       = AliasedDefinition                    : 
+#   22|     mu22_3(unknown)       = InitializeNonLocal                   : 
+#   22|     r22_4(glval<char *>)  = VariableAddress[a]                   : 
+#   22|     mu22_5(char *)        = InitializeParameter[a]               : &:r22_4
+#   22|     r22_6(char *)         = Load[a]                              : &:r22_4, ~m?
+#   22|     mu22_7(unknown)       = InitializeIndirection[a]             : &:r22_6
+#   23|     r23_1(glval<__mfp8>)  = VariableAddress[#return]             : 
+#   23|     r23_2(glval<unknown>) = FunctionAddress[vreinterpret_mf8_s8] : 
+#   23|     r23_3(glval<char *>)  = VariableAddress[a]                   : 
+#   23|     r23_4(char *)         = Load[a]                              : &:r23_3, ~m?
+#   23|     r23_5(char)           = Load[?]                              : &:r23_4, ~m?
+#   23|     r23_6(__mfp8)         = Call[vreinterpret_mf8_s8]            : func:r23_2, 0:r23_5
+#   23|     mu23_7(unknown)       = ^CallSideEffect                      : ~m?
+#   23|     mu23_8(__mfp8)        = Store[#return]                       : &:r23_1, r23_6
+#   22|     v22_8(void)           = ReturnIndirection[a]                 : &:r22_6, ~m?
+#   22|     r22_9(glval<__mfp8>)  = VariableAddress[#return]             : 
+#   22|     v22_10(void)          = ReturnValue                          : &:r22_9, ~m?
+#   22|     v22_11(void)          = AliasedUse                           : ~m?
+#   22|     v22_12(void)          = ExitFunction                         : 
+
+arm_sve.cpp:
+#    8| svuint8x2_t arm_sel(svcount_t, svuint8x2_t, svuint8x2_t*)
+#    8|   Block 0
+#    8|     v8_1(void)                                                    = EnterFunction                : 
+#    8|     mu8_2(unknown)                                                = AliasedDefinition            : 
+#    8|     mu8_3(unknown)                                                = InitializeNonLocal           : 
+#    8|     r8_4(glval<__SVCount_t>)                                      = VariableAddress[a]           : 
+#    8|     mu8_5(__SVCount_t)                                            = InitializeParameter[a]       : &:r8_4
+#    8|     r8_6(glval<__edg_scalable_vector_type__(unsigned char, 2)>)   = VariableAddress[b]           : 
+#    8|     mu8_7(__edg_scalable_vector_type__(unsigned char, 2))         = InitializeParameter[b]       : &:r8_6
+#    8|     r8_8(glval<__edg_scalable_vector_type__(unsigned char, 2) *>) = VariableAddress[c]           : 
+#    8|     mu8_9(__edg_scalable_vector_type__(unsigned char, 2) *)       = InitializeParameter[c]       : &:r8_8
+#    8|     r8_10(__edg_scalable_vector_type__(unsigned char, 2) *)       = Load[c]                      : &:r8_8, ~m?
+#    8|     mu8_11(unknown)                                               = InitializeIndirection[c]     : &:r8_10
+#    9|     r9_1(glval<__edg_scalable_vector_type__(unsigned char, 2)>)   = VariableAddress[d]           : 
+#    9|     r9_2(glval<unknown>)                                          = FunctionAddress[svsel_u8_x2] : 
+#    9|     r9_3(glval<__SVCount_t>)                                      = VariableAddress[a]           : 
+#    9|     r9_4(__SVCount_t)                                             = Load[a]                      : &:r9_3, ~m?
+#    9|     r9_5(glval<__edg_scalable_vector_type__(unsigned char, 2)>)   = VariableAddress[b]           : 
+#    9|     r9_6(__edg_scalable_vector_type__(unsigned char, 2))          = Load[b]                      : &:r9_5, ~m?
+#    9|     r9_7(glval<__edg_scalable_vector_type__(unsigned char, 2) *>) = VariableAddress[c]           : 
+#    9|     r9_8(__edg_scalable_vector_type__(unsigned char, 2) *)        = Load[c]                      : &:r9_7, ~m?
+#    9|     r9_9(__edg_scalable_vector_type__(unsigned char, 2))          = Load[?]                      : &:r9_8, ~m?
+#    9|     r9_10(__edg_scalable_vector_type__(unsigned char, 2))         = Call[svsel_u8_x2]            : func:r9_2, 0:r9_4, 1:r9_6, 2:r9_9
+#    9|     mu9_11(unknown)                                               = ^CallSideEffect              : ~m?
+#    9|     mu9_12(__edg_scalable_vector_type__(unsigned char, 2))        = Store[d]                     : &:r9_1, r9_10
+#   10|     r10_1(glval<__edg_scalable_vector_type__(unsigned char, 2)>)  = VariableAddress[#return]     : 
+#   10|     r10_2(glval<__edg_scalable_vector_type__(unsigned char, 2)>)  = VariableAddress[d]           : 
+#   10|     r10_3(__edg_scalable_vector_type__(unsigned char, 2))         = Load[d]                      : &:r10_2, ~m?
+#   10|     mu10_4(__edg_scalable_vector_type__(unsigned char, 2))        = Store[#return]               : &:r10_1, r10_3
+#    8|     v8_12(void)                                                   = ReturnIndirection[c]         : &:r8_10, ~m?
+#    8|     r8_13(glval<__edg_scalable_vector_type__(unsigned char, 2)>)  = VariableAddress[#return]     : 
+#    8|     v8_14(void)                                                   = ReturnValue                  : &:r8_13, ~m?
+#    8|     v8_15(void)                                                   = AliasedUse                   : ~m?
+#    8|     v8_16(void)                                                   = ExitFunction                 : 
 
 bad_asts.cpp:
 #    9| int Bad::S::MemberFunction<int 6>(int)
@@ -7955,7 +7995,7 @@ ir.cpp:
 #  883|     v883_12(void)            = AliasedUse               : ~m?
 #  883|     v883_13(void)            = ExitFunction             : 
 
-#  888| void VAListUsage(int, __va_list_tag[1])
+#  888| void VAListUsage(int, __builtin_va_list)
 #  888|   Block 0
 #  888|     v888_1(void)                    = EnterFunction               : 
 #  888|     mu888_2(unknown)                = AliasedDefinition           : 

cpp/ql/test/library-tests/templates/instantiation_directive/functions.expected

@@ -1,3 +1,5 @@
 | file://:0:0:0:0 | operator= | file://:0:0:0:0 | __va_list_tag && |
 | file://:0:0:0:0 | operator= | file://:0:0:0:0 | const __va_list_tag & |
+| test.cpp:2:6:2:6 | foo | file://:0:0:0:0 | float |
+| test.cpp:2:6:2:6 | foo | file://:0:0:0:0 | int |
 | test.cpp:2:6:2:8 | foo | test.cpp:1:19:1:19 | T |

cpp/ql/test/library-tests/templates/isfromtemplateinstantiation/instantiations.expected

@@ -10,3 +10,4 @@
 | isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<int> | ClassTemplateInstantiation | file://:0:0:0:0 | int |
 | isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<long> | ClassTemplateInstantiation | file://:0:0:0:0 | long |
 | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> | ClassTemplateInstantiation | load.cpp:3:7:3:24 | std_istream_mockup |
+| load.cpp:22:10:22:10 | load | FunctionTemplateInstantiation | file://:0:0:0:0 | short |

cpp/ql/test/library-tests/templates/isfromtemplateinstantiation/isfromtemplateinstantiation.expected

@@ -104,6 +104,15 @@
 | isfromtemplateinstantiation.cpp:99:1:99:1 | return ... | isfromtemplateinstantiation.cpp:77:26:77:45 | AnotherTemplateClass<int> |
 | isfromtemplateinstantiation.cpp:99:1:99:1 | return ... | isfromtemplateinstantiation.cpp:97:52:97:52 | AnotherTemplateClass<int>::myMethod2(MyClassEnum) |
 | isfromtemplateinstantiation.cpp:110:3:110:3 | definition of var_template | isfromtemplateinstantiation.cpp:110:3:110:3 | var_template |
+| isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
+| isfromtemplateinstantiation.cpp:129:6:129:6 | definition of f | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
+| isfromtemplateinstantiation.cpp:129:6:129:6 | definition of f | isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() |
+| isfromtemplateinstantiation.cpp:129:10:129:22 | { ... } | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
+| isfromtemplateinstantiation.cpp:129:10:129:22 | { ... } | isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() |
+| isfromtemplateinstantiation.cpp:129:12:129:20 | return ... | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
+| isfromtemplateinstantiation.cpp:129:12:129:20 | return ... | isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() |
+| isfromtemplateinstantiation.cpp:129:19:129:19 | 1 | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
+| isfromtemplateinstantiation.cpp:129:19:129:19 | 1 | isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() |
 | isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<U> | isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<int> |
 | isfromtemplateinstantiation.cpp:135:31:135:35 | declaration of Inner<U> | isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<int> |
 | isfromtemplateinstantiation.cpp:136:7:136:7 | definition of x | isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<long> |
@@ -112,7 +121,94 @@
 | isfromtemplateinstantiation.cpp:137:7:137:7 | y | isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<long> |
 | load.cpp:15:14:15:15 | definition of is | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
 | load.cpp:15:14:15:15 | is | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:18:5:18:5 | definition of basic_text_iprimitive | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:18:5:18:5 | definition of basic_text_iprimitive | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
+| load.cpp:18:36:18:42 | definition of isParam | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:18:36:18:42 | definition of isParam | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
+| load.cpp:18:36:18:42 | std_istream_mockup & isParam | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:18:36:18:42 | std_istream_mockup & isParam | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
+| load.cpp:19:11:19:21 | constructor init of field is | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:19:11:19:21 | constructor init of field is | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
+| load.cpp:19:14:19:20 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:19:14:19:20 | (reference dereference) | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
+| load.cpp:19:14:19:20 | (reference to) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:19:14:19:20 | (reference to) | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
+| load.cpp:19:14:19:20 | isParam | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:19:14:19:20 | isParam | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
+| load.cpp:19:23:19:24 | { ... } | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:19:23:19:24 | { ... } | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
+| load.cpp:19:24:19:24 | return ... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:19:24:19:24 | return ... | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
+| load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:22:10:22:10 | definition of load | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:22:10:22:10 | definition of load | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
 | load.cpp:22:10:22:13 | basic_text_iprimitive<std_istream_mockup>::load<T>(T &) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
 | load.cpp:22:10:22:13 | declaration of load | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
 | load.cpp:22:19:22:19 | T & t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
 | load.cpp:22:19:22:19 | declaration of t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:22:19:22:19 | definition of t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:22:19:22:19 | definition of t | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
+| load.cpp:22:19:22:19 | short & t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:22:19:22:19 | short & t | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
+| load.cpp:23:5:25:5 | { ... } | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:23:5:25:5 | { ... } | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
+| load.cpp:24:9:24:10 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:24:9:24:10 | (reference dereference) | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
+| load.cpp:24:9:24:10 | is | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:24:9:24:10 | is | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
+| load.cpp:24:9:24:10 | this | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:24:9:24:10 | this | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
+| load.cpp:24:9:24:16 | ExprStmt | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:24:9:24:16 | ExprStmt | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
+| load.cpp:24:12:24:12 | call to operator>> | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:24:12:24:12 | call to operator>> | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
+| load.cpp:24:12:24:16 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:24:12:24:16 | (reference dereference) | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
+| load.cpp:24:15:24:15 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:24:15:24:15 | (reference dereference) | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
+| load.cpp:24:15:24:15 | (reference to) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:24:15:24:15 | (reference to) | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
+| load.cpp:24:15:24:15 | t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:24:15:24:15 | t | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
+| load.cpp:25:5:25:5 | return ... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:25:5:25:5 | return ... | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
+| load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:27:10:27:10 | definition of load | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:27:10:27:10 | definition of load | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:27:22:27:22 | char & t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:27:22:27:22 | char & t | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:27:22:27:22 | definition of t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:27:22:27:22 | definition of t | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:28:5:32:5 | { ... } | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:28:5:32:5 | { ... } | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:29:9:29:20 | declaration | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:29:9:29:20 | declaration | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:29:19:29:19 | definition of i | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:29:19:29:19 | definition of i | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:29:19:29:19 | i | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:29:19:29:19 | i | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:30:9:30:12 | call to load | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:30:9:30:12 | call to load | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:30:9:30:12 | this | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:30:9:30:12 | this | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:30:9:30:16 | ExprStmt | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:30:9:30:16 | ExprStmt | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:30:14:30:14 | (reference to) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:30:14:30:14 | (reference to) | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:30:14:30:14 | i | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:30:14:30:14 | i | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:31:9:31:9 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:31:9:31:9 | (reference dereference) | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:31:9:31:9 | t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:31:9:31:9 | t | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:31:9:31:13 | ... = ... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:31:9:31:13 | ... = ... | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:31:9:31:14 | ExprStmt | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:31:9:31:14 | ExprStmt | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:31:13:31:13 | (char)... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:31:13:31:13 | (char)... | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:31:13:31:13 | i | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:31:13:31:13 | i | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
+| load.cpp:32:5:32:5 | return ... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
+| load.cpp:32:5:32:5 | return ... | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |

cpp/ql/test/library-tests/templates/isfromtemplateinstantiation/isfromuninstantiatedtemplate.expected

@@ -425,7 +425,16 @@ isFromUninstantiatedTemplate
 | isfromtemplateinstantiation.cpp:123:6:123:6 | f |  |  | Declaration |  |
 | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<T *> |  | T | Declaration |  |
 | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> | I |  | Declaration |  |
+| isfromtemplateinstantiation.cpp:129:6:129:6 | definition of f |  | T | Definition |  |
+| isfromtemplateinstantiation.cpp:129:6:129:6 | definition of f | I |  | Definition |  |
 | isfromtemplateinstantiation.cpp:129:6:129:6 | f |  | T | Declaration |  |
+| isfromtemplateinstantiation.cpp:129:6:129:6 | f | I |  | Declaration |  |
+| isfromtemplateinstantiation.cpp:129:10:129:22 | { ... } |  | T | Stmt |  |
+| isfromtemplateinstantiation.cpp:129:10:129:22 | { ... } | I |  | Stmt |  |
+| isfromtemplateinstantiation.cpp:129:12:129:20 | return ... |  | T | Stmt |  |
+| isfromtemplateinstantiation.cpp:129:12:129:20 | return ... | I |  | Stmt |  |
+| isfromtemplateinstantiation.cpp:129:19:129:19 | 1 |  | T | Expr |  |
+| isfromtemplateinstantiation.cpp:129:19:129:19 | 1 | I |  | Expr |  |
 | isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<T> |  | T | Declaration |  |
 | isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<int> | I |  | Declaration |  |
 | isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<U> |  | T | Declaration |  |
@@ -461,21 +470,82 @@ isFromUninstantiatedTemplate
 | load.cpp:15:14:15:15 | definition of is | I |  | Definition |  |
 | load.cpp:15:14:15:15 | is |  | T | Declaration |  |
 | load.cpp:15:14:15:15 | is | I |  | Declaration |  |
+| load.cpp:18:5:18:5 | basic_text_iprimitive | I |  | Declaration |  |
 | load.cpp:18:5:18:25 | basic_text_iprimitive |  | T | Declaration |  |
+| load.cpp:18:36:18:42 | definition of isParam |  | T | Definition |  |
+| load.cpp:18:36:18:42 | definition of isParam | I |  | Definition |  |
+| load.cpp:18:36:18:42 | isParam |  | T | Declaration |  |
+| load.cpp:18:36:18:42 | isParam | I |  | Declaration |  |
+| load.cpp:19:11:19:21 | constructor init of field is |  | T | Expr |  |
+| load.cpp:19:11:19:21 | constructor init of field is | I |  | Expr |  |
 | load.cpp:19:14:19:20 | (reference dereference) |  | T | Expr |  |
+| load.cpp:19:14:19:20 | (reference dereference) | I |  | Expr |  |
 | load.cpp:19:14:19:20 | (reference to) |  | T | Expr |  |
+| load.cpp:19:14:19:20 | (reference to) | I |  | Expr |  |
 | load.cpp:19:14:19:20 | isParam |  | T | Expr | Ref |
+| load.cpp:19:14:19:20 | isParam | I |  | Expr | Ref |
+| load.cpp:19:23:19:24 | { ... } |  | T | Stmt |  |
+| load.cpp:19:23:19:24 | { ... } | I |  | Stmt |  |
+| load.cpp:19:24:19:24 | return ... |  | T | Stmt |  |
+| load.cpp:19:24:19:24 | return ... | I |  | Stmt |  |
+| load.cpp:22:10:22:10 | load | I |  | Declaration |  |
 | load.cpp:22:10:22:13 | load |  | T | Declaration |  |
 | load.cpp:22:10:22:13 | load | I | T | Declaration |  |
+| load.cpp:22:19:22:19 | definition of t |  | T | Definition |  |
+| load.cpp:22:19:22:19 | definition of t | I |  | Definition |  |
 | load.cpp:22:19:22:19 | t |  | T | Declaration |  |
+| load.cpp:22:19:22:19 | t | I |  | Declaration |  |
 | load.cpp:22:19:22:19 | t | I | T | Declaration |  |
+| load.cpp:23:5:25:5 | { ... } |  | T | Stmt |  |
+| load.cpp:23:5:25:5 | { ... } | I |  | Stmt |  |
 | load.cpp:24:9:24:10 | (reference dereference) |  | T | Expr |  |
+| load.cpp:24:9:24:10 | (reference dereference) | I |  | Expr |  |
 | load.cpp:24:9:24:10 | is |  | T | Expr | Not ref |
+| load.cpp:24:9:24:10 | is | I |  | Expr | Not ref |
 | load.cpp:24:9:24:10 | this |  | T | Expr |  |
+| load.cpp:24:9:24:10 | this | I |  | Expr |  |
+| load.cpp:24:9:24:16 | ExprStmt |  | T | Stmt |  |
+| load.cpp:24:9:24:16 | ExprStmt | I |  | Stmt |  |
 | load.cpp:24:15:24:15 | (reference dereference) |  | T | Expr |  |
+| load.cpp:24:15:24:15 | (reference dereference) | I |  | Expr |  |
+| load.cpp:24:15:24:15 | (reference to) | I |  | Expr |  |
 | load.cpp:24:15:24:15 | t |  | T | Expr | Not ref |
+| load.cpp:24:15:24:15 | t | I |  | Expr | Ref |
+| load.cpp:25:5:25:5 | return ... |  | T | Stmt |  |
+| load.cpp:25:5:25:5 | return ... | I |  | Stmt |  |
+| load.cpp:27:10:27:10 | load | I |  | Declaration |  |
 | load.cpp:27:10:27:13 | load |  | T | Declaration |  |
+| load.cpp:27:22:27:22 | definition of t |  | T | Definition |  |
+| load.cpp:27:22:27:22 | definition of t | I |  | Definition |  |
+| load.cpp:27:22:27:22 | t |  | T | Declaration |  |
+| load.cpp:27:22:27:22 | t | I |  | Declaration |  |
+| load.cpp:28:5:32:5 | { ... } |  | T | Stmt |  |
+| load.cpp:28:5:32:5 | { ... } | I |  | Stmt |  |
+| load.cpp:29:9:29:20 | declaration |  | T | Stmt |  |
+| load.cpp:29:9:29:20 | declaration | I |  | Stmt |  |
+| load.cpp:29:19:29:19 | definition of i |  | T | Definition |  |
+| load.cpp:29:19:29:19 | definition of i | I |  | Definition |  |
+| load.cpp:29:19:29:19 | i |  | T | Declaration |  |
+| load.cpp:29:19:29:19 | i | I |  | Declaration |  |
+| load.cpp:30:9:30:12 | Unknown literal |  | T | Expr |  |
+| load.cpp:30:9:30:12 | call to load | I |  | Expr |  |
+| load.cpp:30:9:30:12 | this | I |  | Expr |  |
+| load.cpp:30:9:30:16 | ExprStmt |  | T | Stmt |  |
+| load.cpp:30:9:30:16 | ExprStmt | I |  | Stmt |  |
+| load.cpp:30:14:30:14 | (reference to) | I |  | Expr |  |
+| load.cpp:30:14:30:14 | i |  | T | Expr | Not ref |
+| load.cpp:30:14:30:14 | i | I |  | Expr | Ref |
 | load.cpp:31:9:31:9 | (reference dereference) |  | T | Expr |  |
+| load.cpp:31:9:31:9 | (reference dereference) | I |  | Expr |  |
 | load.cpp:31:9:31:9 | t |  | T | Expr | Not ref |
+| load.cpp:31:9:31:9 | t | I |  | Expr | Not ref |
+| load.cpp:31:9:31:13 | ... = ... |  | T | Expr |  |
+| load.cpp:31:9:31:13 | ... = ... | I |  | Expr |  |
+| load.cpp:31:9:31:14 | ExprStmt |  | T | Stmt |  |
+| load.cpp:31:9:31:14 | ExprStmt | I |  | Stmt |  |
 | load.cpp:31:13:31:13 | (char)... |  | T | Expr |  |
+| load.cpp:31:13:31:13 | (char)... | I |  | Expr |  |
 | load.cpp:31:13:31:13 | i |  | T | Expr | Not ref |
+| load.cpp:31:13:31:13 | i | I |  | Expr | Not ref |
+| load.cpp:32:5:32:5 | return ... |  | T | Stmt |  |
+| load.cpp:32:5:32:5 | return ... | I |  | Stmt |  |

cpp/ql/test/library-tests/templates/switch/test.expected

@@ -1 +1,2 @@
 | test.cpp:13:3:20:3 | switch (...) ...  | 3 |
+| test.cpp:13:3:20:3 | switch (...) ...  | 3 |

cpp/ql/test/library-tests/templates/type_instantiations/types.expected

@@ -5,10 +5,13 @@
 | file://:0:0:0:0 | _Complex _Float64 |
 | file://:0:0:0:0 | _Complex _Float64x |
 | file://:0:0:0:0 | _Complex _Float128 |
+| file://:0:0:0:0 | _Complex __bf16 |
 | file://:0:0:0:0 | _Complex __float128 |
+| file://:0:0:0:0 | _Complex __fp16 |
 | file://:0:0:0:0 | _Complex double |
 | file://:0:0:0:0 | _Complex float |
 | file://:0:0:0:0 | _Complex long double |
+| file://:0:0:0:0 | _Complex std::float16_t |
 | file://:0:0:0:0 | _Decimal32 |
 | file://:0:0:0:0 | _Decimal64 |
 | file://:0:0:0:0 | _Decimal128 |

cpp/ql/test/library-tests/type_sizes/type_sizes.expected

@@ -25,10 +25,13 @@
 | file://:0:0:0:0 | _Complex _Float64 | 16 |
 | file://:0:0:0:0 | _Complex _Float64x | 32 |
 | file://:0:0:0:0 | _Complex _Float128 | 32 |
+| file://:0:0:0:0 | _Complex __bf16 | 4 |
 | file://:0:0:0:0 | _Complex __float128 | 32 |
+| file://:0:0:0:0 | _Complex __fp16 | 4 |
 | file://:0:0:0:0 | _Complex double | 16 |
 | file://:0:0:0:0 | _Complex float | 8 |
 | file://:0:0:0:0 | _Complex long double | 32 |
+| file://:0:0:0:0 | _Complex std::float16_t | 4 |
 | file://:0:0:0:0 | _Decimal32 | 4 |
 | file://:0:0:0:0 | _Decimal64 | 8 |
 | file://:0:0:0:0 | _Decimal128 | 16 |

cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected

@@ -7,10 +7,13 @@
 | file://:0:0:0:0 | _Complex _Float64 | _Complex _Float64 |
 | file://:0:0:0:0 | _Complex _Float64x | _Complex _Float64x |
 | file://:0:0:0:0 | _Complex _Float128 | _Complex _Float128 |
+| file://:0:0:0:0 | _Complex __bf16 | _Complex __bf16 |
 | file://:0:0:0:0 | _Complex __float128 | _Complex __float128 |
+| file://:0:0:0:0 | _Complex __fp16 | _Complex __fp16 |
 | file://:0:0:0:0 | _Complex double | _Complex double |
 | file://:0:0:0:0 | _Complex float | _Complex float |
 | file://:0:0:0:0 | _Complex long double | _Complex long double |
+| file://:0:0:0:0 | _Complex std::float16_t | _Complex std::float16_t |
 | file://:0:0:0:0 | _Decimal32 | _Decimal32 |
 | file://:0:0:0:0 | _Decimal64 | _Decimal64 |
 | file://:0:0:0:0 | _Decimal128 | _Decimal128 |

cpp/ql/test/library-tests/variables/variables/types.expected

@@ -6,10 +6,13 @@
 | _Complex _Float64 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex _Float64x | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex _Float128 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
+| _Complex __bf16 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex __float128 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
+| _Complex __fp16 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex double | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex float | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex long double | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
+| _Complex std::float16_t | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Decimal32 | Decimal32Type |  |  |  |  |
 | _Decimal64 | Decimal64Type |  |  |  |  |
 | _Decimal128 | Decimal128Type |  |  |  |  |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.expected

@@ -10,6 +10,8 @@
 | printf1.h:44:18:44:20 | ull | This format specifier for type 'int' does not match the argument type 'unsigned long long'. |
 | printf1.h:45:18:45:20 | ull | This format specifier for type 'unsigned int' does not match the argument type 'unsigned long long'. |
 | printf1.h:46:18:46:20 | ull | This format specifier for type 'unsigned int' does not match the argument type 'unsigned long long'. |
+| printf1.h:62:19:62:20 | ul | This format specifier for type 'size_t' does not match the argument type 'unsigned long'. |
+| printf1.h:68:19:68:21 | sst | This format specifier for type 'size_t' does not match the argument type 'long'. |
 | printf1.h:71:19:71:20 | st | This format specifier for type 'ssize_t' does not match the argument type 'unsigned long long'. |
 | printf1.h:72:19:72:20 | ST | This format specifier for type 'ssize_t' does not match the argument type 'unsigned long long'. |
 | printf1.h:73:19:73:22 | c_st | This format specifier for type 'ssize_t' does not match the argument type 'unsigned long long'. |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h

@@ -59,13 +59,13 @@ void g()
     const SIZE_T C_ST = sizeof(st);
     ssize_t sst;
 
-    printf("%zu", ul); // ok (dubious, e.g. on 64-bit Windows `long` is 4 bytes but `size_t` is 8)
+    printf("%zu", ul); // not ok
     printf("%zu", st); // ok
     printf("%zu", ST); // ok
     printf("%zu", c_st); // ok
     printf("%zu", C_ST); // ok
     printf("%zu", sizeof(ul)); // ok
-    printf("%zu", sst); // not ok [NOT DETECTED]
+    printf("%zu", sst); // not ok
 
     printf("%zd", ul); // not ok [NOT DETECTED]
     printf("%zd", st); // not ok

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.expected

@@ -10,6 +10,8 @@
 | printf1.h:44:18:44:20 | ull | This format specifier for type 'int' does not match the argument type 'unsigned long long'. |
 | printf1.h:45:18:45:20 | ull | This format specifier for type 'unsigned int' does not match the argument type 'unsigned long long'. |
 | printf1.h:46:18:46:20 | ull | This format specifier for type 'unsigned int' does not match the argument type 'unsigned long long'. |
+| printf1.h:62:19:62:20 | ul | This format specifier for type 'size_t' does not match the argument type 'unsigned long'. |
+| printf1.h:68:19:68:21 | sst | This format specifier for type 'size_t' does not match the argument type 'long'. |
 | printf1.h:71:19:71:20 | st | This format specifier for type 'ssize_t' does not match the argument type 'unsigned long long'. |
 | printf1.h:72:19:72:20 | ST | This format specifier for type 'ssize_t' does not match the argument type 'unsigned long long'. |
 | printf1.h:73:19:73:22 | c_st | This format specifier for type 'ssize_t' does not match the argument type 'unsigned long long'. |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/printf1.h

@@ -59,13 +59,13 @@ void g()
     const SIZE_T C_ST = sizeof(st);
     ssize_t sst;
 
-    printf("%zu", ul); // ok (dubious, e.g. on 64-bit Windows `long` is 4 bytes but `size_t` is 8)
+    printf("%zu", ul); // not ok
     printf("%zu", st); // ok
     printf("%zu", ST); // ok
     printf("%zu", c_st); // ok
     printf("%zu", C_ST); // ok
     printf("%zu", sizeof(ul)); // ok
-    printf("%zu", sst); // not ok [NOT DETECTED]
+    printf("%zu", sst); // not ok
 
     printf("%zd", ul); // not ok [NOT DETECTED]
     printf("%zd", st); // not ok

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected

@@ -1,3 +1,11 @@
+#select
+| test.c:21:18:21:23 | query1 | test.c:14:27:14:30 | **argv | test.c:21:18:21:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
+| test.c:51:18:51:23 | query1 | test.c:14:27:14:30 | **argv | test.c:51:18:51:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
+| test.c:76:17:76:25 | userInput | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLPrepare(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
+| test.c:77:20:77:28 | userInput | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLExecDirect(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
+| test.c:106:24:106:29 | query1 | test.c:101:8:101:16 | gets output argument | test.c:106:24:106:29 | *query1 | This argument to a SQL query function is derived from $@. | test.c:101:8:101:16 | gets output argument | user input (string read by gets) |
+| test.c:107:28:107:33 | query1 | test.c:101:8:101:16 | gets output argument | test.c:107:28:107:33 | *query1 | This argument to a SQL query function is derived from $@. | test.c:101:8:101:16 | gets output argument | user input (string read by gets) |
+| test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
 edges
 | test.c:14:27:14:30 | **argv | test.c:15:20:15:26 | *access to array | provenance |  |
 | test.c:15:20:15:26 | *access to array | test.c:21:18:21:23 | *query1 | provenance | TaintFunction |
@@ -9,7 +17,12 @@ edges
 | test.c:48:20:48:33 | *globalUsername | test.c:51:18:51:23 | *query1 | provenance | TaintFunction |
 | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | provenance |  |
 | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | provenance |  |
+| test.c:101:8:101:16 | gets output argument | test.c:106:24:106:29 | *query1 | provenance | TaintFunction Sink:MaD:2 |
+| test.c:101:8:101:16 | gets output argument | test.c:107:28:107:33 | *query1 | provenance | TaintFunction Sink:MaD:1 |
 | test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | provenance |  |
+models
+| 1 | Sink: ; ; false; OCIStmtPrepare2; ; ; Argument[*3]; sql-injection; manual |
+| 2 | Sink: ; ; false; OCIStmtPrepare; ; ; Argument[*2]; sql-injection; manual |
 nodes
 | test.c:14:27:14:30 | **argv | semmle.label | **argv |
 | test.c:15:20:15:26 | *access to array | semmle.label | *access to array |
@@ -23,12 +36,9 @@ nodes
 | test.c:75:8:75:16 | gets output argument | semmle.label | gets output argument |
 | test.c:76:17:76:25 | *userInput | semmle.label | *userInput |
 | test.c:77:20:77:28 | *userInput | semmle.label | *userInput |
+| test.c:101:8:101:16 | gets output argument | semmle.label | gets output argument |
+| test.c:106:24:106:29 | *query1 | semmle.label | *query1 |
+| test.c:107:28:107:33 | *query1 | semmle.label | *query1 |
 | test.cpp:39:27:39:30 | **argv | semmle.label | **argv |
 | test.cpp:43:27:43:33 | *access to array | semmle.label | *access to array |
 subpaths
-#select
-| test.c:21:18:21:23 | query1 | test.c:14:27:14:30 | **argv | test.c:21:18:21:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
-| test.c:51:18:51:23 | query1 | test.c:14:27:14:30 | **argv | test.c:51:18:51:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
-| test.c:76:17:76:25 | userInput | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLPrepare(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
-| test.c:77:20:77:28 | userInput | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLExecDirect(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
-| test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.qlref

@@ -1 +1,5 @@
-Security/CWE/CWE-089/SqlTainted.ql
+query: Security/CWE/CWE-089/SqlTainted.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
+ 

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c

@@ -11,14 +11,14 @@ int atoi(const char *nptr);
 void exit(int i);
 ///// Test code /////
 
-int main(int argc, char** argv) {
+int main(int argc, char** argv) { // $ Source
   char *userName = argv[2];
   int userNumber = atoi(argv[3]);
 
   // a string from the user is injected directly into an SQL query.
   char query1[1000] = {0};
   snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", userName);
-  mysql_query(0, query1); // BAD
+  mysql_query(0, query1); // $ Alert
   
   // the user string is encoded by a library routine.
   char userNameSanitized[1000] = {0};
@@ -48,7 +48,7 @@ void badFunc() {
   char *userName = globalUsername;
   char query1[1000] = {0};
   snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", userName);
-  mysql_query(0, query1); // BAD
+  mysql_query(0, query1); // $ Alert
 }
 
 //ODBC Library Rountines
@@ -72,7 +72,44 @@ SQLRETURN SQLPrepare(
 
 void ODBCTests(){
   char userInput[100];
-  gets(userInput);
-  SQLPrepare(0, userInput, 100); // BAD
-  SQLExecDirect(0, userInput, 100); // BAD
+  gets(userInput); // $ Source
+  SQLPrepare(0, userInput, 100); // $ Alert
+  SQLExecDirect(0, userInput, 100); // $ Alert
+}
+
+// Oracle Call Interface (OCI) Routines
+int OCIStmtPrepare(
+      void *arg0,
+      void *arg1,
+      const unsigned char *sql,
+      unsigned int arg3,
+      unsigned int arg4,
+      unsigned int arg5);
+int OCIStmtPrepare2(
+      void *arg0,
+      void **arg1,
+      void *arg2,
+      const unsigned char *sql,
+      unsigned int arg4,
+      const unsigned char *arg5,
+      unsigned int arg6,
+      unsigned int arg7,
+      unsigned int arg8);
+
+void OCITests(){
+  char userInput[100];
+  gets(userInput); // $ Source
+
+  // a string from the user is injected directly into an SQL query.
+  char query1[1000] = {0};
+  snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", userInput);
+  OCIStmtPrepare(0, 0, query1, 0, 0, 0); // $ Alert
+  OCIStmtPrepare2(0, 0, 0, query1, 0, 0, 0, 0, 0); // $ Alert
+
+  // an integer from the user is injected into an SQL query.
+  int userNumber = atoi(userInput);
+  char query2[1000] = {0};
+  snprintf(query2, 1000, "SELECT UID FROM USERS where number = \"%i\"", userNumber);
+  OCIStmtPrepare(0, 0, query2, 0, 0, 0); // GOOD
+  OCIStmtPrepare2(0, 0, 0, query2, 0, 0, 0, 0, 0); // GOOD
 }

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.cpp

@@ -36,11 +36,11 @@ namespace pqxx {
     };
 }
 
-int main(int argc, char** argv) {
+int main(int argc, char** argv) { // $ Source
     pqxx::connection c;
     pqxx::work w(c);
     
-    pqxx::row r = w.exec1(argv[1]); // BAD
+    pqxx::row r = w.exec1(argv[1]); // $ Alert
     
     pqxx::result r2 = w.exec(w.quote(argv[1])); // GOOD
 

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.43
+
+No user-facing changes.
+
 ## 1.7.42
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.43.md

@@ -0,0 +1,3 @@
+## 1.7.43
+
+No user-facing changes.