WIP: rules_rust upgrade, untangle deps for tree-sitter

Java: add SSRF sink model for the third parameter of `RestTemplate.getForObject`

.bazelrc

@@ -24,4 +24,12 @@ common --registry=https://bcr.bazel.build
 
 common --@rules_dotnet//dotnet/settings:strict_deps=false
 
+# Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
+common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
+
+build --java_language_version=17
+build --tool_java_language_version=17
+build --tool_java_runtime_version=remotejdk_17
+build --java_runtime_version=remotejdk_17
+
 try-import %workspace%/local.bazelrc

.bazelversion

@@ -1 +1 @@
-8.0.0rc1
+8.0.0

.gitignore

@@ -8,7 +8,7 @@
 
 # qltest projects and artifacts
 *.actual
-*/ql/test/**/*.testproj
+*/ql/test*/**/*.testproj
 */ql/test/**/go.sum
 
 # Visual studio temporaries, except a file used by QL4VS

MODULE.bazel

@@ -15,19 +15,20 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "0.0.10")
-bazel_dep(name = "rules_go", version = "0.50.0")
+bazel_dep(name = "rules_go", version = "0.50.1")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
-bazel_dep(name = "rules_python", version = "0.36.0")
+bazel_dep(name = "rules_python", version = "0.40.0")
+bazel_dep(name = "rules_shell", version = "0.3.0")
 bazel_dep(name = "bazel_skylib", version = "1.7.1")
-bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
+bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
-bazel_dep(name = "gazelle", version = "0.38.0")
+bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.52.2")
+bazel_dep(name = "rules_rust", version = "0.55.6")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 

cpp/ql/lib/ext/CA2CAEX.model.yml

@@ -0,0 +1,18 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "_U_STRINGorID", True, "_U_STRINGorID", "(UINT)", "", "Argument[0]", "Argument[-1].Field[*m_lpstr]", "value", "manual"]
+      - ["", "_U_STRINGorID", True, "_U_STRINGorID", "(LPCTSTR)", "", "Argument[*0]", "Argument[-1].Field[*m_lpstr]", "value", "manual"]
+      - ["", "CA2AEX", True, "CA2AEX", "", "", "Argument[*0]", "Argument[-1].Field[*m_psz]", "value", "manual"]
+      - ["", "CA2AEX", True, "CA2AEX", "", "", "Argument[*0]", "Argument[-1].Field[m_szBuffer]", "value", "manual"]
+      - ["", "CA2AEX", True, "operator LPSTR", "", "", "Argument[-1].Field[*m_psz]", "ReturnValue[*]", "value", "manual"]
+      - ["", "CA2AEX", True, "CA2AEX", "", "", "Argument[*0]", "Argument[-1].Field[m_szBuffer]", "value", "manual"]
+      - ["", "CA2AEX", True, "operator LPSTR", "", "", "Argument[-1].Field[m_szBuffer]", "ReturnValue[*]", "value", "manual"]
+      - ["", "CA2CAEX", True, "CA2CAEX", "", "", "Argument[*0]", "Argument[-1].Field[*m_psz]", "value", "manual"]
+      - ["", "CA2CAEX", True, "operator LPCSTR", "", "", "Argument[-1].Field[*m_psz]", "ReturnValue[*]", "value", "manual"]
+      - ["", "CA2WEX", True, "CA2WEX", "", "", "Argument[*0]", "Argument[-1].Field[*m_psz]", "value", "manual"]
+      - ["", "CA2WEX", True, "operator LPWSTR", "", "", "Argument[-1].Field[*m_psz]", "ReturnValue[*]", "value", "manual"]
+      - ["", "CA2WEX", True, "CA2WEX", "", "", "Argument[*0]", "Argument[-1].Field[m_szBuffer]", "value", "manual"]
+      - ["", "CA2WEX", True, "operator LPWSTR", "", "", "Argument[-1].Field[m_szBuffer]", "ReturnValue[*]", "value", "manual"]

cpp/ql/lib/ext/CAtlArray.model.yml

@@ -0,0 +1,15 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "CAtlArray", True, "Add", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CAtlArray", True, "Append", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CAtlArray", True, "Copy", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CAtlArray", True, "GetAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["", "CAtlArray", True, "GetData", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["", "CAtlArray", True, "InsertArrayAt", "", "", "Argument[*1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CAtlArray", True, "InsertAt", "", "", "Argument[@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CAtlArray", True, "SetAt", "", "", "Argument[@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CAtlArray", True, "SetAtGrow", "", "", "Argument[@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CAtlArray", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*]", "value", "manual"]

cpp/ql/lib/ext/CAtlFile.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "CAtlFile", True, "CAtlFile", "(CAtlFile &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["", "CAtlFile", True, "CAtlFile", "(HANDLE)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CAtlFile", True, "Create", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CAtlFile", True, "Read", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]

cpp/ql/lib/ext/CAtlFileMappingBase.model.yml

@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "CAtlFileMappingBase", True, "CAtlFileMappingBase", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["", "CAtlFileMappingBase", True, "CopyFrom", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CAtlFileMappingBase", True, "GetData", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "CAtlFileMappingBase", True, "GetHandle", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["", "CAtlFileMappingBase", True, "MapFile", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CAtlFileMappingBase", True, "MapSharedMem", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
+      - ["", "CAtlFileMappingBase", True, "OpenMapping", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CAtlFileMappingBase", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]

cpp/ql/lib/ext/CAtlList.model.yml

@@ -0,0 +1,15 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "CAtlList", True, "AddHead", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CAtlList", True, "AddHeadList", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CAtlList", True, "AddTail", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CAtlList", True, "AddTailList", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CAtlList", True, "GetAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["", "CAtlList", True, "GetHead", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["", "CAtlList", True, "GetTail", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["", "CAtlList", True, "InsertAfter", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CAtlList", True, "InsertBefore", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CAtlList", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]

cpp/ql/lib/ext/CAtlTemporaryFile.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "CAtlTemporaryFile", True, "Create", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CAtlTemporaryFile", True, "Read", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
+      - ["", "CAtlTemporaryFile", True, "Write", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]

cpp/ql/lib/ext/CComBSTR.model.yml

@@ -0,0 +1,33 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "CComBSTR", True, "CComBSTR", "(LPCSTR)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["", "CComBSTR", True, "CComBSTR", "(LPCOLESTR)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["", "CComBSTR", True, "CComBSTR", "(int,LPCSTR)", "", "Argument[*1]", "Argument[-1]", "value", "manual"]
+      - ["", "CComBSTR", True, "CComBSTR", "(int,LPCOLESTR)", "", "Argument[*1]", "Argument[-1]", "value", "manual"]
+      - ["", "CComBSTR", True, "CComBSTR", "(const CComBSTR &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["", "CComBSTR", True, "CComBSTR", "(CComBSTR &&)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["", "CComBSTR", True, "Append", "(const CComBSTR &)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CComBSTR", True, "Append", "(wchar_t)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CComBSTR", True, "Append", "(char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CComBSTR", True, "Append", "(LPCOLESTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CComBSTR", True, "Append", "(LPCSTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CComBSTR", True, "Append", "(LPCOLESTR,int)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CComBSTR", True, "AppendBytes", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CComBSTR", True, "AppendBSTR", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CComBSTR", True, "ArrayToBSTR", "", "", "Argument[*0].Field[*pvData]", "Argument[-1]", "value", "manual"]
+      - ["", "CComBSTR", True, "AssignBSTR", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["", "CComBSTR", True, "Attach", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["", "CComBSTR", True, "BSTRToArray", "", "", "Argument[-1]", "Argument[**0].Field[*pvData]", "value", "manual"]
+      - ["", "CComBSTR", True, "Copy", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["", "CComBSTR", True, "CopyTo", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
+      - ["", "CComBSTR", True, "LoadString", "(HINSTANCE,UINT)", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
+      - ["", "CComBSTR", True, "LoadString", "(UINT)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CComBSTR", True, "ReadFromStream", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CComBSTR", True, "WriteToStream", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
+      - ["", "CComBSTR", True, "operator BSTR", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "CComBSTR", True, "operator&", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["", "CComBSTR", True, "operator+=", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "CComBSTR", True, "operator+=", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]

cpp/ql/lib/ext/CComSafeArray.model.yml

@@ -0,0 +1,26 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "CComSafeArray", True, "CComSafeArray", "(const CComSafeArray &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["", "CComSafeArray", True, "CComSafeArray", "(const SAFEARRAY &)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["", "CComSafeArray", True, "CComSafeArray", "(const SAFEARRAY *)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["", "CComSafeArray", True, "Add", "(const SAFEARRAY *)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["", "CComSafeArray<T>", True, "Add", "(const T &,BOOL)", "", "Argument[*@0]", "Argument[-1].Field[*m_psa].Field[*@pvData]", "value", "manual"]
+      - ["", "CComSafeArray", True, "Attach", "", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["", "CComSafeArray", True, "CopyFrom", "", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["", "CComSafeArray", True, "CopyTo", "", "", "Argument[-1].Field[*m_psa]", "Argument[*0]", "value", "manual"]
+      - ["", "CComSafeArray", True, "GetAt", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "ReturnValue[*@]", "value", "manual"]
+      - ["", "CComSafeArray", True, "GetLowerBound", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["", "CComSafeArray", True, "GetSafeArrayPtr", "", "", "Argument[-1].Field[*m_psa]", "ReturnValue[*]", "value", "manual"]
+      - ["", "CComSafeArray", True, "GetUpperBound", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["", "CComSafeArray", True, "MultiDimGetAt", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "Argument[*@1]", "value", "manual"]
+      - ["", "CComSafeArray", True, "MultiDimSetAt", "", "", "Argument[*@1]", "Argument[-1].Field[*m_psa].Field[*@pvData]", "value", "manual"]
+      - ["", "CComSafeArray", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Field[*m_psa].Field[*@pvData]", "value", "manual"]
+      - ["", "CComSafeArray", True, "operator LPSAFEARRAY", "", "", "Argument[-1].Field[*m_psa]", "ReturnValue[*]", "value", "manual"]
+      - ["", "CComSafeArray", True, "operator[]", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "ReturnValue[*@]", "value", "manual"]
+      - ["", "CComSafeArray", True, "operator=", "(const CComSafeArray &)", "", "Argument[*0].Field[*m_psa]", "ReturnValue[*]", "value", "manual"]
+      - ["", "CComSafeArray", True, "operator=", "(const CComSafeArray &)", "", "Argument[*0].Field[*m_psa]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["", "CComSafeArray", True, "operator=", "(const SAFEARRAY *)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["", "CComSafeArray", True, "operator=", "(const SAFEARRAY *)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]

cpp/ql/lib/ext/CPathT.model.yml

@@ -0,0 +1,23 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "CPathT", True, "CPathT", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["", "CPathT", True, "AddExtension", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CPathT", True, "Append", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CPathT", True, "Combine", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CPathT", True, "Combine", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
+      - ["", "CPathT", True, "CommonPrefix", "", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
+      - ["", "CPathT", True, "CommonPrefix", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["", "CPathT", True, "GetExtension", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "CPathT", True, "RelativePathTo", "", "", "Argument[*0]", "ReturnValue[-1]", "taint", "manual"]
+      - ["", "CPathT", True, "RelativePathTo", "", "", "Argument[*2]", "ReturnValue[-1]", "taint", "manual"]
+      - ["", "CPathT", True, "RenameExtension", "", "", "Argument[*0]", "ReturnValue[-1]", "taint", "manual"]
+      # Note: These don't work currently since we cannot use the template parameter in the name of the function
+      # - ["", "CPathT<T>", True, "operator const T &", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      # - ["", "CPathT<T>", True, "operator T &", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["", "CPathT", True, "operator PCXSTR", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["", "CPathT", True, "operator+=", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "CPathT", True, "operator+=", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "CPathT", True, "operator+=", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]

cpp/ql/lib/ext/CRegKey.model.yml

@@ -0,0 +1,20 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "CRegKey", True, "CRegKey", "(CRegKey &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["", "CRegKey", True, "CRegKey", "(HKEY)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CRegKey", True, "Create", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
+      - ["", "CRegKey", True, "Attach", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CRegKey", True, "QueryBinaryValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
+      - ["", "CRegKey", True, "QueryDWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
+      - ["", "CRegKey", True, "QueryMultiStringValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
+      - ["", "CRegKey", True, "QueryQWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
+      - ["", "CRegKey", True, "QueryStringValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
+      - ["", "CRegKey", True, "QueryValue", "(LPCTSTR,DWORD *,void *,ULONG *)", "", "Argument[*0]", "Argument[*2]", "taint", "manual"]
+      - ["", "CRegKey", True, "QueryValue", "(DWORD &,LPCTSTR)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
+      - ["", "CRegKey", True, "QueryValue", "(LPTSTR,LPCTSTR,DWORD *)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
+      - ["", "CRegKey", True, "operator HKEY", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["", "CRegKey", True, "operator=", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
+      - ["", "CRegKey", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]

cpp/ql/lib/ext/CSimpleArray.model.yml

@@ -0,0 +1,12 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "CSimpleArray", True, "CSimpleArray", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CSimpleArray", True, "Add", "", "", "Argument[*0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CSimpleArray", True, "GetData", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["", "CSimpleArray", True, "SetAtIndex", "", "", "Argument[*1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CSimpleArray", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["", "CSimpleArray", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CSimpleArray", True, "operator=", "", "", "Argument[*0].Element[@]", "ReturnValue[*].Element[@]", "value", "manual"]

cpp/ql/lib/ext/CSimpleMap.model.yml

@@ -0,0 +1,12 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "CSimpleMap", True, "Add", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CSimpleMap", True, "GetValueAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["", "CSimpleMap", True, "Lookup", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["", "CSimpleMap", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CSimpleMap", True, "SetAtIndex", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["", "CSimpleMap", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["", "CSimpleMap", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]

cpp/ql/lib/ext/CUrl.model.yml

@@ -0,0 +1,21 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # TODO this model can be improved a lot once we have MapKey content # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "CUrl", True, "CUrl", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["", "CUrl", True, "CrackUrl", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CUrl", True, "CreateUrl", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
+      - ["", "CUrl", True, "GetExtraInfo", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "CUrl", True, "GetHostName", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "CUrl", True, "GetPassword", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "CUrl", True, "GetSchemeName", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "CUrl", True, "GetUrlPath", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "CUrl", True, "GetUserName", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "CUrl", True, "SetExtraInfo", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CUrl", True, "SetHostName", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CUrl", True, "SetPassword", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CUrl", True, "SetSchemeName", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CUrl", True, "SetUrlPath", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CUrl", True, "SetUserName", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["", "CUrl", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -434,18 +434,48 @@ private predicate elementSpec(
   summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _, _)
 }
 
+/**
+ * Holds if `c` is an instantiation of a class template `templateClass`, or
+ * holds with `c = templateClass` if `c` is not an instantiation of any class
+ * template.
+ *
+ * This predicate is used instead of `Class.isConstructedFrom` (which only
+ * holds for template instantiations) in this file to allow for uniform
+ * treatment of non-templated classes and class template instantiations.
+ */
+private predicate isClassConstructedFrom(Class c, Class templateClass) {
+  c.isConstructedFrom(templateClass)
+  or
+  not c.isConstructedFrom(_) and c = templateClass
+}
+
+/**
+ * Holds if `f` is an instantiation of a function template `templateFunc`, or
+ * holds with `f = templateFunc` if `f` is not an instantiation of any function
+ * template.
+ *
+ * This predicate is used instead of `Function.isConstructedFrom` (which only
+ * holds for template instantiations) in this file to allow for uniform
+ * treatment of non-templated classes and class template instantiations.
+ */
+private predicate isFunctionConstructedFrom(Function f, Function templateFunc) {
+  f.isConstructedFrom(templateFunc)
+  or
+  not f.isConstructedFrom(_) and f = templateFunc
+}
+
 /** Gets the fully templated version of `f`. */
 private Function getFullyTemplatedFunction(Function f) {
   not f.isFromUninstantiatedTemplate(_) and
   (
     exists(Class c, Class templateClass, int i |
-      c.isConstructedFrom(templateClass) and
+      isClassConstructedFrom(c, templateClass) and
       f = c.getAMember(i) and
       result = templateClass.getCanonicalMember(i)
     )
     or
     not exists(f.getDeclaringType()) and
-    f.isConstructedFrom(result)
+    isFunctionConstructedFrom(f, result)
   )
 }
 
@@ -489,7 +519,7 @@ private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remain
 private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
   // If there is a declaring type then we start by expanding the function templates
   exists(Class template |
-    f.getDeclaringType().isConstructedFrom(template) and
+    isClassConstructedFrom(f.getDeclaringType(), template) and
     remaining = template.getNumberOfTemplateArguments() and
     result = getTypeNameWithoutFunctionTemplates(f, n, 0)
   )
@@ -501,7 +531,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
   or
   exists(string mid, TemplateParameter tp, Class template |
     mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
-    f.getDeclaringType().isConstructedFrom(template) and
+    isClassConstructedFrom(f.getDeclaringType(), template) and
     tp = template.getTemplateArgument(remaining) and
     result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())
   )
@@ -742,6 +772,22 @@ private predicate elementSpecMatchesSignature(
   signatureMatches(func, signature, type, name, 0)
 }
 
+/**
+ * Holds when `method` has name `nameWithoutArgs`, and gets the enclosing
+ * class of `method`. Unlike `method.getClassAndName` this predicate does
+ * not strip typedefs from the name when `method` is an `ConversionOperator`.
+ */
+bindingset[nameWithoutArgs]
+pragma[inline_late]
+private Class getClassAndNameImpl(Function method, string nameWithoutArgs) {
+  exists(string memberName | result = method.getClassAndName(memberName) |
+    nameWithoutArgs = "operator " + method.(ConversionOperator).getDestType()
+    or
+    not method instanceof ConversionOperator and
+    memberName = nameWithoutArgs
+  )
+}
+
 /**
  * Holds if `classWithMethod` has `method` named `name` (excluding any
  * template parameters).
@@ -751,7 +797,7 @@ pragma[inline_late]
 private predicate hasClassAndName(Class classWithMethod, Function method, string name) {
   exists(string nameWithoutArgs |
     parseAngles(name, nameWithoutArgs, _, "") and
-    classWithMethod = method.getClassAndName(nameWithoutArgs)
+    classWithMethod = getClassAndNameImpl(method, nameWithoutArgs)
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -2275,6 +2275,12 @@ private predicate guardControlsPhiInput(
  */
 signature predicate guardChecksSig(IRGuardCondition g, Expr e, boolean branch);
 
+bindingset[g, n]
+pragma[inline_late]
+private predicate controls(IRGuardCondition g, Node n, boolean edge) {
+  g.controls(n.getBasicBlock(), edge)
+}
+
 /**
  * Provides a set of barrier nodes for a guard that validates an expression.
  *
@@ -2318,15 +2324,17 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
     exists(IRGuardCondition g, Expr e, ValueNumber value, boolean edge |
       e = value.getAnInstruction().getConvertedResultExpression() and
       result.asConvertedExpr() = e and
-      guardChecks(g, value.getAnInstruction().getConvertedResultExpression(), edge) and
-      g.controls(result.getBasicBlock(), edge)
+      guardChecks(g,
+        pragma[only_bind_into](value.getAnInstruction().getConvertedResultExpression()), edge) and
+      controls(g, result, edge)
     )
     or
     exists(
       IRGuardCondition g, boolean branch, Ssa::DefinitionExt def, IRBlock input, Ssa::PhiNode phi
     |
       guardChecks(g, def.getARead().asOperand().getDef().getConvertedResultExpression(), branch) and
-      guardControlsPhiInput(g, branch, def, input, phi) and
+      guardControlsPhiInput(g, branch, def, pragma[only_bind_into](input),
+        pragma[only_bind_into](phi)) and
       result = TSsaPhiInputNode(phi, input)
     )
   }
@@ -2404,8 +2412,9 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
     exists(IRGuardCondition g, Expr e, ValueNumber value, boolean edge |
       e = value.getAnInstruction().getConvertedResultExpression() and
       result.asIndirectConvertedExpr(indirectionIndex) = e and
-      guardChecks(g, value.getAnInstruction().getConvertedResultExpression(), edge) and
-      g.controls(result.getBasicBlock(), edge)
+      guardChecks(g,
+        pragma[only_bind_into](value.getAnInstruction().getConvertedResultExpression()), edge) and
+      controls(g, result, edge)
     )
     or
     exists(
@@ -2414,7 +2423,8 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
       guardChecks(g,
         def.getARead().asIndirectOperand(indirectionIndex).getDef().getConvertedResultExpression(),
         branch) and
-      guardControlsPhiInput(g, branch, def, input, phi) and
+      guardControlsPhiInput(g, branch, def, pragma[only_bind_into](input),
+        pragma[only_bind_into](phi)) and
       result = TSsaPhiInputNode(phi, input)
     )
   }
@@ -2443,17 +2453,18 @@ module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardCheck
   /** Gets a node that is safely guarded by the given guard check. */
   Node getABarrierNode() {
     exists(IRGuardCondition g, ValueNumber value, boolean edge, Operand use |
-      instructionGuardChecks(g, value.getAnInstruction(), edge) and
+      instructionGuardChecks(g, pragma[only_bind_into](value.getAnInstruction()), edge) and
       use = value.getAnInstruction().getAUse() and
       result.asOperand() = use and
-      g.controls(result.getBasicBlock(), edge)
+      controls(g, result, edge)
     )
     or
     exists(
       IRGuardCondition g, boolean branch, Ssa::DefinitionExt def, IRBlock input, Ssa::PhiNode phi
     |
       instructionGuardChecks(g, def.getARead().asOperand().getDef(), branch) and
-      guardControlsPhiInput(g, branch, def, input, phi) and
+      guardControlsPhiInput(g, branch, def, pragma[only_bind_into](input),
+        pragma[only_bind_into](phi)) and
       result = TSsaPhiInputNode(phi, input)
     )
   }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -1276,6 +1276,7 @@ class DefinitionExt extends SsaImpl::DefinitionExt {
   }
 
   /** Gets a node that represents a read of this SSA definition. */
+  pragma[nomagic]
   Node getARead() {
     exists(SourceVariable sv, IRBlock bb, int i | SsaCached::ssaDefReachesReadExt(sv, this, bb, i) |
       useToNode(bb, i, sv, result)

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TypeFlow.qll

@@ -27,8 +27,11 @@ private module Input implements TypeFlowInput<Location> {
   }
 
   private predicate hasExactSingleType(Instruction i) {
-    // The address of a variable is always a single object
-    i instanceof VariableAddressInstruction
+    // The address of a variable is always a single object (unless it's an array)
+    exists(VariableAddressInstruction vai |
+      i = vai and
+      not vai.getResultType() instanceof ArrayType
+    )
     or
     // A reference always points to a single object
     i.getResultLanguageType().hasUnspecifiedType(any(ReferenceType rt), false)

cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll

@@ -8,7 +8,8 @@ private newtype TEdgeKind =
   TGotoEdge() or // Single successor (including fall-through)
   TTrueEdge() or // 'true' edge of conditional branch
   TFalseEdge() or // 'false' edge of conditional branch
-  TExceptionEdge() or // Thrown exception
+  TCppExceptionEdge() or // Thrown C++ exception
+  TSehExceptionEdge() or // Thrown SEH exception
   TDefaultEdge() or // 'default' label of switch
   TCaseEdge(string minValue, string maxValue) {
     // Case label of switch
@@ -20,16 +21,18 @@ private newtype TEdgeKind =
  * `Instruction` or `IRBlock` has at most one successor of any single
  * `EdgeKind`.
  */
-abstract class EdgeKind extends TEdgeKind {
+abstract private class EdgeKindImpl extends TEdgeKind {
   /** Gets a textual representation of this edge kind. */
   abstract string toString();
 }
 
+final class EdgeKind = EdgeKindImpl;
+
 /**
  * A "goto" edge, representing the unconditional successor of an `Instruction`
  * or `IRBlock`.
  */
-class GotoEdge extends EdgeKind, TGotoEdge {
+class GotoEdge extends EdgeKindImpl, TGotoEdge {
   final override string toString() { result = "Goto" }
 }
 
@@ -37,7 +40,7 @@ class GotoEdge extends EdgeKind, TGotoEdge {
  * A "true" edge, representing the successor of a conditional branch when the
  * condition is non-zero.
  */
-class TrueEdge extends EdgeKind, TTrueEdge {
+class TrueEdge extends EdgeKindImpl, TTrueEdge {
   final override string toString() { result = "True" }
 }
 
@@ -45,23 +48,42 @@ class TrueEdge extends EdgeKind, TTrueEdge {
  * A "false" edge, representing the successor of a conditional branch when the
  * condition is zero.
  */
-class FalseEdge extends EdgeKind, TFalseEdge {
+class FalseEdge extends EdgeKindImpl, TFalseEdge {
   final override string toString() { result = "False" }
 }
 
+abstract private class ExceptionEdgeImpl extends EdgeKindImpl { }
+
 /**
  * An "exception" edge, representing the successor of an instruction when that
  * instruction's evaluation throws an exception.
+ *
+ * Exception edges are expclitly sublcassed to `CppExceptionEdge` and `SehExceptionEdge`
+ * only. Further sublcasses, if required, should be added privately here for IR efficiency.
  */
-class ExceptionEdge extends EdgeKind, TExceptionEdge {
-  final override string toString() { result = "Exception" }
+final class ExceptionEdge = ExceptionEdgeImpl;
+
+/**
+ * An "exception" edge, representing the successor of an instruction when that
+ * instruction's evaluation throws a C++ exception.
+ */
+class CppExceptionEdge extends ExceptionEdgeImpl, TCppExceptionEdge {
+  final override string toString() { result = "C++ Exception" }
+}
+
+/**
+ * An "exception" edge, representing the successor of an instruction when that
+ * instruction's evaluation throws an SEH exception.
+ */
+class SehExceptionEdge extends ExceptionEdgeImpl, TSehExceptionEdge {
+  final override string toString() { result = "SEH Exception" }
 }
 
 /**
  * A "default" edge, representing the successor of a `Switch` instruction when
  * none of the case values matches the condition value.
  */
-class DefaultEdge extends EdgeKind, TDefaultEdge {
+class DefaultEdge extends EdgeKindImpl, TDefaultEdge {
   final override string toString() { result = "Default" }
 }
 
@@ -69,7 +91,7 @@ class DefaultEdge extends EdgeKind, TDefaultEdge {
  * A "case" edge, representing the successor of a `Switch` instruction when the
  * the condition value matches a corresponding `case` label.
  */
-class CaseEdge extends EdgeKind, TCaseEdge {
+class CaseEdge extends EdgeKindImpl, TCaseEdge {
   string minValue;
   string maxValue;
 
@@ -121,9 +143,14 @@ module EdgeKind {
   FalseEdge falseEdge() { result = TFalseEdge() }
 
   /**
-   * Gets the single instance of the `ExceptionEdge` class.
+   * Gets the single instance of the `CppExceptionEdge` class.
    */
-  ExceptionEdge exceptionEdge() { result = TExceptionEdge() }
+  CppExceptionEdge cppExceptionEdge() { result = TCppExceptionEdge() }
+
+  /**
+   * Gets the single instance of the `SehExceptionEdge` class.
+   */
+  SehExceptionEdge sehExceptionEdge() { result = TSehExceptionEdge() }
 
   /**
    * Gets the single instance of the `DefaultEdge` class.

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -88,7 +88,7 @@ abstract class TranslatedCall extends TranslatedExpr {
       result = this.getParent().getChildSuccessor(this, kind)
       or
       this.mayThrowException() and
-      kind instanceof ExceptionEdge and
+      kind instanceof CppExceptionEdge and
       result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge))
     )
   }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -3039,7 +3039,7 @@ class TranslatedDestructorsAfterThrow extends TranslatedElement, TTranslatedDest
       or
       // And otherwise, exit this element with an exceptional edge
       not exists(this.getChild(id + 1)) and
-      kind instanceof ExceptionEdge and
+      kind instanceof CppExceptionEdge and
       result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge))
     )
   }
@@ -3078,7 +3078,7 @@ abstract class TranslatedThrowExpr extends TranslatedNonConstantExpr {
       result = this.getDestructors().getFirstInstruction(kind)
       or
       not exists(this.getDestructors()) and
-      kind instanceof ExceptionEdge and
+      kind instanceof CppExceptionEdge and
       result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge))
     )
   }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -932,7 +932,7 @@ class TranslatedCatchByTypeHandler extends TranslatedHandler {
       kind instanceof GotoEdge and
       result = this.getParameter().getFirstInstruction(kind)
       or
-      kind instanceof ExceptionEdge and
+      kind instanceof CppExceptionEdge and
       if exists(this.getDestructors())
       then result = this.getDestructors().getFirstInstruction(any(GotoEdge edge))
       else result = this.getParent().(TranslatedTryStmt).getNextHandler(this, any(GotoEdge edge))

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -50,3 +50,10 @@ private import implementations.System
 private import implementations.StructuredExceptionHandling
 private import implementations.ZMQ
 private import implementations.Win32CommandExecution
+private import implementations.CA2AEX
+private import implementations.CComBSTR
+private import implementations.CPathT
+private import implementations.CAtlFile
+private import implementations.CAtlFileMapping
+private import implementations.CAtlTemporaryFile
+private import implementations.CRegKey

cpp/ql/lib/semmle/code/cpp/models/implementations/CA2AEX.qll

@@ -0,0 +1,17 @@
+private import cpp
+private import semmle.code.cpp.ir.dataflow.FlowSteps
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+/**
+ * The `CA2AEX` (and related) classes from the Windows Active Template library.
+ */
+class Ca2Aex extends Class {
+  Ca2Aex() { this.hasGlobalName(["CA2AEX", "CA2CAEX", "CA2WEX"]) }
+}
+
+private class Ca2AexTaintInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {
+  Ca2AexTaintInheritingContent() {
+    // The two members m_psz and m_szBuffer
+    this.getField().getDeclaringType() instanceof Ca2Aex
+  }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFile.qll

@@ -0,0 +1,17 @@
+import semmle.code.cpp.models.interfaces.FlowSource
+
+/**
+ * The `CAtlFile` class from Microsoft's Active Template Library.
+ */
+class CAtlFile extends Class {
+  CAtlFile() { this.hasGlobalName("CAtlFile") }
+}
+
+private class CAtlFileRead extends MemberFunction, LocalFlowSourceFunction {
+  CAtlFileRead() { this.getClassAndName("Read") instanceof CAtlFile }
+
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(0) and
+    description = "string read by " + this.getName()
+  }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFileMapping.qll

@@ -0,0 +1,37 @@
+import semmle.code.cpp.models.interfaces.FlowSource
+
+/**
+ * The `CAtlFileMapping` class from Microsoft's Active Template Library.
+ */
+class CAtlFileMapping extends Class {
+  CAtlFileMapping() { this.hasGlobalName("CAtlFileMapping") }
+}
+
+/**
+ * The `CAtlFileMappingBase` class from Microsoft's Active Template Library.
+ */
+class CAtlFileMappingBase extends Class {
+  CAtlFileMappingBase() { this.hasGlobalName("CAtlFileMappingBase") }
+}
+
+private class CAtlFileMappingBaseGetData extends MemberFunction, LocalFlowSourceFunction {
+  CAtlFileMappingBaseGetData() {
+    this.getClassAndName("GetData") = any(CAtlFileMappingBase fileMaping).getADerivedClass*()
+  }
+
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isReturnValueDeref(1) and
+    description = "data read by " + this.getName()
+  }
+}
+
+private class CAtlFileMappingGetData extends MemberFunction, LocalFlowSourceFunction {
+  CAtlFileMappingGetData() {
+    this.(ConversionOperator).getDeclaringType() instanceof CAtlFileMapping
+  }
+
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isReturnValueDeref(1) and
+    description = "data read by " + this.getName()
+  }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlTemporaryFile.qll

@@ -0,0 +1,17 @@
+import semmle.code.cpp.models.interfaces.FlowSource
+
+/**
+ * The `CAtlFile` class from Microsoft's Active Template Library.
+ */
+class CAtlTemporaryFile extends Class {
+  CAtlTemporaryFile() { this.hasGlobalName("CAtlTemporaryFile") }
+}
+
+private class CAtlTemporaryFileRead extends MemberFunction, LocalFlowSourceFunction {
+  CAtlTemporaryFileRead() { this.getClassAndName("Read") instanceof CAtlTemporaryFile }
+
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(0) and
+    description = "string read by " + this.getName()
+  }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/CComBSTR.qll

@@ -0,0 +1,16 @@
+private import cpp
+private import semmle.code.cpp.ir.dataflow.FlowSteps
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+/** The `CComBSTR` class from the Microsoft "Active Template Library". */
+class CcomBstr extends Class {
+  CcomBstr() { this.hasGlobalName("CComBSTR") }
+}
+
+private class Mstr extends Field {
+  Mstr() { this.getDeclaringType() instanceof CcomBstr and this.hasName("m_str") }
+}
+
+private class MstrTaintInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {
+  MstrTaintInheritingContent() { this.getField() instanceof Mstr }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/CPathT.qll

@@ -0,0 +1,16 @@
+private import cpp
+private import semmle.code.cpp.ir.dataflow.FlowSteps
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+/** The `CPathT` class from the Microsoft "Active Template Library". */
+class CPathT extends Class {
+  CPathT() { this.hasGlobalName("CPathT") }
+}
+
+private class MStrPath extends Field {
+  MStrPath() { this.getDeclaringType() instanceof CPathT and this.hasName("m_strPath") }
+}
+
+private class MStrPathTaintInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {
+  MStrPathTaintInheritingContent() { this.getField() instanceof MStrPath }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/CRegKey.qll

@@ -0,0 +1,87 @@
+private import cpp
+private import semmle.code.cpp.models.interfaces.FlowSource
+private import semmle.code.cpp.ir.dataflow.FlowSteps
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+/** The `CRegKey` class from the Microsoft "Active Template Library". */
+class CRegKey extends Class {
+  CRegKey() { this.hasGlobalName("CRegKey") }
+}
+
+module CRegKey {
+  /** The `m_hKey` member on a object of type `CRegKey`. */
+  class MhKey extends Field {
+    MhKey() {
+      this.getDeclaringType() instanceof CRegKey and
+      this.getName() = "m_hKey"
+    }
+  }
+
+  private class MhKeyPathTaintInheritingContent extends TaintInheritingContent,
+    DataFlow::FieldContent
+  {
+    MhKeyPathTaintInheritingContent() { this.getField() instanceof MhKey }
+  }
+
+  private class CRegKeyMemberFunction extends MemberFunction {
+    string name;
+
+    CRegKeyMemberFunction() { this.getClassAndName(name) instanceof CRegKey }
+  }
+
+  abstract private class CRegKeyFlowSource extends CRegKeyMemberFunction, LocalFlowSourceFunction {
+    FunctionOutput output;
+
+    final override predicate hasLocalFlowSource(FunctionOutput output_, string description) {
+      output_ = output and
+      description = "registry string read by " + name
+    }
+  }
+
+  /** The `CRegKey::QueryBinaryValue` function from Win32. */
+  class QueryBinaryValue extends CRegKeyFlowSource {
+    QueryBinaryValue() { name = "QueryBinaryValue" and output.isParameterDeref(1) }
+  }
+
+  /** The `CRegKey::QueryDWORDValue` function from Win32. */
+  class QueryDwordValue extends CRegKeyFlowSource {
+    QueryDwordValue() { name = "QueryDWORDValue" and output.isParameterDeref(1) }
+  }
+
+  /** The `CRegKey::QueryGUIDValue` function from Win32. */
+  class QueryGuidValue extends CRegKeyFlowSource {
+    QueryGuidValue() { name = "QueryGUIDValue" and output.isParameterDeref(1) }
+  }
+
+  /** The `CRegKey::QueryMultiStringValue` function from Win32. */
+  class QueryMultiStringValue extends CRegKeyFlowSource {
+    QueryMultiStringValue() { name = "QueryMultiStringValue" and output.isParameterDeref(1) }
+  }
+
+  /** The `CRegKey::QueryQWORDValue` function from Win32. */
+  class QueryQwordValue extends CRegKeyFlowSource {
+    QueryQwordValue() { name = "QueryQWORDValue" and output.isParameterDeref(1) }
+  }
+
+  /** The `CRegKey::QueryStringValue` function from Win32. */
+  class QueryStringValue extends CRegKeyFlowSource {
+    QueryStringValue() { name = "QueryStringValue" and output.isParameterDeref(1) }
+  }
+
+  /** The `CRegKey::QueryValue` function from Win32. */
+  class QueryValue extends CRegKeyFlowSource {
+    QueryValue() {
+      name = "QueryValue" and
+      (
+        this.getNumberOfParameters() = 4 and
+        output.isParameterDeref(2)
+        or
+        this.getNumberOfParameters() = 2 and
+        output.isParameterDeref(0)
+        or
+        this.getNumberOfParameters() = 3 and
+        output.isParameterDeref(0)
+      )
+    }
+  }
+}

cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql

@@ -44,7 +44,8 @@ where
   ) and
   // A typical problem is that string literals are concatenated, but if one of the string
   // literals is an undefined macro, then this just leads to a syntax error.
-  not exists(SyntaxError e | e.affects(fl))
+  not exists(SyntaxError e | e.affects(fl)) and
+  not ffc.getArgument(_) instanceof ErrorExpr
 select ffc,
   "Format for " + ffcName + " expects " + expected.toString() + " arguments but given " +
     given.toString()

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -170,7 +170,7 @@ where
   ) and
   not arg.isAffectedByMacro() and
   not arg.isFromUninstantiatedTemplate(_) and
-  not actual.getUnspecifiedType() instanceof ErroneousType and
+  not actual.stripType() instanceof ErroneousType and
   not arg.(Call).mayBeFromImplicitlyDeclaredFunction()
 select arg,
   "This format specifier for type '" + expected.getName() + "' does not match the argument type '" +

cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql

@@ -25,7 +25,8 @@ from BufferWrite bw, int destSize
 where
   bw.hasExplicitLimit() and // has an explicit size limit
   destSize = max(getBufferSize(bw.getDest(), _)) and
-  bw.getExplicitLimit() > destSize // but it's larger than the destination
+  bw.getExplicitLimit() > destSize and // but it's larger than the destination
+  not bw.getDest().getType().stripType() instanceof ErroneousType // destSize may be incorrect
 select bw,
   "This '" + bw.getBWDesc() + "' operation is limited to " + bw.getExplicitLimit() +
     " bytes but the destination is only " + destSize + " bytes."

cpp/ql/src/change-notes/2024-11-27-active-template-library.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added dataflow models and flow sources for Microsoft's Active Template Library (ATL).

cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Badly bounded write" query (`cpp/badly-bounded-write`) no longer produces results if there is an extraction error in the type of the output buffer.

cpp/ql/src/change-notes/2024-12-05-wrong-number-format-arguments.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Too few arguments to formatting function" query (`cpp/wrong-number-format-arguments`) no longer produces results if an argument has an extraction error.

cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) no longer produces results when an argument type has an extraction error.

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected

@@ -21,7 +21,11 @@ edges
 | test.cpp:85:21:85:36 | buf | test.cpp:87:5:87:31 | access to array | provenance | Config |
 | test.cpp:85:21:85:36 | buf | test.cpp:88:5:88:27 | access to array | provenance | Config |
 | test.cpp:85:34:85:36 | buf | test.cpp:85:21:85:36 | buf | provenance |  |
+| test.cpp:92:9:92:11 | definition of arr | test.cpp:96:13:96:18 | access to array | provenance | Config |
 | test.cpp:96:13:96:15 | arr | test.cpp:96:13:96:18 | access to array | provenance | Config |
+| test.cpp:102:9:102:11 | definition of arr | test.cpp:111:17:111:22 | access to array | provenance | Config |
+| test.cpp:102:9:102:11 | definition of arr | test.cpp:115:35:115:40 | access to array | provenance | Config |
+| test.cpp:102:9:102:11 | definition of arr | test.cpp:119:17:119:22 | access to array | provenance | Config |
 | test.cpp:111:17:111:19 | arr | test.cpp:111:17:111:22 | access to array | provenance | Config |
 | test.cpp:111:17:111:19 | arr | test.cpp:115:35:115:40 | access to array | provenance | Config |
 | test.cpp:111:17:111:19 | arr | test.cpp:119:17:119:22 | access to array | provenance | Config |
@@ -31,40 +35,54 @@ edges
 | test.cpp:119:17:119:19 | arr | test.cpp:111:17:111:22 | access to array | provenance | Config |
 | test.cpp:119:17:119:19 | arr | test.cpp:115:35:115:40 | access to array | provenance | Config |
 | test.cpp:119:17:119:19 | arr | test.cpp:119:17:119:22 | access to array | provenance | Config |
+| test.cpp:125:11:125:13 | definition of arr | test.cpp:128:9:128:14 | access to array | provenance | Config |
 | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | provenance | Config |
 | test.cpp:134:25:134:27 | arr | test.cpp:136:9:136:16 | ... += ... | provenance | Config |
 | test.cpp:136:9:136:16 | ... += ... | test.cpp:136:9:136:16 | ... += ... | provenance |  |
 | test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr | provenance |  |
+| test.cpp:142:10:142:13 | definition of asdf | test.cpp:143:18:143:21 | asdf | provenance |  |
 | test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr | provenance |  |
 | test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf | provenance |  |
 | test.cpp:146:26:146:26 | *p | test.cpp:147:4:147:9 | -- ... | provenance |  |
+| test.cpp:154:7:154:9 | definition of buf | test.cpp:156:12:156:18 | ... + ... | provenance | Config |
 | test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... | provenance | Config |
 | test.cpp:156:12:156:18 | ... + ... | test.cpp:156:12:156:18 | ... + ... | provenance |  |
 | test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | *& ... | provenance |  |
 | test.cpp:158:17:158:18 | *& ... | test.cpp:146:26:146:26 | *p | provenance |  |
+| test.cpp:217:19:217:24 | definition of buffer | test.cpp:218:16:218:28 | buffer | provenance |  |
 | test.cpp:218:16:218:28 | buffer | test.cpp:220:5:220:11 | access to array | provenance | Config |
 | test.cpp:218:16:218:28 | buffer | test.cpp:221:5:221:11 | access to array | provenance | Config |
 | test.cpp:218:23:218:28 | buffer | test.cpp:218:16:218:28 | buffer | provenance |  |
+| test.cpp:228:10:228:14 | definition of array | test.cpp:229:17:229:29 | array | provenance |  |
 | test.cpp:229:17:229:29 | array | test.cpp:231:5:231:10 | access to array | provenance | Config |
 | test.cpp:229:17:229:29 | array | test.cpp:232:5:232:10 | access to array | provenance | Config |
 | test.cpp:229:25:229:29 | array | test.cpp:229:17:229:29 | array | provenance |  |
 | test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance | Config |
 | test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance | Config |
+| test.cpp:273:19:273:25 | definition of buffer3 | test.cpp:274:14:274:20 | buffer3 | provenance |  |
 | test.cpp:274:14:274:20 | buffer3 | test.cpp:245:30:245:30 | p | provenance |  |
 | test.cpp:274:14:274:20 | buffer3 | test.cpp:274:14:274:20 | buffer3 | provenance |  |
 | test.cpp:277:35:277:35 | p | test.cpp:278:14:278:14 | p | provenance |  |
 | test.cpp:278:14:278:14 | p | test.cpp:245:30:245:30 | p | provenance |  |
+| test.cpp:282:19:282:25 | definition of buffer1 | test.cpp:283:19:283:25 | buffer1 | provenance |  |
 | test.cpp:283:19:283:25 | buffer1 | test.cpp:277:35:277:35 | p | provenance |  |
 | test.cpp:283:19:283:25 | buffer1 | test.cpp:283:19:283:25 | buffer1 | provenance |  |
+| test.cpp:285:19:285:25 | definition of buffer2 | test.cpp:286:19:286:25 | buffer2 | provenance |  |
 | test.cpp:286:19:286:25 | buffer2 | test.cpp:277:35:277:35 | p | provenance |  |
 | test.cpp:286:19:286:25 | buffer2 | test.cpp:286:19:286:25 | buffer2 | provenance |  |
+| test.cpp:288:19:288:25 | definition of buffer3 | test.cpp:289:19:289:25 | buffer3 | provenance |  |
 | test.cpp:289:19:289:25 | buffer3 | test.cpp:277:35:277:35 | p | provenance |  |
 | test.cpp:289:19:289:25 | buffer3 | test.cpp:289:19:289:25 | buffer3 | provenance |  |
 | test.cpp:292:25:292:27 | arr | test.cpp:299:16:299:21 | access to array | provenance | Config |
+| test.cpp:305:9:305:12 | definition of arr1 | test.cpp:306:20:306:23 | arr1 | provenance |  |
 | test.cpp:306:20:306:23 | arr1 | test.cpp:292:25:292:27 | arr | provenance |  |
 | test.cpp:306:20:306:23 | arr1 | test.cpp:306:20:306:23 | arr1 | provenance |  |
+| test.cpp:308:9:308:12 | definition of arr2 | test.cpp:309:20:309:23 | arr2 | provenance |  |
 | test.cpp:309:20:309:23 | arr2 | test.cpp:292:25:292:27 | arr | provenance |  |
 | test.cpp:309:20:309:23 | arr2 | test.cpp:309:20:309:23 | arr2 | provenance |  |
+| test.cpp:314:10:314:13 | definition of temp | test.cpp:319:19:319:27 | ... + ... | provenance | Config |
+| test.cpp:314:10:314:13 | definition of temp | test.cpp:322:19:322:27 | ... + ... | provenance | Config |
+| test.cpp:314:10:314:13 | definition of temp | test.cpp:324:23:324:32 | ... + ... | provenance | Config |
 | test.cpp:319:13:319:27 | ... = ... | test.cpp:325:24:325:26 | end | provenance |  |
 | test.cpp:319:19:319:22 | temp | test.cpp:319:19:319:27 | ... + ... | provenance | Config |
 | test.cpp:319:19:319:22 | temp | test.cpp:324:23:324:32 | ... + ... | provenance | Config |
@@ -114,32 +132,39 @@ nodes
 | test.cpp:85:34:85:36 | buf | semmle.label | buf |
 | test.cpp:87:5:87:31 | access to array | semmle.label | access to array |
 | test.cpp:88:5:88:27 | access to array | semmle.label | access to array |
+| test.cpp:92:9:92:11 | definition of arr | semmle.label | definition of arr |
 | test.cpp:96:13:96:15 | arr | semmle.label | arr |
 | test.cpp:96:13:96:18 | access to array | semmle.label | access to array |
+| test.cpp:102:9:102:11 | definition of arr | semmle.label | definition of arr |
 | test.cpp:111:17:111:19 | arr | semmle.label | arr |
 | test.cpp:111:17:111:22 | access to array | semmle.label | access to array |
 | test.cpp:115:35:115:37 | arr | semmle.label | arr |
 | test.cpp:115:35:115:40 | access to array | semmle.label | access to array |
 | test.cpp:119:17:119:19 | arr | semmle.label | arr |
 | test.cpp:119:17:119:22 | access to array | semmle.label | access to array |
+| test.cpp:125:11:125:13 | definition of arr | semmle.label | definition of arr |
 | test.cpp:128:9:128:11 | arr | semmle.label | arr |
 | test.cpp:128:9:128:14 | access to array | semmle.label | access to array |
 | test.cpp:134:25:134:27 | arr | semmle.label | arr |
 | test.cpp:136:9:136:16 | ... += ... | semmle.label | ... += ... |
 | test.cpp:136:9:136:16 | ... += ... | semmle.label | ... += ... |
 | test.cpp:138:13:138:15 | arr | semmle.label | arr |
+| test.cpp:142:10:142:13 | definition of asdf | semmle.label | definition of asdf |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 | test.cpp:146:26:146:26 | *p | semmle.label | *p |
 | test.cpp:147:4:147:9 | -- ... | semmle.label | -- ... |
+| test.cpp:154:7:154:9 | definition of buf | semmle.label | definition of buf |
 | test.cpp:156:12:156:14 | buf | semmle.label | buf |
 | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
 | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
 | test.cpp:158:17:158:18 | *& ... | semmle.label | *& ... |
+| test.cpp:217:19:217:24 | definition of buffer | semmle.label | definition of buffer |
 | test.cpp:218:16:218:28 | buffer | semmle.label | buffer |
 | test.cpp:218:23:218:28 | buffer | semmle.label | buffer |
 | test.cpp:220:5:220:11 | access to array | semmle.label | access to array |
 | test.cpp:221:5:221:11 | access to array | semmle.label | access to array |
+| test.cpp:228:10:228:14 | definition of array | semmle.label | definition of array |
 | test.cpp:229:17:229:29 | array | semmle.label | array |
 | test.cpp:229:25:229:29 | array | semmle.label | array |
 | test.cpp:231:5:231:10 | access to array | semmle.label | access to array |
@@ -147,22 +172,29 @@ nodes
 | test.cpp:245:30:245:30 | p | semmle.label | p |
 | test.cpp:245:30:245:30 | p | semmle.label | p |
 | test.cpp:261:27:261:30 | access to array | semmle.label | access to array |
+| test.cpp:273:19:273:25 | definition of buffer3 | semmle.label | definition of buffer3 |
 | test.cpp:274:14:274:20 | buffer3 | semmle.label | buffer3 |
 | test.cpp:274:14:274:20 | buffer3 | semmle.label | buffer3 |
 | test.cpp:277:35:277:35 | p | semmle.label | p |
 | test.cpp:278:14:278:14 | p | semmle.label | p |
+| test.cpp:282:19:282:25 | definition of buffer1 | semmle.label | definition of buffer1 |
 | test.cpp:283:19:283:25 | buffer1 | semmle.label | buffer1 |
 | test.cpp:283:19:283:25 | buffer1 | semmle.label | buffer1 |
+| test.cpp:285:19:285:25 | definition of buffer2 | semmle.label | definition of buffer2 |
 | test.cpp:286:19:286:25 | buffer2 | semmle.label | buffer2 |
 | test.cpp:286:19:286:25 | buffer2 | semmle.label | buffer2 |
+| test.cpp:288:19:288:25 | definition of buffer3 | semmle.label | definition of buffer3 |
 | test.cpp:289:19:289:25 | buffer3 | semmle.label | buffer3 |
 | test.cpp:289:19:289:25 | buffer3 | semmle.label | buffer3 |
 | test.cpp:292:25:292:27 | arr | semmle.label | arr |
 | test.cpp:299:16:299:21 | access to array | semmle.label | access to array |
+| test.cpp:305:9:305:12 | definition of arr1 | semmle.label | definition of arr1 |
 | test.cpp:306:20:306:23 | arr1 | semmle.label | arr1 |
 | test.cpp:306:20:306:23 | arr1 | semmle.label | arr1 |
+| test.cpp:308:9:308:12 | definition of arr2 | semmle.label | definition of arr2 |
 | test.cpp:309:20:309:23 | arr2 | semmle.label | arr2 |
 | test.cpp:309:20:309:23 | arr2 | semmle.label | arr2 |
+| test.cpp:314:10:314:13 | definition of temp | semmle.label | definition of temp |
 | test.cpp:319:13:319:27 | ... = ... | semmle.label | ... = ... |
 | test.cpp:319:19:319:22 | temp | semmle.label | temp |
 | test.cpp:319:19:319:27 | ... + ... | semmle.label | ... + ... |
@@ -187,13 +219,23 @@ subpaths
 | test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
 | test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
 | test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write |
+| test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:125:11:125:13 | definition of arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write |
 | test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write |
+| test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:142:10:142:13 | definition of asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read |
 | test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read |
+| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:154:7:154:9 | definition of buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
 | test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
+| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:217:19:217:24 | definition of buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write |
 | test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write |
+| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:228:10:228:14 | definition of array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write |
 | test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write |
+| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:285:19:285:25 | definition of buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read |
 | test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read |
+| test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:308:9:308:12 | definition of arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read |
 | test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:309:20:309:23 | arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read |
+| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:314:10:314:13 | definition of temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... | write |
+| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:314:10:314:13 | definition of temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write |
+| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:314:10:314:13 | definition of temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write |
 | test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... | write |
 | test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write |
 | test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write |

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected

@@ -181,6 +181,10 @@ postWithInFlow
 | test.cpp:1108:4:1108:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:1109:3:1109:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:1109:4:1109:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1138:3:1138:13 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1138:5:1138:8 | data [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1139:3:1139:7 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1139:4:1139:7 | data [inner post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -132,6 +132,8 @@ astFlow
 | test.cpp:1069:9:1069:14 | call to source | test.cpp:1074:10:1074:10 | i |
 | test.cpp:1069:9:1069:14 | call to source | test.cpp:1082:10:1082:10 | i |
 | test.cpp:1086:12:1086:12 | a | test.cpp:1088:8:1088:9 | & ... |
+| test.cpp:1137:7:1137:10 | data | test.cpp:1140:8:1140:18 | * ... |
+| test.cpp:1138:17:1138:22 | call to source | test.cpp:1140:8:1140:18 | * ... |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |
 | true_upon_entry.cpp:33:11:33:16 | call to source | true_upon_entry.cpp:39:8:39:8 | x |
@@ -324,6 +326,7 @@ irFlow
 | test.cpp:1069:9:1069:14 | call to source | test.cpp:1081:10:1081:10 | i |
 | test.cpp:1117:27:1117:34 | call to source | test.cpp:1117:27:1117:34 | call to source |
 | test.cpp:1132:11:1132:16 | call to source | test.cpp:1121:8:1121:8 | x |
+| test.cpp:1138:17:1138:22 | call to source | test.cpp:1140:8:1140:18 | * ... |
 | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -1131,4 +1131,11 @@ void (*dispatch_table[])(int) = {
 void test_dispatch_table(int i) {
   int x = source();
   dispatch_table[i](x);
+}
+
+void test_uncertain_array(int n1, int n2) {
+  int data[10];
+  *(data + 1) = source();
+  *data = 0;
+  sink(*(data + 1)); // $ ast=1138:17 ast=1137:7 ir
 }

cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected

@@ -56,3 +56,6 @@
 | test.cpp:796:12:796:12 | a | test.cpp:798:17:798:17 | a |
 | test.cpp:1086:12:1086:12 | a | test.cpp:1087:3:1087:3 | a |
 | test.cpp:1086:12:1086:12 | a | test.cpp:1088:9:1088:9 | a |
+| test.cpp:1137:7:1137:10 | data | test.cpp:1138:5:1138:8 | data |
+| test.cpp:1137:7:1137:10 | data | test.cpp:1139:4:1139:7 | data |
+| test.cpp:1137:7:1137:10 | data | test.cpp:1140:10:1140:13 | data |

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -10,14 +10,14 @@ edges
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 |
-| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:644 |
-| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:642  |
-| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:643 |
+| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:801 |
+| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:799  |
+| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:800 |
 | test.cpp:7:10:7:18 | call to ymlSource | test.cpp:13:18:13:18 | x | provenance |  |
 | test.cpp:13:10:13:16 | call to ymlStep | test.cpp:13:10:13:16 | call to ymlStep | provenance |  |
-| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:643 |
+| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:800 |
 | test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | provenance |  |
-| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:644 |
+| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:801 |
 nodes
 | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer |
 | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: ReturnValue in buffer |

cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected

@@ -1,8 +1,28 @@
+| Dubious member name "operator BSTR" in summary model. |
+| Dubious member name "operator HKEY" in summary model. |
+| Dubious member name "operator LPCSTR" in summary model. |
+| Dubious member name "operator LPSAFEARRAY" in summary model. |
+| Dubious member name "operator LPSTR" in summary model. |
+| Dubious member name "operator LPWSTR" in summary model. |
+| Dubious member name "operator PCXSTR" in summary model. |
+| Dubious member name "operator&" in summary model. |
 | Dubious member name "operator*" in summary model. |
+| Dubious member name "operator+=" in summary model. |
 | Dubious member name "operator->" in summary model. |
 | Dubious member name "operator=" in summary model. |
 | Dubious member name "operator[]" in summary model. |
+| Dubious signature "(CAtlFile &)" in summary model. |
+| Dubious signature "(CComBSTR &&)" in summary model. |
+| Dubious signature "(CRegKey &)" in summary model. |
+| Dubious signature "(DWORD &,LPCTSTR)" in summary model. |
 | Dubious signature "(InputIterator,InputIterator,const Allocator &)" in summary model. |
+| Dubious signature "(LPCTSTR,DWORD *,void *,ULONG *)" in summary model. |
+| Dubious signature "(LPTSTR,LPCTSTR,DWORD *)" in summary model. |
+| Dubious signature "(const CComBSTR &)" in summary model. |
+| Dubious signature "(const CComSafeArray &)" in summary model. |
+| Dubious signature "(const SAFEARRAY &)" in summary model. |
+| Dubious signature "(const SAFEARRAY *)" in summary model. |
+| Dubious signature "(const T &,BOOL)" in summary model. |
 | Dubious signature "(const deque &)" in summary model. |
 | Dubious signature "(const deque &,const Allocator &)" in summary model. |
 | Dubious signature "(const forward_list &)" in summary model. |

cpp/ql/test/library-tests/dataflow/source-sink-tests/atl.cpp

@@ -0,0 +1,389 @@
+typedef void* HANDLE;
+typedef long LONG;
+typedef LONG HRESULT;
+typedef const char* LPCTSTR;
+typedef unsigned long DWORD;
+typedef unsigned long ULONG;
+typedef void* PVOID;
+typedef void* LPVOID;
+typedef bool BOOL;
+typedef const void* LPCVOID;
+typedef unsigned long long ULONGLONG;
+typedef long long LONGLONG;
+typedef unsigned long* ULONG_PTR;
+typedef char *LPTSTR;
+typedef DWORD* LPDWORD;
+typedef ULONG REGSAM;
+typedef DWORD SECURITY_INFORMATION, *PSECURITY_INFORMATION;
+typedef PVOID PSECURITY_DESCRIPTOR;
+typedef struct _GUID {
+  unsigned long  Data1;
+  unsigned short Data2;
+  unsigned short Data3;
+  unsigned char  Data4[8];
+} GUID;
+typedef GUID* REFGUID;
+
+typedef struct _SECURITY_ATTRIBUTES {
+  DWORD  nLength;
+  LPVOID lpSecurityDescriptor;
+  BOOL   bInheritHandle;
+} SECURITY_ATTRIBUTES, *PSECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES;
+
+typedef struct _FILETIME {
+  DWORD dwLowDateTime;
+  DWORD dwHighDateTime;
+} FILETIME, *PFILETIME, *LPFILETIME;
+
+using size_t = decltype(sizeof(int));
+using SIZE_T = size_t;
+
+typedef struct _OVERLAPPED {
+  ULONG_PTR Internal;
+  ULONG_PTR InternalHigh;
+  union {
+    struct {
+      DWORD Offset;
+      DWORD OffsetHigh;
+    } DUMMYSTRUCTNAME;
+    PVOID Pointer;
+  } DUMMYUNIONNAME;
+  HANDLE    hEvent;
+} OVERLAPPED, *LPOVERLAPPED;
+
+using LPOVERLAPPED_COMPLETION_ROUTINE = void(DWORD, DWORD, LPOVERLAPPED);
+
+using HKEY = void*;
+
+class CAtlTransactionManager;
+
+class CHandle {
+  CHandle() throw();
+  CHandle(CHandle& h) throw();
+  explicit CHandle(HANDLE h) throw();
+};
+
+struct CAtlFile : public CHandle {
+  CAtlFile() throw();
+  CAtlFile(CAtlTransactionManager* pTM) throw();
+  CAtlFile(CAtlFile& file) throw();
+  explicit CAtlFile(HANDLE hFile) throw();
+
+  HRESULT Create(
+    LPCTSTR szFilename,
+    DWORD dwDesiredAccess,
+    DWORD dwShareMode,
+    DWORD dwCreationDisposition,
+    DWORD dwFlagsAndAttributes,
+    LPSECURITY_ATTRIBUTES lpsa,
+    HANDLE hTemplateFile) throw();
+
+    HRESULT Flush() throw();
+    HRESULT GetOverlappedResult(
+      LPOVERLAPPED pOverlapped,
+      DWORD& dwBytesTransferred,
+      BOOL bWait
+    ) throw();
+
+    HRESULT GetPosition(ULONGLONG& nPos) const throw();
+    HRESULT GetSize(ULONGLONG& nLen) const throw();
+    HRESULT LockRange(ULONGLONG nPos, ULONGLONG nCount) throw();
+    
+    HRESULT Read(
+    LPVOID pBuffer,
+    DWORD nBufSize) throw();
+
+  HRESULT Read(
+      LPVOID pBuffer,
+      DWORD nBufSize,
+      DWORD& nBytesRead) throw();
+  HRESULT Read(
+      LPVOID pBuffer,
+      DWORD nBufSize,
+      LPOVERLAPPED pOverlapped) throw();
+  HRESULT Read(
+      LPVOID pBuffer,
+      DWORD nBufSize,
+      LPOVERLAPPED pOverlapped,
+      LPOVERLAPPED_COMPLETION_ROUTINE pfnCompletionRoutine) throw();
+
+  HRESULT Seek(
+    LONGLONG nOffset,
+    DWORD dwFrom) throw();
+
+  HRESULT SetSize(ULONGLONG nNewLen) throw();
+  HRESULT UnlockRange(ULONGLONG nPos, ULONGLONG nCount) throw();
+  HRESULT Write(
+      LPCVOID pBuffer,
+      DWORD nBufSize,
+      LPOVERLAPPED pOverlapped,
+      LPOVERLAPPED_COMPLETION_ROUTINE pfnCompletionRoutine) throw();
+
+  HRESULT Write(
+      LPCVOID pBuffer,
+      DWORD nBufSize,
+      DWORD* pnBytesWritten) throw();
+
+  HRESULT Write(
+      LPCVOID pBuffer,
+      DWORD nBufSize,
+      LPOVERLAPPED pOverlapped) throw();
+};
+
+void test_CAtlFile() {
+  CAtlFile catFile;
+  char buffer[1024];
+  catFile.Read(buffer, 1024); // $ local_source
+}
+
+struct CAtlFileMappingBase {
+  CAtlFileMappingBase(CAtlFileMappingBase& orig);
+  CAtlFileMappingBase() throw();
+  ~CAtlFileMappingBase() throw();
+
+  HRESULT CopyFrom(CAtlFileMappingBase& orig) throw();
+  void* GetData() const throw();
+  HANDLE GetHandle() throw ();
+  SIZE_T GetMappingSize() throw();
+
+  HRESULT MapFile(
+      HANDLE hFile,
+      SIZE_T nMappingSize,
+      ULONGLONG nOffset,
+      DWORD dwMappingProtection,
+      DWORD dwViewDesiredAccess) throw();
+
+    HRESULT MapSharedMem(
+      SIZE_T nMappingSize,
+      LPCTSTR szName,
+      BOOL* pbAlreadyExisted,
+      LPSECURITY_ATTRIBUTES lpsa,
+      DWORD dwMappingProtection,
+      DWORD dwViewDesiredAccess) throw();
+
+    HRESULT OpenMapping(
+      LPCTSTR szName,
+      SIZE_T nMappingSize,
+      ULONGLONG nOffset,
+      DWORD dwViewDesiredAccess) throw();
+
+    HRESULT Unmap() throw();
+};
+
+template <typename T>
+struct CAtlFileMapping : public CAtlFileMappingBase {
+  operator T*() const throw();
+};
+
+void test_CAtlFileMapping(CAtlFileMapping<char> mapping) {
+  char* data = static_cast<char*>(mapping); // $ local_source
+  void* data2 = mapping.GetData(); // $ local_source
+}
+
+struct CAtlTemporaryFile {
+  CAtlTemporaryFile() throw();
+  ~CAtlTemporaryFile() throw();
+  HRESULT Close(LPCTSTR szNewName) throw();
+  HRESULT Create(LPCTSTR pszDir, DWORD dwDesiredAccess) throw();
+  HRESULT Flush() throw();
+  HRESULT GetPosition(ULONGLONG& nPos) const throw();
+  HRESULT GetSize(ULONGLONG& nLen) const throw();
+  HRESULT HandsOff() throw();
+  HRESULT HandsOn() throw();
+  HRESULT LockRange(ULONGLONG nPos, ULONGLONG nCount) throw();
+
+  HRESULT Read(
+      LPVOID pBuffer,
+      DWORD nBufSize,
+      DWORD& nBytesRead) throw();
+      HRESULT Seek(LONGLONG nOffset, DWORD dwFrom) throw();
+  
+  HRESULT SetSize(ULONGLONG nNewLen) throw();
+  LPCTSTR TempFileName() throw();
+  HRESULT UnlockRange(ULONGLONG nPos, ULONGLONG nCount) throw();
+  
+  HRESULT Write(
+      LPCVOID pBuffer,
+      DWORD nBufSize,
+      DWORD* pnBytesWritten) throw();
+      operator HANDLE() throw();
+};
+
+void test_CAtlTemporaryFile() {
+  CAtlTemporaryFile file;
+  char buffer[1024];
+  DWORD bytesRead;
+  file.Read(buffer, 1024, bytesRead); // $ local_source
+}
+
+struct CRegKey {
+  CRegKey() throw();
+  CRegKey(CRegKey& key) throw();
+  explicit CRegKey(HKEY hKey) throw();
+  CRegKey(CAtlTransactionManager* pTM) throw();
+
+  ~CRegKey() throw();
+  void Attach(HKEY hKey) throw();
+  LONG Close() throw();
+
+  LONG Create(
+    HKEY hKeyParent,
+    LPCTSTR lpszKeyName,
+    LPTSTR lpszClass,
+    DWORD dwOptions,
+    REGSAM samDesired,
+    LPSECURITY_ATTRIBUTES lpSecAttr,
+    LPDWORD lpdwDisposition) throw();
+
+  LONG DeleteSubKey(LPCTSTR lpszSubKey) throw();
+  LONG DeleteValue(LPCTSTR lpszValue) throw();
+  HKEY Detach() throw();
+  
+  LONG EnumKey(
+    DWORD iIndex,
+    LPTSTR pszName,
+    LPDWORD pnNameLength,
+    FILETIME* pftLastWriteTime) throw();
+  
+  LONG Flush() throw();
+
+  LONG GetKeySecurity(
+    SECURITY_INFORMATION si,
+    PSECURITY_DESCRIPTOR psd,
+    LPDWORD pnBytes) throw();
+  
+  LONG NotifyChangeKeyValue(
+    BOOL bWatchSubtree,
+    DWORD dwNotifyFilter,
+    HANDLE hEvent,
+    BOOL bAsync) throw();
+
+  LONG Open(
+    HKEY hKeyParent,
+    LPCTSTR lpszKeyName,
+    REGSAM samDesired) throw();
+
+  LONG QueryBinaryValue(
+    LPCTSTR pszValueName,
+    void* pValue,
+    ULONG* pnBytes) throw();
+
+  LONG QueryDWORDValue(
+    LPCTSTR pszValueName,
+    DWORD& dwValue) throw();
+
+  LONG QueryGUIDValue(
+    LPCTSTR pszValueName,
+    GUID& guidValue) throw();
+
+  LONG QueryMultiStringValue(
+    LPCTSTR pszValueName,
+    LPTSTR pszValue,
+    ULONG* pnChars) throw();
+
+  LONG QueryQWORDValue(
+    LPCTSTR pszValueName,
+    ULONGLONG& qwValue) throw();
+
+  LONG QueryStringValue(
+    LPCTSTR pszValueName,
+    LPTSTR pszValue,
+    ULONG* pnChars) throw();
+
+  LONG QueryValue(
+      LPCTSTR pszValueName,
+      DWORD* pdwType,
+      void* pData,
+      ULONG* pnBytes) throw();
+
+  LONG QueryValue(
+    DWORD& dwValue,
+    LPCTSTR lpszValueName);
+
+  LONG QueryValue(
+    LPTSTR szValue,
+    LPCTSTR lpszValueName,
+    DWORD* pdwCount);
+
+  LONG RecurseDeleteKey(LPCTSTR lpszKey) throw();
+
+  LONG SetBinaryValue(
+    LPCTSTR pszValueName,
+    const void* pValue,
+    ULONG nBytes) throw();
+
+  LONG SetDWORDValue(LPCTSTR pszValueName, DWORD dwValue) throw();
+
+  LONG SetGUIDValue(LPCTSTR pszValueName, REFGUID guidValue) throw();
+
+  LONG SetKeySecurity(SECURITY_INFORMATION si, PSECURITY_DESCRIPTOR psd) throw();
+
+  LONG SetKeyValue(
+    LPCTSTR lpszKeyName,
+    LPCTSTR lpszValue,
+    LPCTSTR lpszValueName) throw();
+
+  LONG SetMultiStringValue(LPCTSTR pszValueName, LPCTSTR pszValue) throw();
+
+  LONG SetQWORDValue(LPCTSTR pszValueName, ULONGLONG qwValue) throw();
+
+  LONG SetStringValue(
+    LPCTSTR pszValueName,
+    LPCTSTR pszValue,
+    DWORD dwType) throw();
+
+  LONG SetValue(
+    LPCTSTR pszValueName,
+    DWORD dwType,
+    const void* pValue,
+    ULONG nBytes) throw();
+
+  static LONG SetValue(
+    HKEY hKeyParent,
+    LPCTSTR lpszKeyName,
+    LPCTSTR lpszValue,
+    LPCTSTR lpszValueName);
+
+  LONG SetValue(
+    DWORD dwValue,
+    LPCTSTR lpszValueName);
+
+  LONG SetValue(
+    LPCTSTR lpszValue,
+    LPCTSTR lpszValueName,
+    bool bMulti,
+    int nValueLen);
+
+  operator HKEY() const throw();
+  CRegKey& operator= (CRegKey& key) throw();
+
+  HKEY m_hKey;
+};
+
+void test_CRegKey() {
+  CRegKey key;
+  char data[1024];
+  ULONG bytesRead;
+  key.QueryBinaryValue("foo", data, &bytesRead); // $ local_source
+
+  DWORD value;
+  key.QueryDWORDValue("foo", value); // $ local_source
+  
+  GUID guid;
+  key.QueryGUIDValue("foo", guid); // $ local_source
+  
+  key.QueryMultiStringValue("foo", data, &bytesRead); // $ local_source
+  
+  ULONGLONG qword;
+  key.QueryQWORDValue("foo", qword); // $ local_source
+  
+  key.QueryStringValue("foo", data, &bytesRead); // $ local_source
+  
+  key.QueryValue(data, "foo", &bytesRead); // $ local_source
+  
+  DWORD type;
+  key.QueryValue("foo", &type, data, &bytesRead); // $ local_source
+  
+  DWORD value2;
+  key.QueryValue(value2, "foo"); // $ local_source
+}

cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp

@@ -0,0 +1,900 @@
+namespace {
+  template<typename T> T source();
+  template<typename T> T* indirect_source();
+  void sink(...);
+}
+
+typedef unsigned int UINT;
+typedef long LONG;
+typedef void* LPVOID;
+typedef void* PVOID;
+typedef bool BOOL;
+typedef char* PSTR, *LPSTR;
+typedef const char* LPCTSTR;
+typedef unsigned short WORD;
+typedef unsigned long DWORD;
+typedef void* HANDLE;
+typedef LONG HRESULT;
+typedef unsigned long ULONG;
+typedef const char* LPCSTR;
+typedef wchar_t OLECHAR;
+typedef OLECHAR* LPOLESTR;
+typedef const LPOLESTR LPCOLESTR;
+typedef OLECHAR* BSTR;
+typedef wchar_t* LPWSTR, *PWSTR;
+typedef BSTR* LPBSTR;
+typedef unsigned short USHORT;
+typedef char *LPTSTR;
+struct __POSITION { int unused; };
+typedef __POSITION* POSITION;
+typedef WORD ATL_URL_PORT;
+
+enum ATL_URL_SCHEME{
+   ATL_URL_SCHEME_UNKNOWN = -1,
+   ATL_URL_SCHEME_FTP     = 0,
+   ATL_URL_SCHEME_GOPHER  = 1,
+   ATL_URL_SCHEME_HTTP    = 2,
+   ATL_URL_SCHEME_HTTPS   = 3,
+   ATL_URL_SCHEME_FILE    = 4,
+   ATL_URL_SCHEME_NEWS    = 5,
+   ATL_URL_SCHEME_MAILTO  = 6,
+   ATL_URL_SCHEME_SOCKS   = 7
+};
+
+using HINSTANCE = void*;
+using size_t = decltype(sizeof(int));
+using SIZE_T = size_t;
+
+#define NULL nullptr
+
+typedef struct tagSAFEARRAYBOUND {
+  ULONG cElements;
+  LONG  lLbound;
+} SAFEARRAYBOUND, *LPSAFEARRAYBOUND;
+
+typedef struct tagVARIANT {
+  /* ... */
+} VARIANT;
+
+typedef struct tagSAFEARRAY {
+  USHORT         cDims;
+  USHORT         fFeatures;
+  ULONG          cbElements;
+  ULONG          cLocks;
+  PVOID          pvData;
+  SAFEARRAYBOUND rgsabound[1];
+} SAFEARRAY, *LPSAFEARRAY;
+
+struct _U_STRINGorID {
+  _U_STRINGorID(UINT nID);
+  _U_STRINGorID(LPCTSTR lpString);
+
+  LPCTSTR m_lpstr;
+};
+
+void test__U_STRINGorID() {
+  {
+    UINT x = source<UINT>();
+    _U_STRINGorID u(x);
+    sink(u.m_lpstr); // $ ir
+  }
+
+  {
+    LPCTSTR y = indirect_source<const char>();
+    _U_STRINGorID u(y);
+    sink(u.m_lpstr); // $ ir
+  }
+}
+
+template <int t_nBufferLength>
+struct CA2AEX {
+  LPSTR m_psz;
+  char m_szBuffer[t_nBufferLength];
+
+  CA2AEX(LPCSTR psz, UINT nCodePage);
+  CA2AEX(LPCSTR psz);
+
+  ~CA2AEX();
+
+  operator LPSTR() const throw();
+};
+
+void test_CA2AEX() {
+  {
+    LPSTR x = indirect_source<char>();
+    CA2AEX<128> a(x);
+    sink(static_cast<LPSTR>(a)); // $ ir
+    sink(a.m_psz); // $ ir
+    sink(a.m_szBuffer); // $ ir
+  }
+
+  {
+    LPSTR x = indirect_source<char>();
+    CA2AEX<128> a(x, 0);
+    sink(static_cast<LPSTR>(a)); // $ ir
+    sink(a.m_psz); // $ ir
+    sink(a.m_szBuffer); // $ ir
+  }
+}
+
+template<int t_nBufferLength>
+struct CA2CAEX {
+  CA2CAEX(LPCSTR psz, UINT nCodePage) ;
+  CA2CAEX(LPCSTR psz) ;
+  ~CA2CAEX() throw();
+  operator LPCSTR() const throw();
+  LPCSTR m_psz;
+};
+
+void test_CA2CAEX() {
+  LPCSTR x = indirect_source<char>();
+  {
+    CA2CAEX<128> a(x);
+    sink(static_cast<LPCSTR>(a)); // $ ir
+    sink(a.m_psz); // $ ir
+    sink(a.m_psz); // $ ir
+  }
+  {
+    CA2CAEX<128> a(x, 0);
+    sink(static_cast<LPCSTR>(a)); // $ ir
+    sink(a.m_psz); // $ ir
+    sink(a.m_psz); // $ ir
+  }
+}
+
+template <int t_nBufferLength>
+struct CA2WEX {
+  CA2WEX(LPCSTR psz, UINT nCodePage) ;
+  CA2WEX(LPCSTR psz) ;
+  ~CA2WEX() throw();
+  operator LPWSTR() const throw();
+  LPWSTR m_psz;
+  wchar_t m_szBuffer[t_nBufferLength];
+};
+
+void test_CA2WEX() {
+  LPCSTR x = indirect_source<char>();
+  {
+    CA2WEX<128> a(x);
+    sink(static_cast<LPWSTR>(a)); // $ ir
+    sink(a.m_psz); // $ ir
+    sink(a.m_psz); // $ ir
+  }
+  {
+    CA2WEX<128> a(x, 0);
+    sink(static_cast<LPWSTR>(a)); // $ ir
+    sink(a.m_psz); // $ ir
+    sink(a.m_psz); // $ ir
+  }
+}
+
+template<typename T>
+struct CElementTraitsBase {
+  typedef const T& INARGTYPE;
+  typedef T& OUTARGTYPE;
+
+  static void CopyElements(T* pDest, const T* pSrc, size_t nElements);
+  static void RelocateElements(T* pDest, T* pSrc, size_t nElements);
+};
+
+template <typename T>
+struct CDefaultElementTraits : public CElementTraitsBase<T> {};
+
+template<typename T>
+struct CElementTraits : public CDefaultElementTraits<T> {};
+
+template<typename E, class ETraits = CElementTraits<E>>
+struct CAtlArray {
+  using INARGTYPE = typename ETraits::INARGTYPE;
+  using OUTARGTYPE = typename ETraits::OUTARGTYPE;
+
+  CAtlArray() throw();
+  ~CAtlArray() throw();
+
+  size_t Add(INARGTYPE element);
+  size_t Add();
+  size_t Append(const CAtlArray<E, ETraits>& aSrc);
+  void Copy(const CAtlArray<E, ETraits>& aSrc);
+  const E& GetAt(size_t iElement) const throw();
+  E& GetAt(size_t iElement) throw();
+  size_t GetCount() const throw();
+  E* GetData() throw();
+  const E* GetData() const throw();
+  void InsertArrayAt(size_t iStart, const CAtlArray<E, ETraits>* paNew);
+  void InsertAt(size_t iElement, INARGTYPE element, size_t nCount);
+  bool IsEmpty() const throw();
+  void RemoveAll() throw();
+  void RemoveAt(size_t iElement, size_t nCount);
+  void SetAt(size_t iElement, INARGTYPE element);
+  void SetAtGrow(size_t iElement, INARGTYPE element);
+  bool SetCount(size_t nNewSize, int nGrowBy);
+  E& operator[](size_t ielement) throw();
+  const E& operator[](size_t ielement) const throw();
+};
+
+void test_CAtlArray() {
+  int x = source<int>();
+
+  {
+    CAtlArray<int> a;
+    a.Add(x);
+    sink(a[0]); // $ ir
+    a.Add(0);
+    sink(a[0]); // $ ir
+
+    CAtlArray<int> a2;
+    sink(a2[0]);
+    a2.Append(a);
+    sink(a2[0]); // $ ir
+
+    CAtlArray<int> a3;
+    sink(a3[0]);
+    a3.Copy(a2);
+    sink(a3[0]); // $ ir
+
+    sink(a3.GetAt(0)); // $ ir
+    sink(*a3.GetData()); // $ ir
+
+    CAtlArray<int> a4;
+    sink(a4.GetAt(0));
+    a4.InsertArrayAt(0, &a3);
+    sink(a4.GetAt(0)); // $ ir
+  }
+  {
+    CAtlArray<int> a5;
+    a5.InsertAt(0, source<int>(), 1);
+    sink(a5[0]); // $ ir
+
+    CAtlArray<int> a6;
+    a6.SetAtGrow(0, source<int>());
+    sink(a6[0]); // $ ir
+  }
+}
+
+template<typename E, class ETraits = CElementTraits<E>>
+struct CAtlList {
+  using INARGTYPE = typename ETraits::INARGTYPE;
+  CAtlList(UINT nBlockSize) throw();
+  ~CAtlList() throw();
+  POSITION AddHead();
+  POSITION AddHead(INARGTYPE element);
+  void AddHeadList(const CAtlList<E, ETraits>* plNew);
+  POSITION AddTail();
+  POSITION AddTail(INARGTYPE element);
+  void AddTailList(const CAtlList<E, ETraits>* plNew);
+  POSITION Find(INARGTYPE element, POSITION posStartAfter) const throw();
+  POSITION FindIndex(size_t iElement) const throw();
+  E& GetAt(POSITION pos) throw();
+  const E& GetAt(POSITION pos) const throw();
+  size_t GetCount() const throw();
+  E& GetHead() throw();
+  const E& GetHead() const throw();
+  POSITION GetHeadPosition() const throw();
+  E& GetNext(POSITION& pos) throw();
+  const E& GetNext(POSITION& pos) const throw();
+  E& GetPrev(POSITION& pos) throw();
+  const E& GetPrev(POSITION& pos) const throw();
+  E& GetTail() throw();
+  const E& GetTail() const throw();
+  POSITION GetTailPosition() const throw();
+  POSITION InsertAfter(POSITION pos, INARGTYPE element);
+  POSITION InsertBefore(POSITION pos, INARGTYPE element);
+  bool IsEmpty() const throw();
+  void MoveToHead(POSITION pos) throw();
+  void MoveToTail(POSITION pos) throw();
+  void RemoveAll() throw();
+  void RemoveAt(POSITION pos) throw();
+  E RemoveHead();
+  void RemoveHeadNoReturn() throw();
+  E RemoveTail();
+  void RemoveTailNoReturn() throw();
+  void SetAt(POSITION pos, INARGTYPE element);
+  void SwapElements(POSITION pos1, POSITION pos2) throw();
+};
+
+void test_CAtlList() {
+  int x = source<int>();
+  {
+    CAtlList<int> list(10);
+    sink(list.GetHead());
+    list.AddHead(x);
+    sink(list.GetHead()); // $ ir
+
+    CAtlList<int> list2(10);
+    list2.AddHeadList(&list);
+    sink(list2.GetHead()); // $ ir
+
+    CAtlList<int> list3(10);
+    list3.AddTail(x);
+    sink(list3.GetHead()); // $ ir
+
+    CAtlList<int> list4(10);
+    list4.AddTailList(&list3);
+    sink(list4.GetHead()); // $ ir
+
+    {
+      CAtlList<int> list5(10);
+      auto pos = list5.Find(x, list5.GetHeadPosition());
+      sink(list5.GetAt(pos)); // $ MISSING: ir
+    }
+
+    {
+      CAtlList<int> list6(10);
+      list6.AddHead(x);
+      auto pos = list6.FindIndex(0);
+      sink(list6.GetAt(pos)); // $ ir
+    }
+
+    {
+      CAtlList<int> list7(10);
+      auto pos = list7.GetTailPosition();
+      list7.InsertAfter(pos, x);
+      sink(list7.GetHead()); // $ ir
+    }
+
+    {
+      CAtlList<int> list8(10);
+      auto pos = list8.GetTailPosition();
+      list8.InsertBefore(pos, x);
+      sink(list8.GetHead()); // $ ir
+    }
+    {
+      CAtlList<int> list9(10);
+      list9.SetAt(list9.GetHeadPosition(), x);
+      sink(list9.GetHead()); // $ ir
+    }
+  }
+
+  int* p = indirect_source<int>();
+  {
+    CAtlList<int*> list(10);
+    sink(list.GetHead());
+    list.AddHead(p);
+    sink(list.GetHead()); // $ ir
+
+    CAtlList<int*> list2(10);
+    list2.AddHeadList(&list);
+    sink(list2.GetHead()); // $ ir
+
+    CAtlList<int*> list3(10);
+    list3.AddTail(p);
+    sink(list3.GetHead()); // $ ir
+
+    CAtlList<int*> list4(10);
+    list4.AddTailList(&list3);
+    sink(list4.GetHead()); // $ ir
+
+    {
+      CAtlList<int*> list5(10);
+      auto pos = list5.Find(p, list5.GetHeadPosition());
+      sink(list5.GetAt(pos)); // $ MISSING: ir
+    }
+
+    {
+      CAtlList<int*> list6(10);
+      list6.AddHead(p);
+      auto pos = list6.FindIndex(0);
+      sink(list6.GetAt(pos)); // $ ir
+    }
+
+    {
+      CAtlList<int*> list7(10);
+      auto pos = list7.GetTailPosition();
+      list7.InsertAfter(pos, p);
+      sink(list7.GetHead()); // $ ir
+    }
+
+    {
+      CAtlList<int*> list8(10);
+      auto pos = list8.GetTailPosition();
+      list8.InsertBefore(pos, p);
+      sink(list8.GetHead()); // $ ir
+    }
+    {
+      CAtlList<int*> list9(10);
+      list9.SetAt(list9.GetHeadPosition(), p);
+      sink(list9.GetHead()); // $ ir
+    }
+  }
+}
+
+struct IUnknown { };
+
+struct ISequentialStream : public IUnknown { };
+
+struct IStream : public ISequentialStream { };
+
+struct CComBSTR {
+  CComBSTR() throw();
+  CComBSTR(const CComBSTR& src);
+  CComBSTR(int nSize);
+  CComBSTR(int nSize, LPCOLESTR sz);
+  CComBSTR(int nSize, LPCSTR sz);
+  CComBSTR(LPCOLESTR pSrc);
+  CComBSTR(LPCSTR pSrc);
+  CComBSTR(CComBSTR&& src) throw();
+  ~CComBSTR();
+  
+  HRESULT Append(const CComBSTR& bstrSrc) throw();
+  HRESULT Append(wchar_t ch) throw();
+  HRESULT Append(char ch) throw();
+  HRESULT Append(LPCOLESTR lpsz) throw();
+  HRESULT Append(LPCSTR lpsz) throw();
+  HRESULT Append(LPCOLESTR lpsz, int nLen) throw();
+  HRESULT AppendBSTR(BSTR p) throw();
+  HRESULT AppendBytes(const char* lpsz, int nLen) throw();
+  HRESULT ArrayToBSTR(const SAFEARRAY* pSrc) throw();
+  HRESULT AssignBSTR(const BSTR bstrSrc) throw();
+  void Attach(BSTR src) throw();
+  HRESULT BSTRToArray(LPSAFEARRAY* ppArray) throw();
+  unsigned int ByteLength() const throw();
+  BSTR Copy() const throw();
+  HRESULT CopyTo(BSTR* pbstr) throw();
+
+  HRESULT CopyTo(VARIANT* pvarDest) throw();
+  BSTR Detach() throw();
+  void Empty() throw();
+  unsigned int Length() const throw();
+  bool LoadString(HINSTANCE hInst, UINT nID) throw();
+  bool LoadString(UINT nID) throw();
+  HRESULT ReadFromStream(IStream* pStream) throw();
+  HRESULT ToUpper() throw();
+  HRESULT WriteToStream(IStream* pStream) throw();
+
+  operator BSTR() const throw();
+  BSTR* operator&() throw();
+
+  CComBSTR& operator+= (const CComBSTR& bstrSrc);
+  CComBSTR& operator+= (const LPCOLESTR pszSrc);
+
+  BSTR m_str;
+};
+
+LPSAFEARRAY getSafeArray() {
+  SAFEARRAY* safe = new SAFEARRAY;
+  safe->pvData = indirect_source<char>();
+  return safe;
+}
+
+void test_CComBSTR() {
+  char* x = indirect_source<char>();
+  {
+    CComBSTR b(x);
+    sink(b.m_str); // $ ir
+
+    CComBSTR b2(b);
+    sink(b2.m_str); // $ ir
+  }
+  {
+    CComBSTR b(10, x);
+    sink(b.m_str); // $ ir
+  }
+  {
+    CComBSTR b(x);
+
+    CComBSTR b2;
+    sink(b2.m_str);
+    b2 += b;
+    sink(b2.m_str); // $ ir
+
+    CComBSTR b3;
+    b3 += x;
+    sink(b3.m_str); // $ ir
+    sink(static_cast<BSTR>(b3)); // $ ir
+    sink(**&b3); // $ ir
+
+    CComBSTR b4;
+    b4.Append(source<char>());
+    sink(b4.m_str); // $ ir
+
+    CComBSTR b5;
+    b5.AppendBSTR(b4.m_str);
+    sink(b5.m_str); // $ ir
+
+    CComBSTR b6;
+    b6.AppendBytes(x, 10);
+    sink(b6.m_str); // $ ir
+
+    CComBSTR b7;
+    b7.ArrayToBSTR(getSafeArray());
+    sink(b7.m_str); // $ ir
+
+    CComBSTR b8;
+    b8.AssignBSTR(b7.m_str);
+    sink(b8.m_str); // $ ir
+
+    CComBSTR b9;
+    LPSAFEARRAY safe;
+    b9.Append(source<char>());
+    b9.BSTRToArray(&safe);
+    sink(safe->pvData); // $ ir
+
+    sink(b9.Copy()); // $ ir
+  }
+
+  wchar_t* w = indirect_source<wchar_t>();
+  {
+    CComBSTR b(w);
+    sink(b.m_str); // $ ir
+
+    CComBSTR b2;
+    b2.Attach(w);
+    sink(b2.m_str); // $ ir
+  }
+  {
+    CComBSTR b(10, w);
+    sink(b.m_str); // $ ir
+  }
+}
+
+template <typename T>
+struct CComSafeArray {
+  CComSafeArray();
+  CComSafeArray(const SAFEARRAYBOUND& bound);
+  CComSafeArray(ULONG  ulCount, LONG lLBound);
+  CComSafeArray(const SAFEARRAYBOUND* pBound, UINT uDims);
+  CComSafeArray(const CComSafeArray& saSrc);
+  CComSafeArray(const SAFEARRAY& saSrc);
+  CComSafeArray(const SAFEARRAY* psaSrc);
+
+  ~CComSafeArray() throw();
+
+  HRESULT Add(const SAFEARRAY* psaSrc);
+  HRESULT Add(ULONG ulCount, const T* pT, BOOL bCopy);
+  HRESULT Add(const T& t, BOOL bCopy);
+  HRESULT Attach(const SAFEARRAY* psaSrc);
+  HRESULT CopyFrom(LPSAFEARRAY* ppArray);
+  HRESULT CopyTo(LPSAFEARRAY* ppArray);
+  HRESULT Create(const SAFEARRAYBOUND* pBound, UINT uDims);
+  HRESULT Create(ULONG ulCount, LONG lLBound);
+  HRESULT Destroy();
+  LPSAFEARRAY Detach();
+  T& GetAt(LONG lIndex) const;
+  ULONG GetCount(UINT uDim) const;
+  UINT GetDimensions() const;
+  LONG GetLowerBound(UINT uDim) const;
+  LPSAFEARRAY GetSafeArrayPtr() throw();
+  LONG GetUpperBound(UINT uDim) const;
+  bool IsSizable() const;
+  HRESULT MultiDimGetAt(const LONG* alIndex, T& t);
+  HRESULT MultiDimSetAt(const LONG* alIndex, const T& t);
+  HRESULT Resize(const SAFEARRAYBOUND* pBound);
+  HRESULT Resize(ULONG ulCount, LONG lLBound);
+  HRESULT SetAt(LONG lIndex, const T& t, BOOL bCopy);
+  operator LPSAFEARRAY() const;
+  T& operator[](long lindex) const;
+  T& operator[](int nindex) const;
+
+  LPSAFEARRAY m_psa;
+};
+
+void test_CComSafeArray() {
+  LPSAFEARRAY safe = getSafeArray();
+  sink(safe->pvData); // $ ir
+  {
+  CComSafeArray<int> c(safe);
+  sink(c[0]); // $ ir
+  sink(c.GetAt(0)); // $ ir
+  sink(c.GetSafeArrayPtr()->pvData); // $ ir
+  sink(c.m_psa->pvData); // $ ir
+  }
+  {
+    CComSafeArray<int> c;
+    sink(c[0]);
+    sink(c.GetAt(0));
+    sink(c.GetSafeArrayPtr()->pvData);
+    c.Add(safe);
+    sink(c[0]); // $ ir
+    sink(c.GetAt(0)); // $ ir
+    sink(c.GetSafeArrayPtr()->pvData); // $ ir
+    sink(static_cast<LPSAFEARRAY>(c)->pvData); // $ ir
+  }
+  {
+    CComSafeArray<int> c;
+    c.Add(source<int>(), true);
+    sink(c[0]); // $ ir
+    sink(c.GetAt(0)); // $ ir
+    sink(c.GetSafeArrayPtr()->pvData); // $ ir
+  }
+  {
+    CComSafeArray<int> c;
+    c.SetAt(0, source<int>(), true);
+    sink(c[0]); // $ ir
+    sink(c[0L]); // $ ir
+  }
+}
+
+template <typename StringType>
+struct CPathT {
+  typedef StringType PCXSTR; // simplified
+  CPathT(PCXSTR pszPath);
+  CPathT(const CPathT<StringType>& path);
+  CPathT() throw();
+
+  void AddBackslash();
+  BOOL AddExtension(PCXSTR pszExtension);
+  BOOL Append(PCXSTR pszMore);
+  void BuildRoot(int iDrive);
+  void Canonicalize();
+  void Combine(PCXSTR pszDir, PCXSTR pszFile);
+  CPathT<StringType> CommonPrefix(PCXSTR pszOther);
+  BOOL CompactPathEx(UINT nMaxChars, DWORD dwFlags);
+  BOOL FileExists() const;
+  int FindExtension() const;
+  int FindFileName() const;
+  int GetDriveNumber() const;
+  StringType GetExtension() const;
+  BOOL IsDirectory() const;
+  BOOL IsFileSpec() const;
+  BOOL IsPrefix(PCXSTR pszPrefix) const;
+  BOOL IsRelative() const;
+  BOOL IsRoot() const;
+  BOOL IsSameRoot(PCXSTR pszOther) const;
+  BOOL IsUNC() const;
+  BOOL IsUNCServer() const;
+  BOOL IsUNCServerShare() const;
+  BOOL MakePretty();
+  BOOL MatchSpec(PCXSTR pszSpec) const;
+  void QuoteSpaces();
+  BOOL RelativePathTo(
+      PCXSTR pszFrom,
+      DWORD dwAttrFrom,
+      PCXSTR pszTo,
+      DWORD dwAttrTo);
+  void RemoveArgs();
+  void RemoveBackslash();
+  void RemoveBlanks();
+  void RemoveExtension();
+  BOOL RemoveFileSpec();
+  BOOL RenameExtension(PCXSTR pszExtension);
+  int SkipRoot() const;
+  void StripPath();
+  BOOL StripToRoot();
+  void UnquoteSpaces();
+  operator const StringType&() const throw();
+  operator PCXSTR() const throw();
+  operator StringType&() throw();
+  CPathT<StringType>& operator+=(PCXSTR pszMore);
+  
+  StringType m_strPath;
+};
+
+using CPath = CPathT<char*>;
+
+void test_CPathT() {
+  char* x = indirect_source<char>();
+  CPath p(x);
+  sink(static_cast<char*>(p)); // $ MISSING: ir
+  sink(p.m_strPath); // $ ir
+
+  CPath p2(p);
+  sink(p2.m_strPath); // $ ir
+
+  {
+    CPath p;
+    p.AddExtension(x);
+    sink(p.m_strPath); // $ ir
+  }
+  {
+    CPath p;
+    p.Append(x);
+    sink(p.m_strPath); // $ ir
+
+    CPath p2;
+    p2 += p;
+    sink(p2.m_strPath); // $ MISSING: ir // this requires flow through `operator StringType&()` which we can't yet model in MaD
+
+    CPath p3;
+    p3 += x;
+    sink(p3.m_strPath); // $ ir
+  }
+
+  {
+    CPath p;
+    p.Combine(x, nullptr);
+    sink(p.m_strPath); // $ ir
+  }
+  {
+    CPath p;
+    p.Combine(nullptr, x);
+    sink(p.m_strPath); // $ ir
+  }
+
+  {
+    CPath p;
+    auto p2 = p.CommonPrefix(x);
+    sink(p2.m_strPath); // $ ir
+    sink(p2.GetExtension()); // $ ir
+  }
+}
+
+template <class T>
+struct CSimpleArray {
+  CSimpleArray(const CSimpleArray<T>& src);
+  CSimpleArray();
+  ~CSimpleArray();
+
+  BOOL Add(const T& t);
+  int Find(const T& t) const;
+  T* GetData() const;
+  int GetSize() const;
+  BOOL Remove(const T& t);
+  void RemoveAll();
+  BOOL RemoveAt(int nIndex);
+  
+  BOOL SetAtIndex(
+    int nIndex,
+    const T& t);
+  
+  T& operator[](int nindex);
+  CSimpleArray<T> & operator=(const CSimpleArray<T>& src);
+};
+
+void test_CSimpleArray() {
+  int x = source<int>();
+  {
+    CSimpleArray<int> a;
+    a.Add(x);
+    sink(a[0]); // $ ir
+    a.Add(0);
+    sink(a[0]); // $ ir
+
+    CSimpleArray<int> a2;
+    sink(a2[0]);
+    a2 = a;
+    sink(a2[0]); // $ ir
+  }
+  {
+    CSimpleArray<int> a;
+    a.Add(x);
+    sink(a.GetData()); // $ ir
+
+    CSimpleArray<int> a2;
+    int pos = a2.Find(x);
+    sink(a2[pos]); // $ MISSING: ir
+  }
+}
+
+template <class TKey, class TVal>
+struct CSimpleMap {
+  CSimpleMap();
+  ~CSimpleMap();
+
+  BOOL Add(const TKey& key, const TVal& val);
+  int FindKey(const TKey& key) const;
+  int FindVal(const TVal& val) const;
+  TKey& GetKeyAt(int nIndex) const;
+  int GetSize() const;
+  TVal& GetValueAt(int nIndex) const;
+  TVal Lookup(const TKey& key) const;
+  BOOL Remove(const TKey& key);
+  void RemoveAll();
+  BOOL RemoveAt(int nIndex);
+  TKey ReverseLookup(const TVal& val) const;
+  BOOL SetAt(const TKey& key, const TVal& val);
+  BOOL SetAtIndex(int nIndex, const TKey& key, const TVal& val);
+};
+
+void test_CSimpleMap() {
+  wchar_t* x = source<wchar_t*>();
+  {
+    CSimpleMap<char*, wchar_t*> a;
+    a.Add("hello", x);
+    sink(a.Lookup("hello")); // $ ir
+  }
+  {
+    CSimpleMap<char*, wchar_t*> a;
+    auto pos = a.FindKey("hello");
+    sink(a.GetValueAt(pos)); // clean
+  }
+  {
+    CSimpleMap<char*, wchar_t*> a;
+    auto pos = a.FindVal(x);
+    sink(a.GetValueAt(pos)); // $ MISSING: ir
+  }
+  {
+    CSimpleMap<char*, wchar_t*> a;
+    auto key = a.ReverseLookup(x);
+    sink(key);
+    sink(a.Lookup(key)); // $ MISSING: ir
+  }
+  {
+    CSimpleMap<char*, wchar_t*> a;
+    a.SetAt("hello", x);
+    sink(a.Lookup("hello")); // $ ir
+  }
+  {
+    CSimpleMap<char*, wchar_t*> a;
+    a.SetAtIndex(0, "hello", x);
+    sink(a.Lookup("hello")); // $ ir
+  }
+}
+
+struct CUrl {
+  CUrl& operator= (const CUrl& urlThat) throw();
+  CUrl() throw();
+  CUrl(const CUrl& urlThat) throw();
+  ~CUrl() throw();
+
+  inline BOOL Canonicalize(DWORD dwFlags) throw();
+  inline void Clear() throw();
+
+  BOOL CrackUrl(LPCTSTR lpszUrl, DWORD dwFlags) throw();
+  inline BOOL CreateUrl(LPTSTR lpszUrl, DWORD* pdwMaxLength, DWORD dwFlags) const throw();
+
+  inline LPCTSTR GetExtraInfo() const throw();
+  inline DWORD GetExtraInfoLength() const throw();
+  inline LPCTSTR GetHostName() const throw();
+  inline DWORD GetHostNameLength() const throw();
+  inline LPCTSTR GetPassword() const throw();
+  inline DWORD GetPasswordLength() const throw();
+  inline ATL_URL_PORT GetPortNumber() const throw();
+  inline ATL_URL_SCHEME GetScheme() const throw();
+  inline LPCTSTR GetSchemeName() const throw();
+  inline DWORD GetSchemeNameLength() const throw();
+  inline DWORD GetUrlLength() const throw();
+  inline LPCTSTR GetUrlPath() const throw();
+  inline DWORD GetUrlPathLength() const throw();
+  inline LPCTSTR GetUserName() const throw();
+  inline DWORD GetUserNameLength() const throw();
+  inline BOOL SetExtraInfo(LPCTSTR lpszInfo) throw();
+  inline BOOL SetHostName(LPCTSTR lpszHost) throw();
+  inline BOOL SetPassword(LPCTSTR lpszPass) throw();
+  inline BOOL SetPortNumber(ATL_URL_PORT nPrt) throw();
+  inline BOOL SetScheme(ATL_URL_SCHEME nScheme) throw();
+  inline BOOL SetSchemeName(LPCTSTR lpszSchm) throw();
+  inline BOOL SetUrlPath(LPCTSTR lpszPath) throw();
+  inline BOOL SetUserName(LPCTSTR lpszUser) throw();
+};
+
+void test_CUrl() {
+  char* x = indirect_source<char>();
+  CUrl url;
+  url.CrackUrl(x, 0);
+  sink(url); // $ ir
+  sink(url.GetExtraInfo()); // $ ir
+  sink(url.GetHostName()); // $ ir
+  sink(url.GetPassword()); // $ ir
+  sink(url.GetSchemeName()); // $ ir
+  sink(url.GetUrlPath()); // $ ir
+  sink(url.GetUserName()); // $ ir
+
+  {
+    CUrl url2;
+    DWORD len;
+    char buffer[1024];
+    url2.CrackUrl(x, 0);
+    url2.CreateUrl(buffer, &len, 0);
+    sink(buffer); // $ ast ir
+  }
+  {
+    CUrl url2;
+    url2.SetExtraInfo(x);
+    sink(url2); // $ ir
+  }
+  {
+    CUrl url2;
+    url2.SetHostName(x);
+    sink(url2); // $ ir
+  }
+  {
+    CUrl url2;
+    url2.SetPassword(x);
+    sink(url2); // $ ir
+  }
+  {
+    CUrl url2;
+    url2.SetSchemeName(x);
+    sink(url2); // $ ir
+  }
+  {
+    CUrl url2;
+    url2.SetUrlPath(x);
+    sink(url2); // $ ir
+  }
+  {
+    CUrl url2;
+    url2.SetUserName(x);
+    sink(url2); // $ ir
+  }
+}

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -140,6 +140,812 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | arrayassignment.cpp:145:12:145:12 | 5 | arrayassignment.cpp:145:7:145:13 | access to array | TAINT |
 | arrayassignment.cpp:146:7:146:10 | arr3 | arrayassignment.cpp:146:7:146:13 | access to array |  |
 | arrayassignment.cpp:146:12:146:12 | 5 | arrayassignment.cpp:146:7:146:13 | access to array | TAINT |
+| atl.cpp:33:30:33:30 | 1 | atl.cpp:33:29:33:30 | - ... | TAINT |
+| atl.cpp:77:14:77:25 | call to source | atl.cpp:78:21:78:21 | x |  |
+| atl.cpp:78:21:78:21 | x | atl.cpp:78:21:78:22 | call to _U_STRINGorID | TAINT |
+| atl.cpp:78:21:78:22 | call to _U_STRINGorID | atl.cpp:79:10:79:10 | u |  |
+| atl.cpp:83:17:83:43 | call to indirect_source | atl.cpp:84:21:84:21 | y |  |
+| atl.cpp:84:21:84:21 | y | atl.cpp:84:21:84:22 | call to _U_STRINGorID | TAINT |
+| atl.cpp:84:21:84:22 | call to _U_STRINGorID | atl.cpp:85:10:85:10 | u |  |
+| atl.cpp:104:15:104:35 | call to indirect_source | atl.cpp:105:19:105:19 | x |  |
+| atl.cpp:105:19:105:19 | x | atl.cpp:105:19:105:20 | call to CA2AEX | TAINT |
+| atl.cpp:105:19:105:20 | call to CA2AEX | atl.cpp:106:29:106:29 | a |  |
+| atl.cpp:105:19:105:20 | call to CA2AEX | atl.cpp:107:10:107:10 | a |  |
+| atl.cpp:105:19:105:20 | call to CA2AEX | atl.cpp:108:10:108:10 | a |  |
+| atl.cpp:105:19:105:20 | call to CA2AEX | atl.cpp:109:3:109:3 | a |  |
+| atl.cpp:106:29:106:29 | ref arg a | atl.cpp:107:10:107:10 | a |  |
+| atl.cpp:106:29:106:29 | ref arg a | atl.cpp:108:10:108:10 | a |  |
+| atl.cpp:106:29:106:29 | ref arg a | atl.cpp:109:3:109:3 | a |  |
+| atl.cpp:107:10:107:10 | a [post update] | atl.cpp:108:10:108:10 | a |  |
+| atl.cpp:107:10:107:10 | a [post update] | atl.cpp:109:3:109:3 | a |  |
+| atl.cpp:108:10:108:10 | a [post update] | atl.cpp:109:3:109:3 | a |  |
+| atl.cpp:112:15:112:35 | call to indirect_source | atl.cpp:113:19:113:19 | x |  |
+| atl.cpp:113:19:113:23 | call to CA2AEX | atl.cpp:114:29:114:29 | a |  |
+| atl.cpp:113:19:113:23 | call to CA2AEX | atl.cpp:115:10:115:10 | a |  |
+| atl.cpp:113:19:113:23 | call to CA2AEX | atl.cpp:116:10:116:10 | a |  |
+| atl.cpp:113:19:113:23 | call to CA2AEX | atl.cpp:117:3:117:3 | a |  |
+| atl.cpp:114:29:114:29 | ref arg a | atl.cpp:115:10:115:10 | a |  |
+| atl.cpp:114:29:114:29 | ref arg a | atl.cpp:116:10:116:10 | a |  |
+| atl.cpp:114:29:114:29 | ref arg a | atl.cpp:117:3:117:3 | a |  |
+| atl.cpp:115:10:115:10 | a [post update] | atl.cpp:116:10:116:10 | a |  |
+| atl.cpp:115:10:115:10 | a [post update] | atl.cpp:117:3:117:3 | a |  |
+| atl.cpp:116:10:116:10 | a [post update] | atl.cpp:117:3:117:3 | a |  |
+| atl.cpp:130:14:130:34 | call to indirect_source | atl.cpp:132:20:132:20 | x |  |
+| atl.cpp:130:14:130:34 | call to indirect_source | atl.cpp:138:20:138:20 | x |  |
+| atl.cpp:132:20:132:20 | x | atl.cpp:132:20:132:21 | call to CA2CAEX | TAINT |
+| atl.cpp:132:20:132:21 | call to CA2CAEX | atl.cpp:133:30:133:30 | a |  |
+| atl.cpp:132:20:132:21 | call to CA2CAEX | atl.cpp:134:10:134:10 | a |  |
+| atl.cpp:132:20:132:21 | call to CA2CAEX | atl.cpp:135:10:135:10 | a |  |
+| atl.cpp:132:20:132:21 | call to CA2CAEX | atl.cpp:136:3:136:3 | a |  |
+| atl.cpp:138:20:138:24 | call to CA2CAEX | atl.cpp:139:30:139:30 | a |  |
+| atl.cpp:138:20:138:24 | call to CA2CAEX | atl.cpp:140:10:140:10 | a |  |
+| atl.cpp:138:20:138:24 | call to CA2CAEX | atl.cpp:141:10:141:10 | a |  |
+| atl.cpp:138:20:138:24 | call to CA2CAEX | atl.cpp:142:3:142:3 | a |  |
+| atl.cpp:156:14:156:34 | call to indirect_source | atl.cpp:158:19:158:19 | x |  |
+| atl.cpp:156:14:156:34 | call to indirect_source | atl.cpp:164:19:164:19 | x |  |
+| atl.cpp:158:19:158:19 | x | atl.cpp:158:19:158:20 | call to CA2WEX | TAINT |
+| atl.cpp:158:19:158:20 | call to CA2WEX | atl.cpp:159:30:159:30 | a |  |
+| atl.cpp:158:19:158:20 | call to CA2WEX | atl.cpp:160:10:160:10 | a |  |
+| atl.cpp:158:19:158:20 | call to CA2WEX | atl.cpp:161:10:161:10 | a |  |
+| atl.cpp:158:19:158:20 | call to CA2WEX | atl.cpp:162:3:162:3 | a |  |
+| atl.cpp:159:30:159:30 | ref arg a | atl.cpp:160:10:160:10 | a |  |
+| atl.cpp:159:30:159:30 | ref arg a | atl.cpp:161:10:161:10 | a |  |
+| atl.cpp:159:30:159:30 | ref arg a | atl.cpp:162:3:162:3 | a |  |
+| atl.cpp:160:10:160:10 | a [post update] | atl.cpp:161:10:161:10 | a |  |
+| atl.cpp:160:10:160:10 | a [post update] | atl.cpp:162:3:162:3 | a |  |
+| atl.cpp:160:12:160:16 | ref arg m_psz | atl.cpp:161:12:161:16 | m_psz |  |
+| atl.cpp:161:10:161:10 | a [post update] | atl.cpp:162:3:162:3 | a |  |
+| atl.cpp:164:19:164:23 | call to CA2WEX | atl.cpp:165:30:165:30 | a |  |
+| atl.cpp:164:19:164:23 | call to CA2WEX | atl.cpp:166:10:166:10 | a |  |
+| atl.cpp:164:19:164:23 | call to CA2WEX | atl.cpp:167:10:167:10 | a |  |
+| atl.cpp:164:19:164:23 | call to CA2WEX | atl.cpp:168:3:168:3 | a |  |
+| atl.cpp:165:30:165:30 | ref arg a | atl.cpp:166:10:166:10 | a |  |
+| atl.cpp:165:30:165:30 | ref arg a | atl.cpp:167:10:167:10 | a |  |
+| atl.cpp:165:30:165:30 | ref arg a | atl.cpp:168:3:168:3 | a |  |
+| atl.cpp:166:10:166:10 | a [post update] | atl.cpp:167:10:167:10 | a |  |
+| atl.cpp:166:10:166:10 | a [post update] | atl.cpp:168:3:168:3 | a |  |
+| atl.cpp:166:12:166:16 | ref arg m_psz | atl.cpp:167:12:167:16 | m_psz |  |
+| atl.cpp:167:10:167:10 | a [post update] | atl.cpp:168:3:168:3 | a |  |
+| atl.cpp:216:11:216:21 | call to source | atl.cpp:220:11:220:11 | x |  |
+| atl.cpp:219:20:219:20 | call to CAtlArray | atl.cpp:220:5:220:5 | a |  |
+| atl.cpp:219:20:219:20 | call to CAtlArray | atl.cpp:221:10:221:10 | a |  |
+| atl.cpp:219:20:219:20 | call to CAtlArray | atl.cpp:222:5:222:5 | a |  |
+| atl.cpp:219:20:219:20 | call to CAtlArray | atl.cpp:223:10:223:10 | a |  |
+| atl.cpp:219:20:219:20 | call to CAtlArray | atl.cpp:227:15:227:15 | a |  |
+| atl.cpp:219:20:219:20 | call to CAtlArray | atl.cpp:242:3:242:3 | a |  |
+| atl.cpp:220:5:220:5 | ref arg a | atl.cpp:221:10:221:10 | a |  |
+| atl.cpp:220:5:220:5 | ref arg a | atl.cpp:222:5:222:5 | a |  |
+| atl.cpp:220:5:220:5 | ref arg a | atl.cpp:223:10:223:10 | a |  |
+| atl.cpp:220:5:220:5 | ref arg a | atl.cpp:227:15:227:15 | a |  |
+| atl.cpp:220:5:220:5 | ref arg a | atl.cpp:242:3:242:3 | a |  |
+| atl.cpp:221:10:221:10 | ref arg a | atl.cpp:222:5:222:5 | a |  |
+| atl.cpp:221:10:221:10 | ref arg a | atl.cpp:223:10:223:10 | a |  |
+| atl.cpp:221:10:221:10 | ref arg a | atl.cpp:227:15:227:15 | a |  |
+| atl.cpp:221:10:221:10 | ref arg a | atl.cpp:242:3:242:3 | a |  |
+| atl.cpp:222:5:222:5 | ref arg a | atl.cpp:223:10:223:10 | a |  |
+| atl.cpp:222:5:222:5 | ref arg a | atl.cpp:227:15:227:15 | a |  |
+| atl.cpp:222:5:222:5 | ref arg a | atl.cpp:242:3:242:3 | a |  |
+| atl.cpp:223:10:223:10 | ref arg a | atl.cpp:227:15:227:15 | a |  |
+| atl.cpp:223:10:223:10 | ref arg a | atl.cpp:242:3:242:3 | a |  |
+| atl.cpp:225:20:225:21 | call to CAtlArray | atl.cpp:226:10:226:11 | a2 |  |
+| atl.cpp:225:20:225:21 | call to CAtlArray | atl.cpp:227:5:227:6 | a2 |  |
+| atl.cpp:225:20:225:21 | call to CAtlArray | atl.cpp:228:10:228:11 | a2 |  |
+| atl.cpp:225:20:225:21 | call to CAtlArray | atl.cpp:232:13:232:14 | a2 |  |
+| atl.cpp:225:20:225:21 | call to CAtlArray | atl.cpp:242:3:242:3 | a2 |  |
+| atl.cpp:226:10:226:11 | ref arg a2 | atl.cpp:227:5:227:6 | a2 |  |
+| atl.cpp:226:10:226:11 | ref arg a2 | atl.cpp:228:10:228:11 | a2 |  |
+| atl.cpp:226:10:226:11 | ref arg a2 | atl.cpp:232:13:232:14 | a2 |  |
+| atl.cpp:226:10:226:11 | ref arg a2 | atl.cpp:242:3:242:3 | a2 |  |
+| atl.cpp:227:5:227:6 | ref arg a2 | atl.cpp:228:10:228:11 | a2 |  |
+| atl.cpp:227:5:227:6 | ref arg a2 | atl.cpp:232:13:232:14 | a2 |  |
+| atl.cpp:227:5:227:6 | ref arg a2 | atl.cpp:242:3:242:3 | a2 |  |
+| atl.cpp:228:10:228:11 | ref arg a2 | atl.cpp:232:13:232:14 | a2 |  |
+| atl.cpp:228:10:228:11 | ref arg a2 | atl.cpp:242:3:242:3 | a2 |  |
+| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:231:10:231:11 | a3 |  |
+| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:232:5:232:6 | a3 |  |
+| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:233:10:233:11 | a3 |  |
+| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:235:10:235:11 | a3 |  |
+| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:236:11:236:12 | a3 |  |
+| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:240:26:240:27 | a3 |  |
+| atl.cpp:230:20:230:21 | call to CAtlArray | atl.cpp:242:3:242:3 | a3 |  |
+| atl.cpp:231:10:231:11 | ref arg a3 | atl.cpp:232:5:232:6 | a3 |  |
+| atl.cpp:231:10:231:11 | ref arg a3 | atl.cpp:233:10:233:11 | a3 |  |
+| atl.cpp:231:10:231:11 | ref arg a3 | atl.cpp:235:10:235:11 | a3 |  |
+| atl.cpp:231:10:231:11 | ref arg a3 | atl.cpp:236:11:236:12 | a3 |  |
+| atl.cpp:231:10:231:11 | ref arg a3 | atl.cpp:240:26:240:27 | a3 |  |
+| atl.cpp:231:10:231:11 | ref arg a3 | atl.cpp:242:3:242:3 | a3 |  |
+| atl.cpp:232:5:232:6 | ref arg a3 | atl.cpp:233:10:233:11 | a3 |  |
+| atl.cpp:232:5:232:6 | ref arg a3 | atl.cpp:235:10:235:11 | a3 |  |
+| atl.cpp:232:5:232:6 | ref arg a3 | atl.cpp:236:11:236:12 | a3 |  |
+| atl.cpp:232:5:232:6 | ref arg a3 | atl.cpp:240:26:240:27 | a3 |  |
+| atl.cpp:232:5:232:6 | ref arg a3 | atl.cpp:242:3:242:3 | a3 |  |
+| atl.cpp:233:10:233:11 | ref arg a3 | atl.cpp:235:10:235:11 | a3 |  |
+| atl.cpp:233:10:233:11 | ref arg a3 | atl.cpp:236:11:236:12 | a3 |  |
+| atl.cpp:233:10:233:11 | ref arg a3 | atl.cpp:240:26:240:27 | a3 |  |
+| atl.cpp:233:10:233:11 | ref arg a3 | atl.cpp:242:3:242:3 | a3 |  |
+| atl.cpp:235:10:235:11 | ref arg a3 | atl.cpp:236:11:236:12 | a3 |  |
+| atl.cpp:235:10:235:11 | ref arg a3 | atl.cpp:240:26:240:27 | a3 |  |
+| atl.cpp:235:10:235:11 | ref arg a3 | atl.cpp:242:3:242:3 | a3 |  |
+| atl.cpp:236:11:236:12 | ref arg a3 | atl.cpp:240:26:240:27 | a3 |  |
+| atl.cpp:236:11:236:12 | ref arg a3 | atl.cpp:242:3:242:3 | a3 |  |
+| atl.cpp:236:14:236:20 | call to GetData | atl.cpp:236:10:236:22 | * ... | TAINT |
+| atl.cpp:238:20:238:21 | call to CAtlArray | atl.cpp:239:10:239:11 | a4 |  |
+| atl.cpp:238:20:238:21 | call to CAtlArray | atl.cpp:240:5:240:6 | a4 |  |
+| atl.cpp:238:20:238:21 | call to CAtlArray | atl.cpp:241:10:241:11 | a4 |  |
+| atl.cpp:238:20:238:21 | call to CAtlArray | atl.cpp:242:3:242:3 | a4 |  |
+| atl.cpp:239:10:239:11 | ref arg a4 | atl.cpp:240:5:240:6 | a4 |  |
+| atl.cpp:239:10:239:11 | ref arg a4 | atl.cpp:241:10:241:11 | a4 |  |
+| atl.cpp:239:10:239:11 | ref arg a4 | atl.cpp:242:3:242:3 | a4 |  |
+| atl.cpp:240:5:240:6 | ref arg a4 | atl.cpp:241:10:241:11 | a4 |  |
+| atl.cpp:240:5:240:6 | ref arg a4 | atl.cpp:242:3:242:3 | a4 |  |
+| atl.cpp:240:26:240:27 | a3 | atl.cpp:240:25:240:27 | & ... |  |
+| atl.cpp:241:10:241:11 | ref arg a4 | atl.cpp:242:3:242:3 | a4 |  |
+| atl.cpp:244:20:244:21 | call to CAtlArray | atl.cpp:245:5:245:6 | a5 |  |
+| atl.cpp:244:20:244:21 | call to CAtlArray | atl.cpp:246:10:246:11 | a5 |  |
+| atl.cpp:244:20:244:21 | call to CAtlArray | atl.cpp:251:3:251:3 | a5 |  |
+| atl.cpp:245:5:245:6 | ref arg a5 | atl.cpp:246:10:246:11 | a5 |  |
+| atl.cpp:245:5:245:6 | ref arg a5 | atl.cpp:251:3:251:3 | a5 |  |
+| atl.cpp:246:10:246:11 | ref arg a5 | atl.cpp:251:3:251:3 | a5 |  |
+| atl.cpp:248:20:248:21 | call to CAtlArray | atl.cpp:249:5:249:6 | a6 |  |
+| atl.cpp:248:20:248:21 | call to CAtlArray | atl.cpp:250:10:250:11 | a6 |  |
+| atl.cpp:248:20:248:21 | call to CAtlArray | atl.cpp:251:3:251:3 | a6 |  |
+| atl.cpp:249:5:249:6 | ref arg a6 | atl.cpp:250:10:250:11 | a6 |  |
+| atl.cpp:249:5:249:6 | ref arg a6 | atl.cpp:251:3:251:3 | a6 |  |
+| atl.cpp:250:10:250:11 | ref arg a6 | atl.cpp:251:3:251:3 | a6 |  |
+| atl.cpp:296:11:296:21 | call to source | atl.cpp:300:18:300:18 | x |  |
+| atl.cpp:296:11:296:21 | call to source | atl.cpp:308:19:308:19 | x |  |
+| atl.cpp:296:11:296:21 | call to source | atl.cpp:317:29:317:29 | x |  |
+| atl.cpp:296:11:296:21 | call to source | atl.cpp:323:21:323:21 | x |  |
+| atl.cpp:296:11:296:21 | call to source | atl.cpp:331:30:331:30 | x |  |
+| atl.cpp:296:11:296:21 | call to source | atl.cpp:338:31:338:31 | x |  |
+| atl.cpp:296:11:296:21 | call to source | atl.cpp:343:44:343:44 | x |  |
+| atl.cpp:298:24:298:25 | 10 | atl.cpp:298:24:298:26 | call to CAtlList | TAINT |
+| atl.cpp:298:24:298:26 | call to CAtlList | atl.cpp:299:10:299:13 | list |  |
+| atl.cpp:298:24:298:26 | call to CAtlList | atl.cpp:300:5:300:8 | list |  |
+| atl.cpp:298:24:298:26 | call to CAtlList | atl.cpp:301:10:301:13 | list |  |
+| atl.cpp:298:24:298:26 | call to CAtlList | atl.cpp:304:24:304:27 | list |  |
+| atl.cpp:298:24:298:26 | call to CAtlList | atl.cpp:346:3:346:3 | list |  |
+| atl.cpp:299:10:299:13 | ref arg list | atl.cpp:300:5:300:8 | list |  |
+| atl.cpp:299:10:299:13 | ref arg list | atl.cpp:301:10:301:13 | list |  |
+| atl.cpp:299:10:299:13 | ref arg list | atl.cpp:304:24:304:27 | list |  |
+| atl.cpp:299:10:299:13 | ref arg list | atl.cpp:346:3:346:3 | list |  |
+| atl.cpp:300:5:300:8 | ref arg list | atl.cpp:301:10:301:13 | list |  |
+| atl.cpp:300:5:300:8 | ref arg list | atl.cpp:304:24:304:27 | list |  |
+| atl.cpp:300:5:300:8 | ref arg list | atl.cpp:346:3:346:3 | list |  |
+| atl.cpp:301:10:301:13 | ref arg list | atl.cpp:304:24:304:27 | list |  |
+| atl.cpp:301:10:301:13 | ref arg list | atl.cpp:346:3:346:3 | list |  |
+| atl.cpp:303:25:303:26 | 10 | atl.cpp:303:25:303:27 | call to CAtlList | TAINT |
+| atl.cpp:303:25:303:27 | call to CAtlList | atl.cpp:304:5:304:9 | list2 |  |
+| atl.cpp:303:25:303:27 | call to CAtlList | atl.cpp:305:10:305:14 | list2 |  |
+| atl.cpp:303:25:303:27 | call to CAtlList | atl.cpp:346:3:346:3 | list2 |  |
+| atl.cpp:304:5:304:9 | ref arg list2 | atl.cpp:305:10:305:14 | list2 |  |
+| atl.cpp:304:5:304:9 | ref arg list2 | atl.cpp:346:3:346:3 | list2 |  |
+| atl.cpp:304:24:304:27 | list | atl.cpp:304:23:304:27 | & ... |  |
+| atl.cpp:305:10:305:14 | ref arg list2 | atl.cpp:346:3:346:3 | list2 |  |
+| atl.cpp:307:25:307:26 | 10 | atl.cpp:307:25:307:27 | call to CAtlList | TAINT |
+| atl.cpp:307:25:307:27 | call to CAtlList | atl.cpp:308:5:308:9 | list3 |  |
+| atl.cpp:307:25:307:27 | call to CAtlList | atl.cpp:309:10:309:14 | list3 |  |
+| atl.cpp:307:25:307:27 | call to CAtlList | atl.cpp:312:24:312:28 | list3 |  |
+| atl.cpp:307:25:307:27 | call to CAtlList | atl.cpp:346:3:346:3 | list3 |  |
+| atl.cpp:308:5:308:9 | ref arg list3 | atl.cpp:309:10:309:14 | list3 |  |
+| atl.cpp:308:5:308:9 | ref arg list3 | atl.cpp:312:24:312:28 | list3 |  |
+| atl.cpp:308:5:308:9 | ref arg list3 | atl.cpp:346:3:346:3 | list3 |  |
+| atl.cpp:309:10:309:14 | ref arg list3 | atl.cpp:312:24:312:28 | list3 |  |
+| atl.cpp:309:10:309:14 | ref arg list3 | atl.cpp:346:3:346:3 | list3 |  |
+| atl.cpp:311:25:311:26 | 10 | atl.cpp:311:25:311:27 | call to CAtlList | TAINT |
+| atl.cpp:311:25:311:27 | call to CAtlList | atl.cpp:312:5:312:9 | list4 |  |
+| atl.cpp:311:25:311:27 | call to CAtlList | atl.cpp:313:10:313:14 | list4 |  |
+| atl.cpp:311:25:311:27 | call to CAtlList | atl.cpp:346:3:346:3 | list4 |  |
+| atl.cpp:312:5:312:9 | ref arg list4 | atl.cpp:313:10:313:14 | list4 |  |
+| atl.cpp:312:5:312:9 | ref arg list4 | atl.cpp:346:3:346:3 | list4 |  |
+| atl.cpp:312:24:312:28 | list3 | atl.cpp:312:23:312:28 | & ... |  |
+| atl.cpp:313:10:313:14 | ref arg list4 | atl.cpp:346:3:346:3 | list4 |  |
+| atl.cpp:316:27:316:28 | 10 | atl.cpp:316:27:316:29 | call to CAtlList | TAINT |
+| atl.cpp:316:27:316:29 | call to CAtlList | atl.cpp:317:18:317:22 | list5 |  |
+| atl.cpp:316:27:316:29 | call to CAtlList | atl.cpp:317:32:317:36 | list5 |  |
+| atl.cpp:316:27:316:29 | call to CAtlList | atl.cpp:318:12:318:16 | list5 |  |
+| atl.cpp:316:27:316:29 | call to CAtlList | atl.cpp:319:5:319:5 | list5 |  |
+| atl.cpp:317:18:317:22 | ref arg list5 | atl.cpp:318:12:318:16 | list5 |  |
+| atl.cpp:317:18:317:22 | ref arg list5 | atl.cpp:319:5:319:5 | list5 |  |
+| atl.cpp:317:24:317:27 | call to Find | atl.cpp:318:24:318:26 | pos |  |
+| atl.cpp:317:32:317:36 | ref arg list5 | atl.cpp:317:18:317:22 | list5 |  |
+| atl.cpp:317:32:317:36 | ref arg list5 | atl.cpp:318:12:318:16 | list5 |  |
+| atl.cpp:317:32:317:36 | ref arg list5 | atl.cpp:319:5:319:5 | list5 |  |
+| atl.cpp:318:12:318:16 | ref arg list5 | atl.cpp:319:5:319:5 | list5 |  |
+| atl.cpp:322:27:322:28 | 10 | atl.cpp:322:27:322:29 | call to CAtlList | TAINT |
+| atl.cpp:322:27:322:29 | call to CAtlList | atl.cpp:323:7:323:11 | list6 |  |
+| atl.cpp:322:27:322:29 | call to CAtlList | atl.cpp:324:18:324:22 | list6 |  |
+| atl.cpp:322:27:322:29 | call to CAtlList | atl.cpp:325:12:325:16 | list6 |  |
+| atl.cpp:322:27:322:29 | call to CAtlList | atl.cpp:326:5:326:5 | list6 |  |
+| atl.cpp:323:7:323:11 | ref arg list6 | atl.cpp:324:18:324:22 | list6 |  |
+| atl.cpp:323:7:323:11 | ref arg list6 | atl.cpp:325:12:325:16 | list6 |  |
+| atl.cpp:323:7:323:11 | ref arg list6 | atl.cpp:326:5:326:5 | list6 |  |
+| atl.cpp:324:18:324:22 | ref arg list6 | atl.cpp:325:12:325:16 | list6 |  |
+| atl.cpp:324:18:324:22 | ref arg list6 | atl.cpp:326:5:326:5 | list6 |  |
+| atl.cpp:324:24:324:32 | call to FindIndex | atl.cpp:325:24:325:26 | pos |  |
+| atl.cpp:325:12:325:16 | ref arg list6 | atl.cpp:326:5:326:5 | list6 |  |
+| atl.cpp:329:27:329:28 | 10 | atl.cpp:329:27:329:29 | call to CAtlList | TAINT |
+| atl.cpp:329:27:329:29 | call to CAtlList | atl.cpp:330:18:330:22 | list7 |  |
+| atl.cpp:329:27:329:29 | call to CAtlList | atl.cpp:331:7:331:11 | list7 |  |
+| atl.cpp:329:27:329:29 | call to CAtlList | atl.cpp:332:12:332:16 | list7 |  |
+| atl.cpp:329:27:329:29 | call to CAtlList | atl.cpp:333:5:333:5 | list7 |  |
+| atl.cpp:330:18:330:22 | ref arg list7 | atl.cpp:331:7:331:11 | list7 |  |
+| atl.cpp:330:18:330:22 | ref arg list7 | atl.cpp:332:12:332:16 | list7 |  |
+| atl.cpp:330:18:330:22 | ref arg list7 | atl.cpp:333:5:333:5 | list7 |  |
+| atl.cpp:330:24:330:38 | call to GetTailPosition | atl.cpp:331:25:331:27 | pos |  |
+| atl.cpp:331:7:331:11 | ref arg list7 | atl.cpp:332:12:332:16 | list7 |  |
+| atl.cpp:331:7:331:11 | ref arg list7 | atl.cpp:333:5:333:5 | list7 |  |
+| atl.cpp:332:12:332:16 | ref arg list7 | atl.cpp:333:5:333:5 | list7 |  |
+| atl.cpp:336:27:336:28 | 10 | atl.cpp:336:27:336:29 | call to CAtlList | TAINT |
+| atl.cpp:336:27:336:29 | call to CAtlList | atl.cpp:337:18:337:22 | list8 |  |
+| atl.cpp:336:27:336:29 | call to CAtlList | atl.cpp:338:7:338:11 | list8 |  |
+| atl.cpp:336:27:336:29 | call to CAtlList | atl.cpp:339:12:339:16 | list8 |  |
+| atl.cpp:336:27:336:29 | call to CAtlList | atl.cpp:340:5:340:5 | list8 |  |
+| atl.cpp:337:18:337:22 | ref arg list8 | atl.cpp:338:7:338:11 | list8 |  |
+| atl.cpp:337:18:337:22 | ref arg list8 | atl.cpp:339:12:339:16 | list8 |  |
+| atl.cpp:337:18:337:22 | ref arg list8 | atl.cpp:340:5:340:5 | list8 |  |
+| atl.cpp:337:24:337:38 | call to GetTailPosition | atl.cpp:338:26:338:28 | pos |  |
+| atl.cpp:338:7:338:11 | ref arg list8 | atl.cpp:339:12:339:16 | list8 |  |
+| atl.cpp:338:7:338:11 | ref arg list8 | atl.cpp:340:5:340:5 | list8 |  |
+| atl.cpp:339:12:339:16 | ref arg list8 | atl.cpp:340:5:340:5 | list8 |  |
+| atl.cpp:342:27:342:28 | 10 | atl.cpp:342:27:342:29 | call to CAtlList | TAINT |
+| atl.cpp:342:27:342:29 | call to CAtlList | atl.cpp:343:7:343:11 | list9 |  |
+| atl.cpp:342:27:342:29 | call to CAtlList | atl.cpp:343:19:343:23 | list9 |  |
+| atl.cpp:342:27:342:29 | call to CAtlList | atl.cpp:344:12:344:16 | list9 |  |
+| atl.cpp:342:27:342:29 | call to CAtlList | atl.cpp:345:5:345:5 | list9 |  |
+| atl.cpp:343:7:343:11 | ref arg list9 | atl.cpp:344:12:344:16 | list9 |  |
+| atl.cpp:343:7:343:11 | ref arg list9 | atl.cpp:345:5:345:5 | list9 |  |
+| atl.cpp:343:19:343:23 | ref arg list9 | atl.cpp:343:7:343:11 | list9 |  |
+| atl.cpp:343:19:343:23 | ref arg list9 | atl.cpp:344:12:344:16 | list9 |  |
+| atl.cpp:343:19:343:23 | ref arg list9 | atl.cpp:345:5:345:5 | list9 |  |
+| atl.cpp:344:12:344:16 | ref arg list9 | atl.cpp:345:5:345:5 | list9 |  |
+| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:352:18:352:18 | p |  |
+| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:360:19:360:19 | p |  |
+| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:369:29:369:29 | p |  |
+| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:375:21:375:21 | p |  |
+| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:383:30:383:30 | p |  |
+| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:390:31:390:31 | p |  |
+| atl.cpp:348:12:348:31 | call to indirect_source | atl.cpp:395:44:395:44 | p |  |
+| atl.cpp:350:25:350:26 | 10 | atl.cpp:350:25:350:27 | call to CAtlList | TAINT |
+| atl.cpp:350:25:350:27 | call to CAtlList | atl.cpp:351:10:351:13 | list |  |
+| atl.cpp:350:25:350:27 | call to CAtlList | atl.cpp:352:5:352:8 | list |  |
+| atl.cpp:350:25:350:27 | call to CAtlList | atl.cpp:353:10:353:13 | list |  |
+| atl.cpp:350:25:350:27 | call to CAtlList | atl.cpp:356:24:356:27 | list |  |
+| atl.cpp:350:25:350:27 | call to CAtlList | atl.cpp:398:3:398:3 | list |  |
+| atl.cpp:351:10:351:13 | ref arg list | atl.cpp:352:5:352:8 | list |  |
+| atl.cpp:351:10:351:13 | ref arg list | atl.cpp:353:10:353:13 | list |  |
+| atl.cpp:351:10:351:13 | ref arg list | atl.cpp:356:24:356:27 | list |  |
+| atl.cpp:351:10:351:13 | ref arg list | atl.cpp:398:3:398:3 | list |  |
+| atl.cpp:352:5:352:8 | ref arg list | atl.cpp:353:10:353:13 | list |  |
+| atl.cpp:352:5:352:8 | ref arg list | atl.cpp:356:24:356:27 | list |  |
+| atl.cpp:352:5:352:8 | ref arg list | atl.cpp:398:3:398:3 | list |  |
+| atl.cpp:353:10:353:13 | ref arg list | atl.cpp:356:24:356:27 | list |  |
+| atl.cpp:353:10:353:13 | ref arg list | atl.cpp:398:3:398:3 | list |  |
+| atl.cpp:355:26:355:27 | 10 | atl.cpp:355:26:355:28 | call to CAtlList | TAINT |
+| atl.cpp:355:26:355:28 | call to CAtlList | atl.cpp:356:5:356:9 | list2 |  |
+| atl.cpp:355:26:355:28 | call to CAtlList | atl.cpp:357:10:357:14 | list2 |  |
+| atl.cpp:355:26:355:28 | call to CAtlList | atl.cpp:398:3:398:3 | list2 |  |
+| atl.cpp:356:5:356:9 | ref arg list2 | atl.cpp:357:10:357:14 | list2 |  |
+| atl.cpp:356:5:356:9 | ref arg list2 | atl.cpp:398:3:398:3 | list2 |  |
+| atl.cpp:356:24:356:27 | list | atl.cpp:356:23:356:27 | & ... |  |
+| atl.cpp:357:10:357:14 | ref arg list2 | atl.cpp:398:3:398:3 | list2 |  |
+| atl.cpp:359:26:359:27 | 10 | atl.cpp:359:26:359:28 | call to CAtlList | TAINT |
+| atl.cpp:359:26:359:28 | call to CAtlList | atl.cpp:360:5:360:9 | list3 |  |
+| atl.cpp:359:26:359:28 | call to CAtlList | atl.cpp:361:10:361:14 | list3 |  |
+| atl.cpp:359:26:359:28 | call to CAtlList | atl.cpp:364:24:364:28 | list3 |  |
+| atl.cpp:359:26:359:28 | call to CAtlList | atl.cpp:398:3:398:3 | list3 |  |
+| atl.cpp:360:5:360:9 | ref arg list3 | atl.cpp:361:10:361:14 | list3 |  |
+| atl.cpp:360:5:360:9 | ref arg list3 | atl.cpp:364:24:364:28 | list3 |  |
+| atl.cpp:360:5:360:9 | ref arg list3 | atl.cpp:398:3:398:3 | list3 |  |
+| atl.cpp:361:10:361:14 | ref arg list3 | atl.cpp:364:24:364:28 | list3 |  |
+| atl.cpp:361:10:361:14 | ref arg list3 | atl.cpp:398:3:398:3 | list3 |  |
+| atl.cpp:363:26:363:27 | 10 | atl.cpp:363:26:363:28 | call to CAtlList | TAINT |
+| atl.cpp:363:26:363:28 | call to CAtlList | atl.cpp:364:5:364:9 | list4 |  |
+| atl.cpp:363:26:363:28 | call to CAtlList | atl.cpp:365:10:365:14 | list4 |  |
+| atl.cpp:363:26:363:28 | call to CAtlList | atl.cpp:398:3:398:3 | list4 |  |
+| atl.cpp:364:5:364:9 | ref arg list4 | atl.cpp:365:10:365:14 | list4 |  |
+| atl.cpp:364:5:364:9 | ref arg list4 | atl.cpp:398:3:398:3 | list4 |  |
+| atl.cpp:364:24:364:28 | list3 | atl.cpp:364:23:364:28 | & ... |  |
+| atl.cpp:365:10:365:14 | ref arg list4 | atl.cpp:398:3:398:3 | list4 |  |
+| atl.cpp:368:28:368:29 | 10 | atl.cpp:368:28:368:30 | call to CAtlList | TAINT |
+| atl.cpp:368:28:368:30 | call to CAtlList | atl.cpp:369:18:369:22 | list5 |  |
+| atl.cpp:368:28:368:30 | call to CAtlList | atl.cpp:369:32:369:36 | list5 |  |
+| atl.cpp:368:28:368:30 | call to CAtlList | atl.cpp:370:12:370:16 | list5 |  |
+| atl.cpp:368:28:368:30 | call to CAtlList | atl.cpp:371:5:371:5 | list5 |  |
+| atl.cpp:369:18:369:22 | ref arg list5 | atl.cpp:370:12:370:16 | list5 |  |
+| atl.cpp:369:18:369:22 | ref arg list5 | atl.cpp:371:5:371:5 | list5 |  |
+| atl.cpp:369:24:369:27 | call to Find | atl.cpp:370:24:370:26 | pos |  |
+| atl.cpp:369:32:369:36 | ref arg list5 | atl.cpp:369:18:369:22 | list5 |  |
+| atl.cpp:369:32:369:36 | ref arg list5 | atl.cpp:370:12:370:16 | list5 |  |
+| atl.cpp:369:32:369:36 | ref arg list5 | atl.cpp:371:5:371:5 | list5 |  |
+| atl.cpp:370:12:370:16 | ref arg list5 | atl.cpp:371:5:371:5 | list5 |  |
+| atl.cpp:374:28:374:29 | 10 | atl.cpp:374:28:374:30 | call to CAtlList | TAINT |
+| atl.cpp:374:28:374:30 | call to CAtlList | atl.cpp:375:7:375:11 | list6 |  |
+| atl.cpp:374:28:374:30 | call to CAtlList | atl.cpp:376:18:376:22 | list6 |  |
+| atl.cpp:374:28:374:30 | call to CAtlList | atl.cpp:377:12:377:16 | list6 |  |
+| atl.cpp:374:28:374:30 | call to CAtlList | atl.cpp:378:5:378:5 | list6 |  |
+| atl.cpp:375:7:375:11 | ref arg list6 | atl.cpp:376:18:376:22 | list6 |  |
+| atl.cpp:375:7:375:11 | ref arg list6 | atl.cpp:377:12:377:16 | list6 |  |
+| atl.cpp:375:7:375:11 | ref arg list6 | atl.cpp:378:5:378:5 | list6 |  |
+| atl.cpp:376:18:376:22 | ref arg list6 | atl.cpp:377:12:377:16 | list6 |  |
+| atl.cpp:376:18:376:22 | ref arg list6 | atl.cpp:378:5:378:5 | list6 |  |
+| atl.cpp:376:24:376:32 | call to FindIndex | atl.cpp:377:24:377:26 | pos |  |
+| atl.cpp:377:12:377:16 | ref arg list6 | atl.cpp:378:5:378:5 | list6 |  |
+| atl.cpp:381:28:381:29 | 10 | atl.cpp:381:28:381:30 | call to CAtlList | TAINT |
+| atl.cpp:381:28:381:30 | call to CAtlList | atl.cpp:382:18:382:22 | list7 |  |
+| atl.cpp:381:28:381:30 | call to CAtlList | atl.cpp:383:7:383:11 | list7 |  |
+| atl.cpp:381:28:381:30 | call to CAtlList | atl.cpp:384:12:384:16 | list7 |  |
+| atl.cpp:381:28:381:30 | call to CAtlList | atl.cpp:385:5:385:5 | list7 |  |
+| atl.cpp:382:18:382:22 | ref arg list7 | atl.cpp:383:7:383:11 | list7 |  |
+| atl.cpp:382:18:382:22 | ref arg list7 | atl.cpp:384:12:384:16 | list7 |  |
+| atl.cpp:382:18:382:22 | ref arg list7 | atl.cpp:385:5:385:5 | list7 |  |
+| atl.cpp:382:24:382:38 | call to GetTailPosition | atl.cpp:383:25:383:27 | pos |  |
+| atl.cpp:383:7:383:11 | ref arg list7 | atl.cpp:384:12:384:16 | list7 |  |
+| atl.cpp:383:7:383:11 | ref arg list7 | atl.cpp:385:5:385:5 | list7 |  |
+| atl.cpp:384:12:384:16 | ref arg list7 | atl.cpp:385:5:385:5 | list7 |  |
+| atl.cpp:388:28:388:29 | 10 | atl.cpp:388:28:388:30 | call to CAtlList | TAINT |
+| atl.cpp:388:28:388:30 | call to CAtlList | atl.cpp:389:18:389:22 | list8 |  |
+| atl.cpp:388:28:388:30 | call to CAtlList | atl.cpp:390:7:390:11 | list8 |  |
+| atl.cpp:388:28:388:30 | call to CAtlList | atl.cpp:391:12:391:16 | list8 |  |
+| atl.cpp:388:28:388:30 | call to CAtlList | atl.cpp:392:5:392:5 | list8 |  |
+| atl.cpp:389:18:389:22 | ref arg list8 | atl.cpp:390:7:390:11 | list8 |  |
+| atl.cpp:389:18:389:22 | ref arg list8 | atl.cpp:391:12:391:16 | list8 |  |
+| atl.cpp:389:18:389:22 | ref arg list8 | atl.cpp:392:5:392:5 | list8 |  |
+| atl.cpp:389:24:389:38 | call to GetTailPosition | atl.cpp:390:26:390:28 | pos |  |
+| atl.cpp:390:7:390:11 | ref arg list8 | atl.cpp:391:12:391:16 | list8 |  |
+| atl.cpp:390:7:390:11 | ref arg list8 | atl.cpp:392:5:392:5 | list8 |  |
+| atl.cpp:391:12:391:16 | ref arg list8 | atl.cpp:392:5:392:5 | list8 |  |
+| atl.cpp:394:28:394:29 | 10 | atl.cpp:394:28:394:30 | call to CAtlList | TAINT |
+| atl.cpp:394:28:394:30 | call to CAtlList | atl.cpp:395:7:395:11 | list9 |  |
+| atl.cpp:394:28:394:30 | call to CAtlList | atl.cpp:395:19:395:23 | list9 |  |
+| atl.cpp:394:28:394:30 | call to CAtlList | atl.cpp:396:12:396:16 | list9 |  |
+| atl.cpp:394:28:394:30 | call to CAtlList | atl.cpp:397:5:397:5 | list9 |  |
+| atl.cpp:395:7:395:11 | ref arg list9 | atl.cpp:396:12:396:16 | list9 |  |
+| atl.cpp:395:7:395:11 | ref arg list9 | atl.cpp:397:5:397:5 | list9 |  |
+| atl.cpp:395:19:395:23 | ref arg list9 | atl.cpp:395:7:395:11 | list9 |  |
+| atl.cpp:395:19:395:23 | ref arg list9 | atl.cpp:396:12:396:16 | list9 |  |
+| atl.cpp:395:19:395:23 | ref arg list9 | atl.cpp:397:5:397:5 | list9 |  |
+| atl.cpp:396:12:396:16 | ref arg list9 | atl.cpp:397:5:397:5 | list9 |  |
+| atl.cpp:454:21:454:33 | new | atl.cpp:455:3:455:6 | safe |  |
+| atl.cpp:454:21:454:33 | new | atl.cpp:456:10:456:13 | safe |  |
+| atl.cpp:455:3:455:6 | safe [post update] | atl.cpp:456:10:456:13 | safe |  |
+| atl.cpp:455:3:455:40 | ... = ... | atl.cpp:455:9:455:14 | pvData [post update] |  |
+| atl.cpp:455:18:455:38 | call to indirect_source | atl.cpp:455:3:455:40 | ... = ... |  |
+| atl.cpp:460:13:460:33 | call to indirect_source | atl.cpp:462:16:462:16 | x |  |
+| atl.cpp:460:13:460:33 | call to indirect_source | atl.cpp:469:20:469:20 | x |  |
+| atl.cpp:460:13:460:33 | call to indirect_source | atl.cpp:473:16:473:16 | x |  |
+| atl.cpp:460:13:460:33 | call to indirect_source | atl.cpp:481:11:481:11 | x |  |
+| atl.cpp:460:13:460:33 | call to indirect_source | atl.cpp:495:20:495:20 | x |  |
+| atl.cpp:462:16:462:16 | x | atl.cpp:462:16:462:17 | call to CComBSTR | TAINT |
+| atl.cpp:462:16:462:17 | call to CComBSTR | atl.cpp:463:10:463:10 | b |  |
+| atl.cpp:462:16:462:17 | call to CComBSTR | atl.cpp:465:17:465:17 | b |  |
+| atl.cpp:462:16:462:17 | call to CComBSTR | atl.cpp:467:3:467:3 | b |  |
+| atl.cpp:463:10:463:10 | b [post update] | atl.cpp:465:17:465:17 | b |  |
+| atl.cpp:463:10:463:10 | b [post update] | atl.cpp:467:3:467:3 | b |  |
+| atl.cpp:463:12:463:16 | ref arg m_str | atl.cpp:466:13:466:17 | m_str |  |
+| atl.cpp:465:17:465:17 | b | atl.cpp:465:17:465:18 | call to CComBSTR |  |
+| atl.cpp:465:17:465:18 | call to CComBSTR | atl.cpp:466:10:466:11 | b2 |  |
+| atl.cpp:465:17:465:18 | call to CComBSTR | atl.cpp:467:3:467:3 | b2 |  |
+| atl.cpp:466:10:466:11 | b2 [post update] | atl.cpp:467:3:467:3 | b2 |  |
+| atl.cpp:469:16:469:21 | call to CComBSTR | atl.cpp:470:10:470:10 | b |  |
+| atl.cpp:469:16:469:21 | call to CComBSTR | atl.cpp:471:3:471:3 | b |  |
+| atl.cpp:470:10:470:10 | b [post update] | atl.cpp:471:3:471:3 | b |  |
+| atl.cpp:473:16:473:16 | x | atl.cpp:473:16:473:17 | call to CComBSTR | TAINT |
+| atl.cpp:473:16:473:17 | call to CComBSTR | atl.cpp:477:11:477:11 | b |  |
+| atl.cpp:473:16:473:17 | call to CComBSTR | atl.cpp:513:3:513:3 | b |  |
+| atl.cpp:475:14:475:15 | call to CComBSTR | atl.cpp:476:10:476:11 | b2 |  |
+| atl.cpp:475:14:475:15 | call to CComBSTR | atl.cpp:477:5:477:6 | b2 |  |
+| atl.cpp:475:14:475:15 | call to CComBSTR | atl.cpp:478:10:478:11 | b2 |  |
+| atl.cpp:475:14:475:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b2 |  |
+| atl.cpp:476:10:476:11 | b2 [post update] | atl.cpp:477:5:477:6 | b2 |  |
+| atl.cpp:476:10:476:11 | b2 [post update] | atl.cpp:478:10:478:11 | b2 |  |
+| atl.cpp:476:10:476:11 | b2 [post update] | atl.cpp:513:3:513:3 | b2 |  |
+| atl.cpp:476:13:476:17 | ref arg m_str | atl.cpp:478:13:478:17 | m_str |  |
+| atl.cpp:477:5:477:6 | ref arg b2 | atl.cpp:478:10:478:11 | b2 |  |
+| atl.cpp:477:5:477:6 | ref arg b2 | atl.cpp:513:3:513:3 | b2 |  |
+| atl.cpp:478:10:478:11 | b2 [post update] | atl.cpp:513:3:513:3 | b2 |  |
+| atl.cpp:480:14:480:15 | call to CComBSTR | atl.cpp:481:5:481:6 | b3 |  |
+| atl.cpp:480:14:480:15 | call to CComBSTR | atl.cpp:482:10:482:11 | b3 |  |
+| atl.cpp:480:14:480:15 | call to CComBSTR | atl.cpp:483:28:483:29 | b3 |  |
+| atl.cpp:480:14:480:15 | call to CComBSTR | atl.cpp:484:13:484:14 | b3 |  |
+| atl.cpp:480:14:480:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b3 |  |
+| atl.cpp:481:5:481:6 | ref arg b3 | atl.cpp:482:10:482:11 | b3 |  |
+| atl.cpp:481:5:481:6 | ref arg b3 | atl.cpp:483:28:483:29 | b3 |  |
+| atl.cpp:481:5:481:6 | ref arg b3 | atl.cpp:484:13:484:14 | b3 |  |
+| atl.cpp:481:5:481:6 | ref arg b3 | atl.cpp:513:3:513:3 | b3 |  |
+| atl.cpp:481:11:481:11 | x | atl.cpp:481:11:481:11 | call to CComBSTR | TAINT |
+| atl.cpp:482:10:482:11 | b3 [post update] | atl.cpp:483:28:483:29 | b3 |  |
+| atl.cpp:482:10:482:11 | b3 [post update] | atl.cpp:484:13:484:14 | b3 |  |
+| atl.cpp:482:10:482:11 | b3 [post update] | atl.cpp:513:3:513:3 | b3 |  |
+| atl.cpp:483:28:483:29 | ref arg b3 | atl.cpp:484:13:484:14 | b3 |  |
+| atl.cpp:483:28:483:29 | ref arg b3 | atl.cpp:513:3:513:3 | b3 |  |
+| atl.cpp:484:11:484:14 | * ... | atl.cpp:484:10:484:14 | * ... | TAINT |
+| atl.cpp:484:12:484:12 | call to operator& | atl.cpp:484:11:484:14 | * ... | TAINT |
+| atl.cpp:484:13:484:14 | ref arg b3 | atl.cpp:513:3:513:3 | b3 |  |
+| atl.cpp:486:14:486:15 | call to CComBSTR | atl.cpp:487:5:487:6 | b4 |  |
+| atl.cpp:486:14:486:15 | call to CComBSTR | atl.cpp:488:10:488:11 | b4 |  |
+| atl.cpp:486:14:486:15 | call to CComBSTR | atl.cpp:491:19:491:20 | b4 |  |
+| atl.cpp:486:14:486:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b4 |  |
+| atl.cpp:487:5:487:6 | ref arg b4 | atl.cpp:488:10:488:11 | b4 |  |
+| atl.cpp:487:5:487:6 | ref arg b4 | atl.cpp:491:19:491:20 | b4 |  |
+| atl.cpp:487:5:487:6 | ref arg b4 | atl.cpp:513:3:513:3 | b4 |  |
+| atl.cpp:488:10:488:11 | b4 [post update] | atl.cpp:491:19:491:20 | b4 |  |
+| atl.cpp:488:10:488:11 | b4 [post update] | atl.cpp:513:3:513:3 | b4 |  |
+| atl.cpp:488:13:488:17 | ref arg m_str | atl.cpp:491:22:491:26 | m_str |  |
+| atl.cpp:490:14:490:15 | call to CComBSTR | atl.cpp:491:5:491:6 | b5 |  |
+| atl.cpp:490:14:490:15 | call to CComBSTR | atl.cpp:492:10:492:11 | b5 |  |
+| atl.cpp:490:14:490:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b5 |  |
+| atl.cpp:491:5:491:6 | ref arg b5 | atl.cpp:492:10:492:11 | b5 |  |
+| atl.cpp:491:5:491:6 | ref arg b5 | atl.cpp:513:3:513:3 | b5 |  |
+| atl.cpp:491:19:491:20 | b4 [post update] | atl.cpp:513:3:513:3 | b4 |  |
+| atl.cpp:492:10:492:11 | b5 [post update] | atl.cpp:513:3:513:3 | b5 |  |
+| atl.cpp:494:14:494:15 | call to CComBSTR | atl.cpp:495:5:495:6 | b6 |  |
+| atl.cpp:494:14:494:15 | call to CComBSTR | atl.cpp:496:10:496:11 | b6 |  |
+| atl.cpp:494:14:494:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b6 |  |
+| atl.cpp:495:5:495:6 | ref arg b6 | atl.cpp:496:10:496:11 | b6 |  |
+| atl.cpp:495:5:495:6 | ref arg b6 | atl.cpp:513:3:513:3 | b6 |  |
+| atl.cpp:496:10:496:11 | b6 [post update] | atl.cpp:513:3:513:3 | b6 |  |
+| atl.cpp:498:14:498:15 | call to CComBSTR | atl.cpp:499:5:499:6 | b7 |  |
+| atl.cpp:498:14:498:15 | call to CComBSTR | atl.cpp:500:10:500:11 | b7 |  |
+| atl.cpp:498:14:498:15 | call to CComBSTR | atl.cpp:503:19:503:20 | b7 |  |
+| atl.cpp:498:14:498:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b7 |  |
+| atl.cpp:499:5:499:6 | ref arg b7 | atl.cpp:500:10:500:11 | b7 |  |
+| atl.cpp:499:5:499:6 | ref arg b7 | atl.cpp:503:19:503:20 | b7 |  |
+| atl.cpp:499:5:499:6 | ref arg b7 | atl.cpp:513:3:513:3 | b7 |  |
+| atl.cpp:500:10:500:11 | b7 [post update] | atl.cpp:503:19:503:20 | b7 |  |
+| atl.cpp:500:10:500:11 | b7 [post update] | atl.cpp:513:3:513:3 | b7 |  |
+| atl.cpp:500:13:500:17 | ref arg m_str | atl.cpp:503:22:503:26 | m_str |  |
+| atl.cpp:502:14:502:15 | call to CComBSTR | atl.cpp:503:5:503:6 | b8 |  |
+| atl.cpp:502:14:502:15 | call to CComBSTR | atl.cpp:504:10:504:11 | b8 |  |
+| atl.cpp:502:14:502:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b8 |  |
+| atl.cpp:503:5:503:6 | ref arg b8 | atl.cpp:504:10:504:11 | b8 |  |
+| atl.cpp:503:5:503:6 | ref arg b8 | atl.cpp:513:3:513:3 | b8 |  |
+| atl.cpp:503:19:503:20 | b7 [post update] | atl.cpp:513:3:513:3 | b7 |  |
+| atl.cpp:504:10:504:11 | b8 [post update] | atl.cpp:513:3:513:3 | b8 |  |
+| atl.cpp:506:14:506:15 | call to CComBSTR | atl.cpp:508:5:508:6 | b9 |  |
+| atl.cpp:506:14:506:15 | call to CComBSTR | atl.cpp:509:5:509:6 | b9 |  |
+| atl.cpp:506:14:506:15 | call to CComBSTR | atl.cpp:512:10:512:11 | b9 |  |
+| atl.cpp:506:14:506:15 | call to CComBSTR | atl.cpp:513:3:513:3 | b9 |  |
+| atl.cpp:507:17:507:20 | safe | atl.cpp:509:21:509:24 | safe |  |
+| atl.cpp:507:17:507:20 | safe | atl.cpp:510:10:510:13 | safe |  |
+| atl.cpp:508:5:508:6 | ref arg b9 | atl.cpp:509:5:509:6 | b9 |  |
+| atl.cpp:508:5:508:6 | ref arg b9 | atl.cpp:512:10:512:11 | b9 |  |
+| atl.cpp:508:5:508:6 | ref arg b9 | atl.cpp:513:3:513:3 | b9 |  |
+| atl.cpp:509:5:509:6 | ref arg b9 | atl.cpp:512:10:512:11 | b9 |  |
+| atl.cpp:509:5:509:6 | ref arg b9 | atl.cpp:513:3:513:3 | b9 |  |
+| atl.cpp:509:20:509:24 | ref arg & ... | atl.cpp:509:21:509:24 | safe [inner post update] |  |
+| atl.cpp:509:20:509:24 | ref arg & ... | atl.cpp:510:10:510:13 | safe |  |
+| atl.cpp:509:21:509:24 | safe | atl.cpp:509:20:509:24 | & ... |  |
+| atl.cpp:512:10:512:11 | ref arg b9 | atl.cpp:513:3:513:3 | b9 |  |
+| atl.cpp:515:16:515:39 | call to indirect_source | atl.cpp:517:16:517:16 | w |  |
+| atl.cpp:515:16:515:39 | call to indirect_source | atl.cpp:521:15:521:15 | w |  |
+| atl.cpp:515:16:515:39 | call to indirect_source | atl.cpp:525:20:525:20 | w |  |
+| atl.cpp:517:16:517:16 | ref arg w | atl.cpp:521:15:521:15 | w |  |
+| atl.cpp:517:16:517:16 | ref arg w | atl.cpp:525:20:525:20 | w |  |
+| atl.cpp:517:16:517:16 | w | atl.cpp:517:16:517:17 | call to CComBSTR | TAINT |
+| atl.cpp:517:16:517:17 | call to CComBSTR | atl.cpp:518:10:518:10 | b |  |
+| atl.cpp:517:16:517:17 | call to CComBSTR | atl.cpp:523:3:523:3 | b |  |
+| atl.cpp:518:10:518:10 | b [post update] | atl.cpp:523:3:523:3 | b |  |
+| atl.cpp:520:14:520:15 | call to CComBSTR | atl.cpp:521:5:521:6 | b2 |  |
+| atl.cpp:520:14:520:15 | call to CComBSTR | atl.cpp:522:10:522:11 | b2 |  |
+| atl.cpp:520:14:520:15 | call to CComBSTR | atl.cpp:523:3:523:3 | b2 |  |
+| atl.cpp:521:5:521:6 | ref arg b2 | atl.cpp:522:10:522:11 | b2 |  |
+| atl.cpp:521:5:521:6 | ref arg b2 | atl.cpp:523:3:523:3 | b2 |  |
+| atl.cpp:521:15:521:15 | ref arg w | atl.cpp:525:20:525:20 | w |  |
+| atl.cpp:522:10:522:11 | b2 [post update] | atl.cpp:523:3:523:3 | b2 |  |
+| atl.cpp:525:16:525:21 | call to CComBSTR | atl.cpp:526:10:526:10 | b |  |
+| atl.cpp:525:16:525:21 | call to CComBSTR | atl.cpp:527:3:527:3 | b |  |
+| atl.cpp:526:10:526:10 | b [post update] | atl.cpp:527:3:527:3 | b |  |
+| atl.cpp:572:22:572:33 | call to getSafeArray | atl.cpp:573:8:573:11 | safe |  |
+| atl.cpp:572:22:572:33 | call to getSafeArray | atl.cpp:575:24:575:27 | safe |  |
+| atl.cpp:572:22:572:33 | call to getSafeArray | atl.cpp:586:11:586:14 | safe |  |
+| atl.cpp:573:8:573:11 | safe [post update] | atl.cpp:575:24:575:27 | safe |  |
+| atl.cpp:573:8:573:11 | safe [post update] | atl.cpp:586:11:586:14 | safe |  |
+| atl.cpp:575:24:575:27 | safe | atl.cpp:575:24:575:28 | call to CComSafeArray | TAINT |
+| atl.cpp:575:24:575:28 | call to CComSafeArray | atl.cpp:576:8:576:8 | c |  |
+| atl.cpp:575:24:575:28 | call to CComSafeArray | atl.cpp:577:8:577:8 | c |  |
+| atl.cpp:575:24:575:28 | call to CComSafeArray | atl.cpp:578:8:578:8 | c |  |
+| atl.cpp:575:24:575:28 | call to CComSafeArray | atl.cpp:579:8:579:8 | c |  |
+| atl.cpp:575:24:575:28 | call to CComSafeArray | atl.cpp:580:3:580:3 | c |  |
+| atl.cpp:576:8:576:8 | ref arg c | atl.cpp:577:8:577:8 | c |  |
+| atl.cpp:576:8:576:8 | ref arg c | atl.cpp:578:8:578:8 | c |  |
+| atl.cpp:576:8:576:8 | ref arg c | atl.cpp:579:8:579:8 | c |  |
+| atl.cpp:576:8:576:8 | ref arg c | atl.cpp:580:3:580:3 | c |  |
+| atl.cpp:577:8:577:8 | ref arg c | atl.cpp:578:8:578:8 | c |  |
+| atl.cpp:577:8:577:8 | ref arg c | atl.cpp:579:8:579:8 | c |  |
+| atl.cpp:577:8:577:8 | ref arg c | atl.cpp:580:3:580:3 | c |  |
+| atl.cpp:578:8:578:8 | ref arg c | atl.cpp:579:8:579:8 | c |  |
+| atl.cpp:578:8:578:8 | ref arg c | atl.cpp:580:3:580:3 | c |  |
+| atl.cpp:579:8:579:8 | c [post update] | atl.cpp:580:3:580:3 | c |  |
+| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:583:10:583:10 | c |  |
+| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:584:10:584:10 | c |  |
+| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:585:10:585:10 | c |  |
+| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:586:5:586:5 | c |  |
+| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:587:10:587:10 | c |  |
+| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:588:10:588:10 | c |  |
+| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:589:10:589:10 | c |  |
+| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:590:35:590:35 | c |  |
+| atl.cpp:582:24:582:24 | call to CComSafeArray | atl.cpp:591:3:591:3 | c |  |
+| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:584:10:584:10 | c |  |
+| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:585:10:585:10 | c |  |
+| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:586:5:586:5 | c |  |
+| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:587:10:587:10 | c |  |
+| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:588:10:588:10 | c |  |
+| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:589:10:589:10 | c |  |
+| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:590:35:590:35 | c |  |
+| atl.cpp:583:10:583:10 | ref arg c | atl.cpp:591:3:591:3 | c |  |
+| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:585:10:585:10 | c |  |
+| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:586:5:586:5 | c |  |
+| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:587:10:587:10 | c |  |
+| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:588:10:588:10 | c |  |
+| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:589:10:589:10 | c |  |
+| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:590:35:590:35 | c |  |
+| atl.cpp:584:10:584:10 | ref arg c | atl.cpp:591:3:591:3 | c |  |
+| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:586:5:586:5 | c |  |
+| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:587:10:587:10 | c |  |
+| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:588:10:588:10 | c |  |
+| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:589:10:589:10 | c |  |
+| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:590:35:590:35 | c |  |
+| atl.cpp:585:10:585:10 | ref arg c | atl.cpp:591:3:591:3 | c |  |
+| atl.cpp:586:5:586:5 | ref arg c | atl.cpp:587:10:587:10 | c |  |
+| atl.cpp:586:5:586:5 | ref arg c | atl.cpp:588:10:588:10 | c |  |
+| atl.cpp:586:5:586:5 | ref arg c | atl.cpp:589:10:589:10 | c |  |
+| atl.cpp:586:5:586:5 | ref arg c | atl.cpp:590:35:590:35 | c |  |
+| atl.cpp:586:5:586:5 | ref arg c | atl.cpp:591:3:591:3 | c |  |
+| atl.cpp:587:10:587:10 | ref arg c | atl.cpp:588:10:588:10 | c |  |
+| atl.cpp:587:10:587:10 | ref arg c | atl.cpp:589:10:589:10 | c |  |
+| atl.cpp:587:10:587:10 | ref arg c | atl.cpp:590:35:590:35 | c |  |
+| atl.cpp:587:10:587:10 | ref arg c | atl.cpp:591:3:591:3 | c |  |
+| atl.cpp:588:10:588:10 | ref arg c | atl.cpp:589:10:589:10 | c |  |
+| atl.cpp:588:10:588:10 | ref arg c | atl.cpp:590:35:590:35 | c |  |
+| atl.cpp:588:10:588:10 | ref arg c | atl.cpp:591:3:591:3 | c |  |
+| atl.cpp:589:10:589:10 | ref arg c | atl.cpp:590:35:590:35 | c |  |
+| atl.cpp:589:10:589:10 | ref arg c | atl.cpp:591:3:591:3 | c |  |
+| atl.cpp:590:35:590:35 | ref arg c | atl.cpp:591:3:591:3 | c |  |
+| atl.cpp:593:24:593:24 | call to CComSafeArray | atl.cpp:594:5:594:5 | c |  |
+| atl.cpp:593:24:593:24 | call to CComSafeArray | atl.cpp:595:10:595:10 | c |  |
+| atl.cpp:593:24:593:24 | call to CComSafeArray | atl.cpp:596:10:596:10 | c |  |
+| atl.cpp:593:24:593:24 | call to CComSafeArray | atl.cpp:597:10:597:10 | c |  |
+| atl.cpp:593:24:593:24 | call to CComSafeArray | atl.cpp:598:3:598:3 | c |  |
+| atl.cpp:594:5:594:5 | ref arg c | atl.cpp:595:10:595:10 | c |  |
+| atl.cpp:594:5:594:5 | ref arg c | atl.cpp:596:10:596:10 | c |  |
+| atl.cpp:594:5:594:5 | ref arg c | atl.cpp:597:10:597:10 | c |  |
+| atl.cpp:594:5:594:5 | ref arg c | atl.cpp:598:3:598:3 | c |  |
+| atl.cpp:595:10:595:10 | ref arg c | atl.cpp:596:10:596:10 | c |  |
+| atl.cpp:595:10:595:10 | ref arg c | atl.cpp:597:10:597:10 | c |  |
+| atl.cpp:595:10:595:10 | ref arg c | atl.cpp:598:3:598:3 | c |  |
+| atl.cpp:596:10:596:10 | ref arg c | atl.cpp:597:10:597:10 | c |  |
+| atl.cpp:596:10:596:10 | ref arg c | atl.cpp:598:3:598:3 | c |  |
+| atl.cpp:597:10:597:10 | ref arg c | atl.cpp:598:3:598:3 | c |  |
+| atl.cpp:600:24:600:24 | call to CComSafeArray | atl.cpp:601:5:601:5 | c |  |
+| atl.cpp:600:24:600:24 | call to CComSafeArray | atl.cpp:602:10:602:10 | c |  |
+| atl.cpp:600:24:600:24 | call to CComSafeArray | atl.cpp:603:10:603:10 | c |  |
+| atl.cpp:600:24:600:24 | call to CComSafeArray | atl.cpp:604:3:604:3 | c |  |
+| atl.cpp:601:5:601:5 | ref arg c | atl.cpp:602:10:602:10 | c |  |
+| atl.cpp:601:5:601:5 | ref arg c | atl.cpp:603:10:603:10 | c |  |
+| atl.cpp:601:5:601:5 | ref arg c | atl.cpp:604:3:604:3 | c |  |
+| atl.cpp:602:10:602:10 | ref arg c | atl.cpp:603:10:603:10 | c |  |
+| atl.cpp:602:10:602:10 | ref arg c | atl.cpp:604:3:604:3 | c |  |
+| atl.cpp:603:10:603:10 | ref arg c | atl.cpp:604:3:604:3 | c |  |
+| atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:666:11:666:11 | x |  |
+| atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:675:20:675:20 | x |  |
+| atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:680:14:680:14 | x |  |
+| atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:688:11:688:11 | x |  |
+| atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:694:15:694:15 | x |  |
+| atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:699:24:699:24 | x |  |
+| atl.cpp:665:13:665:33 | call to indirect_source | atl.cpp:705:30:705:30 | x |  |
+| atl.cpp:666:11:666:11 | ref arg x | atl.cpp:675:20:675:20 | x |  |
+| atl.cpp:666:11:666:11 | ref arg x | atl.cpp:680:14:680:14 | x |  |
+| atl.cpp:666:11:666:11 | ref arg x | atl.cpp:688:11:688:11 | x |  |
+| atl.cpp:666:11:666:11 | ref arg x | atl.cpp:694:15:694:15 | x |  |
+| atl.cpp:666:11:666:11 | ref arg x | atl.cpp:699:24:699:24 | x |  |
+| atl.cpp:666:11:666:11 | ref arg x | atl.cpp:705:30:705:30 | x |  |
+| atl.cpp:666:11:666:11 | x | atl.cpp:666:11:666:12 | call to CPathT | TAINT |
+| atl.cpp:666:11:666:12 | call to CPathT | atl.cpp:667:27:667:27 | p |  |
+| atl.cpp:666:11:666:12 | call to CPathT | atl.cpp:668:8:668:8 | p |  |
+| atl.cpp:666:11:666:12 | call to CPathT | atl.cpp:670:12:670:12 | p |  |
+| atl.cpp:667:27:667:27 | ref arg p | atl.cpp:668:8:668:8 | p |  |
+| atl.cpp:667:27:667:27 | ref arg p | atl.cpp:670:12:670:12 | p |  |
+| atl.cpp:668:8:668:8 | p [post update] | atl.cpp:670:12:670:12 | p |  |
+| atl.cpp:668:10:668:18 | ref arg m_strPath | atl.cpp:671:11:671:19 | m_strPath |  |
+| atl.cpp:670:12:670:12 | p | atl.cpp:670:12:670:13 | call to CPathT |  |
+| atl.cpp:670:12:670:13 | call to CPathT | atl.cpp:671:8:671:9 | p2 |  |
+| atl.cpp:674:11:674:11 | call to CPathT | atl.cpp:675:5:675:5 | p |  |
+| atl.cpp:674:11:674:11 | call to CPathT | atl.cpp:676:10:676:10 | p |  |
+| atl.cpp:675:5:675:5 | ref arg p | atl.cpp:676:10:676:10 | p |  |
+| atl.cpp:675:20:675:20 | ref arg x | atl.cpp:680:14:680:14 | x |  |
+| atl.cpp:675:20:675:20 | ref arg x | atl.cpp:688:11:688:11 | x |  |
+| atl.cpp:675:20:675:20 | ref arg x | atl.cpp:694:15:694:15 | x |  |
+| atl.cpp:675:20:675:20 | ref arg x | atl.cpp:699:24:699:24 | x |  |
+| atl.cpp:675:20:675:20 | ref arg x | atl.cpp:705:30:705:30 | x |  |
+| atl.cpp:679:11:679:11 | call to CPathT | atl.cpp:680:5:680:5 | p |  |
+| atl.cpp:679:11:679:11 | call to CPathT | atl.cpp:681:10:681:10 | p |  |
+| atl.cpp:679:11:679:11 | call to CPathT | atl.cpp:684:11:684:11 | p |  |
+| atl.cpp:680:5:680:5 | ref arg p | atl.cpp:681:10:681:10 | p |  |
+| atl.cpp:680:5:680:5 | ref arg p | atl.cpp:684:11:684:11 | p |  |
+| atl.cpp:680:14:680:14 | ref arg x | atl.cpp:688:11:688:11 | x |  |
+| atl.cpp:680:14:680:14 | ref arg x | atl.cpp:694:15:694:15 | x |  |
+| atl.cpp:680:14:680:14 | ref arg x | atl.cpp:699:24:699:24 | x |  |
+| atl.cpp:680:14:680:14 | ref arg x | atl.cpp:705:30:705:30 | x |  |
+| atl.cpp:681:10:681:10 | p [post update] | atl.cpp:684:11:684:11 | p |  |
+| atl.cpp:683:11:683:12 | call to CPathT | atl.cpp:684:5:684:6 | p2 |  |
+| atl.cpp:683:11:683:12 | call to CPathT | atl.cpp:685:10:685:11 | p2 |  |
+| atl.cpp:684:5:684:6 | ref arg p2 | atl.cpp:685:10:685:11 | p2 |  |
+| atl.cpp:684:11:684:11 | call to operator char *& | atl.cpp:684:8:684:8 | call to operator+= | TAINT |
+| atl.cpp:687:11:687:12 | call to CPathT | atl.cpp:688:5:688:6 | p3 |  |
+| atl.cpp:687:11:687:12 | call to CPathT | atl.cpp:689:10:689:11 | p3 |  |
+| atl.cpp:688:5:688:6 | ref arg p3 | atl.cpp:689:10:689:11 | p3 |  |
+| atl.cpp:688:11:688:11 | ref arg x | atl.cpp:694:15:694:15 | x |  |
+| atl.cpp:688:11:688:11 | ref arg x | atl.cpp:699:24:699:24 | x |  |
+| atl.cpp:688:11:688:11 | ref arg x | atl.cpp:705:30:705:30 | x |  |
+| atl.cpp:688:11:688:11 | x | atl.cpp:688:8:688:8 | call to operator+= | TAINT |
+| atl.cpp:693:11:693:11 | call to CPathT | atl.cpp:694:5:694:5 | p |  |
+| atl.cpp:693:11:693:11 | call to CPathT | atl.cpp:695:10:695:10 | p |  |
+| atl.cpp:694:5:694:5 | ref arg p | atl.cpp:695:10:695:10 | p |  |
+| atl.cpp:694:15:694:15 | ref arg x | atl.cpp:699:24:699:24 | x |  |
+| atl.cpp:694:15:694:15 | ref arg x | atl.cpp:705:30:705:30 | x |  |
+| atl.cpp:698:11:698:11 | call to CPathT | atl.cpp:699:5:699:5 | p |  |
+| atl.cpp:698:11:698:11 | call to CPathT | atl.cpp:700:10:700:10 | p |  |
+| atl.cpp:699:5:699:5 | ref arg p | atl.cpp:700:10:700:10 | p |  |
+| atl.cpp:699:24:699:24 | ref arg x | atl.cpp:705:30:705:30 | x |  |
+| atl.cpp:704:11:704:11 | call to CPathT | atl.cpp:705:15:705:15 | p |  |
+| atl.cpp:705:17:705:28 | call to CommonPrefix | atl.cpp:706:10:706:11 | p2 |  |
+| atl.cpp:705:17:705:28 | call to CommonPrefix | atl.cpp:707:10:707:11 | p2 |  |
+| atl.cpp:706:10:706:11 | p2 [post update] | atl.cpp:707:10:707:11 | p2 |  |
+| atl.cpp:734:11:734:21 | call to source | atl.cpp:737:11:737:11 | x |  |
+| atl.cpp:734:11:734:21 | call to source | atl.cpp:749:11:749:11 | x |  |
+| atl.cpp:734:11:734:21 | call to source | atl.cpp:753:23:753:23 | x |  |
+| atl.cpp:736:23:736:23 | call to CSimpleArray | atl.cpp:737:5:737:5 | a |  |
+| atl.cpp:736:23:736:23 | call to CSimpleArray | atl.cpp:738:10:738:10 | a |  |
+| atl.cpp:736:23:736:23 | call to CSimpleArray | atl.cpp:739:5:739:5 | a |  |
+| atl.cpp:736:23:736:23 | call to CSimpleArray | atl.cpp:740:10:740:10 | a |  |
+| atl.cpp:736:23:736:23 | call to CSimpleArray | atl.cpp:744:10:744:10 | a |  |
+| atl.cpp:736:23:736:23 | call to CSimpleArray | atl.cpp:746:3:746:3 | a |  |
+| atl.cpp:737:5:737:5 | ref arg a | atl.cpp:738:10:738:10 | a |  |
+| atl.cpp:737:5:737:5 | ref arg a | atl.cpp:739:5:739:5 | a |  |
+| atl.cpp:737:5:737:5 | ref arg a | atl.cpp:740:10:740:10 | a |  |
+| atl.cpp:737:5:737:5 | ref arg a | atl.cpp:744:10:744:10 | a |  |
+| atl.cpp:737:5:737:5 | ref arg a | atl.cpp:746:3:746:3 | a |  |
+| atl.cpp:738:10:738:10 | ref arg a | atl.cpp:739:5:739:5 | a |  |
+| atl.cpp:738:10:738:10 | ref arg a | atl.cpp:740:10:740:10 | a |  |
+| atl.cpp:738:10:738:10 | ref arg a | atl.cpp:744:10:744:10 | a |  |
+| atl.cpp:738:10:738:10 | ref arg a | atl.cpp:746:3:746:3 | a |  |
+| atl.cpp:739:5:739:5 | ref arg a | atl.cpp:740:10:740:10 | a |  |
+| atl.cpp:739:5:739:5 | ref arg a | atl.cpp:744:10:744:10 | a |  |
+| atl.cpp:739:5:739:5 | ref arg a | atl.cpp:746:3:746:3 | a |  |
+| atl.cpp:740:10:740:10 | ref arg a | atl.cpp:744:10:744:10 | a |  |
+| atl.cpp:740:10:740:10 | ref arg a | atl.cpp:746:3:746:3 | a |  |
+| atl.cpp:742:23:742:24 | call to CSimpleArray | atl.cpp:743:10:743:11 | a2 |  |
+| atl.cpp:742:23:742:24 | call to CSimpleArray | atl.cpp:744:5:744:6 | a2 |  |
+| atl.cpp:742:23:742:24 | call to CSimpleArray | atl.cpp:745:10:745:11 | a2 |  |
+| atl.cpp:742:23:742:24 | call to CSimpleArray | atl.cpp:746:3:746:3 | a2 |  |
+| atl.cpp:743:10:743:11 | ref arg a2 | atl.cpp:744:5:744:6 | a2 |  |
+| atl.cpp:743:10:743:11 | ref arg a2 | atl.cpp:745:10:745:11 | a2 |  |
+| atl.cpp:743:10:743:11 | ref arg a2 | atl.cpp:746:3:746:3 | a2 |  |
+| atl.cpp:744:5:744:6 | ref arg a2 | atl.cpp:745:10:745:11 | a2 |  |
+| atl.cpp:744:5:744:6 | ref arg a2 | atl.cpp:746:3:746:3 | a2 |  |
+| atl.cpp:744:10:744:10 | a | atl.cpp:744:5:744:6 | ref arg a2 | TAINT |
+| atl.cpp:744:10:744:10 | a | atl.cpp:744:8:744:8 | call to operator= | TAINT |
+| atl.cpp:745:10:745:11 | ref arg a2 | atl.cpp:746:3:746:3 | a2 |  |
+| atl.cpp:748:23:748:23 | call to CSimpleArray | atl.cpp:749:5:749:5 | a |  |
+| atl.cpp:748:23:748:23 | call to CSimpleArray | atl.cpp:750:10:750:10 | a |  |
+| atl.cpp:748:23:748:23 | call to CSimpleArray | atl.cpp:755:3:755:3 | a |  |
+| atl.cpp:749:5:749:5 | ref arg a | atl.cpp:750:10:750:10 | a |  |
+| atl.cpp:749:5:749:5 | ref arg a | atl.cpp:755:3:755:3 | a |  |
+| atl.cpp:750:10:750:10 | ref arg a | atl.cpp:755:3:755:3 | a |  |
+| atl.cpp:752:23:752:24 | call to CSimpleArray | atl.cpp:753:15:753:16 | a2 |  |
+| atl.cpp:752:23:752:24 | call to CSimpleArray | atl.cpp:754:10:754:11 | a2 |  |
+| atl.cpp:752:23:752:24 | call to CSimpleArray | atl.cpp:755:3:755:3 | a2 |  |
+| atl.cpp:753:18:753:21 | call to Find | atl.cpp:754:13:754:15 | pos |  |
+| atl.cpp:754:10:754:11 | ref arg a2 | atl.cpp:755:3:755:3 | a2 |  |
+| atl.cpp:779:16:779:31 | call to source | atl.cpp:782:20:782:20 | x |  |
+| atl.cpp:779:16:779:31 | call to source | atl.cpp:792:26:792:26 | x |  |
+| atl.cpp:779:16:779:31 | call to source | atl.cpp:797:32:797:32 | x |  |
+| atl.cpp:779:16:779:31 | call to source | atl.cpp:803:22:803:22 | x |  |
+| atl.cpp:779:16:779:31 | call to source | atl.cpp:808:30:808:30 | x |  |
+| atl.cpp:781:33:781:33 | call to CSimpleMap | atl.cpp:782:5:782:5 | a |  |
+| atl.cpp:781:33:781:33 | call to CSimpleMap | atl.cpp:783:10:783:10 | a |  |
+| atl.cpp:781:33:781:33 | call to CSimpleMap | atl.cpp:784:3:784:3 | a |  |
+| atl.cpp:782:5:782:5 | ref arg a | atl.cpp:783:10:783:10 | a |  |
+| atl.cpp:782:5:782:5 | ref arg a | atl.cpp:784:3:784:3 | a |  |
+| atl.cpp:783:10:783:10 | ref arg a | atl.cpp:784:3:784:3 | a |  |
+| atl.cpp:786:33:786:33 | call to CSimpleMap | atl.cpp:787:16:787:16 | a |  |
+| atl.cpp:786:33:786:33 | call to CSimpleMap | atl.cpp:788:10:788:10 | a |  |
+| atl.cpp:786:33:786:33 | call to CSimpleMap | atl.cpp:789:3:789:3 | a |  |
+| atl.cpp:787:18:787:24 | call to FindKey | atl.cpp:788:23:788:25 | pos |  |
+| atl.cpp:788:10:788:10 | ref arg a | atl.cpp:789:3:789:3 | a |  |
+| atl.cpp:791:33:791:33 | call to CSimpleMap | atl.cpp:792:16:792:16 | a |  |
+| atl.cpp:791:33:791:33 | call to CSimpleMap | atl.cpp:793:10:793:10 | a |  |
+| atl.cpp:791:33:791:33 | call to CSimpleMap | atl.cpp:794:3:794:3 | a |  |
+| atl.cpp:792:18:792:24 | call to FindVal | atl.cpp:793:23:793:25 | pos |  |
+| atl.cpp:793:10:793:10 | ref arg a | atl.cpp:794:3:794:3 | a |  |
+| atl.cpp:796:33:796:33 | call to CSimpleMap | atl.cpp:797:16:797:16 | a |  |
+| atl.cpp:796:33:796:33 | call to CSimpleMap | atl.cpp:799:10:799:10 | a |  |
+| atl.cpp:796:33:796:33 | call to CSimpleMap | atl.cpp:800:3:800:3 | a |  |
+| atl.cpp:797:16:797:16 | ref arg a | atl.cpp:799:10:799:10 | a |  |
+| atl.cpp:797:16:797:16 | ref arg a | atl.cpp:800:3:800:3 | a |  |
+| atl.cpp:797:18:797:30 | call to ReverseLookup | atl.cpp:798:10:798:12 | key |  |
+| atl.cpp:797:18:797:30 | call to ReverseLookup | atl.cpp:799:19:799:21 | key |  |
+| atl.cpp:798:10:798:12 | ref arg key | atl.cpp:799:19:799:21 | key |  |
+| atl.cpp:799:10:799:10 | ref arg a | atl.cpp:800:3:800:3 | a |  |
+| atl.cpp:802:33:802:33 | call to CSimpleMap | atl.cpp:803:5:803:5 | a |  |
+| atl.cpp:802:33:802:33 | call to CSimpleMap | atl.cpp:804:10:804:10 | a |  |
+| atl.cpp:802:33:802:33 | call to CSimpleMap | atl.cpp:805:3:805:3 | a |  |
+| atl.cpp:803:5:803:5 | ref arg a | atl.cpp:804:10:804:10 | a |  |
+| atl.cpp:803:5:803:5 | ref arg a | atl.cpp:805:3:805:3 | a |  |
+| atl.cpp:804:10:804:10 | ref arg a | atl.cpp:805:3:805:3 | a |  |
+| atl.cpp:807:33:807:33 | call to CSimpleMap | atl.cpp:808:5:808:5 | a |  |
+| atl.cpp:807:33:807:33 | call to CSimpleMap | atl.cpp:809:10:809:10 | a |  |
+| atl.cpp:807:33:807:33 | call to CSimpleMap | atl.cpp:810:3:810:3 | a |  |
+| atl.cpp:808:5:808:5 | ref arg a | atl.cpp:809:10:809:10 | a |  |
+| atl.cpp:808:5:808:5 | ref arg a | atl.cpp:810:3:810:3 | a |  |
+| atl.cpp:809:10:809:10 | ref arg a | atl.cpp:810:3:810:3 | a |  |
+| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:853:16:853:16 | x |  |
+| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:866:19:866:19 | x |  |
+| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:872:23:872:23 | x |  |
+| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:877:22:877:22 | x |  |
+| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:882:22:882:22 | x |  |
+| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:887:24:887:24 | x |  |
+| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:892:21:892:21 | x |  |
+| atl.cpp:851:13:851:33 | call to indirect_source | atl.cpp:897:22:897:22 | x |  |
+| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:853:3:853:5 | url |  |
+| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:854:8:854:10 | url |  |
+| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:855:8:855:10 | url |  |
+| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:856:8:856:10 | url |  |
+| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:857:8:857:10 | url |  |
+| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:858:8:858:10 | url |  |
+| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:859:8:859:10 | url |  |
+| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:860:8:860:10 | url |  |
+| atl.cpp:852:8:852:10 | call to CUrl | atl.cpp:900:1:900:1 | url |  |
+| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:854:8:854:10 | url |  |
+| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:855:8:855:10 | url |  |
+| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:856:8:856:10 | url |  |
+| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:857:8:857:10 | url |  |
+| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:858:8:858:10 | url |  |
+| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:859:8:859:10 | url |  |
+| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:860:8:860:10 | url |  |
+| atl.cpp:853:3:853:5 | ref arg url | atl.cpp:900:1:900:1 | url |  |
+| atl.cpp:863:10:863:13 | call to CUrl | atl.cpp:866:5:866:8 | url2 |  |
+| atl.cpp:863:10:863:13 | call to CUrl | atl.cpp:867:5:867:8 | url2 |  |
+| atl.cpp:863:10:863:13 | call to CUrl | atl.cpp:869:3:869:3 | url2 |  |
+| atl.cpp:864:11:864:13 | len | atl.cpp:867:29:867:31 | len |  |
+| atl.cpp:865:10:865:15 | buffer | atl.cpp:867:20:867:25 | buffer |  |
+| atl.cpp:865:10:865:15 | buffer | atl.cpp:868:10:868:15 | buffer |  |
+| atl.cpp:866:5:866:8 | ref arg url2 | atl.cpp:867:5:867:8 | url2 |  |
+| atl.cpp:866:5:866:8 | ref arg url2 | atl.cpp:869:3:869:3 | url2 |  |
+| atl.cpp:867:20:867:25 | ref arg buffer | atl.cpp:868:10:868:15 | buffer |  |
+| atl.cpp:867:28:867:31 | ref arg & ... | atl.cpp:867:29:867:31 | len [inner post update] |  |
+| atl.cpp:867:29:867:31 | len | atl.cpp:867:28:867:31 | & ... |  |
+| atl.cpp:871:10:871:13 | call to CUrl | atl.cpp:872:5:872:8 | url2 |  |
+| atl.cpp:871:10:871:13 | call to CUrl | atl.cpp:873:10:873:13 | url2 |  |
+| atl.cpp:871:10:871:13 | call to CUrl | atl.cpp:874:3:874:3 | url2 |  |
+| atl.cpp:872:5:872:8 | ref arg url2 | atl.cpp:873:10:873:13 | url2 |  |
+| atl.cpp:872:5:872:8 | ref arg url2 | atl.cpp:874:3:874:3 | url2 |  |
+| atl.cpp:876:10:876:13 | call to CUrl | atl.cpp:877:5:877:8 | url2 |  |
+| atl.cpp:876:10:876:13 | call to CUrl | atl.cpp:878:10:878:13 | url2 |  |
+| atl.cpp:876:10:876:13 | call to CUrl | atl.cpp:879:3:879:3 | url2 |  |
+| atl.cpp:877:5:877:8 | ref arg url2 | atl.cpp:878:10:878:13 | url2 |  |
+| atl.cpp:877:5:877:8 | ref arg url2 | atl.cpp:879:3:879:3 | url2 |  |
+| atl.cpp:881:10:881:13 | call to CUrl | atl.cpp:882:5:882:8 | url2 |  |
+| atl.cpp:881:10:881:13 | call to CUrl | atl.cpp:883:10:883:13 | url2 |  |
+| atl.cpp:881:10:881:13 | call to CUrl | atl.cpp:884:3:884:3 | url2 |  |
+| atl.cpp:882:5:882:8 | ref arg url2 | atl.cpp:883:10:883:13 | url2 |  |
+| atl.cpp:882:5:882:8 | ref arg url2 | atl.cpp:884:3:884:3 | url2 |  |
+| atl.cpp:886:10:886:13 | call to CUrl | atl.cpp:887:5:887:8 | url2 |  |
+| atl.cpp:886:10:886:13 | call to CUrl | atl.cpp:888:10:888:13 | url2 |  |
+| atl.cpp:886:10:886:13 | call to CUrl | atl.cpp:889:3:889:3 | url2 |  |
+| atl.cpp:887:5:887:8 | ref arg url2 | atl.cpp:888:10:888:13 | url2 |  |
+| atl.cpp:887:5:887:8 | ref arg url2 | atl.cpp:889:3:889:3 | url2 |  |
+| atl.cpp:891:10:891:13 | call to CUrl | atl.cpp:892:5:892:8 | url2 |  |
+| atl.cpp:891:10:891:13 | call to CUrl | atl.cpp:893:10:893:13 | url2 |  |
+| atl.cpp:891:10:891:13 | call to CUrl | atl.cpp:894:3:894:3 | url2 |  |
+| atl.cpp:892:5:892:8 | ref arg url2 | atl.cpp:893:10:893:13 | url2 |  |
+| atl.cpp:892:5:892:8 | ref arg url2 | atl.cpp:894:3:894:3 | url2 |  |
+| atl.cpp:896:10:896:13 | call to CUrl | atl.cpp:897:5:897:8 | url2 |  |
+| atl.cpp:896:10:896:13 | call to CUrl | atl.cpp:898:10:898:13 | url2 |  |
+| atl.cpp:896:10:896:13 | call to CUrl | atl.cpp:899:3:899:3 | url2 |  |
+| atl.cpp:897:5:897:8 | ref arg url2 | atl.cpp:898:10:898:13 | url2 |  |
+| atl.cpp:897:5:897:8 | ref arg url2 | atl.cpp:899:3:899:3 | url2 |  |
 | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s |  |
 | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr |  |
 | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr |  |

cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected

@@ -1,4 +1,91 @@
 signatureMatches
+| atl.cpp:69:3:69:15 | _U_STRINGorID | (UINT) | CComBSTR | LoadString | 0 |
+| atl.cpp:69:3:69:15 | _U_STRINGorID | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 |
+| atl.cpp:70:3:70:15 | _U_STRINGorID | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 |
+| atl.cpp:257:3:257:10 | CAtlList | (UINT) | CComBSTR | LoadString | 0 |
+| atl.cpp:257:3:257:10 | CAtlList | (UINT) | CComBSTR | LoadString | 0 |
+| atl.cpp:257:3:257:10 | CAtlList | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 |
+| atl.cpp:257:3:257:10 | CAtlList | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 |
+| atl.cpp:407:8:407:8 | operator= | (const CComBSTR &) | CComBSTR | Append | 0 |
+| atl.cpp:407:8:407:8 | operator= | (const CComBSTR &) | CComBSTR | CComBSTR | 0 |
+| atl.cpp:409:3:409:10 | CComBSTR | (const CComBSTR &) | CComBSTR | Append | 0 |
+| atl.cpp:409:3:409:10 | CComBSTR | (const CComBSTR &) | CComBSTR | CComBSTR | 0 |
+| atl.cpp:411:3:411:10 | CComBSTR | (int,LPCOLESTR) | CComBSTR | CComBSTR | 0 |
+| atl.cpp:411:3:411:10 | CComBSTR | (int,LPCOLESTR) | CComBSTR | CComBSTR | 1 |
+| atl.cpp:412:3:412:10 | CComBSTR | (int,LPCSTR) | CComBSTR | CComBSTR | 0 |
+| atl.cpp:412:3:412:10 | CComBSTR | (int,LPCSTR) | CComBSTR | CComBSTR | 1 |
+| atl.cpp:413:3:413:10 | CComBSTR | (LPCOLESTR) | CComBSTR | Append | 0 |
+| atl.cpp:413:3:413:10 | CComBSTR | (LPCOLESTR) | CComBSTR | CComBSTR | 0 |
+| atl.cpp:414:3:414:10 | CComBSTR | (LPCSTR) | CComBSTR | Append | 0 |
+| atl.cpp:414:3:414:10 | CComBSTR | (LPCSTR) | CComBSTR | CComBSTR | 0 |
+| atl.cpp:415:3:415:10 | CComBSTR | (CComBSTR &&) | CComBSTR | CComBSTR | 0 |
+| atl.cpp:418:11:418:16 | Append | (const CComBSTR &) | CComBSTR | Append | 0 |
+| atl.cpp:418:11:418:16 | Append | (const CComBSTR &) | CComBSTR | CComBSTR | 0 |
+| atl.cpp:419:11:419:16 | Append | (wchar_t) | CComBSTR | Append | 0 |
+| atl.cpp:420:11:420:16 | Append | (char) | CComBSTR | Append | 0 |
+| atl.cpp:421:11:421:16 | Append | (LPCOLESTR) | CComBSTR | Append | 0 |
+| atl.cpp:421:11:421:16 | Append | (LPCOLESTR) | CComBSTR | CComBSTR | 0 |
+| atl.cpp:422:11:422:16 | Append | (LPCSTR) | CComBSTR | Append | 0 |
+| atl.cpp:422:11:422:16 | Append | (LPCSTR) | CComBSTR | CComBSTR | 0 |
+| atl.cpp:423:11:423:16 | Append | (LPCOLESTR,int) | CComBSTR | Append | 0 |
+| atl.cpp:423:11:423:16 | Append | (LPCOLESTR,int) | CComBSTR | Append | 1 |
+| atl.cpp:425:11:425:21 | AppendBytes | (LPCOLESTR,int) | CComBSTR | Append | 1 |
+| atl.cpp:426:11:426:21 | ArrayToBSTR | (const SAFEARRAY *) | CComSafeArray | Add | 0 |
+| atl.cpp:426:11:426:21 | ArrayToBSTR | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 |
+| atl.cpp:426:11:426:21 | ArrayToBSTR | (const SAFEARRAY *) | CComSafeArray | operator= | 0 |
+| atl.cpp:438:8:438:17 | LoadString | (HINSTANCE,UINT) | CComBSTR | LoadString | 0 |
+| atl.cpp:438:8:438:17 | LoadString | (HINSTANCE,UINT) | CComBSTR | LoadString | 1 |
+| atl.cpp:439:8:439:17 | LoadString | (UINT) | CComBSTR | LoadString | 0 |
+| atl.cpp:439:8:439:17 | LoadString | (UINT) | _U_STRINGorID | _U_STRINGorID | 0 |
+| atl.cpp:447:13:447:22 | operator+= | (const CComBSTR &) | CComBSTR | Append | 0 |
+| atl.cpp:447:13:447:22 | operator+= | (const CComBSTR &) | CComBSTR | CComBSTR | 0 |
+| atl.cpp:448:13:448:22 | operator+= | (LPCOLESTR) | CComBSTR | Append | 0 |
+| atl.cpp:448:13:448:22 | operator+= | (LPCOLESTR) | CComBSTR | CComBSTR | 0 |
+| atl.cpp:538:3:538:15 | CComSafeArray | (const SAFEARRAY *) | CComSafeArray | Add | 0 |
+| atl.cpp:538:3:538:15 | CComSafeArray | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 |
+| atl.cpp:538:3:538:15 | CComSafeArray | (const SAFEARRAY *) | CComSafeArray | operator= | 0 |
+| atl.cpp:542:11:542:13 | Add | (const SAFEARRAY *) | CComSafeArray | Add | 0 |
+| atl.cpp:542:11:542:13 | Add | (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 |
+| atl.cpp:542:11:542:13 | Add | (const SAFEARRAY *) | CComSafeArray | operator= | 0 |
+| atl.cpp:544:11:544:13 | Add | (const T &,BOOL) | CComSafeArray<T> | Add | 0 |
+| atl.cpp:544:11:544:13 | Add | (const T &,BOOL) | CComSafeArray<T> | Add | 1 |
+| atl.cpp:763:8:763:10 | Add | (const deque &,const Allocator &) | deque<T,Allocator> | deque | 1 |
+| atl.cpp:763:8:763:10 | Add | (const forward_list &,const Allocator &) | forward_list<T,Allocator> | forward_list | 1 |
+| atl.cpp:763:8:763:10 | Add | (const list &,const Allocator &) | list<T,Allocator> | list | 1 |
+| atl.cpp:763:8:763:10 | Add | (const vector &,const Allocator &) | vector<T,Allocator> | vector | 1 |
+| atl.cpp:763:8:763:10 | Add | (deque &&,const Allocator &) | deque<T,Allocator> | deque | 1 |
+| atl.cpp:763:8:763:10 | Add | (forward_list &&,const Allocator &) | forward_list<T,Allocator> | forward_list | 1 |
+| atl.cpp:763:8:763:10 | Add | (list &&,const Allocator &) | list<T,Allocator> | list | 1 |
+| atl.cpp:763:8:763:10 | Add | (vector &&,const Allocator &) | vector<T,Allocator> | vector | 1 |
+| atl.cpp:774:8:774:12 | SetAt | (const deque &,const Allocator &) | deque<T,Allocator> | deque | 1 |
+| atl.cpp:774:8:774:12 | SetAt | (const forward_list &,const Allocator &) | forward_list<T,Allocator> | forward_list | 1 |
+| atl.cpp:774:8:774:12 | SetAt | (const list &,const Allocator &) | list<T,Allocator> | list | 1 |
+| atl.cpp:774:8:774:12 | SetAt | (const vector &,const Allocator &) | vector<T,Allocator> | vector | 1 |
+| atl.cpp:774:8:774:12 | SetAt | (deque &&,const Allocator &) | deque<T,Allocator> | deque | 1 |
+| atl.cpp:774:8:774:12 | SetAt | (forward_list &&,const Allocator &) | forward_list<T,Allocator> | forward_list | 1 |
+| atl.cpp:774:8:774:12 | SetAt | (list &&,const Allocator &) | list<T,Allocator> | list | 1 |
+| atl.cpp:774:8:774:12 | SetAt | (vector &&,const Allocator &) | vector<T,Allocator> | vector | 1 |
+| atl.cpp:775:8:775:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | deque<T,Allocator> | deque<InputIterator> | 2 |
+| atl.cpp:775:8:775:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | forward_list<T,Allocator> | forward_list | 2 |
+| atl.cpp:775:8:775:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | list<T,Allocator> | list<InputIterator> | 2 |
+| atl.cpp:775:8:775:17 | SetAtIndex | (InputIterator,InputIterator,const Allocator &) | vector<T,Allocator> | vector<InputIterator> | 2 |
+| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | deque<T,Allocator> | deque | 1 |
+| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | deque<T,Allocator> | deque | 2 |
+| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | forward_list<T,Allocator> | forward_list | 1 |
+| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | forward_list<T,Allocator> | forward_list | 2 |
+| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | list<T,Allocator> | list | 1 |
+| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | list<T,Allocator> | list | 2 |
+| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | vector<T,Allocator> | vector | 1 |
+| atl.cpp:775:8:775:17 | SetAtIndex | (size_type,const T &,const Allocator &) | vector<T,Allocator> | vector | 2 |
+| atl.cpp:840:15:840:26 | SetExtraInfo | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 |
+| atl.cpp:841:15:841:25 | SetHostName | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 |
+| atl.cpp:842:15:842:25 | SetPassword | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 |
+| atl.cpp:845:15:845:27 | SetSchemeName | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 |
+| atl.cpp:846:15:846:24 | SetUrlPath | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 |
+| atl.cpp:847:15:847:25 | SetUserName | (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 |
+| constructor_delegation.cpp:10:2:10:8 | MyValue | (LPCOLESTR,int) | CComBSTR | Append | 1 |
+| constructor_delegation.cpp:19:2:19:15 | MyDerivedValue | (LPCOLESTR,int) | CComBSTR | Append | 1 |
+| standalone_iterators.cpp:103:27:103:36 | operator+= | (LPCOLESTR,int) | CComBSTR | Append | 1 |
 | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | deque | assign<InputIt> | 0 |
 | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | deque | assign<InputIt> | 1 |
 | stl.h:182:17:182:22 | assign | (InputIt,InputIt) | forward_list | assign<InputIt> | 0 |
@@ -267,7 +354,25 @@ signatureMatches
 | stl.h:678:33:678:38 | format | (format_string,Args &&) |  | format<Args> | 1 |
 | stl.h:683:6:683:48 | same_signature_as_format_but_different_name | (format_string,Args &&) |  | format<Args> | 0 |
 | stl.h:683:6:683:48 | same_signature_as_format_but_different_name | (format_string,Args &&) |  | format<Args> | 1 |
+| string.cpp:20:6:20:9 | sink | (char) | CComBSTR | Append | 0 |
+| taint.cpp:4:6:4:21 | arithAssignments | (LPCOLESTR,int) | CComBSTR | Append | 1 |
+| taint.cpp:249:13:249:13 | _FUN | (LPCOLESTR,int) | CComBSTR | Append | 1 |
+| taint.cpp:249:13:249:13 | operator() | (LPCOLESTR,int) | CComBSTR | Append | 1 |
+| taint.cpp:302:6:302:14 | myAssign2 | (LPCOLESTR,int) | CComBSTR | Append | 1 |
+| taint.cpp:307:6:307:14 | myAssign3 | (LPCOLESTR,int) | CComBSTR | Append | 1 |
+| taint.cpp:312:6:312:14 | myAssign4 | (LPCOLESTR,int) | CComBSTR | Append | 1 |
+| taint.cpp:523:7:523:13 | _strset | (LPCOLESTR,int) | CComBSTR | Append | 1 |
+| vector.cpp:333:6:333:35 | vector_iterator_assign_wrapper | (LPCOLESTR,int) | CComBSTR | Append | 1 |
 getSignatureParameterName
+| (CAtlFile &) | CAtlFile | CAtlFile | 0 | CAtlFile & |
+| (CComBSTR &&) | CComBSTR | CComBSTR | 0 | CComBSTR && |
+| (CRegKey &) | CRegKey | CRegKey | 0 | CRegKey & |
+| (DWORD &,LPCTSTR) | CRegKey | QueryValue | 0 | DWORD & |
+| (DWORD &,LPCTSTR) | CRegKey | QueryValue | 1 | LPCTSTR |
+| (HANDLE) | CAtlFile | CAtlFile | 0 | HANDLE |
+| (HINSTANCE,UINT) | CComBSTR | LoadString | 0 | HINSTANCE |
+| (HINSTANCE,UINT) | CComBSTR | LoadString | 1 | UINT |
+| (HKEY) | CRegKey | CRegKey | 0 | HKEY |
 | (InputIt,InputIt) | deque | assign<InputIt> | 0 | func:0 |
 | (InputIt,InputIt) | deque | assign<InputIt> | 1 | func:0 |
 | (InputIt,InputIt) | forward_list | assign<InputIt> | 0 | func:0 |
@@ -288,6 +393,33 @@ getSignatureParameterName
 | (InputIterator,InputIterator,const Allocator &) | vector<T,Allocator> | vector<InputIterator> | 0 | func:0 |
 | (InputIterator,InputIterator,const Allocator &) | vector<T,Allocator> | vector<InputIterator> | 1 | func:0 |
 | (InputIterator,InputIterator,const Allocator &) | vector<T,Allocator> | vector<InputIterator> | 2 | const class:1 & |
+| (LPCOLESTR) | CComBSTR | Append | 0 | LPCOLESTR |
+| (LPCOLESTR) | CComBSTR | CComBSTR | 0 | LPCOLESTR |
+| (LPCOLESTR,int) | CComBSTR | Append | 0 | LPCOLESTR |
+| (LPCOLESTR,int) | CComBSTR | Append | 1 | int |
+| (LPCSTR) | CComBSTR | Append | 0 | LPCSTR |
+| (LPCSTR) | CComBSTR | CComBSTR | 0 | LPCSTR |
+| (LPCTSTR) | _U_STRINGorID | _U_STRINGorID | 0 | LPCTSTR |
+| (LPCTSTR,DWORD *,void *,ULONG *) | CRegKey | QueryValue | 0 | LPCTSTR |
+| (LPCTSTR,DWORD *,void *,ULONG *) | CRegKey | QueryValue | 1 | DWORD * |
+| (LPCTSTR,DWORD *,void *,ULONG *) | CRegKey | QueryValue | 2 | void * |
+| (LPCTSTR,DWORD *,void *,ULONG *) | CRegKey | QueryValue | 3 | ULONG * |
+| (LPTSTR,LPCTSTR,DWORD *) | CRegKey | QueryValue | 0 | LPTSTR |
+| (LPTSTR,LPCTSTR,DWORD *) | CRegKey | QueryValue | 1 | LPCTSTR |
+| (LPTSTR,LPCTSTR,DWORD *) | CRegKey | QueryValue | 2 | DWORD * |
+| (UINT) | CComBSTR | LoadString | 0 | UINT |
+| (UINT) | _U_STRINGorID | _U_STRINGorID | 0 | UINT |
+| (char) | CComBSTR | Append | 0 | char |
+| (const CComBSTR &) | CComBSTR | Append | 0 | const CComBSTR & |
+| (const CComBSTR &) | CComBSTR | CComBSTR | 0 | const CComBSTR & |
+| (const CComSafeArray &) | CComSafeArray | CComSafeArray | 0 | const CComSafeArray & |
+| (const CComSafeArray &) | CComSafeArray | operator= | 0 | const CComSafeArray & |
+| (const SAFEARRAY &) | CComSafeArray | CComSafeArray | 0 | const SAFEARRAY & |
+| (const SAFEARRAY *) | CComSafeArray | Add | 0 | const SAFEARRAY * |
+| (const SAFEARRAY *) | CComSafeArray | CComSafeArray | 0 | const SAFEARRAY * |
+| (const SAFEARRAY *) | CComSafeArray | operator= | 0 | const SAFEARRAY * |
+| (const T &,BOOL) | CComSafeArray<T> | Add | 0 | const class:0 & |
+| (const T &,BOOL) | CComSafeArray<T> | Add | 1 | BOOL |
 | (const deque &) | deque | deque | 0 | const deque & |
 | (const deque &,const Allocator &) | deque<T,Allocator> | deque | 0 | const deque & |
 | (const deque &,const Allocator &) | deque<T,Allocator> | deque | 1 | const class:1 & |
@@ -348,6 +480,10 @@ getSignatureParameterName
 | (forward_list &&) | forward_list | forward_list | 0 | forward_list && |
 | (forward_list &&,const Allocator &) | forward_list<T,Allocator> | forward_list | 0 | forward_list && |
 | (forward_list &&,const Allocator &) | forward_list<T,Allocator> | forward_list | 1 | const class:1 & |
+| (int,LPCOLESTR) | CComBSTR | CComBSTR | 0 | int |
+| (int,LPCOLESTR) | CComBSTR | CComBSTR | 1 | LPCOLESTR |
+| (int,LPCSTR) | CComBSTR | CComBSTR | 0 | int |
+| (int,LPCSTR) | CComBSTR | CComBSTR | 1 | LPCSTR |
 | (list &&) | list | list | 0 | list && |
 | (list &&,const Allocator &) | list<T,Allocator> | list | 0 | list && |
 | (list &&,const Allocator &) | list<T,Allocator> | list | 1 | const class:1 & |
@@ -374,11 +510,294 @@ getSignatureParameterName
 | (vector &&) | vector | vector | 0 | vector && |
 | (vector &&,const Allocator &) | vector<T,Allocator> | vector | 0 | vector && |
 | (vector &&,const Allocator &) | vector<T,Allocator> | vector | 1 | const class:1 & |
+| (wchar_t) | CComBSTR | Append | 0 | wchar_t |
 getParameterTypeName
+| arrayassignment.cpp:3:6:3:9 | sink | 0 | int |
+| arrayassignment.cpp:4:6:4:9 | sink | 0 | MyInt |
+| arrayassignment.cpp:5:6:5:9 | sink | 0 | MyArray |
+| arrayassignment.cpp:37:7:37:7 | MyInt | 0 | const MyInt & |
+| arrayassignment.cpp:44:9:44:17 | operator= | 0 | const int & |
+| arrayassignment.cpp:45:9:45:17 | operator= | 0 | const MyInt & |
+| arrayassignment.cpp:83:7:83:7 | MyArray | 0 | MyArray && |
+| arrayassignment.cpp:83:7:83:7 | MyArray | 0 | const MyArray & |
+| arrayassignment.cpp:83:7:83:7 | operator= | 0 | MyArray && |
+| arrayassignment.cpp:83:7:83:7 | operator= | 0 | const MyArray & |
+| arrayassignment.cpp:88:7:88:9 | get | 0 | int |
+| arrayassignment.cpp:90:7:90:16 | operator[] | 0 | int |
+| arrayassignment.cpp:124:6:124:9 | sink | 0 | int * |
+| atl.cpp:28:8:28:8 | operator= | 0 | __POSITION && |
+| atl.cpp:28:8:28:8 | operator= | 0 | const __POSITION & |
+| atl.cpp:50:16:50:16 | operator= | 0 | const tagSAFEARRAYBOUND & |
+| atl.cpp:50:16:50:16 | operator= | 0 | tagSAFEARRAYBOUND && |
+| atl.cpp:55:16:55:16 | operator= | 0 | const tagVARIANT & |
+| atl.cpp:55:16:55:16 | operator= | 0 | tagVARIANT && |
+| atl.cpp:59:16:59:16 | operator= | 0 | const tagSAFEARRAY & |
+| atl.cpp:59:16:59:16 | operator= | 0 | tagSAFEARRAY && |
+| atl.cpp:68:8:68:8 | _U_STRINGorID | 0 | _U_STRINGorID && |
+| atl.cpp:68:8:68:8 | _U_STRINGorID | 0 | const _U_STRINGorID & |
+| atl.cpp:68:8:68:8 | operator= | 0 | _U_STRINGorID && |
+| atl.cpp:68:8:68:8 | operator= | 0 | const _U_STRINGorID & |
+| atl.cpp:69:3:69:15 | _U_STRINGorID | 0 | UINT |
+| atl.cpp:70:3:70:15 | _U_STRINGorID | 0 | LPCTSTR |
+| atl.cpp:194:10:194:12 | Add | 0 | INARGTYPclass:0 |
+| atl.cpp:196:10:196:15 | Append | 0 | const CAtlArray & |
+| atl.cpp:197:8:197:11 | Copy | 0 | const CAtlArray & |
+| atl.cpp:199:6:199:10 | GetAt | 0 | size_t |
+| atl.cpp:203:8:203:20 | InsertArrayAt | 0 | size_t |
+| atl.cpp:203:8:203:20 | InsertArrayAt | 1 | const CAtlArray * |
+| atl.cpp:204:8:204:15 | InsertAt | 0 | size_t |
+| atl.cpp:204:8:204:15 | InsertAt | 1 | INARGTYPclass:0 |
+| atl.cpp:204:8:204:15 | InsertAt | 2 | size_t |
+| atl.cpp:209:8:209:16 | SetAtGrow | 0 | size_t |
+| atl.cpp:209:8:209:16 | SetAtGrow | 1 | INARGTYPclass:0 |
+| atl.cpp:211:6:211:15 | operator[] | 0 | size_t |
+| atl.cpp:257:3:257:10 | CAtlList | 0 | UINT |
+| atl.cpp:257:3:257:10 | CAtlList | 0 | UINT |
+| atl.cpp:260:12:260:18 | AddHead | 0 | INARGTYPclass:0 |
+| atl.cpp:260:12:260:18 | AddHead | 0 | INARGTYPclass:0 |
+| atl.cpp:261:8:261:18 | AddHeadList | 0 | const CAtlList * |
+| atl.cpp:261:8:261:18 | AddHeadList | 0 | const CAtlList * |
+| atl.cpp:263:12:263:18 | AddTail | 0 | INARGTYPclass:0 |
+| atl.cpp:263:12:263:18 | AddTail | 0 | INARGTYPclass:0 |
+| atl.cpp:264:8:264:18 | AddTailList | 0 | const CAtlList * |
+| atl.cpp:264:8:264:18 | AddTailList | 0 | const CAtlList * |
+| atl.cpp:265:12:265:15 | Find | 0 | INARGTYPclass:0 |
+| atl.cpp:265:12:265:15 | Find | 0 | INARGTYPclass:0 |
+| atl.cpp:265:12:265:15 | Find | 1 | POSITION |
+| atl.cpp:265:12:265:15 | Find | 1 | POSITION |
+| atl.cpp:266:12:266:20 | FindIndex | 0 | size_t |
+| atl.cpp:266:12:266:20 | FindIndex | 0 | size_t |
+| atl.cpp:267:6:267:10 | GetAt | 0 | POSITION |
+| atl.cpp:267:6:267:10 | GetAt | 0 | POSITION |
+| atl.cpp:280:12:280:22 | InsertAfter | 0 | POSITION |
+| atl.cpp:280:12:280:22 | InsertAfter | 0 | POSITION |
+| atl.cpp:280:12:280:22 | InsertAfter | 1 | INARGTYPclass:0 |
+| atl.cpp:280:12:280:22 | InsertAfter | 1 | INARGTYPclass:0 |
+| atl.cpp:281:12:281:23 | InsertBefore | 0 | POSITION |
+| atl.cpp:281:12:281:23 | InsertBefore | 0 | POSITION |
+| atl.cpp:281:12:281:23 | InsertBefore | 1 | INARGTYPclass:0 |
+| atl.cpp:281:12:281:23 | InsertBefore | 1 | INARGTYPclass:0 |
+| atl.cpp:291:8:291:12 | SetAt | 0 | POSITION |
+| atl.cpp:291:8:291:12 | SetAt | 0 | POSITION |
+| atl.cpp:291:8:291:12 | SetAt | 1 | INARGTYPclass:0 |
+| atl.cpp:291:8:291:12 | SetAt | 1 | INARGTYPclass:0 |
+| atl.cpp:401:8:401:8 | operator= | 0 | IUnknown && |
+| atl.cpp:401:8:401:8 | operator= | 0 | const IUnknown & |
+| atl.cpp:403:8:403:8 | operator= | 0 | ISequentialStream && |
+| atl.cpp:403:8:403:8 | operator= | 0 | const ISequentialStream & |
+| atl.cpp:405:8:405:8 | operator= | 0 | IStream && |
+| atl.cpp:405:8:405:8 | operator= | 0 | const IStream & |
+| atl.cpp:407:8:407:8 | operator= | 0 | const CComBSTR & |
+| atl.cpp:409:3:409:10 | CComBSTR | 0 | const CComBSTR & |
+| atl.cpp:410:3:410:10 | CComBSTR | 0 | int |
+| atl.cpp:411:3:411:10 | CComBSTR | 0 | int |
+| atl.cpp:411:3:411:10 | CComBSTR | 1 | LPCOLESTR |
+| atl.cpp:412:3:412:10 | CComBSTR | 0 | int |
+| atl.cpp:412:3:412:10 | CComBSTR | 1 | LPCSTR |
+| atl.cpp:413:3:413:10 | CComBSTR | 0 | LPCOLESTR |
+| atl.cpp:414:3:414:10 | CComBSTR | 0 | LPCSTR |
+| atl.cpp:415:3:415:10 | CComBSTR | 0 | CComBSTR && |
+| atl.cpp:418:11:418:16 | Append | 0 | const CComBSTR & |
+| atl.cpp:419:11:419:16 | Append | 0 | wchar_t |
+| atl.cpp:420:11:420:16 | Append | 0 | char |
+| atl.cpp:421:11:421:16 | Append | 0 | LPCOLESTR |
+| atl.cpp:422:11:422:16 | Append | 0 | LPCSTR |
+| atl.cpp:423:11:423:16 | Append | 0 | LPCOLESTR |
+| atl.cpp:423:11:423:16 | Append | 1 | int |
+| atl.cpp:424:11:424:20 | AppendBSTR | 0 | BSTR |
+| atl.cpp:425:11:425:21 | AppendBytes | 0 | const char * |
+| atl.cpp:425:11:425:21 | AppendBytes | 1 | int |
+| atl.cpp:426:11:426:21 | ArrayToBSTR | 0 | const SAFEARRAY * |
+| atl.cpp:427:11:427:20 | AssignBSTR | 0 | const BSTR |
+| atl.cpp:428:8:428:13 | Attach | 0 | BSTR |
+| atl.cpp:429:11:429:21 | BSTRToArray | 0 | LPSAFEARRAY * |
+| atl.cpp:432:11:432:16 | CopyTo | 0 | BSTR * |
+| atl.cpp:434:11:434:16 | CopyTo | 0 | VARIANT * |
+| atl.cpp:438:8:438:17 | LoadString | 0 | HINSTANCE |
+| atl.cpp:438:8:438:17 | LoadString | 1 | UINT |
+| atl.cpp:439:8:439:17 | LoadString | 0 | UINT |
+| atl.cpp:440:11:440:24 | ReadFromStream | 0 | IStream * |
+| atl.cpp:442:11:442:23 | WriteToStream | 0 | IStream * |
+| atl.cpp:447:13:447:22 | operator+= | 0 | const CComBSTR & |
+| atl.cpp:448:13:448:22 | operator+= | 0 | LPCOLESTR |
+| atl.cpp:538:3:538:15 | CComSafeArray | 0 | const SAFEARRAY * |
+| atl.cpp:542:11:542:13 | Add | 0 | const SAFEARRAY * |
+| atl.cpp:544:11:544:13 | Add | 0 | const class:0 & |
+| atl.cpp:544:11:544:13 | Add | 1 | BOOL |
+| atl.cpp:552:6:552:10 | GetAt | 0 | LONG |
+| atl.cpp:563:11:563:15 | SetAt | 0 | LONG |
+| atl.cpp:563:11:563:15 | SetAt | 1 | const class:0 & |
+| atl.cpp:563:11:563:15 | SetAt | 2 | BOOL |
+| atl.cpp:565:6:565:15 | operator[] | 0 | long |
+| atl.cpp:566:6:566:15 | operator[] | 0 | int |
+| atl.cpp:610:3:610:8 | CPathT | 0 | PCXSTR |
+| atl.cpp:611:3:611:8 | CPathT | 0 | const CPathT & |
+| atl.cpp:615:8:615:19 | AddExtension | 0 | PCXSTR |
+| atl.cpp:616:8:616:13 | Append | 0 | PCXSTR |
+| atl.cpp:619:8:619:14 | Combine | 0 | PCXSTR |
+| atl.cpp:619:8:619:14 | Combine | 1 | PCXSTR |
+| atl.cpp:620:22:620:33 | CommonPrefix | 0 | PCXSTR |
+| atl.cpp:657:23:657:32 | operator+= | 0 | PCXSTR |
+| atl.cpp:717:8:717:10 | Add | 0 | const class:0 & |
+| atl.cpp:718:7:718:10 | Find | 0 | const class:0 & |
+| atl.cpp:729:6:729:15 | operator[] | 0 | int |
+| atl.cpp:730:21:730:29 | operator= | 0 | const CSimpleArray & |
+| atl.cpp:763:8:763:10 | Add | 0 | const class:0 & |
+| atl.cpp:763:8:763:10 | Add | 1 | const class:1 & |
+| atl.cpp:764:7:764:13 | FindKey | 0 | const class:0 & |
+| atl.cpp:765:7:765:13 | FindVal | 0 | const class:1 & |
+| atl.cpp:768:9:768:18 | GetValueAt | 0 | int |
+| atl.cpp:769:8:769:13 | Lookup | 0 | const class:0 & |
+| atl.cpp:773:8:773:20 | ReverseLookup | 0 | const class:1 & |
+| atl.cpp:774:8:774:12 | SetAt | 0 | const class:0 & |
+| atl.cpp:774:8:774:12 | SetAt | 1 | const class:1 & |
+| atl.cpp:775:8:775:17 | SetAtIndex | 0 | int |
+| atl.cpp:775:8:775:17 | SetAtIndex | 1 | const class:0 & |
+| atl.cpp:775:8:775:17 | SetAtIndex | 2 | const class:1 & |
+| atl.cpp:814:9:814:17 | operator= | 0 | const CUrl & |
+| atl.cpp:816:3:816:6 | CUrl | 0 | const CUrl & |
+| atl.cpp:819:15:819:26 | Canonicalize | 0 | DWORD |
+| atl.cpp:822:8:822:15 | CrackUrl | 0 | LPCTSTR |
+| atl.cpp:822:8:822:15 | CrackUrl | 1 | DWORD |
+| atl.cpp:823:15:823:23 | CreateUrl | 0 | LPTSTR |
+| atl.cpp:823:15:823:23 | CreateUrl | 1 | DWORD * |
+| atl.cpp:823:15:823:23 | CreateUrl | 2 | DWORD |
+| atl.cpp:840:15:840:26 | SetExtraInfo | 0 | LPCTSTR |
+| atl.cpp:841:15:841:25 | SetHostName | 0 | LPCTSTR |
+| atl.cpp:842:15:842:25 | SetPassword | 0 | LPCTSTR |
+| atl.cpp:843:15:843:27 | SetPortNumber | 0 | ATL_URL_PORT |
+| atl.cpp:844:15:844:23 | SetScheme | 0 | ATL_URL_SCHEME |
+| atl.cpp:845:15:845:27 | SetSchemeName | 0 | LPCTSTR |
+| atl.cpp:846:15:846:24 | SetUrlPath | 0 | LPCTSTR |
+| atl.cpp:847:15:847:25 | SetUserName | 0 | LPCTSTR |
+| bsd.cpp:6:8:6:8 | operator= | 0 | const sockaddr & |
+| bsd.cpp:6:8:6:8 | operator= | 0 | sockaddr && |
+| bsd.cpp:12:5:12:10 | accept | 0 | int |
+| bsd.cpp:12:5:12:10 | accept | 1 | sockaddr * |
+| bsd.cpp:12:5:12:10 | accept | 2 | int * |
+| bsd.cpp:14:6:14:9 | sink | 0 | sockaddr |
+| constructor_delegation.cpp:5:7:5:7 | MyValue | 0 | MyValue && |
+| constructor_delegation.cpp:5:7:5:7 | MyValue | 0 | const MyValue & |
+| constructor_delegation.cpp:5:7:5:7 | operator= | 0 | MyValue && |
+| constructor_delegation.cpp:5:7:5:7 | operator= | 0 | const MyValue & |
+| constructor_delegation.cpp:8:2:8:8 | MyValue | 0 | int |
+| constructor_delegation.cpp:9:2:9:8 | MyValue | 0 | int |
+| constructor_delegation.cpp:9:2:9:8 | MyValue | 1 | bool |
+| constructor_delegation.cpp:10:2:10:8 | MyValue | 0 | int |
+| constructor_delegation.cpp:10:2:10:8 | MyValue | 1 | int |
+| constructor_delegation.cpp:11:2:11:8 | MyValue | 0 | int |
+| constructor_delegation.cpp:11:2:11:8 | MyValue | 1 | bool |
+| constructor_delegation.cpp:11:2:11:8 | MyValue | 2 | bool |
+| constructor_delegation.cpp:16:7:16:7 | MyDerivedValue | 0 | MyDerivedValue && |
+| constructor_delegation.cpp:16:7:16:7 | MyDerivedValue | 0 | const MyDerivedValue & |
+| constructor_delegation.cpp:16:7:16:7 | operator= | 0 | MyDerivedValue && |
+| constructor_delegation.cpp:16:7:16:7 | operator= | 0 | const MyDerivedValue & |
+| constructor_delegation.cpp:19:2:19:15 | MyDerivedValue | 0 | bool |
+| constructor_delegation.cpp:19:2:19:15 | MyDerivedValue | 1 | int |
+| copyableclass.cpp:8:2:8:16 | MyCopyableClass | 0 | int |
+| copyableclass.cpp:9:2:9:16 | MyCopyableClass | 0 | const MyCopyableClass & |
+| copyableclass.cpp:10:19:10:27 | operator= | 0 | const MyCopyableClass & |
+| copyableclass_declonly.cpp:8:2:8:24 | MyCopyableClassDeclOnly | 0 | int |
+| copyableclass_declonly.cpp:9:2:9:24 | MyCopyableClassDeclOnly | 0 | const MyCopyableClassDeclOnly & |
+| copyableclass_declonly.cpp:10:27:10:35 | operator= | 0 | const MyCopyableClassDeclOnly & |
+| file://:0:0:0:0 | operator delete | 0 | void * |
+| file://:0:0:0:0 | operator new | 0 | unsigned long |
+| file://:0:0:0:0 | operator= | 0 | __va_list_tag && |
+| file://:0:0:0:0 | operator= | 0 | const __va_list_tag & |
+| format.cpp:3:16:3:16 | operator= | 0 | FILE && |
+| format.cpp:3:16:3:16 | operator= | 0 | const FILE & |
+| format.cpp:5:5:5:12 | snprintf | 0 | char * |
+| format.cpp:5:5:5:12 | snprintf | 1 | size_t |
+| format.cpp:5:5:5:12 | snprintf | 2 | const char * |
+| format.cpp:6:5:6:11 | sprintf | 0 | char * |
+| format.cpp:6:5:6:11 | sprintf | 1 | const char * |
+| format.cpp:7:5:7:12 | swprintf | 0 | wchar_t * |
+| format.cpp:7:5:7:12 | swprintf | 1 | size_t |
+| format.cpp:7:5:7:12 | swprintf | 2 | const wchar_t * |
+| format.cpp:14:5:14:13 | vsnprintf | 0 | char * |
+| format.cpp:14:5:14:13 | vsnprintf | 1 | size_t |
+| format.cpp:14:5:14:13 | vsnprintf | 2 | const char * |
+| format.cpp:14:5:14:13 | vsnprintf | 3 | va_list |
+| format.cpp:16:5:16:13 | mysprintf | 0 | char * |
+| format.cpp:16:5:16:13 | mysprintf | 1 | size_t |
+| format.cpp:16:5:16:13 | mysprintf | 2 | const char * |
+| format.cpp:28:5:28:10 | sscanf | 0 | const char * |
+| format.cpp:28:5:28:10 | sscanf | 1 | const char * |
+| format.cpp:142:8:142:13 | strlen | 0 | const char * |
+| format.cpp:143:8:143:13 | wcslen | 0 | const wchar_t * |
+| format.cpp:169:6:169:9 | test | 0 | format_string |
+| map.cpp:8:6:8:9 | sink | 0 | char * |
+| map.cpp:9:6:9:9 | sink | 0 | const char * |
+| map.cpp:10:6:10:9 | sink | 0 | bool |
+| map.cpp:11:6:11:9 | sink | 0 | pair |
+| map.cpp:12:6:12:9 | sink | 0 | map, allocator<pair<char *const, char *>>> |
+| map.cpp:13:6:13:9 | sink | 0 | iterator |
+| map.cpp:14:6:14:9 | sink | 0 | unordered_map, equal_to<char *>, allocator<pair<char *const, char *>>> |
+| map.cpp:15:6:15:9 | sink | 0 | iterator |
+| map.cpp:16:6:16:9 | sink | 0 | unordered_map, hash<char *>, equal_to<char *>, allocator<pair<char *const, pair<int, int>>>> |
+| map.cpp:17:6:17:9 | sink | 0 | iterator |
+| map.cpp:442:7:442:19 | indirect_sink | 0 | int * |
+| movableclass.cpp:5:7:5:7 | MyMovableClass | 0 | const MyMovableClass & |
+| movableclass.cpp:5:7:5:7 | operator= | 0 | const MyMovableClass & |
+| movableclass.cpp:8:2:8:15 | MyMovableClass | 0 | int |
+| movableclass.cpp:9:2:9:15 | MyMovableClass | 0 | MyMovableClass && |
+| movableclass.cpp:13:18:13:26 | operator= | 0 | MyMovableClass && |
+| set.cpp:8:6:8:9 | sink | 0 | char * |
+| set.cpp:9:6:9:9 | sink | 0 | set, allocator<char *>> |
+| set.cpp:10:6:10:9 | sink | 0 | iterator |
+| set.cpp:11:6:11:9 | sink | 0 | unordered_set, equal_to<char *>, allocator<char *>> |
+| set.cpp:12:6:12:9 | sink | 0 | iterator |
+| smart_pointer.cpp:4:6:4:9 | sink | 0 | int |
+| smart_pointer.cpp:5:6:5:9 | sink | 0 | int * |
 | smart_pointer.cpp:7:27:7:30 | sink | 0 | shared_ptr & |
 | smart_pointer.cpp:7:27:7:30 | sink | 0 | shared_ptr & |
 | smart_pointer.cpp:8:27:8:30 | sink | 0 | unique_ptr & |
 | smart_pointer.cpp:8:27:8:30 | sink | 0 | unique_ptr & |
+| smart_pointer.cpp:60:8:60:8 | operator= | 0 | A && |
+| smart_pointer.cpp:60:8:60:8 | operator= | 0 | const A & |
+| smart_pointer.cpp:70:6:70:14 | getNumber | 0 | shared_ptr |
+| smart_pointer.cpp:80:8:80:8 | operator= | 0 | B && |
+| smart_pointer.cpp:80:8:80:8 | operator= | 0 | const B & |
+| smart_pointer.cpp:86:6:86:24 | test_operator_arrow | 0 | unique_ptr |
+| smart_pointer.cpp:86:6:86:24 | test_operator_arrow | 1 | unique_ptr |
+| smart_pointer.cpp:97:6:97:12 | taint_x | 0 | A * |
+| smart_pointer.cpp:107:8:107:8 | C | 0 | C && |
+| smart_pointer.cpp:107:8:107:8 | C | 0 | const C & |
+| smart_pointer.cpp:107:8:107:8 | operator= | 0 | C && |
+| smart_pointer.cpp:107:8:107:8 | operator= | 0 | const C & |
+| smart_pointer.cpp:112:6:112:19 | taint_x_shared | 0 | shared_ptr |
+| smart_pointer.cpp:116:6:116:24 | taint_x_shared_cref | 0 | const shared_ptr & |
+| smart_pointer.cpp:120:6:120:18 | getNumberCRef | 0 | const shared_ptr & |
+| smart_pointer.cpp:124:5:124:27 | nested_shared_ptr_taint | 0 | shared_ptr |
+| smart_pointer.cpp:124:5:124:27 | nested_shared_ptr_taint | 1 | unique_ptr> |
+| smart_pointer.cpp:132:5:132:32 | nested_shared_ptr_taint_cref | 0 | shared_ptr |
+| smart_pointer.cpp:132:5:132:32 | nested_shared_ptr_taint_cref | 1 | unique_ptr> |
+| standalone_iterators.cpp:5:6:5:9 | sink | 0 | int |
+| standalone_iterators.cpp:7:7:7:7 | operator= | 0 | const int_iterator_by_typedefs & |
+| standalone_iterators.cpp:7:7:7:7 | operator= | 0 | int_iterator_by_typedefs && |
+| standalone_iterators.cpp:16:30:16:39 | operator++ | 0 | int |
+| standalone_iterators.cpp:20:7:20:7 | operator= | 0 | const int_iterator_by_trait & |
+| standalone_iterators.cpp:20:7:20:7 | operator= | 0 | int_iterator_by_trait && |
+| standalone_iterators.cpp:23:27:23:36 | operator++ | 0 | int |
+| standalone_iterators.cpp:36:7:36:7 | operator= | 0 | const non_iterator & |
+| standalone_iterators.cpp:36:7:36:7 | operator= | 0 | non_iterator && |
+| standalone_iterators.cpp:39:18:39:27 | operator++ | 0 | int |
+| standalone_iterators.cpp:43:6:43:18 | test_typedefs | 0 | int_iterator_by_typedefs |
+| standalone_iterators.cpp:49:6:49:15 | test_trait | 0 | int_iterator_by_trait |
+| standalone_iterators.cpp:55:6:55:22 | test_non_iterator | 0 | non_iterator |
+| standalone_iterators.cpp:63:7:63:7 | operator= | 0 | const insert_iterator_by_trait & |
+| standalone_iterators.cpp:63:7:63:7 | operator= | 0 | insert_iterator_by_trait && |
+| standalone_iterators.cpp:66:30:66:39 | operator++ | 0 | int |
+| standalone_iterators.cpp:68:30:68:39 | operator-- | 0 | int |
+| standalone_iterators.cpp:70:31:70:39 | operator= | 0 | int |
+| standalone_iterators.cpp:82:7:82:7 | container | 0 | const container & |
+| standalone_iterators.cpp:82:7:82:7 | container | 0 | container && |
+| standalone_iterators.cpp:82:7:82:7 | operator= | 0 | const container & |
+| standalone_iterators.cpp:82:7:82:7 | operator= | 0 | container && |
+| standalone_iterators.cpp:88:6:88:9 | sink | 0 | container |
+| standalone_iterators.cpp:102:6:102:9 | sink | 0 | insert_iterator_by_trait |
+| standalone_iterators.cpp:103:27:103:36 | operator+= | 0 | insert_iterator_by_trait & |
+| standalone_iterators.cpp:103:27:103:36 | operator+= | 1 | int |
 | stl.h:29:34:29:40 | forward | 0 | remove_reference_t & |
 | stl.h:29:34:29:40 | forward | 0 | remove_reference_t & |
 | stl.h:29:34:29:40 | forward | 0 | remove_reference_t & |
@@ -409,6 +828,16 @@ getParameterTypeName
 | stl.h:61:13:61:22 | operator+= | 0 | int |
 | stl.h:62:13:62:22 | operator-= | 0 | int |
 | stl.h:64:18:64:27 | operator[] | 0 | int |
+| stl.h:67:9:67:9 | operator= | 0 | const input_iterator_tag & |
+| stl.h:67:9:67:9 | operator= | 0 | input_iterator_tag && |
+| stl.h:68:9:68:9 | operator= | 0 | const forward_iterator_tag & |
+| stl.h:68:9:68:9 | operator= | 0 | forward_iterator_tag && |
+| stl.h:69:9:69:9 | operator= | 0 | bidirectional_iterator_tag && |
+| stl.h:69:9:69:9 | operator= | 0 | const bidirectional_iterator_tag & |
+| stl.h:70:9:70:9 | operator= | 0 | const random_access_iterator_tag & |
+| stl.h:70:9:70:9 | operator= | 0 | random_access_iterator_tag && |
+| stl.h:72:9:72:9 | operator= | 0 | const output_iterator_tag & |
+| stl.h:72:9:72:9 | operator= | 0 | output_iterator_tag && |
 | stl.h:86:22:86:41 | back_insert_iterator | 0 | class:0 & |
 | stl.h:86:22:86:41 | back_insert_iterator | 0 | class:0 & |
 | stl.h:88:25:88:33 | operator= | 0 | value_type && |
@@ -733,12 +1162,262 @@ getParameterTypeName
 | stl.h:678:33:678:38 | format | 1 | func:0 && |
 | stl.h:683:6:683:48 | same_signature_as_format_but_different_name | 0 | format_string |
 | stl.h:683:6:683:48 | same_signature_as_format_but_different_name | 1 | func:0 && |
+| string.cpp:17:6:17:9 | sink | 0 | const char * |
+| string.cpp:18:6:18:9 | sink | 0 | const string & |
+| string.cpp:19:6:19:9 | sink | 0 | const char * |
+| string.cpp:19:6:19:9 | sink | 1 | const char * |
+| string.cpp:20:6:20:9 | sink | 0 | char |
+| string.cpp:21:6:21:9 | sink | 0 | iterator |
+| stringstream.cpp:13:6:13:9 | sink | 0 | int |
+| stringstream.cpp:15:6:15:9 | sink | 0 | const string & |
 | stringstream.cpp:18:6:18:9 | sink | 0 | const basic_ostream> & |
 | stringstream.cpp:21:6:21:9 | sink | 0 | const basic_istream> & |
 | stringstream.cpp:24:6:24:9 | sink | 0 | const basic_iostream> & |
+| stringstream.cpp:26:6:26:29 | test_stringstream_string | 0 | int |
+| stringstream.cpp:70:6:70:26 | test_stringstream_int | 0 | int |
+| structlikeclass.cpp:5:7:5:7 | StructLikeClass | 0 | StructLikeClass && |
+| structlikeclass.cpp:5:7:5:7 | StructLikeClass | 0 | const StructLikeClass & |
+| structlikeclass.cpp:5:7:5:7 | operator= | 0 | StructLikeClass && |
+| structlikeclass.cpp:5:7:5:7 | operator= | 0 | const StructLikeClass & |
+| structlikeclass.cpp:8:2:8:16 | StructLikeClass | 0 | int |
 | swap1.cpp:14:9:14:9 | move | 0 | func:0 & |
+| swap1.cpp:24:9:24:13 | Class | 0 | Class && |
+| swap1.cpp:25:9:25:13 | Class | 0 | const Class & |
+| swap1.cpp:27:16:27:24 | operator= | 0 | const Class & |
+| swap1.cpp:34:16:34:24 | operator= | 0 | Class && |
+| swap1.cpp:40:16:40:26 | copy_assign | 0 | const Class & |
+| swap1.cpp:47:16:47:26 | move_assign | 0 | Class && |
+| swap1.cpp:53:14:53:17 | swap | 0 | Class & |
+| swap1.cpp:61:10:61:13 | swap | 0 | Class & |
+| swap1.cpp:61:10:61:13 | swap | 1 | Class & |
 | swap2.cpp:14:9:14:9 | move | 0 | func:0 & |
+| swap2.cpp:24:9:24:13 | Class | 0 | Class && |
+| swap2.cpp:25:9:25:13 | Class | 0 | const Class & |
+| swap2.cpp:27:16:27:24 | operator= | 0 | const Class & |
+| swap2.cpp:34:16:34:24 | operator= | 0 | Class && |
+| swap2.cpp:40:16:40:26 | copy_assign | 0 | const Class & |
+| swap2.cpp:47:16:47:26 | move_assign | 0 | Class && |
+| swap2.cpp:53:14:53:17 | swap | 0 | Class & |
+| swap2.cpp:61:10:61:13 | swap | 0 | Class & |
+| swap2.cpp:61:10:61:13 | swap | 1 | Class & |
 | swap.h:4:20:4:23 | swap | 0 | func:0 & |
 | swap.h:4:20:4:23 | swap | 1 | func:0 & |
+| taint.cpp:4:6:4:21 | arithAssignments | 0 | int |
+| taint.cpp:4:6:4:21 | arithAssignments | 1 | int |
+| taint.cpp:22:5:22:13 | increment | 0 | int |
+| taint.cpp:23:5:23:8 | zero | 0 | int |
+| taint.cpp:69:7:69:7 | MyClass | 0 | MyClass && |
+| taint.cpp:69:7:69:7 | MyClass | 0 | const MyClass & |
+| taint.cpp:69:7:69:7 | operator= | 0 | MyClass && |
+| taint.cpp:69:7:69:7 | operator= | 0 | const MyClass & |
+| taint.cpp:100:6:100:15 | array_test | 0 | int |
+| taint.cpp:142:5:142:10 | select | 0 | int |
+| taint.cpp:142:5:142:10 | select | 1 | int |
+| taint.cpp:142:5:142:10 | select | 2 | int |
+| taint.cpp:150:6:150:12 | fn_test | 0 | int |
+| taint.cpp:156:7:156:12 | strcpy | 0 | char * |
+| taint.cpp:156:7:156:12 | strcpy | 1 | const char * |
+| taint.cpp:157:7:157:12 | strcat | 0 | char * |
+| taint.cpp:157:7:157:12 | strcat | 1 | const char * |
+| taint.cpp:180:7:180:12 | callee | 0 | int * |
+| taint.cpp:190:7:190:12 | memcpy | 0 | void * |
+| taint.cpp:190:7:190:12 | memcpy | 1 | void * |
+| taint.cpp:190:7:190:12 | memcpy | 2 | int |
+| taint.cpp:192:6:192:16 | test_memcpy | 0 | int * |
+| taint.cpp:228:11:228:11 | (unnamed constructor) | 0 | const lambda [] type at line 233, col. 11 & |
+| taint.cpp:228:11:228:11 | (unnamed constructor) | 0 | lambda [] type at line 233, col. 11 && |
+| taint.cpp:228:11:228:11 | operator= | 0 | const lambda [] type at line 233, col. 11 & |
+| taint.cpp:235:11:235:11 | (unnamed constructor) | 0 | const lambda [] type at line 240, col. 11 & |
+| taint.cpp:235:11:235:11 | (unnamed constructor) | 0 | lambda [] type at line 240, col. 11 && |
+| taint.cpp:235:11:235:11 | operator= | 0 | const lambda [] type at line 240, col. 11 & |
+| taint.cpp:243:11:243:11 | (unnamed constructor) | 0 | const lambda [] type at line 248, col. 11 & |
+| taint.cpp:243:11:243:11 | (unnamed constructor) | 0 | lambda [] type at line 248, col. 11 && |
+| taint.cpp:243:11:243:11 | operator= | 0 | const lambda [] type at line 248, col. 11 & |
+| taint.cpp:249:11:249:11 | (unnamed constructor) | 0 | const lambda [] type at line 254, col. 11 & |
+| taint.cpp:249:11:249:11 | (unnamed constructor) | 0 | lambda [] type at line 254, col. 11 && |
+| taint.cpp:249:11:249:11 | operator= | 0 | const lambda [] type at line 254, col. 11 & |
+| taint.cpp:249:13:249:13 | _FUN | 0 | int |
+| taint.cpp:249:13:249:13 | _FUN | 1 | int |
+| taint.cpp:249:13:249:13 | operator() | 0 | int |
+| taint.cpp:249:13:249:13 | operator() | 1 | int |
+| taint.cpp:255:11:255:11 | (unnamed constructor) | 0 | const lambda [] type at line 260, col. 11 & |
+| taint.cpp:255:11:255:11 | (unnamed constructor) | 0 | lambda [] type at line 260, col. 11 && |
+| taint.cpp:255:11:255:11 | operator= | 0 | const lambda [] type at line 260, col. 11 & |
+| taint.cpp:255:13:255:13 | _FUN | 0 | int & |
+| taint.cpp:255:13:255:13 | _FUN | 1 | int & |
+| taint.cpp:255:13:255:13 | _FUN | 2 | int & |
+| taint.cpp:255:13:255:13 | operator() | 0 | int & |
+| taint.cpp:255:13:255:13 | operator() | 1 | int & |
+| taint.cpp:255:13:255:13 | operator() | 2 | int & |
+| taint.cpp:266:5:266:6 | id | 0 | int |
+| taint.cpp:297:6:297:14 | myAssign1 | 0 | int & |
+| taint.cpp:297:6:297:14 | myAssign1 | 1 | int & |
+| taint.cpp:302:6:302:14 | myAssign2 | 0 | int & |
+| taint.cpp:302:6:302:14 | myAssign2 | 1 | int |
+| taint.cpp:307:6:307:14 | myAssign3 | 0 | int * |
+| taint.cpp:307:6:307:14 | myAssign3 | 1 | int |
+| taint.cpp:312:6:312:14 | myAssign4 | 0 | int * |
+| taint.cpp:312:6:312:14 | myAssign4 | 1 | int |
+| taint.cpp:320:6:320:16 | myNotAssign | 0 | int & |
+| taint.cpp:320:6:320:16 | myNotAssign | 1 | int & |
+| taint.cpp:361:7:361:12 | strdup | 0 | const char * |
+| taint.cpp:362:7:362:13 | strndup | 0 | const char * |
+| taint.cpp:362:7:362:13 | strndup | 1 | size_t |
+| taint.cpp:363:10:363:15 | wcsdup | 0 | const wchar_t * |
+| taint.cpp:364:7:364:13 | strdupa | 0 | const char * |
+| taint.cpp:365:7:365:14 | strndupa | 0 | const char * |
+| taint.cpp:365:7:365:14 | strndupa | 1 | size_t |
+| taint.cpp:367:6:367:16 | test_strdup | 0 | char * |
+| taint.cpp:379:6:379:17 | test_strndup | 0 | int |
+| taint.cpp:387:6:387:16 | test_wcsdup | 0 | wchar_t * |
+| taint.cpp:397:6:397:17 | test_strdupa | 0 | char * |
+| taint.cpp:409:6:409:18 | test_strndupa | 0 | int |
+| taint.cpp:419:7:419:7 | MyClass2 | 0 | MyClass2 && |
+| taint.cpp:419:7:419:7 | MyClass2 | 0 | const MyClass2 & |
+| taint.cpp:419:7:419:7 | operator= | 0 | MyClass2 && |
+| taint.cpp:419:7:419:7 | operator= | 0 | const MyClass2 & |
+| taint.cpp:421:2:421:9 | MyClass2 | 0 | int |
+| taint.cpp:422:7:422:15 | setMember | 0 | int |
+| taint.cpp:428:7:428:7 | MyClass3 | 0 | MyClass3 && |
+| taint.cpp:428:7:428:7 | MyClass3 | 0 | const MyClass3 & |
+| taint.cpp:428:7:428:7 | operator= | 0 | MyClass3 && |
+| taint.cpp:428:7:428:7 | operator= | 0 | const MyClass3 & |
+| taint.cpp:430:2:430:9 | MyClass3 | 0 | const char * |
+| taint.cpp:431:7:431:15 | setString | 0 | const char * |
+| taint.cpp:474:6:474:9 | swop | 0 | int & |
+| taint.cpp:474:6:474:9 | swop | 1 | int & |
+| taint.cpp:500:5:500:12 | getdelim | 0 | char ** |
+| taint.cpp:500:5:500:12 | getdelim | 1 | size_t * |
+| taint.cpp:500:5:500:12 | getdelim | 2 | int |
+| taint.cpp:500:5:500:12 | getdelim | 3 | FILE * |
+| taint.cpp:502:6:502:18 | test_getdelim | 0 | FILE * |
+| taint.cpp:512:7:512:12 | strtok | 0 | char * |
+| taint.cpp:512:7:512:12 | strtok | 1 | const char * |
+| taint.cpp:514:6:514:16 | test_strtok | 0 | char * |
+| taint.cpp:523:7:523:13 | _strset | 0 | char * |
+| taint.cpp:523:7:523:13 | _strset | 1 | int |
+| taint.cpp:525:6:525:18 | test_strset_1 | 0 | char * |
+| taint.cpp:525:6:525:18 | test_strset_1 | 1 | char |
+| taint.cpp:531:6:531:18 | test_strset_2 | 0 | char * |
+| taint.cpp:538:7:538:13 | mempcpy | 0 | void * |
+| taint.cpp:538:7:538:13 | mempcpy | 1 | const void * |
+| taint.cpp:538:7:538:13 | mempcpy | 2 | size_t |
+| taint.cpp:540:6:540:17 | test_mempcpy | 0 | int * |
+| taint.cpp:548:7:548:13 | memccpy | 0 | void * |
+| taint.cpp:548:7:548:13 | memccpy | 1 | const void * |
+| taint.cpp:548:7:548:13 | memccpy | 2 | int |
+| taint.cpp:548:7:548:13 | memccpy | 3 | size_t |
+| taint.cpp:550:6:550:17 | test_memccpy | 0 | int * |
+| taint.cpp:558:7:558:12 | strcat | 0 | char * |
+| taint.cpp:558:7:558:12 | strcat | 1 | const char * |
+| taint.cpp:560:6:560:16 | test_strcat | 0 | char * |
+| taint.cpp:560:6:560:16 | test_strcat | 1 | char * |
+| taint.cpp:560:6:560:16 | test_strcat | 2 | char * |
+| taint.cpp:560:6:560:16 | test_strcat | 3 | char * |
+| taint.cpp:570:16:570:25 | _mbsncat_l | 0 | unsigned char * |
+| taint.cpp:570:16:570:25 | _mbsncat_l | 1 | const unsigned char * |
+| taint.cpp:570:16:570:25 | _mbsncat_l | 2 | int |
+| taint.cpp:570:16:570:25 | _mbsncat_l | 3 | _locale_t |
+| taint.cpp:572:6:572:20 | test__mbsncat_l | 0 | unsigned char * |
+| taint.cpp:572:6:572:20 | test__mbsncat_l | 1 | const unsigned char * |
+| taint.cpp:572:6:572:20 | test__mbsncat_l | 2 | unsigned char * |
+| taint.cpp:572:6:572:20 | test__mbsncat_l | 3 | _locale_t |
+| taint.cpp:572:6:572:20 | test__mbsncat_l | 4 | _locale_t |
+| taint.cpp:572:6:572:20 | test__mbsncat_l | 5 | int |
+| taint.cpp:589:7:589:12 | strsep | 0 | char ** |
+| taint.cpp:589:7:589:12 | strsep | 1 | const char * |
+| taint.cpp:591:6:591:16 | test_strsep | 0 | char * |
+| taint.cpp:602:7:602:13 | _strinc | 0 | const char * |
+| taint.cpp:602:7:602:13 | _strinc | 1 | _locale_t |
+| taint.cpp:603:16:603:22 | _mbsinc | 0 | const unsigned char * |
+| taint.cpp:604:16:604:22 | _strdec | 0 | const unsigned char * |
+| taint.cpp:604:16:604:22 | _strdec | 1 | const unsigned char * |
+| taint.cpp:606:6:606:17 | test__strinc | 0 | char * |
+| taint.cpp:606:6:606:17 | test__strinc | 1 | char * |
+| taint.cpp:606:6:606:17 | test__strinc | 2 | char * |
+| taint.cpp:606:6:606:17 | test__strinc | 3 | char * |
+| taint.cpp:606:6:606:17 | test__strinc | 4 | _locale_t |
+| taint.cpp:616:6:616:17 | test__mbsinc | 0 | unsigned char * |
+| taint.cpp:616:6:616:17 | test__mbsinc | 1 | char * |
+| taint.cpp:616:6:616:17 | test__mbsinc | 2 | unsigned char * |
+| taint.cpp:616:6:616:17 | test__mbsinc | 3 | char * |
+| taint.cpp:626:6:626:17 | test__strdec | 0 | const unsigned char * |
+| taint.cpp:626:6:626:17 | test__strdec | 1 | unsigned char * |
+| taint.cpp:626:6:626:17 | test__strdec | 2 | unsigned char * |
+| taint.cpp:626:6:626:17 | test__strdec | 3 | unsigned char * |
+| taint.cpp:626:6:626:17 | test__strdec | 4 | unsigned char * |
+| taint.cpp:645:14:645:22 | _strnextc | 0 | const char * |
+| taint.cpp:647:6:647:19 | test__strnextc | 0 | const char * |
+| taint.cpp:659:7:659:7 | operator= | 0 | C_no_const_member_function && |
+| taint.cpp:659:7:659:7 | operator= | 0 | const C_no_const_member_function & |
+| taint.cpp:665:6:665:25 | test_no_const_member | 0 | char * |
+| taint.cpp:671:7:671:7 | operator= | 0 | C_const_member_function && |
+| taint.cpp:671:7:671:7 | operator= | 0 | const C_const_member_function & |
+| taint.cpp:677:6:677:27 | test_with_const_member | 0 | char * |
+| taint.cpp:683:6:683:20 | argument_source | 0 | void * |
+| taint.cpp:685:8:685:8 | operator= | 0 | const two_members & |
+| taint.cpp:685:8:685:8 | operator= | 0 | two_members && |
+| taint.cpp:707:8:707:14 | strncpy | 0 | char * |
+| taint.cpp:707:8:707:14 | strncpy | 1 | const char * |
+| taint.cpp:707:8:707:14 | strncpy | 2 | unsigned long |
+| taint.cpp:709:6:709:17 | test_strncpy | 0 | char * |
+| taint.cpp:709:6:709:17 | test_strncpy | 1 | char * |
+| taint.cpp:725:10:725:15 | strtol | 0 | const char * |
+| taint.cpp:725:10:725:15 | strtol | 1 | char ** |
+| taint.cpp:725:10:725:15 | strtol | 2 | int |
+| taint.cpp:727:6:727:16 | test_strtol | 0 | char * |
+| taint.cpp:735:7:735:12 | malloc | 0 | size_t |
+| taint.cpp:736:7:736:13 | realloc | 0 | void * |
+| taint.cpp:736:7:736:13 | realloc | 1 | size_t |
+| taint.cpp:744:6:744:32 | test_realloc_2_indirections | 0 | int ** |
+| taint.cpp:751:9:751:9 | operator= | 0 | A && |
+| taint.cpp:751:9:751:9 | operator= | 0 | const A & |
+| taint.cpp:758:5:758:11 | sprintf | 0 | char * |
+| taint.cpp:758:5:758:11 | sprintf | 1 | const char * |
+| taint.cpp:760:6:760:23 | call_sprintf_twice | 0 | char * |
+| taint.cpp:760:6:760:23 | call_sprintf_twice | 1 | char * |
+| taint.cpp:771:8:771:8 | operator= | 0 | TaintInheritingContentObject && |
+| taint.cpp:771:8:771:8 | operator= | 0 | const TaintInheritingContentObject & |
+| taint.cpp:775:30:775:35 | source | 0 | bool |
+| taint.cpp:782:7:782:11 | fopen | 0 | const char * |
+| taint.cpp:782:7:782:11 | fopen | 1 | const char * |
+| taint.cpp:783:5:783:11 | fopen_s | 0 | FILE ** |
+| taint.cpp:783:5:783:11 | fopen_s | 1 | const char * |
+| taint.cpp:783:5:783:11 | fopen_s | 2 | const char * |
+| taint.cpp:785:6:785:15 | fopen_test | 0 | char * |
+| vector.cpp:13:6:13:9 | sink | 0 | int |
 | vector.cpp:14:27:14:30 | sink | 0 | vector> & |
 | vector.cpp:14:27:14:30 | sink | 0 | vector> & |
+| vector.cpp:16:6:16:37 | test_range_based_for_loop_vector | 0 | int |
+| vector.cpp:37:6:37:23 | test_element_taint | 0 | int |
+| vector.cpp:145:8:145:8 | operator= | 0 | MyPair && |
+| vector.cpp:145:8:145:8 | operator= | 0 | const MyPair & |
+| vector.cpp:150:8:150:8 | MyVectorContainer | 0 | const MyVectorContainer & |
+| vector.cpp:150:8:150:8 | operator= | 0 | MyVectorContainer && |
+| vector.cpp:150:8:150:8 | operator= | 0 | const MyVectorContainer & |
+| vector.cpp:216:6:216:9 | sink | 0 | iterator & |
+| vector.cpp:231:6:231:9 | sink | 0 | vector> & |
+| vector.cpp:232:6:232:9 | sink | 0 | vector> & |
+| vector.cpp:279:6:279:9 | sink | 0 | int * |
+| vector.cpp:295:6:295:9 | sink | 0 | iterator |
+| vector.cpp:329:6:329:33 | taint_vector_output_iterator | 0 | iterator |
+| vector.cpp:333:6:333:35 | vector_iterator_assign_wrapper | 0 | iterator |
+| vector.cpp:333:6:333:35 | vector_iterator_assign_wrapper | 1 | int |
+| vector.cpp:337:6:337:32 | test_vector_output_iterator | 0 | int |
+| vector.cpp:417:6:417:25 | test_vector_inserter | 0 | char * |
+| vector.cpp:454:7:454:12 | memcpy | 0 | void * |
+| vector.cpp:454:7:454:12 | memcpy | 1 | const void * |
+| vector.cpp:454:7:454:12 | memcpy | 2 | size_t |
+| vector.cpp:461:6:461:9 | sink | 0 | vector> & |
+| vector.cpp:462:6:462:9 | sink | 0 | string & |
+| zmq.cpp:9:8:9:8 | operator= | 0 | const zmq_msg_t & |
+| zmq.cpp:9:8:9:8 | operator= | 0 | zmq_msg_t && |
+| zmq.cpp:14:5:14:21 | zmq_msg_init_data | 0 | zmq_msg_t * |
+| zmq.cpp:14:5:14:21 | zmq_msg_init_data | 1 | void * |
+| zmq.cpp:14:5:14:21 | zmq_msg_init_data | 2 | size_t |
+| zmq.cpp:14:5:14:21 | zmq_msg_init_data | 3 | zmq_free_fn * |
+| zmq.cpp:14:5:14:21 | zmq_msg_init_data | 4 | void * |
+| zmq.cpp:15:7:15:18 | zmq_msg_data | 0 | zmq_msg_t * |
+| zmq.cpp:17:6:17:13 | test_zmc | 0 | void * |
+| zmq.cpp:17:6:17:13 | test_zmc | 1 | char * |
+| zmq.cpp:17:6:17:13 | test_zmc | 2 | size_t |

cpp/ql/test/library-tests/ir/ir/aliased_ir.expected

@@ -2490,7 +2490,7 @@ destructors_for_temps.cpp:
 #   47|     v47_6(void)                         = ^IndirectReadSideEffect[-1]            : &:r47_1, ~m47_5
 #   47|     m47_7(ClassWithDestructor2)         = ^IndirectMayWriteSideEffect[-1]        : &:r47_1
 #   47|     m47_8(unknown)                      = Chi                                    : total:m47_5, partial:m47_7
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   47|   Block 4
 #   47|     v47_9(void)                         = NoOp                                   : 
@@ -2574,7 +2574,7 @@ destructors_for_temps.cpp:
 #   52|     v52_6(void)                         = ^IndirectReadSideEffect[-1]            : &:r52_1, ~m52_5
 #   52|     m52_7(ClassWithDestructor2)         = ^IndirectMayWriteSideEffect[-1]        : &:r52_1
 #   52|     m52_8(unknown)                      = Chi                                    : total:m52_5, partial:m52_7
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   51|   Block 4
 #   51|     r51_32(glval<ClassWithDestructor2>) = VariableAddress[#temp51:75]            : 
@@ -2656,7 +2656,7 @@ destructors_for_temps.cpp:
 #   55|     m55_29(ClassWithConstructor)        = ^IndirectMayWriteSideEffect[-1]       : &:r55_5
 #   55|     m55_30(unknown)                     = Chi                                   : total:m55_28, partial:m55_29
 #   55|     v55_31(void)                        = ThrowValue                            : &:r55_5, ~m55_30
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   55|   Block 4
 #   55|     r55_32(glval<ClassWithDestructor2>) = VariableAddress[#temp55:75]           : 
@@ -2721,7 +2721,7 @@ destructors_for_temps.cpp:
 #   59|     m59_20(unknown)                    = Chi                                   : total:m59_17, partial:m59_19
 #   59|     m59_21(char)                       = Store[#throw59:9]                     : &:r59_4, r59_15
 #   59|     v59_22(void)                       = ThrowValue                            : &:r59_4, m59_21
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   59|   Block 4
 #   59|     r59_23(char)        = Constant[97]               : 
@@ -3120,7 +3120,7 @@ ir.c:
 #   25|     v25_4(void)           = Call[ExRaiseAccessViolation]            : func:r25_1, 0:r25_3
 #   25|     m25_5(unknown)        = ^CallSideEffect                         : ~m21_4
 #   25|     m25_6(unknown)        = Chi                                     : total:m21_4, partial:m25_5
-#-----|   Exception -> Block 3
+#-----|   C++ Exception -> Block 3
 
 #   26|   Block 1
 #   26|     r26_1(int)  = Constant[0]       : 
@@ -3167,7 +3167,7 @@ ir.c:
 #   36|     v36_3(void)           = Call[ExRaiseAccessViolation]            : func:r36_1, 0:r36_2
 #   36|     m36_4(unknown)        = ^CallSideEffect                         : ~m32_4
 #   36|     m36_5(unknown)        = Chi                                     : total:m32_4, partial:m36_4
-#-----|   Exception -> Block 4
+#-----|   C++ Exception -> Block 4
 
 #   32|   Block 1
 #   32|     v32_5(void) = Unwind       : 
@@ -3202,7 +3202,7 @@ ir.c:
 #   40|     v40_3(void)           = Call[ExRaiseAccessViolation]            : func:r40_1, 0:r40_2
 #   40|     m40_4(unknown)        = ^CallSideEffect                         : ~m36_5
 #   40|     m40_5(unknown)        = Chi                                     : total:m36_5, partial:m40_4
-#-----|   Exception -> Block 1
+#-----|   C++ Exception -> Block 1
 
 #   32|   Block 6
 #   32|     v32_8(void) = Unreached : 
@@ -3241,7 +3241,7 @@ ir.c:
 #   62|     v62_3(void)           = Call[ExRaiseAccessViolation]            : func:r62_1, 0:r62_2
 #   62|     m62_4(unknown)        = ^CallSideEffect                         : ~m57_4
 #   62|     m62_5(unknown)        = Chi                                     : total:m57_4, partial:m62_4
-#-----|   Exception -> Block 1
+#-----|   C++ Exception -> Block 1
 
 #   66|   Block 1
 #   66|     r66_1(int)        = Constant[1]        : 
@@ -3263,7 +3263,7 @@ ir.c:
 #   73|     v73_3(void)           = Call[ExRaiseAccessViolation]            : func:r73_1, 0:r73_2
 #   73|     m73_4(unknown)        = ^CallSideEffect                         : ~m70_4
 #   73|     m73_5(unknown)        = Chi                                     : total:m70_4, partial:m73_4
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   70|   Block 1
 #   70|     v70_5(void) = Unwind       : 
@@ -3276,7 +3276,7 @@ ir.c:
 #   76|     v76_3(void)           = Call[ExRaiseAccessViolation]            : func:r76_1, 0:r76_2
 #   76|     m76_4(unknown)        = ^CallSideEffect                         : ~m73_5
 #   76|     m76_5(unknown)        = Chi                                     : total:m73_5, partial:m76_4
-#-----|   Exception -> Block 1
+#-----|   C++ Exception -> Block 1
 
 #   80| void raise_access_violation()
 #   80|   Block 0
@@ -3289,7 +3289,7 @@ ir.c:
 #   81|     v81_3(void)           = Call[ExRaiseAccessViolation]            : func:r81_1, 0:r81_2
 #   81|     m81_4(unknown)        = ^CallSideEffect                         : ~m80_4
 #   81|     m81_5(unknown)        = Chi                                     : total:m80_4, partial:m81_4
-#-----|   Exception -> Block 1
+#-----|   C++ Exception -> Block 1
 
 #   80|   Block 1
 #   80|     v80_5(void) = Unwind       : 
@@ -6976,7 +6976,7 @@ ir.cpp:
 #  728|     r728_3(char *)          = Convert                          : r728_2
 #  728|     m728_4(char *)          = Store[#throw728:7]               : &:r728_1, r728_3
 #  728|     v728_5(void)            = ThrowValue                       : &:r728_1, m728_4
-#-----|   Exception -> Block 6
+#-----|   C++ Exception -> Block 6
 
 #  730|   Block 4
 #  730|     r730_1(glval<int>) = VariableAddress[x] : 
@@ -6995,7 +6995,7 @@ ir.cpp:
 
 #  735|   Block 6
 #  735|     v735_1(void) = CatchByType[const char *] : 
-#-----|   Exception -> Block 8
+#-----|   C++ Exception -> Block 8
 #-----|   Goto -> Block 7
 
 #  735|   Block 7
@@ -7017,11 +7017,11 @@ ir.cpp:
 #  736|     m736_11(String)        = ^IndirectMayWriteSideEffect[-1] : &:r736_1
 #  736|     m736_12(unknown)       = Chi                             : total:m736_9, partial:m736_11
 #  736|     v736_13(void)          = ThrowValue                      : &:r736_1, ~m736_12
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #  738|   Block 8
 #  738|     v738_1(void) = CatchByType[const String &] : 
-#-----|   Exception -> Block 10
+#-----|   C++ Exception -> Block 10
 #-----|   Goto -> Block 9
 
 #  738|   Block 9
@@ -7035,7 +7035,7 @@ ir.cpp:
 #  740|   Block 10
 #  740|     v740_1(void) = CatchAny : 
 #  741|     v741_1(void) = ReThrow  : 
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #  743|   Block 11
 #  743|     v743_1(void)  = NoOp       : 
@@ -9943,7 +9943,7 @@ ir.cpp:
 # 1195|     r1195_3(char *)          = Convert                          : r1195_2
 # 1195|     m1195_4(char *)          = Store[#throw1195:7]              : &:r1195_1, r1195_3
 # 1195|     v1195_5(void)            = ThrowValue                       : &:r1195_1, m1195_4
-#-----|   Exception -> Block 6
+#-----|   C++ Exception -> Block 6
 
 # 1197|   Block 4
 # 1197|     r1197_1(glval<int>) = VariableAddress[x] : 
@@ -9962,7 +9962,7 @@ ir.cpp:
 
 # 1202|   Block 6
 # 1202|     v1202_1(void) = CatchByType[const char *] : 
-#-----|   Exception -> Block 8
+#-----|   C++ Exception -> Block 8
 #-----|   Goto -> Block 7
 
 # 1202|   Block 7
@@ -9984,11 +9984,11 @@ ir.cpp:
 # 1203|     m1203_11(String)        = ^IndirectMayWriteSideEffect[-1] : &:r1203_1
 # 1203|     m1203_12(unknown)       = Chi                             : total:m1203_9, partial:m1203_11
 # 1203|     v1203_13(void)          = ThrowValue                      : &:r1203_1, ~m1203_12
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 # 1205|   Block 8
 # 1205|     v1205_1(void) = CatchByType[const String &] : 
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 #-----|   Goto -> Block 9
 
 # 1205|   Block 9
@@ -16924,7 +16924,7 @@ ir.cpp:
 # 2281|     v2281_6(void)            = ^IndirectReadSideEffect[-1]      : &:r2281_1, ~m2281_5
 # 2281|     m2281_7(String)          = ^IndirectMayWriteSideEffect[-1]  : &:r2281_1
 # 2281|     m2281_8(unknown)         = Chi                              : total:m2281_5, partial:m2281_7
-#-----|   Exception -> Block 5
+#-----|   C++ Exception -> Block 5
 
 # 2280|   Block 4
 # 2280|     r2280_1(glval<String>)   = VariableAddress[s2]             : 
@@ -16956,7 +16956,7 @@ ir.cpp:
 
 # 2282|   Block 5
 # 2282|     v2282_1(void) = CatchByType[const char *] : 
-#-----|   Exception -> Block 7
+#-----|   C++ Exception -> Block 7
 #-----|   Goto -> Block 6
 
 # 2282|   Block 6
@@ -16978,11 +16978,11 @@ ir.cpp:
 # 2283|     m2283_11(String)        = ^IndirectMayWriteSideEffect[-1] : &:r2283_1
 # 2283|     m2283_12(unknown)       = Chi                             : total:m2283_9, partial:m2283_11
 # 2283|     v2283_13(void)          = ThrowValue                      : &:r2283_1, ~m2283_12
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 # 2285|   Block 7
 # 2285|     v2285_1(void) = CatchByType[const String &] : 
-#-----|   Exception -> Block 9
+#-----|   C++ Exception -> Block 9
 #-----|   Goto -> Block 8
 
 # 2285|   Block 8
@@ -16996,7 +16996,7 @@ ir.cpp:
 # 2287|   Block 9
 # 2287|     v2287_1(void) = CatchAny : 
 # 2288|     v2288_1(void) = ReThrow  : 
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 # 2290|   Block 10
 # 2290|     m2290_1(unknown) = Phi        : from 4:~m2281_24, from 8:~m2281_8
@@ -18266,7 +18266,7 @@ ir.cpp:
 # 2454|     v2454_6(void)                       = ^IndirectReadSideEffect[-1]           : &:r2454_1, m2452_8
 # 2454|     m2454_7(ClassWithDestructor)        = ^IndirectMayWriteSideEffect[-1]       : &:r2454_1
 # 2454|     m2454_8(ClassWithDestructor)        = Chi                                   : total:m2452_8, partial:m2454_7
-#-----|   Exception -> Block 1
+#-----|   C++ Exception -> Block 1
 
 # 2451|   Block 1
 # 2451|     v2451_7(void) = Unwind       : 
@@ -18693,7 +18693,7 @@ ir.cpp:
 # 2537|     r2537_2(int)                        = Constant[42]                         : 
 # 2537|     m2537_3(int)                        = Store[#throw2537:5]                  : &:r2537_1, r2537_2
 # 2537|     v2537_4(void)                       = ThrowValue                           : &:r2537_1, m2537_3
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 # 2534|   Block 1
 # 2534|     m2534_5(unknown) = Phi          : from 3:~m2541_6, from 4:~m2541_14
@@ -18702,7 +18702,7 @@ ir.cpp:
 
 # 2539|   Block 2
 # 2539|     v2539_1(void) = CatchByType[char] : 
-#-----|   Exception -> Block 4
+#-----|   C++ Exception -> Block 4
 #-----|   Goto -> Block 3
 
 # 2539|   Block 3
@@ -38962,7 +38962,7 @@ try_except.cpp:
 #   48|     r48_2(int)        = Constant[1]                  : 
 #   48|     m48_3(int)        = Store[#throw48:13]           : &:r48_1, r48_2
 #   48|     v48_4(void)       = ThrowValue                   : &:r48_1, m48_3
-#-----|   Exception -> Block 4
+#-----|   C++ Exception -> Block 4
 
 #   51|   Block 2
 #   51|     r51_1(int)  = Constant[0]       : 

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -822,7 +822,7 @@ coroutines.cpp:
 
 #-----|   Block 6
 #-----|     v0_24(void) = ReThrow : 
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   87|   Block 7
 #   87|     r87_52(glval<promise_type>) = VariableAddress[(unnamed local variable)] : 
@@ -1001,7 +1001,7 @@ coroutines.cpp:
 
 #-----|   Block 6
 #-----|     v0_28(void) = ReThrow : 
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   91|   Block 7
 #   91|     r91_54(glval<promise_type>) = VariableAddress[(unnamed local variable)] : 
@@ -1239,7 +1239,7 @@ coroutines.cpp:
 
 #-----|   Block 8
 #-----|     v0_34(void) = ReThrow : 
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   95|   Block 9
 #   95|     r95_54(glval<promise_type>) = VariableAddress[(unnamed local variable)] : 
@@ -1469,7 +1469,7 @@ coroutines.cpp:
 
 #-----|   Block 8
 #-----|     v0_27(void) = ReThrow : 
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   99|   Block 9
 #   99|     r99_54(glval<promise_type>) = VariableAddress[(unnamed local variable)] : 
@@ -1707,7 +1707,7 @@ coroutines.cpp:
 
 #-----|   Block 8
 #-----|     v0_34(void) = ReThrow : 
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #  103|   Block 9
 #  103|     r103_54(glval<promise_type>) = VariableAddress[(unnamed local variable)] : 
@@ -1949,7 +1949,7 @@ coroutines.cpp:
 
 #-----|   Block 8
 #-----|     v0_34(void) = ReThrow : 
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #  108|   Block 9
 #  108|     r108_54(glval<promise_type>) = VariableAddress[(unnamed local variable)] : 
@@ -2350,7 +2350,7 @@ destructors_for_temps.cpp:
 #   47|     mu47_4(unknown)                     = ^CallSideEffect                        : ~m?
 #   47|     v47_5(void)                         = ^IndirectReadSideEffect[-1]            : &:r47_1, ~m?
 #   47|     mu47_6(ClassWithDestructor2)        = ^IndirectMayWriteSideEffect[-1]        : &:r47_1
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   47|   Block 4
 #   47|     v47_7(void)                        = NoOp                                   : 
@@ -2417,7 +2417,7 @@ destructors_for_temps.cpp:
 #   52|     mu52_4(unknown)                    = ^CallSideEffect                        : ~m?
 #   52|     v52_5(void)                        = ^IndirectReadSideEffect[-1]            : &:r52_1, ~m?
 #   52|     mu52_6(ClassWithDestructor2)       = ^IndirectMayWriteSideEffect[-1]        : &:r52_1
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   51|   Block 4
 #   51|     r51_24(glval<ClassWithDestructor2>) = VariableAddress[#temp51:75]            : 
@@ -2484,7 +2484,7 @@ destructors_for_temps.cpp:
 #   55|     mu55_21(unknown)                   = ^CallSideEffect                       : ~m?
 #   55|     mu55_22(ClassWithConstructor)      = ^IndirectMayWriteSideEffect[-1]       : &:r55_5
 #   55|     v55_23(void)                       = ThrowValue                            : &:r55_5, ~m?
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   55|   Block 4
 #   55|     r55_24(glval<ClassWithDestructor2>) = VariableAddress[#temp55:75]           : 
@@ -2539,7 +2539,7 @@ destructors_for_temps.cpp:
 #   59|     mu59_15(ClassWithDestructor2)      = ^IndirectMayWriteSideEffect[-1]       : &:r59_5
 #   59|     mu59_16(char)                      = Store[#throw59:9]                     : &:r59_4, r59_12
 #   59|     v59_17(void)                       = ThrowValue                            : &:r59_4, ~m?
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   59|   Block 4
 #   59|     r59_18(char)        = Constant[97]               : 
@@ -2884,7 +2884,7 @@ ir.c:
 #   25|     r25_3(int)            = Load[x]                                 : &:r25_2, ~m?
 #   25|     v25_4(void)           = Call[ExRaiseAccessViolation]            : func:r25_1, 0:r25_3
 #   25|     mu25_5(unknown)       = ^CallSideEffect                         : ~m?
-#-----|   Exception -> Block 6
+#-----|   C++ Exception -> Block 6
 
 #   21|   Block 1
 #   21|     v21_6(void) = AliasedUse   : ~m?
@@ -2941,7 +2941,7 @@ ir.c:
 #   36|     r36_2(int)            = Constant[0]                             : 
 #   36|     v36_3(void)           = Call[ExRaiseAccessViolation]            : func:r36_1, 0:r36_2
 #   36|     mu36_4(unknown)       = ^CallSideEffect                         : ~m?
-#-----|   Exception -> Block 5
+#-----|   C++ Exception -> Block 5
 
 #   32|   Block 1
 #   32|     v32_4(void) = AliasedUse   : ~m?
@@ -2977,7 +2977,7 @@ ir.c:
 #   40|     r40_2(int)            = Constant[1]                             : 
 #   40|     v40_3(void)           = Call[ExRaiseAccessViolation]            : func:r40_1, 0:r40_2
 #   40|     mu40_4(unknown)       = ^CallSideEffect                         : ~m?
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   42|   Block 7
 #   42|     v42_1(void) = NoOp       : 
@@ -3022,7 +3022,7 @@ ir.c:
 #   62|     r62_2(int)            = Constant[0]                             : 
 #   62|     v62_3(void)           = Call[ExRaiseAccessViolation]            : func:r62_1, 0:r62_2
 #   62|     mu62_4(unknown)       = ^CallSideEffect                         : ~m?
-#-----|   Exception -> Block 3
+#-----|   C++ Exception -> Block 3
 
 #   57|   Block 1
 #   57|     v57_4(void) = AliasedUse   : ~m?
@@ -3049,7 +3049,7 @@ ir.c:
 #   73|     r73_2(int)            = Constant[0]                             : 
 #   73|     v73_3(void)           = Call[ExRaiseAccessViolation]            : func:r73_1, 0:r73_2
 #   73|     mu73_4(unknown)       = ^CallSideEffect                         : ~m?
-#-----|   Exception -> Block 3
+#-----|   C++ Exception -> Block 3
 
 #   70|   Block 1
 #   70|     v70_4(void) = AliasedUse   : ~m?
@@ -3064,7 +3064,7 @@ ir.c:
 #   76|     r76_2(int)            = Constant[0]                             : 
 #   76|     v76_3(void)           = Call[ExRaiseAccessViolation]            : func:r76_1, 0:r76_2
 #   76|     mu76_4(unknown)       = ^CallSideEffect                         : ~m?
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   78|   Block 4
 #   78|     v78_1(void) = NoOp       : 
@@ -3080,7 +3080,7 @@ ir.c:
 #   81|     r81_2(int)            = Constant[1]                             : 
 #   81|     v81_3(void)           = Call[ExRaiseAccessViolation]            : func:r81_1, 0:r81_2
 #   81|     mu81_4(unknown)       = ^CallSideEffect                         : ~m?
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #   80|   Block 1
 #   80|     v80_4(void) = AliasedUse   : ~m?
@@ -6615,7 +6615,7 @@ ir.cpp:
 #  728|     r728_3(char *)          = Convert                          : r728_2
 #  728|     mu728_4(char *)         = Store[#throw728:7]               : &:r728_1, r728_3
 #  728|     v728_5(void)            = ThrowValue                       : &:r728_1, ~m?
-#-----|   Exception -> Block 9
+#-----|   C++ Exception -> Block 9
 
 #  730|   Block 4
 #  730|     r730_1(glval<int>) = VariableAddress[x] : 
@@ -6654,7 +6654,7 @@ ir.cpp:
 #  731|     v731_18(void)            = ^BufferReadSideEffect[0]        : &:r731_15, ~m?
 #  731|     mu731_19(String)         = ^IndirectMayWriteSideEffect[-1] : &:r731_11
 #  731|     v731_20(void)            = ThrowValue                      : &:r731_11, ~m?
-#-----|   Exception -> Block 9
+#-----|   C++ Exception -> Block 9
 
 #  733|   Block 8
 #  733|     r733_1(int)        = Constant[7]        : 
@@ -6664,7 +6664,7 @@ ir.cpp:
 
 #  735|   Block 9
 #  735|     v735_1(void) = CatchByType[const char *] : 
-#-----|   Exception -> Block 11
+#-----|   C++ Exception -> Block 11
 #-----|   Goto -> Block 10
 
 #  735|   Block 10
@@ -6682,11 +6682,11 @@ ir.cpp:
 #  736|     v736_8(void)           = ^BufferReadSideEffect[0]        : &:r736_5, ~m?
 #  736|     mu736_9(String)        = ^IndirectMayWriteSideEffect[-1] : &:r736_1
 #  736|     v736_10(void)          = ThrowValue                      : &:r736_1, ~m?
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #  738|   Block 11
 #  738|     v738_1(void) = CatchByType[const String &] : 
-#-----|   Exception -> Block 13
+#-----|   C++ Exception -> Block 13
 #-----|   Goto -> Block 12
 
 #  738|   Block 12
@@ -6700,7 +6700,7 @@ ir.cpp:
 #  740|   Block 13
 #  740|     v740_1(void) = CatchAny : 
 #  741|     v741_1(void) = ReThrow  : 
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 #  743|   Block 14
 #  743|     v743_1(void) = NoOp       : 
@@ -9285,7 +9285,7 @@ ir.cpp:
 # 1195|     r1195_3(char *)          = Convert                          : r1195_2
 # 1195|     mu1195_4(char *)         = Store[#throw1195:7]              : &:r1195_1, r1195_3
 # 1195|     v1195_5(void)            = ThrowValue                       : &:r1195_1, ~m?
-#-----|   Exception -> Block 9
+#-----|   C++ Exception -> Block 9
 
 # 1197|   Block 4
 # 1197|     r1197_1(glval<int>) = VariableAddress[x] : 
@@ -9324,7 +9324,7 @@ ir.cpp:
 # 1198|     v1198_18(void)            = ^BufferReadSideEffect[0]        : &:r1198_15, ~m?
 # 1198|     mu1198_19(String)         = ^IndirectMayWriteSideEffect[-1] : &:r1198_11
 # 1198|     v1198_20(void)            = ThrowValue                      : &:r1198_11, ~m?
-#-----|   Exception -> Block 9
+#-----|   C++ Exception -> Block 9
 
 # 1200|   Block 8
 # 1200|     r1200_1(int)        = Constant[7]        : 
@@ -9334,7 +9334,7 @@ ir.cpp:
 
 # 1202|   Block 9
 # 1202|     v1202_1(void) = CatchByType[const char *] : 
-#-----|   Exception -> Block 11
+#-----|   C++ Exception -> Block 11
 #-----|   Goto -> Block 10
 
 # 1202|   Block 10
@@ -9352,11 +9352,11 @@ ir.cpp:
 # 1203|     v1203_8(void)           = ^BufferReadSideEffect[0]        : &:r1203_5, ~m?
 # 1203|     mu1203_9(String)        = ^IndirectMayWriteSideEffect[-1] : &:r1203_1
 # 1203|     v1203_10(void)          = ThrowValue                      : &:r1203_1, ~m?
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 # 1205|   Block 11
 # 1205|     v1205_1(void) = CatchByType[const String &] : 
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 #-----|   Goto -> Block 12
 
 # 1205|   Block 12
@@ -15571,7 +15571,7 @@ ir.cpp:
 # 2281|     mu2281_4(unknown)        = ^CallSideEffect                  : ~m?
 # 2281|     v2281_5(void)            = ^IndirectReadSideEffect[-1]      : &:r2281_1, ~m?
 # 2281|     mu2281_6(String)         = ^IndirectMayWriteSideEffect[-1]  : &:r2281_1
-#-----|   Exception -> Block 5
+#-----|   C++ Exception -> Block 5
 
 # 2280|   Block 4
 # 2280|     r2280_1(glval<String>)   = VariableAddress[s2]             : 
@@ -15596,7 +15596,7 @@ ir.cpp:
 
 # 2282|   Block 5
 # 2282|     v2282_1(void) = CatchByType[const char *] : 
-#-----|   Exception -> Block 7
+#-----|   C++ Exception -> Block 7
 #-----|   Goto -> Block 6
 
 # 2282|   Block 6
@@ -15614,11 +15614,11 @@ ir.cpp:
 # 2283|     v2283_8(void)           = ^BufferReadSideEffect[0]        : &:r2283_5, ~m?
 # 2283|     mu2283_9(String)        = ^IndirectMayWriteSideEffect[-1] : &:r2283_1
 # 2283|     v2283_10(void)          = ThrowValue                      : &:r2283_1, ~m?
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 # 2285|   Block 7
 # 2285|     v2285_1(void) = CatchByType[const String &] : 
-#-----|   Exception -> Block 9
+#-----|   C++ Exception -> Block 9
 #-----|   Goto -> Block 8
 
 # 2285|   Block 8
@@ -15632,7 +15632,7 @@ ir.cpp:
 # 2287|   Block 9
 # 2287|     v2287_1(void) = CatchAny : 
 # 2288|     v2288_1(void) = ReThrow  : 
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 # 2290|   Block 10
 # 2290|     v2290_1(void) = NoOp       : 
@@ -16699,7 +16699,7 @@ ir.cpp:
 # 2454|     mu2454_4(unknown)                   = ^CallSideEffect                       : ~m?
 # 2454|     v2454_5(void)                       = ^IndirectReadSideEffect[-1]           : &:r2454_1, ~m?
 # 2454|     mu2454_6(ClassWithDestructor)       = ^IndirectMayWriteSideEffect[-1]       : &:r2454_1
-#-----|   Exception -> Block 3
+#-----|   C++ Exception -> Block 3
 
 # 2451|   Block 1
 # 2451|     v2451_6(void) = AliasedUse   : ~m?
@@ -17102,7 +17102,7 @@ ir.cpp:
 # 2537|     r2537_2(int)                        = Constant[42]                         : 
 # 2537|     mu2537_3(int)                       = Store[#throw2537:5]                  : &:r2537_1, r2537_2
 # 2537|     v2537_4(void)                       = ThrowValue                           : &:r2537_1, ~m?
-#-----|   Exception -> Block 2
+#-----|   C++ Exception -> Block 2
 
 # 2534|   Block 1
 # 2534|     v2534_4(void) = AliasedUse   : ~m?
@@ -17110,7 +17110,7 @@ ir.cpp:
 
 # 2539|   Block 2
 # 2539|     v2539_1(void) = CatchByType[char] : 
-#-----|   Exception -> Block 4
+#-----|   C++ Exception -> Block 4
 #-----|   Goto -> Block 3
 
 # 2539|   Block 3
@@ -37343,7 +37343,7 @@ try_except.cpp:
 #   48|     r48_2(int)        = Constant[1]                  : 
 #   48|     mu48_3(int)       = Store[#throw48:13]           : &:r48_1, r48_2
 #   48|     v48_4(void)       = ThrowValue                   : &:r48_1, ~m?
-#-----|   Exception -> Block 6
+#-----|   C++ Exception -> Block 6
 
 #   51|   Block 4
 #   51|     r51_1(int)  = Constant[0]       : 

cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected

@@ -5,6 +5,7 @@
 | macros.cpp:14:2:14:37 | call to printf | Format for printf (in a macro expansion) expects 4 arguments but given 3 |
 | macros.cpp:21:2:21:36 | call to printf | Format for printf (in a macro expansion) expects 4 arguments but given 3 |
 | macros.cpp:32:2:32:25 | call to printf | Format for printf (in a macro expansion) expects 1 arguments but given 0 |
+| syntax_errors.c:15:5:15:10 | call to printf | Format for printf expects 2 arguments but given 0 |
 | test.c:9:2:9:7 | call to printf | Format for printf expects 1 arguments but given 0 |
 | test.c:12:2:12:7 | call to printf | Format for printf expects 2 arguments but given 1 |
 | test.c:15:2:15:7 | call to printf | Format for printf expects 3 arguments but given 2 |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c

@@ -3,5 +3,16 @@
 extern int printf(const char *fmt, ...);
 
 void test_syntax_error() {
-    printf("Error code %d: " FMT_MSG, 0, "");
+    // GOOD
+    printf("Error code %d: " UNDEFINED_MACRO, 0, "");
+
+    // GOOD
+    printf("%d%d",
+        (UNDEFINED_MACRO)1,
+        (UNDEFINED_MACRO)2);
+
+    // GOOD [FALSE POSITIVE]
+    printf("%d%d"
+        UNDEFINED_MACRO,
+        1, 2);
 }

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c

@@ -3,9 +3,10 @@
 int printf(const char * format, ...);
 int fprintf();
 
-void f() {
+void f(UNKNOWN_CHAR * str) {
     printf("%s", 1); // BAD
     printf("%s", implicit_function()); // GOOD - we should ignore the type
     sprintf(0, "%s", ""); // GOOD
     fprintf(0, "%s", ""); // GOOD
+    printf("%s", str); // GOOD - erroneous type is ignored
 }

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/errors.c

@@ -0,0 +1,11 @@
+// semmle-extractor-options: --expect_errors
+
+typedef unsigned long size_t;
+typedef int wchar_t;
+
+int swprintf(wchar_t *s, size_t n, const wchar_t *format, ...);
+
+void test_extraction_errors() {
+    WCHAR buffer[3];
+    swprintf(buffer, 3, L"abc");
+}

csharp/.vscode/launch.json

@@ -75,6 +75,7 @@
             "env": {},
             "stopAtEntry": true,
             "justMyCode": false,
+            "requireExactSource": false,
             "suppressJITOptimizations": true
         },
     ]

csharp/BUILD.bazel

@@ -74,8 +74,9 @@ test_suite(
     name = "unit-tests",
     tags = ["csharp"],
     tests = [
-        "//csharp/autobuilder/Semmle.Autobuild.CSharp.Tests",
-        "//csharp/autobuilder/Semmle.Autobuild.Cpp.Tests",
-        "//csharp/extractor/Semmle.Extraction.Tests",
+        "//csharp/autobuilder/Semmle.Autobuild.CSharp.Tests:acst",
+        "//csharp/autobuilder/Semmle.Autobuild.Cpp.Tests:acpt",
+        "//csharp/extractor/Semmle.Extraction.Tests:et",
+        "//csharp/extractor/Semmle.Util.Tests:ut",
     ],
 )

csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BUILD.bazel

@@ -4,7 +4,8 @@ load(
 )
 
 codeql_xunit_test(
-    name = "Semmle.Autobuild.CSharp.Tests",
+    # short name as we run into long path limitations on Windows
+    name = "acst",
     srcs = glob([
         "*.cs",
     ]),

csharp/autobuilder/Semmle.Autobuild.CSharp/BUILD.bazel

@@ -17,6 +17,5 @@ codeql_csharp_binary(
         "//csharp/extractor/Semmle.Extraction.CSharp.Standalone:bin/Semmle.Extraction.CSharp.Standalone",
         "//csharp/extractor/Semmle.Util",
         "@paket.main//microsoft.build",
-        "@paket.main//newtonsoft.json",
     ],
 )

csharp/autobuilder/Semmle.Autobuild.CSharp/paket.references

@@ -1,2 +1 @@
-Newtonsoft.Json
 Microsoft.Build

csharp/autobuilder/Semmle.Autobuild.Cpp.Tests/BUILD.bazel

@@ -4,7 +4,8 @@ load(
 )
 
 codeql_xunit_test(
-    name = "Semmle.Autobuild.Cpp.Tests",
+    # short name as we run into long path limitations on Windows
+    name = "acpt",
     srcs = glob([
         "*.cs",
     ]),

csharp/documentation/library-coverage/coverage.csv

@@ -14,6 +14,7 @@ Microsoft.Android.Build,,1,14,,,,,,,,,,,,,1,,,,,,12,2
 Microsoft.Apple.Build,,,7,,,,,,,,,,,,,,,,,,,7,
 Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,,,28,,,,,,,,,,
 Microsoft.AspNetCore.Components,,2,1,,,,,,,,,,,,,,,,2,,,1,
+Microsoft.AspNetCore.Mvc,,,2,,,,,,,,,,,,,,,,,,,,2
 Microsoft.AspNetCore.WebUtilities,,,2,,,,,,,,,,,,,,,,,,,2,
 Microsoft.CSharp,,,2,,,,,,,,,,,,,,,,,,,2,
 Microsoft.Diagnostics.Tools.Pgo,,,25,,,,,,,,,,,,,,,,,,,2,23

csharp/documentation/library-coverage/coverage.rst

@@ -9,6 +9,6 @@ C# framework & library support
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
    System,"``System.*``, ``System``",47,10819,54,5
-   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.Sdk.WebAssembly``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",59,2071,150,2
-   Totals,,106,12897,398,7
+   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.Sdk.WebAssembly``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",59,2073,150,2
+   Totals,,106,12899,398,7
 

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/BUILD.bazel

@@ -10,11 +10,11 @@ codeql_csharp_library(
         "SourceGenerators/**/*.cs",
     ]),
     allow_unsafe_blocks = True,
-    internals_visible_to = ["Semmle.Extraction.Tests"],
-    nowarn = ["CA1822"],
+    internals_visible_to = ["et"],
     visibility = ["//csharp:__subpackages__"],
     deps = [
         "//csharp/extractor/Semmle.Extraction.CSharp",
         "//csharp/extractor/Semmle.Util",
+        "@paket.main//newtonsoft.json",
     ],
 )

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/paket.references

@@ -0,0 +1 @@
+Newtonsoft.Json

csharp/extractor/Semmle.Extraction.CSharp.StubGenerator/BUILD.bazel

@@ -8,7 +8,7 @@ codeql_csharp_library(
     srcs = glob([
         "*.cs",
     ]),
-    internals_visible_to = ["Semmle.Extraction.Tests"],
+    internals_visible_to = ["et"],
     visibility = ["//csharp:__subpackages__"],
     deps = [
         "//csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching",

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/Pattern.cs

@@ -28,20 +28,20 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 case DeclarationPatternSyntax declPattern:
                     // Creates a single local variable declaration.
                     {
-                        if (declPattern.Designation is VariableDesignationSyntax designation)
+                        switch (declPattern.Designation)
                         {
-                            if (cx.GetModel(syntax).GetDeclaredSymbol(designation) is ILocalSymbol symbol)
-                            {
-                                var type = symbol.GetAnnotatedType();
-                                return VariableDeclaration.Create(cx, symbol, type, declPattern.Type, cx.CreateLocation(syntax.GetLocation()), false, parent, child);
-                            }
-                            if (designation is DiscardDesignationSyntax)
-                            {
+                            case SingleVariableDesignationSyntax singleDesignation:
+                                if (cx.GetModel(syntax).GetDeclaredSymbol(singleDesignation) is ILocalSymbol symbol)
+                                {
+                                    var type = symbol.GetAnnotatedType();
+                                    return VariableDeclaration.Create(cx, symbol, type, declPattern.Type, cx.CreateLocation(syntax.GetLocation()), false, parent, child);
+                                }
+                                throw new InternalError(singleDesignation, "Unable to get the declared symbol of the declaration pattern designation.");
+                            case DiscardDesignationSyntax _:
                                 return Expressions.TypeAccess.Create(cx, declPattern.Type, parent, child);
-                            }
-                            throw new InternalError(designation, "Designation pattern not handled");
+                            default:
+                                throw new InternalError($"declaration pattern designation of type {declPattern.Designation.GetType()} is unhandled");
                         }
-                        throw new InternalError(declPattern, "Declaration pattern not handled");
                     }
 
                 case RecursivePatternSyntax recPattern:
@@ -59,7 +59,6 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                             if (cx.GetModel(syntax).GetDeclaredSymbol(varDesignation) is ILocalSymbol symbol)
                             {
                                 var type = symbol.GetAnnotatedType();
-
                                 return VariableDeclaration.Create(cx, symbol, type, null, cx.CreateLocation(syntax.GetLocation()), true, parent, child);
                             }
 

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Patterns/RecursivePattern.cs

@@ -22,7 +22,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 Expressions.TypeAccess.Create(cx, t, this, 1);
 
             // Extract the local variable declaration
-            if (syntax.Designation is VariableDesignationSyntax designation && cx.GetModel(syntax).GetDeclaredSymbol(designation) is ILocalSymbol symbol)
+            if (syntax.Designation is SingleVariableDesignationSyntax designation && cx.GetModel(syntax).GetDeclaredSymbol(designation) is ILocalSymbol symbol)
             {
                 var type = symbol.GetAnnotatedType();
 

csharp/extractor/Semmle.Extraction.Tests/BUILD.bazel

@@ -4,7 +4,8 @@ load(
 )
 
 codeql_xunit_test(
-    name = "Semmle.Extraction.Tests",
+    # short name as we run into long path limitations on Windows
+    name = "et",
     srcs = glob([
         "*.cs",
     ]),

csharp/extractor/Semmle.Util.Tests/BUILD.bazel

@@ -4,7 +4,8 @@ load(
 )
 
 codeql_xunit_test(
-    name = "Semmle.Util.Tests",
+    # short name as we run into long path limitations on Windows
+    name = "ut",
     srcs = glob([
         "*.cs",
     ]),

csharp/extractor/Semmle.Util.Tests/LongPaths.cs

@@ -1,5 +1,6 @@
 using Xunit;
 using System;
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using Semmle.Util;
@@ -10,39 +11,51 @@ namespace SemmleTests.Semmle.Util
     /// Ensure that the Extractor works with long paths.
     /// These should be handled by .NET Core.
     /// </summary>
-    public sealed class LongPaths : IDisposable
+    public sealed class LongPaths
     {
-        private static readonly string tmpDir = Path.GetTempPath();
-        private static readonly string shortPath = Path.Combine(tmpDir, "test.txt");
-        private static readonly string longPath = Path.Combine(tmpDir, "aaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+        private static readonly string tmpDir = Environment.GetEnvironmentVariable("TEST_TMPDIR") ?? Path.GetTempPath();
+        private static readonly string longPathDir = Path.Combine(tmpDir, "aaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
             "ccccccccccccccccccccccccccccccc", "ddddddddddddddddddddddddddddddddddddd", "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", "fffffffffffffffffffffffffffffffff",
-            "ggggggggggggggggggggggggggggggggggg", "hhhhhhhhhhhhhhhhhhhhhhhhhhhhhh", "iiiiiiiiiiiiiiii.txt");
+            "ggggggggggggggggggggggggggggggggggg", "hhhhhhhhhhhhhhhhhhhhhhhhhhhhhh");
+
+        private static string MakeLongPath()
+        {
+            var uniquePostfix = Guid.NewGuid().ToString("N");
+            return Path.Combine(longPathDir, $"iiiiiiiiiiiiiiii{uniquePostfix}.txt");
+        }
+
+        private static string MakeShortPath()
+        {
+            var uniquePostfix = Guid.NewGuid().ToString("N");
+            return Path.Combine(tmpDir, $"test{uniquePostfix}.txt");
+        }
 
         public LongPaths()
         {
-            CleanUp();
+            // Create directory to avoid directory not found exceptions when deleting files
+            Directory.CreateDirectory(longPathDir);
         }
 
-        public void Dispose()
+        private static void Cleanup(params IEnumerable<string> paths)
         {
-            CleanUp();
+            foreach (var path in paths)
+            {
+                File.Delete(path);
+            }
         }
 
-        private static void CleanUp()
+        private static void WithSetUpAndTearDown(Action<string, string> test)
         {
+            var longPath = MakeLongPath();
+            var shortPath = MakeShortPath();
+            Cleanup(longPath, shortPath);
             try
             {
-                File.Delete(shortPath);
+                test(longPath, shortPath);
             }
-            catch (DirectoryNotFoundException)
-            {
-            }
-            try
-            {
-                File.Delete(longPath);
-            }
-            catch (DirectoryNotFoundException)
+            finally
             {
+                Cleanup(longPath, shortPath);
             }
         }
 
@@ -63,122 +76,143 @@ namespace SemmleTests.Semmle.Util
         [Fact]
         public void Delete()
         {
-            // OK Do not exist.
-            File.Delete(shortPath);
-            File.Delete(longPath);
+            WithSetUpAndTearDown((longPath, shortPath) =>
+            {
+                // OK Do not exist.
+                File.Delete(shortPath);
+                File.Delete(longPath);
+            });
         }
 
         [Fact]
         public void Move()
         {
-            File.WriteAllText(shortPath, "abc");
-            Directory.CreateDirectory(Path.GetDirectoryName(longPath)!);
-            File.Delete(longPath);
-            File.Move(shortPath, longPath);
-            File.Move(longPath, shortPath);
-            Assert.Equal("abc", File.ReadAllText(shortPath));
+            WithSetUpAndTearDown((longPath, shortPath) =>
+            {
+                File.WriteAllText(shortPath, "abc");
+                File.Delete(longPath);
+                File.Move(shortPath, longPath);
+                File.Move(longPath, shortPath);
+                Assert.Equal("abc", File.ReadAllText(shortPath));
+            });
         }
 
         [Fact]
         public void Replace()
         {
-            File.WriteAllText(shortPath, "abc");
-            File.Delete(longPath);
-            Directory.CreateDirectory(Path.GetDirectoryName(longPath)!);
-            File.Move(shortPath, longPath);
-            File.WriteAllText(shortPath, "def");
-            FileUtils.MoveOrReplace(shortPath, longPath);
-            File.WriteAllText(shortPath, "abc");
-            FileUtils.MoveOrReplace(longPath, shortPath);
-            Assert.Equal("def", File.ReadAllText(shortPath));
+            WithSetUpAndTearDown((longPath, shortPath) =>
+            {
+                File.WriteAllText(shortPath, "abc");
+                File.Move(shortPath, longPath);
+                File.WriteAllText(shortPath, "def");
+                FileUtils.MoveOrReplace(shortPath, longPath);
+                File.WriteAllText(shortPath, "abc");
+                FileUtils.MoveOrReplace(longPath, shortPath);
+                Assert.Equal("def", File.ReadAllText(shortPath));
+            });
         }
 
-        private readonly byte[] buffer1 = new byte[10] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
+        private readonly byte[] buffer1 = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
 
         [Fact]
         public void CreateShortStream()
         {
-            var buffer2 = new byte[10];
-
-            using (var s1 = new FileStream(shortPath, FileMode.Create, FileAccess.Write, FileShare.None))
+            WithSetUpAndTearDown((_, shortPath) =>
             {
-                s1.Write(buffer1, 0, 10);
-            }
+                var buffer2 = new byte[10];
 
-            using (var s2 = new FileStream(shortPath, FileMode.Open, FileAccess.Read, FileShare.None))
-            {
-                Assert.Equal(10, s2.Read(buffer2, 0, 10));
-                Assert.True(Enumerable.SequenceEqual(buffer1, buffer2));
-            }
+                using (var s1 = new FileStream(shortPath, FileMode.Create, FileAccess.Write, FileShare.None))
+                {
+                    s1.Write(buffer1, 0, 10);
+                }
+
+                using (var s2 = new FileStream(shortPath, FileMode.Open, FileAccess.Read, FileShare.None))
+                {
+                    Assert.Equal(10, s2.Read(buffer2, 0, 10));
+                    Assert.True(Enumerable.SequenceEqual(buffer1, buffer2));
+                }
+            });
         }
 
         [Fact]
         public void CreateLongStream()
         {
-            var buffer2 = new byte[10];
-
-            Directory.CreateDirectory(Path.GetDirectoryName(longPath)!);
-
-            using (var s3 = new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None))
+            WithSetUpAndTearDown((longPath, _) =>
             {
-                s3.Write(buffer1, 0, 10);
-            }
+                var buffer2 = new byte[10];
 
-            using (var s4 = new FileStream(longPath, FileMode.Open, FileAccess.Read, FileShare.None))
-            {
-                Assert.Equal(10, s4.Read(buffer2, 0, 10));
-                Assert.True(Enumerable.SequenceEqual(buffer1, buffer2));
-            }
+                Directory.CreateDirectory(Path.GetDirectoryName(longPath)!);
+
+                using (var s3 = new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None))
+                {
+                    s3.Write(buffer1, 0, 10);
+                }
+
+                using (var s4 = new FileStream(longPath, FileMode.Open, FileAccess.Read, FileShare.None))
+                {
+                    Assert.Equal(10, s4.Read(buffer2, 0, 10));
+                    Assert.True(Enumerable.SequenceEqual(buffer1, buffer2));
+                }
+            });
         }
 
         [Fact]
         public void FileDoesNotExist()
         {
-            // File does not exist
-            Assert.Throws<System.IO.FileNotFoundException>(() =>
+            WithSetUpAndTearDown((longPath, _) =>
             {
-                using (new FileStream(longPath, FileMode.Open, FileAccess.Read, FileShare.None))
+                // File does not exist
+                Assert.Throws<System.IO.FileNotFoundException>(() =>
                 {
-                    //
-                }
+                    using (new FileStream(longPath, FileMode.Open, FileAccess.Read, FileShare.None))
+                    {
+                        //
+                    }
+                });
             });
         }
 
         [Fact]
         public void OverwriteFile()
         {
-            using (var s1 = new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None))
+            WithSetUpAndTearDown((longPath, _) =>
             {
-                s1.Write(buffer1, 0, 10);
-            }
+                using (var s1 = new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None))
+                {
+                    s1.Write(buffer1, 0, 10);
+                }
 
-            byte[] buffer2 = { 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 };
+                byte[] buffer2 = { 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 };
 
-            using (var s2 = new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None))
-            {
-                s2.Write(buffer2, 0, 10);
-            }
+                using (var s2 = new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None))
+                {
+                    s2.Write(buffer2, 0, 10);
+                }
 
-            byte[] buffer3 = new byte[10];
+                byte[] buffer3 = new byte[10];
 
-            using (var s3 = new FileStream(longPath, FileMode.Open, FileAccess.Read, FileShare.None))
-            {
-                Assert.Equal(10, s3.Read(buffer3, 0, 10));
-            }
+                using (var s3 = new FileStream(longPath, FileMode.Open, FileAccess.Read, FileShare.None))
+                {
+                    Assert.Equal(10, s3.Read(buffer3, 0, 10));
+                }
 
-            Assert.True(Enumerable.SequenceEqual(buffer2, buffer3));
+                Assert.True(Enumerable.SequenceEqual(buffer2, buffer3));
+            });
         }
 
         [Fact]
         public void LongFileExists()
         {
-            Assert.False(File.Exists("no such file"));
-            Assert.False(File.Exists("\":"));
-            Assert.False(File.Exists(@"C:\"));  // A directory
+            WithSetUpAndTearDown((longPath, _) =>
+            {
+                Assert.False(File.Exists("no such file"));
+                Assert.False(File.Exists("\":"));
+                Assert.False(File.Exists(@"C:\"));  // A directory
 
-            Assert.False(File.Exists(longPath));
-            new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None).Close();
-            Assert.True(File.Exists(longPath));
+                Assert.False(File.Exists(longPath));
+                new FileStream(longPath, FileMode.Create, FileAccess.Write, FileShare.None).Close();
+                Assert.True(File.Exists(longPath));
+            });
         }
     }
 }

csharp/paket.dependencies

@@ -2,9 +2,8 @@ framework: net9.0
 storage: none
 source https://api.nuget.org/v3/index.json
 # behave like nuget in choosing transitive dependency versions
-strategy: min
+strategy: max
 
-nuget MessagePack >= 2.5.187
 nuget Basic.CompilerLog.Util
 nuget Mono.Posix.NETStandard
 nuget Newtonsoft.Json
@@ -12,9 +11,9 @@ nuget xunit
 nuget xunit.runner.visualstudio
 nuget xunit.runner.utility
 nuget Microsoft.NET.Test.Sdk
-nuget Microsoft.CodeAnalysis.CSharp 4.9.2
-nuget Microsoft.CodeAnalysis 4.9.2
-nuget Microsoft.Build 17.8.3
+nuget Microsoft.CodeAnalysis.CSharp 4.12.0
+nuget Microsoft.CodeAnalysis 4.12.0
+nuget Microsoft.Build 17.12.6
 nuget Microsoft.Win32.Primitives
 nuget System.Net.Primitives
 nuget System.Security.Principal

csharp/paket.lock

@@ -1,71 +1,108 @@
 STORAGE: NONE
-STRATEGY: MIN
+STRATEGY: MAX
 RESTRICTION: == net9.0
 NUGET
   remote: https://api.nuget.org/v3/index.json
-    Basic.CompilerLog.Util (0.7.9)
-      MessagePack (>= 2.5.129)
-      Microsoft.CodeAnalysis (>= 4.9.2)
-      Microsoft.CodeAnalysis.CSharp (>= 4.9.2)
-      Microsoft.CodeAnalysis.VisualBasic (>= 4.9.2)
-      Microsoft.Extensions.ObjectPool (>= 7.0.13)
-      MSBuild.StructuredLogger (>= 2.2.235)
+    Basic.CompilerLog.Util (0.9.4)
+      MessagePack (>= 2.5.187)
+      Microsoft.CodeAnalysis (>= 4.11)
+      Microsoft.CodeAnalysis.CSharp (>= 4.11)
+      Microsoft.CodeAnalysis.VisualBasic (>= 4.11)
+      Microsoft.Extensions.ObjectPool (>= 9.0)
+      MSBuild.StructuredLogger (>= 2.2.243)
+      System.Buffers (>= 4.6)
     Humanizer.Core (2.14.1)
-    MessagePack (2.5.192)
-      MessagePack.Annotations (>= 2.5.192)
-      Microsoft.NET.StringTools (>= 17.6.3)
-    MessagePack.Annotations (2.5.192)
-    Microsoft.Build (17.8.3)
-      Microsoft.Build.Framework (>= 17.8.3)
-      Microsoft.NET.StringTools (>= 17.8.3)
-      System.Collections.Immutable (>= 7.0)
-      System.Configuration.ConfigurationManager (>= 7.0)
-      System.Reflection.Metadata (>= 7.0)
-      System.Reflection.MetadataLoadContext (>= 7.0)
-      System.Security.Principal.Windows (>= 5.0)
-      System.Threading.Tasks.Dataflow (>= 7.0)
-    Microsoft.Build.Framework (17.8.3)
-    Microsoft.Build.Utilities.Core (17.5)
-      Microsoft.Build.Framework (>= 17.5)
-      Microsoft.NET.StringTools (>= 17.5)
-      System.Collections.Immutable (>= 6.0)
-      System.Configuration.ConfigurationManager (>= 6.0)
-    Microsoft.CodeAnalysis (4.9.2)
-      Microsoft.CodeAnalysis.CSharp.Workspaces (4.9.2)
-      Microsoft.CodeAnalysis.VisualBasic.Workspaces (4.9.2)
-    Microsoft.CodeAnalysis.Analyzers (3.3.4)
-    Microsoft.CodeAnalysis.Common (4.9.2)
+    MessagePack (3.0.3)
+      MessagePack.Annotations (>= 3.0.3)
+      MessagePackAnalyzer (>= 3.0.3)
+      Microsoft.NET.StringTools (>= 17.11.4)
+    MessagePack.Annotations (3.0.3)
+    MessagePackAnalyzer (3.0.3)
+    Microsoft.Bcl.AsyncInterfaces (9.0)
+    Microsoft.Build (17.12.6)
+      Microsoft.Build.Framework (>= 17.12.6)
+      Microsoft.NET.StringTools (>= 17.12.6)
+      System.Collections.Immutable (>= 8.0)
+      System.Configuration.ConfigurationManager (>= 8.0)
+      System.Reflection.Metadata (>= 8.0)
+      System.Reflection.MetadataLoadContext (>= 8.0)
+    Microsoft.Build.Framework (17.12.6)
+    Microsoft.Build.Utilities.Core (17.12.6)
+      Microsoft.Build.Framework (>= 17.12.6)
+      Microsoft.NET.StringTools (>= 17.12.6)
+      System.Collections.Immutable (>= 8.0)
+      System.Configuration.ConfigurationManager (>= 8.0)
+    Microsoft.CodeAnalysis (4.12)
+      Humanizer.Core (>= 2.14.1)
+      Microsoft.Bcl.AsyncInterfaces (>= 8.0)
+      Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
+      Microsoft.CodeAnalysis.CSharp.Workspaces (4.12)
+      Microsoft.CodeAnalysis.VisualBasic.Workspaces (4.12)
+      System.Buffers (>= 4.5.1)
+      System.Collections.Immutable (>= 8.0)
+      System.Composition (>= 8.0)
+      System.IO.Pipelines (>= 8.0)
+      System.Memory (>= 4.5.5)
+      System.Numerics.Vectors (>= 4.5)
+      System.Reflection.Metadata (>= 8.0)
+      System.Runtime.CompilerServices.Unsafe (>= 6.0)
+      System.Text.Encoding.CodePages (>= 7.0)
+      System.Threading.Channels (>= 7.0)
+      System.Threading.Tasks.Extensions (>= 4.5.4)
+    Microsoft.CodeAnalysis.Analyzers (3.11)
+    Microsoft.CodeAnalysis.Common (4.12)
       Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
       System.Collections.Immutable (>= 8.0)
       System.Reflection.Metadata (>= 8.0)
-      System.Runtime.CompilerServices.Unsafe (>= 6.0)
-    Microsoft.CodeAnalysis.CSharp (4.9.2)
-      Microsoft.CodeAnalysis.Common (4.9.2)
-    Microsoft.CodeAnalysis.CSharp.Workspaces (4.9.2)
+    Microsoft.CodeAnalysis.CSharp (4.12)
+      Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
+      Microsoft.CodeAnalysis.Common (4.12)
+      System.Collections.Immutable (>= 8.0)
+      System.Reflection.Metadata (>= 8.0)
+    Microsoft.CodeAnalysis.CSharp.Workspaces (4.12)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Common (4.9.2)
-      Microsoft.CodeAnalysis.CSharp (4.9.2)
-      Microsoft.CodeAnalysis.Workspaces.Common (4.9.2)
-    Microsoft.CodeAnalysis.VisualBasic (4.9.2)
-      Microsoft.CodeAnalysis.Common (4.9.2)
-    Microsoft.CodeAnalysis.VisualBasic.Workspaces (4.9.2)
-      Microsoft.CodeAnalysis.Common (4.9.2)
-      Microsoft.CodeAnalysis.VisualBasic (4.9.2)
-      Microsoft.CodeAnalysis.Workspaces.Common (4.9.2)
-    Microsoft.CodeAnalysis.Workspaces.Common (4.9.2)
-      Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Common (4.9.2)
+      Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
+      Microsoft.CodeAnalysis.Common (4.12)
+      Microsoft.CodeAnalysis.CSharp (4.12)
+      Microsoft.CodeAnalysis.Workspaces.Common (4.12)
+      System.Collections.Immutable (>= 8.0)
       System.Composition (>= 8.0)
       System.IO.Pipelines (>= 8.0)
-      System.Threading.Channels (>= 8.0)
+      System.Reflection.Metadata (>= 8.0)
+      System.Threading.Channels (>= 7.0)
+    Microsoft.CodeAnalysis.VisualBasic (4.12)
+      Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
+      Microsoft.CodeAnalysis.Common (4.12)
+      System.Collections.Immutable (>= 8.0)
+      System.Reflection.Metadata (>= 8.0)
+    Microsoft.CodeAnalysis.VisualBasic.Workspaces (4.12)
+      Humanizer.Core (>= 2.14.1)
+      Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
+      Microsoft.CodeAnalysis.Common (4.12)
+      Microsoft.CodeAnalysis.VisualBasic (4.12)
+      Microsoft.CodeAnalysis.Workspaces.Common (4.12)
+      System.Collections.Immutable (>= 8.0)
+      System.Composition (>= 8.0)
+      System.IO.Pipelines (>= 8.0)
+      System.Reflection.Metadata (>= 8.0)
+      System.Threading.Channels (>= 7.0)
+    Microsoft.CodeAnalysis.Workspaces.Common (4.12)
+      Humanizer.Core (>= 2.14.1)
+      Microsoft.CodeAnalysis.Analyzers (>= 3.3.4)
+      Microsoft.CodeAnalysis.Common (4.12)
+      System.Collections.Immutable (>= 8.0)
+      System.Composition (>= 8.0)
+      System.IO.Pipelines (>= 8.0)
+      System.Reflection.Metadata (>= 8.0)
+      System.Threading.Channels (>= 7.0)
     Microsoft.CodeCoverage (17.12)
-    Microsoft.Extensions.ObjectPool (7.0.13)
-    Microsoft.NET.StringTools (17.8.3)
+    Microsoft.Extensions.ObjectPool (9.0)
+    Microsoft.NET.StringTools (17.12.6)
     Microsoft.NET.Test.Sdk (17.12)
       Microsoft.CodeCoverage (>= 17.12)
       Microsoft.TestPlatform.TestHost (>= 17.12)
-    Microsoft.NETCore.Platforms (1.1.1)
-    Microsoft.NETCore.Targets (1.1.3)
+    Microsoft.NETCore.Platforms (7.0.4)
+    Microsoft.NETCore.Targets (5.0)
     Microsoft.TestPlatform.ObjectModel (17.12)
       System.Reflection.Metadata (>= 1.6)
     Microsoft.TestPlatform.TestHost (17.12)
@@ -75,36 +112,34 @@ NUGET
       Microsoft.NETCore.Platforms (>= 1.1)
       Microsoft.NETCore.Targets (>= 1.1)
       System.Runtime (>= 4.3)
-    Microsoft.Win32.SystemEvents (7.0)
     Mono.Posix.NETStandard (1.0)
-    MSBuild.StructuredLogger (2.2.235)
+    MSBuild.StructuredLogger (2.2.386)
       Microsoft.Build.Framework (>= 17.5)
       Microsoft.Build.Utilities.Core (>= 17.5)
+      System.Collections.Immutable (>= 8.0)
     Newtonsoft.Json (13.0.3)
-    System.Collections.Immutable (8.0)
-    System.Composition (8.0)
-      System.Composition.AttributedModel (>= 8.0)
-      System.Composition.Convention (>= 8.0)
-      System.Composition.Hosting (>= 8.0)
-      System.Composition.Runtime (>= 8.0)
-      System.Composition.TypedParts (>= 8.0)
-    System.Composition.AttributedModel (8.0)
-    System.Composition.Convention (8.0)
-      System.Composition.AttributedModel (>= 8.0)
-    System.Composition.Hosting (8.0)
-      System.Composition.Runtime (>= 8.0)
-    System.Composition.Runtime (8.0)
-    System.Composition.TypedParts (8.0)
-      System.Composition.AttributedModel (>= 8.0)
-      System.Composition.Hosting (>= 8.0)
-      System.Composition.Runtime (>= 8.0)
-    System.Configuration.ConfigurationManager (7.0)
-      System.Diagnostics.EventLog (>= 7.0)
-      System.Security.Cryptography.ProtectedData (>= 7.0)
-      System.Security.Permissions (>= 7.0)
-    System.Diagnostics.EventLog (7.0)
-    System.Drawing.Common (7.0)
-      Microsoft.Win32.SystemEvents (>= 7.0)
+    System.Buffers (4.6)
+    System.Collections.Immutable (9.0)
+    System.Composition (9.0)
+      System.Composition.AttributedModel (>= 9.0)
+      System.Composition.Convention (>= 9.0)
+      System.Composition.Hosting (>= 9.0)
+      System.Composition.Runtime (>= 9.0)
+      System.Composition.TypedParts (>= 9.0)
+    System.Composition.AttributedModel (9.0)
+    System.Composition.Convention (9.0)
+      System.Composition.AttributedModel (>= 9.0)
+    System.Composition.Hosting (9.0)
+      System.Composition.Runtime (>= 9.0)
+    System.Composition.Runtime (9.0)
+    System.Composition.TypedParts (9.0)
+      System.Composition.AttributedModel (>= 9.0)
+      System.Composition.Hosting (>= 9.0)
+      System.Composition.Runtime (>= 9.0)
+    System.Configuration.ConfigurationManager (9.0)
+      System.Diagnostics.EventLog (>= 9.0)
+      System.Security.Cryptography.ProtectedData (>= 9.0)
+    System.Diagnostics.EventLog (9.0)
     System.IO (4.3)
       Microsoft.NETCore.Platforms (>= 1.1)
       Microsoft.NETCore.Targets (>= 1.1)
@@ -122,52 +157,47 @@ NUGET
       System.Threading.Tasks (>= 4.3)
     System.IO.FileSystem.Primitives (4.3)
       System.Runtime (>= 4.3)
-    System.IO.Pipelines (8.0)
+    System.IO.Pipelines (9.0)
+    System.Memory (4.6)
     System.Net.Primitives (4.3.1)
       Microsoft.NETCore.Platforms (>= 1.1.1)
       Microsoft.NETCore.Targets (>= 1.1.3)
       System.Runtime (>= 4.3.1)
       System.Runtime.Handles (>= 4.3)
-    System.Reflection.Metadata (8.0)
-      System.Collections.Immutable (>= 8.0)
-    System.Reflection.MetadataLoadContext (7.0)
-      System.Collections.Immutable (>= 7.0)
-      System.Reflection.Metadata (>= 7.0)
+    System.Numerics.Vectors (4.6)
+    System.Reflection.Metadata (9.0)
+    System.Reflection.MetadataLoadContext (9.0)
     System.Runtime (4.3.1)
       Microsoft.NETCore.Platforms (>= 1.1.1)
       Microsoft.NETCore.Targets (>= 1.1.3)
-    System.Runtime.CompilerServices.Unsafe (6.0)
+    System.Runtime.CompilerServices.Unsafe (6.1)
     System.Runtime.Handles (4.3)
       Microsoft.NETCore.Platforms (>= 1.1)
       Microsoft.NETCore.Targets (>= 1.1)
       System.Runtime (>= 4.3)
-    System.Security.Cryptography.ProtectedData (7.0)
-    System.Security.Permissions (7.0)
-      System.Windows.Extensions (>= 7.0)
+    System.Security.Cryptography.ProtectedData (9.0)
     System.Security.Principal (4.3)
       System.Runtime (>= 4.3)
-    System.Security.Principal.Windows (5.0)
     System.Text.Encoding (4.3)
       Microsoft.NETCore.Platforms (>= 1.1)
       Microsoft.NETCore.Targets (>= 1.1)
       System.Runtime (>= 4.3)
-    System.Threading.Channels (8.0)
+    System.Text.Encoding.CodePages (9.0)
+    System.Threading.Channels (9.0)
     System.Threading.Tasks (4.3)
       Microsoft.NETCore.Platforms (>= 1.1)
       Microsoft.NETCore.Targets (>= 1.1)
       System.Runtime (>= 4.3)
-    System.Threading.Tasks.Dataflow (7.0)
+    System.Threading.Tasks.Extensions (4.6)
     System.Threading.ThreadPool (4.3)
       System.Runtime (>= 4.3)
       System.Runtime.Handles (>= 4.3)
-    System.Windows.Extensions (7.0)
-      System.Drawing.Common (>= 7.0)
     xunit (2.9.2)
       xunit.analyzers (>= 1.16)
       xunit.assert (>= 2.9.2)
       xunit.core (2.9.2)
     xunit.abstractions (2.0.3)
-    xunit.analyzers (1.16)
+    xunit.analyzers (1.17)
     xunit.assert (2.9.2)
     xunit.core (2.9.2)
       xunit.extensibility.core (2.9.2)

csharp/ql/integration-tests/posix/standalone_dependencies_executing_runtime/Assemblies.expected

@@ -2,6 +2,7 @@
 | [...]/csharp/tools/[...]/Humanizer.dll |
 | [...]/csharp/tools/[...]/MessagePack.Annotations.dll |
 | [...]/csharp/tools/[...]/MessagePack.dll |
+| [...]/csharp/tools/[...]/Microsoft.Bcl.AsyncInterfaces.dll |
 | [...]/csharp/tools/[...]/Microsoft.Build.Framework.dll |
 | [...]/csharp/tools/[...]/Microsoft.Build.Utilities.Core.dll |
 | [...]/csharp/tools/[...]/Microsoft.Build.dll |
@@ -18,7 +19,6 @@
 | [...]/csharp/tools/[...]/Microsoft.VisualBasic.dll |
 | [...]/csharp/tools/[...]/Microsoft.Win32.Primitives.dll |
 | [...]/csharp/tools/[...]/Microsoft.Win32.Registry.dll |
-| [...]/csharp/tools/[...]/Microsoft.Win32.SystemEvents.dll |
 | [...]/csharp/tools/[...]/Mono.Posix.NETStandard.dll |
 | [...]/csharp/tools/[...]/Newtonsoft.Json.dll |
 | [...]/csharp/tools/[...]/StructuredLogger.dll |
@@ -58,7 +58,6 @@
 | [...]/csharp/tools/[...]/System.Diagnostics.Tools.dll |
 | [...]/csharp/tools/[...]/System.Diagnostics.TraceSource.dll |
 | [...]/csharp/tools/[...]/System.Diagnostics.Tracing.dll |
-| [...]/csharp/tools/[...]/System.Drawing.Common.dll |
 | [...]/csharp/tools/[...]/System.Drawing.Primitives.dll |
 | [...]/csharp/tools/[...]/System.Drawing.dll |
 | [...]/csharp/tools/[...]/System.Dynamic.Runtime.dll |
@@ -155,7 +154,6 @@
 | [...]/csharp/tools/[...]/System.Security.Cryptography.ProtectedData.dll |
 | [...]/csharp/tools/[...]/System.Security.Cryptography.X509Certificates.dll |
 | [...]/csharp/tools/[...]/System.Security.Cryptography.dll |
-| [...]/csharp/tools/[...]/System.Security.Permissions.dll |
 | [...]/csharp/tools/[...]/System.Security.Principal.Windows.dll |
 | [...]/csharp/tools/[...]/System.Security.Principal.dll |
 | [...]/csharp/tools/[...]/System.Security.SecureString.dll |
@@ -183,7 +181,6 @@
 | [...]/csharp/tools/[...]/System.ValueTuple.dll |
 | [...]/csharp/tools/[...]/System.Web.HttpUtility.dll |
 | [...]/csharp/tools/[...]/System.Web.dll |
-| [...]/csharp/tools/[...]/System.Windows.Extensions.dll |
 | [...]/csharp/tools/[...]/System.Windows.dll |
 | [...]/csharp/tools/[...]/System.Xml.Linq.dll |
 | [...]/csharp/tools/[...]/System.Xml.ReaderWriter.dll |

csharp/ql/lib/change-notes/2024-12-04-dotnet9.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The C# extractor now supports *basic* extraction of .NET 9 projects. There might be limited support for extraction of code using the new C# 13 language features.

csharp/ql/lib/change-notes/2024-12-05-aspnetcore-mvc-model.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added flow summaries for the `Microsoft.AspNetCore.Mvc.Controller::View` method.

csharp/ql/lib/ext/Microsoft.AspNetCore.Mvc.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: summaryModel
+    data:
+      - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"]
+      - ["Microsoft.AspNetCore.Mvc", "Controller", True, "View", "", "", "Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag]", "ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "value", "manual"]

csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected

@@ -1506,6 +1506,14 @@ summary
 | Microsoft.AspNetCore.Mvc;ApiBehaviorOptions;GetEnumerator;();Argument[this].Element;ReturnValue.Property[System.Collections.IEnumerator.Current];value;manual |
 | Microsoft.AspNetCore.Mvc;ApiBehaviorOptions;set_InvalidModelStateResponseFactory;(System.Func<Microsoft.AspNetCore.Mvc.ActionContext,Microsoft.AspNetCore.Mvc.IActionResult>);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Mvc;Controller;OnActionExecutionAsync;(Microsoft.AspNetCore.Mvc.Filters.ActionExecutingContext,Microsoft.AspNetCore.Mvc.Filters.ActionExecutionDelegate);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
+| Microsoft.AspNetCore.Mvc;Controller;View;();Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;();Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;(System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;(System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;(System.String);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;(System.String);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
 | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(System.Object,System.Type,System.String,Microsoft.AspNetCore.Mvc.ModelBinding.IValueProvider,System.Func<Microsoft.AspNetCore.Mvc.ModelBinding.ModelMetadata,System.Boolean>);Argument[4];Argument[4].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync<TModel>;(TModel,System.String,Microsoft.AspNetCore.Mvc.ModelBinding.IValueProvider,System.Func<Microsoft.AspNetCore.Mvc.ModelBinding.ModelMetadata,System.Boolean>);Argument[3];Argument[3].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync<TModel>;(TModel,System.String,System.Func<Microsoft.AspNetCore.Mvc.ModelBinding.ModelMetadata,System.Boolean>);Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |

csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected

@@ -555,6 +555,14 @@
 | Microsoft.AspNetCore.Mvc.ViewFeatures;TryGetValueDelegate;BeginInvoke;(System.Object,System.String,System.Object,System.AsyncCallback,System.Object);Argument[3];Argument[3].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Mvc.ViewFeatures;ViewDataInfo;ViewDataInfo;(System.Object,System.Reflection.PropertyInfo,System.Func<System.Object>);Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Mvc;ApiBehaviorOptions;set_InvalidModelStateResponseFactory;(System.Func<Microsoft.AspNetCore.Mvc.ActionContext,Microsoft.AspNetCore.Mvc.IActionResult>);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
+| Microsoft.AspNetCore.Mvc;Controller;View;();Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;();Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;(System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;(System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;(System.String);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;(System.String);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewBag];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
+| Microsoft.AspNetCore.Mvc;Controller;View;(System.String,System.Object);Argument[this].Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue.Property[Microsoft.AspNetCore.Mvc.Controller.ViewData].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];value;manual |
 | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync;(System.Object,System.Type,System.String,Microsoft.AspNetCore.Mvc.ModelBinding.IValueProvider,System.Func<Microsoft.AspNetCore.Mvc.ModelBinding.ModelMetadata,System.Boolean>);Argument[4];Argument[4].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync<TModel>;(TModel,System.String,Microsoft.AspNetCore.Mvc.ModelBinding.IValueProvider,System.Func<Microsoft.AspNetCore.Mvc.ModelBinding.ModelMetadata,System.Boolean>);Argument[3];Argument[3].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Mvc;ControllerBase;TryUpdateModelAsync<TModel>;(TModel,System.String,System.Func<Microsoft.AspNetCore.Mvc.ModelBinding.ModelMetadata,System.Boolean>);Argument[2];Argument[2].Parameter[delegate-self];value;hq-generated |

csharp/ql/test/library-tests/frameworks/format/StringFormatItemParameter.expected

@@ -1,4 +1,3 @@
-| Console | Write(string, ReadOnlySpan<object>) | arg |
 | Console | Write(string, object) | arg0 |
 | Console | Write(string, object, object) | arg0 |
 | Console | Write(string, object, object) | arg1 |
@@ -6,7 +5,7 @@
 | Console | Write(string, object, object, object) | arg1 |
 | Console | Write(string, object, object, object) | arg2 |
 | Console | Write(string, params Object[]) | arg |
-| Console | WriteLine(string, ReadOnlySpan<object>) | arg |
+| Console | Write(string, params ReadOnlySpan<object>) | arg |
 | Console | WriteLine(string, object) | arg0 |
 | Console | WriteLine(string, object, object) | arg0 |
 | Console | WriteLine(string, object, object) | arg1 |
@@ -14,10 +13,10 @@
 | Console | WriteLine(string, object, object, object) | arg1 |
 | Console | WriteLine(string, object, object, object) | arg2 |
 | Console | WriteLine(string, params Object[]) | arg |
+| Console | WriteLine(string, params ReadOnlySpan<object>) | arg |
 | Debug | Assert(bool, string, string, params Object[]) | args |
 | Debug | Print(string, params Object[]) | args |
 | Debug | WriteLine(string, params Object[]) | args |
-| StringBuilder | AppendFormat(IFormatProvider, string, ReadOnlySpan<object>) | args |
 | StringBuilder | AppendFormat(IFormatProvider, string, object) | arg0 |
 | StringBuilder | AppendFormat(IFormatProvider, string, object, object) | arg0 |
 | StringBuilder | AppendFormat(IFormatProvider, string, object, object) | arg1 |
@@ -25,7 +24,7 @@
 | StringBuilder | AppendFormat(IFormatProvider, string, object, object, object) | arg1 |
 | StringBuilder | AppendFormat(IFormatProvider, string, object, object, object) | arg2 |
 | StringBuilder | AppendFormat(IFormatProvider, string, params Object[]) | args |
-| StringBuilder | AppendFormat(string, ReadOnlySpan<object>) | args |
+| StringBuilder | AppendFormat(IFormatProvider, string, params ReadOnlySpan<object>) | args |
 | StringBuilder | AppendFormat(string, object) | arg0 |
 | StringBuilder | AppendFormat(string, object, object) | arg0 |
 | StringBuilder | AppendFormat(string, object, object) | arg1 |
@@ -33,8 +32,8 @@
 | StringBuilder | AppendFormat(string, object, object, object) | arg1 |
 | StringBuilder | AppendFormat(string, object, object, object) | arg2 |
 | StringBuilder | AppendFormat(string, params Object[]) | args |
+| StringBuilder | AppendFormat(string, params ReadOnlySpan<object>) | args |
 | Strings | MyStringFormat(string, params Object[]) | args |
-| TextWriter | Write(string, ReadOnlySpan<object>) | arg |
 | TextWriter | Write(string, object) | arg0 |
 | TextWriter | Write(string, object, object) | arg0 |
 | TextWriter | Write(string, object, object) | arg1 |
@@ -42,7 +41,7 @@
 | TextWriter | Write(string, object, object, object) | arg1 |
 | TextWriter | Write(string, object, object, object) | arg2 |
 | TextWriter | Write(string, params Object[]) | arg |
-| TextWriter | WriteLine(string, ReadOnlySpan<object>) | arg |
+| TextWriter | Write(string, params ReadOnlySpan<object>) | arg |
 | TextWriter | WriteLine(string, object) | arg0 |
 | TextWriter | WriteLine(string, object, object) | arg0 |
 | TextWriter | WriteLine(string, object, object) | arg1 |
@@ -50,7 +49,7 @@
 | TextWriter | WriteLine(string, object, object, object) | arg1 |
 | TextWriter | WriteLine(string, object, object, object) | arg2 |
 | TextWriter | WriteLine(string, params Object[]) | arg |
-| string | Format(IFormatProvider, string, ReadOnlySpan<object>) | args |
+| TextWriter | WriteLine(string, params ReadOnlySpan<object>) | arg |
 | string | Format(IFormatProvider, string, object) | arg0 |
 | string | Format(IFormatProvider, string, object, object) | arg0 |
 | string | Format(IFormatProvider, string, object, object) | arg1 |
@@ -58,7 +57,7 @@
 | string | Format(IFormatProvider, string, object, object, object) | arg1 |
 | string | Format(IFormatProvider, string, object, object, object) | arg2 |
 | string | Format(IFormatProvider, string, params Object[]) | args |
-| string | Format(string, ReadOnlySpan<object>) | args |
+| string | Format(IFormatProvider, string, params ReadOnlySpan<object>) | args |
 | string | Format(string, object) | arg0 |
 | string | Format(string, object, object) | arg0 |
 | string | Format(string, object, object) | arg1 |
@@ -66,3 +65,4 @@
 | string | Format(string, object, object, object) | arg1 |
 | string | Format(string, object, object, object) | arg2 |
 | string | Format(string, params Object[]) | args |
+| string | Format(string, params ReadOnlySpan<object>) | args |

csharp/ql/test/library-tests/methods/Parameters4.ql

@@ -4,5 +4,5 @@
 
 import csharp
 
-where forall(Parameter p | p.isParams() | p.getType() instanceof ArrayType)
+where forall(Parameter p | p.isParams() and p.fromSource() | p.getType() instanceof ArrayType)
 select 1

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/IsNotOkayCall.expected

@@ -1,4 +1,3 @@
 | Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer |
 | Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer |
 | Quality.cs:32:9:32:21 | access to indexer | Call without target $@. | Quality.cs:32:9:32:21 | access to indexer | access to indexer |
-| Quality.cs:34:21:34:25 | object creation of type null | Call without target $@. | Quality.cs:34:21:34:25 | object creation of type null | object creation of type null |

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/NoTarget.expected

@@ -10,6 +10,5 @@
 | Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer |
 | Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer |
 | Quality.cs:32:9:32:21 | access to indexer | Call without target $@. | Quality.cs:32:9:32:21 | access to indexer | access to indexer |
-| Quality.cs:34:21:34:25 | object creation of type null | Call without target $@. | Quality.cs:34:21:34:25 | object creation of type null | object creation of type null |
 | Quality.cs:38:16:38:26 | access to property MyProperty2 | Call without target $@. | Quality.cs:38:16:38:26 | access to property MyProperty2 | access to property MyProperty2 |
 | Quality.cs:50:20:50:26 | object creation of type T | Call without target $@. | Quality.cs:50:20:50:26 | object creation of type T | object creation of type T |

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs

@@ -31,7 +31,7 @@ public class Test
         Span<byte> guidBytes = stackalloc byte[16];
         guidBytes[08] = 1;          // TODO: this indexer call has no target, because the target is a `ref` returning getter.
 
-        new MyList([new(), new Test()]);        // TODO: the `new()` call has no target, which is unexpected, as we know at compile time, that this is a `new Test()` call.
+        new MyList([new(), new Test()]);
     }
 
     public int MyProperty1 { get; }

csharp/scripts/BUILD.bazel

@@ -1,3 +1,5 @@
+load("@rules_python//python:defs.bzl", "py_binary")
+
 py_binary(
     name = "gen-git-assembly-info",
     srcs = ["gen-git-assembly-info.py"],

go/BUILD.bazel

@@ -1,5 +1,6 @@
 load("@gazelle//:def.bzl", "gazelle")
 load("@rules_pkg//pkg:mappings.bzl", "pkg_files")
+load("@rules_python//python:defs.bzl", "py_binary")
 load("//misc/bazel:pkg.bzl", "codeql_pack", "codeql_pkg_files")
 
 gazelle(

go/ql/lib/change-notes/2024-12-06-improve-flow-out-of-variadic-parameter.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Data flow out of variadic parameters now works in more situations. Summary models defined using models-as-data work. Source models defined using models-as-data do not work yet.

go/ql/lib/semmle/go/dataflow/internal/ContainerFlow.qll

@@ -66,6 +66,11 @@ predicate containerReadStep(Node node1, Node node2, Content c) {
     (
       node2.(Read).readsElement(node1, _)
       or
+      exists(ImplicitVarargsSlice ivs |
+        node1.(PostUpdateNode).getPreUpdateNode() = ivs and
+        node2.(PostUpdateNode).getPreUpdateNode() = ivs.getCallNode().getAnImplicitVarargsArgument()
+      )
+      or
       node2.(RangeElementNode).getBase() = node1
       or
       // To model data flow from array elements of the base of a `SliceNode` to

go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll

@@ -845,6 +845,9 @@ module Public {
         or
         preupd = getAWrittenNode()
         or
+        preupd instanceof ImplicitVarargsSlice and
+        mutableType(preupd.(ImplicitVarargsSlice).getType().(SliceType).getElementType())
+        or
         preupd = any(ArgumentNode arg).getACorrespondingSyntacticArgument() and
         mutableType(preupd.getType())
       ) and

go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/completetest.ql

@@ -9,9 +9,9 @@ import semmle.go.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 import TestUtilities.InlineFlowTest
 
 module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { sourceNode(src, "qltest") }
+  predicate isSource(DataFlow::Node source) { sourceNode(source, "qltest") }
 
-  predicate isSink(DataFlow::Node src) { sinkNode(src, "qltest") }
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, "qltest") }
 }
 
 import ValueFlowTest<Config>

go/ql/test/library-tests/semmle/go/dataflow/VarArgs/main.go

@@ -4,7 +4,7 @@ func source() string {
 	return "untrusted data"
 }
 
-func sink(string) {
+func sink(any) {
 }
 
 type A struct {
@@ -19,6 +19,10 @@ func functionWithVarArgsParameter(s ...string) string {
 	return s[1]
 }
 
+func functionWithVarArgsOutParameter(in string, out ...*string) {
+	*out[0] = in
+}
+
 func functionWithSliceOfStructsParameter(s []A) string {
 	return s[1].f
 }
@@ -38,6 +42,12 @@ func main() {
 	sink(functionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to functionWithVarArgsParameter"
 	sink(functionWithVarArgsParameter(s0, s1))    // $ hasValueFlow="call to functionWithVarArgsParameter"
 
+	var out1 *string
+	var out2 *string
+	functionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ MISSING: hasValueFlow="out1"
+	sink(out2) // $ MISSING: hasValueFlow="out2"
+
 	sliceOfStructs := []A{{f: source()}}
 	sink(sliceOfStructs[0].f) // $ hasValueFlow="selection of f"
 

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.expected

@@ -0,0 +1,2 @@
+testFailures
+invalidModelRow

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ext.yml

@@ -0,0 +1,21 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "FunctionWithParameter", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithSliceParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOutParameter", "", "", "Argument[0]", "Argument[1].ArrayElement", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithSliceOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "VariadicSource", "", "", "Argument[0]", "qltest", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "VariadicSink", "", "", "Argument[0]", "qltest", "manual"]

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ql

@@ -0,0 +1,22 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import TestUtilities.InlineFlowTest
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    sourceNode(source, "qltest")
+    or
+    exists(Function fn | fn.hasQualifiedName(_, ["source", "taint"]) |
+      source = fn.getACall().getResult()
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sinkNode(sink, "qltest")
+    or
+    exists(Function fn | fn.hasQualifiedName(_, "sink") | sink = fn.getACall().getAnArgument())
+  }
+}
+
+import FlowTest<Config, Config>

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/go.mod

@@ -0,0 +1,5 @@
+module semmle.go.Packages
+
+go 1.23
+
+require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go

@@ -0,0 +1,51 @@
+package main
+
+import (
+	"github.com/nonexistent/test"
+)
+
+func source() string {
+	return "untrusted data"
+}
+
+func sink(any) {
+}
+
+func main() {
+	s := source()
+	sink(test.FunctionWithParameter(s)) // $ hasValueFlow="call to FunctionWithParameter"
+
+	stringSlice := []string{source()}
+	sink(stringSlice[0]) // $ hasValueFlow="index expression"
+
+	s0 := ""
+	s1 := source()
+	sSlice := []string{s0, s1}
+	sink(test.FunctionWithParameter(sSlice[1]))        // $ hasValueFlow="call to FunctionWithParameter"
+	sink(test.FunctionWithSliceParameter(sSlice))      // $ hasValueFlow="call to FunctionWithSliceParameter"
+	sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+	sink(test.FunctionWithVarArgsParameter(s0, s1))    // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+
+	var out1 *string
+	var out2 *string
+	test.FunctionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ hasValueFlow="out1"
+	sink(out2) // $ hasValueFlow="out2"
+
+	sliceOfStructs := []test.A{{Field: source()}}
+	sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
+
+	a0 := test.A{Field: ""}
+	a1 := test.A{Field: source()}
+	aSlice := []test.A{a0, a1}
+	sink(test.FunctionWithSliceOfStructsParameter(aSlice))      // $ hasValueFlow="call to FunctionWithSliceOfStructsParameter"
+	sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
+	sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1))    // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
+
+	var variadicSource string
+	test.VariadicSource(&variadicSource)
+	sink(variadicSource) // $ MISSING: hasTaintFlow="variadicSource"
+
+	test.VariadicSink(source()) // $ hasTaintFlow="[]type{args}"
+
+}

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/github.com/nonexistent/test/stub.go

@@ -0,0 +1,31 @@
+package test
+
+type A struct {
+	Field string
+}
+
+func FunctionWithParameter(s string) string {
+	return ""
+}
+
+func FunctionWithSliceParameter(s []string) string {
+	return ""
+}
+
+func FunctionWithVarArgsParameter(s ...string) string {
+	return ""
+}
+func FunctionWithVarArgsOutParameter(in string, out ...*string) {
+}
+
+func FunctionWithSliceOfStructsParameter(s []A) string {
+	return ""
+}
+
+func FunctionWithVarArgsOfStructsParameter(s ...A) string {
+	return ""
+}
+
+func VariadicSource(s ...*string) {}
+
+func VariadicSink(s ...string) {}