Ensure unique name for qhelp artifact

.github/workflows/check-change-note.yml

@@ -16,6 +16,7 @@ on:
       - "shared/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
+      - "!rust/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:

.github/workflows/go-tests.yml

@@ -14,7 +14,7 @@ on:
   pull_request:
     paths:
       - "go/**"
-      - "!go/documentation/**"      
+      - "!go/documentation/**"
       - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**
@@ -31,6 +31,10 @@ jobs:
     if: github.repository_owner == 'github'
     name: Test Linux (Ubuntu)
     runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        go-version: ['~1.24.0', '1.25.0-rc.1']
     steps:
       - name: Check out code
         uses: actions/checkout@v4
@@ -38,3 +42,4 @@ jobs:
         uses: ./go/actions/test
         with:
           run-code-checks: true
+          go-test-version: ${{ matrix.go-version }}

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -53,7 +53,7 @@ jobs:
       - name: Create database
         run: |
           "${CODEQL}" database create \
-          --search-path "${{ github.workspace }}" \
+          --search-path "${{ github.workspace }}"
           --threads 4 \
             --language ql --source-root "${{ github.workspace }}/repo" \
             "${{ runner.temp }}/database"

.pre-commit-config.yaml

@@ -9,7 +9,7 @@ repos:
       - id: trailing-whitespace
         exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
       - id: end-of-file-fixer
-        exclude: Cargo.lock$|/test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
 
   - repo: https://github.com/pre-commit/mirrors-clang-format
     rev: v17.0.6

Cargo.toml

@@ -11,3 +11,8 @@ members = [
     "rust/autobuild",
 ]
 exclude = ["mad-generation-build"]
+
+[patch.crates-io]
+# patch for build script bug preventing bazel build
+# see https://github.com/rust-lang/rustc_apfloat/pull/17
+rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "32968f16ef1b082243f9bf43a3fbd65c381b3e27" }

MODULE.bazel

@@ -15,7 +15,7 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "0.0.11")
-bazel_dep(name = "rules_go", version = "0.50.1")
+bazel_dep(name = "rules_go", version = "0.55.1-codeql.1")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
 bazel_dep(name = "rules_python", version = "0.40.0")
@@ -37,7 +37,7 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
 # the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
 RUST_EDITION = "2024"
 
-RUST_VERSION = "1.86.0"
+RUST_VERSION = "1.85.0"
 
 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
@@ -71,11 +71,11 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.98",
+    "vendor_ts__anyhow-1.0.97",
     "vendor_ts__argfile-0.2.1",
-    "vendor_ts__chalk-ir-0.103.0",
-    "vendor_ts__chrono-0.4.41",
-    "vendor_ts__clap-4.5.40",
+    "vendor_ts__chalk-ir-0.100.0",
+    "vendor_ts__chrono-0.4.40",
+    "vendor_ts__clap-4.5.35",
     "vendor_ts__dunce-1.0.5",
     "vendor_ts__either-1.15.0",
     "vendor_ts__encoding-0.2.33",
@@ -87,33 +87,33 @@ use_repo(
     "vendor_ts__lazy_static-1.5.0",
     "vendor_ts__mustache-0.9.0",
     "vendor_ts__num-traits-0.2.19",
-    "vendor_ts__num_cpus-1.17.0",
-    "vendor_ts__proc-macro2-1.0.95",
+    "vendor_ts__num_cpus-1.16.0",
+    "vendor_ts__proc-macro2-1.0.94",
     "vendor_ts__quote-1.0.40",
-    "vendor_ts__ra_ap_base_db-0.0.288",
-    "vendor_ts__ra_ap_cfg-0.0.288",
-    "vendor_ts__ra_ap_hir-0.0.288",
-    "vendor_ts__ra_ap_hir_def-0.0.288",
-    "vendor_ts__ra_ap_hir_expand-0.0.288",
-    "vendor_ts__ra_ap_hir_ty-0.0.288",
-    "vendor_ts__ra_ap_ide_db-0.0.288",
-    "vendor_ts__ra_ap_intern-0.0.288",
-    "vendor_ts__ra_ap_load-cargo-0.0.288",
-    "vendor_ts__ra_ap_parser-0.0.288",
-    "vendor_ts__ra_ap_paths-0.0.288",
-    "vendor_ts__ra_ap_project_model-0.0.288",
-    "vendor_ts__ra_ap_span-0.0.288",
-    "vendor_ts__ra_ap_stdx-0.0.288",
-    "vendor_ts__ra_ap_syntax-0.0.288",
-    "vendor_ts__ra_ap_vfs-0.0.288",
-    "vendor_ts__rand-0.9.1",
+    "vendor_ts__ra_ap_base_db-0.0.273",
+    "vendor_ts__ra_ap_cfg-0.0.273",
+    "vendor_ts__ra_ap_hir-0.0.273",
+    "vendor_ts__ra_ap_hir_def-0.0.273",
+    "vendor_ts__ra_ap_hir_expand-0.0.273",
+    "vendor_ts__ra_ap_hir_ty-0.0.273",
+    "vendor_ts__ra_ap_ide_db-0.0.273",
+    "vendor_ts__ra_ap_intern-0.0.273",
+    "vendor_ts__ra_ap_load-cargo-0.0.273",
+    "vendor_ts__ra_ap_parser-0.0.273",
+    "vendor_ts__ra_ap_paths-0.0.273",
+    "vendor_ts__ra_ap_project_model-0.0.273",
+    "vendor_ts__ra_ap_span-0.0.273",
+    "vendor_ts__ra_ap_stdx-0.0.273",
+    "vendor_ts__ra_ap_syntax-0.0.273",
+    "vendor_ts__ra_ap_vfs-0.0.273",
+    "vendor_ts__rand-0.9.0",
     "vendor_ts__rayon-1.10.0",
     "vendor_ts__regex-1.11.1",
     "vendor_ts__serde-1.0.219",
     "vendor_ts__serde_json-1.0.140",
-    "vendor_ts__serde_with-3.13.0",
-    "vendor_ts__syn-2.0.103",
-    "vendor_ts__toml-0.8.23",
+    "vendor_ts__serde_with-3.12.0",
+    "vendor_ts__syn-2.0.100",
+    "vendor_ts__toml-0.8.20",
     "vendor_ts__tracing-0.1.41",
     "vendor_ts__tracing-flame-0.2.0",
     "vendor_ts__tracing-subscriber-0.3.19",
@@ -233,7 +233,7 @@ use_repo(
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.24.0")
+go_sdk.download(version = "1.25rc1")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")

actions/ql/lib/CHANGELOG.md

@@ -1,11 +1,3 @@
-## 0.4.12
-
-### Minor Analysis Improvements
-
-* Fixed performance issues in the parsing of Bash scripts in workflow files,
-  which led to out-of-disk errors when analysing certain workflow files with
-  complex interpolations of shell commands or quoted strings.
-
 ## 0.4.11
 
 No user-facing changes.

actions/ql/lib/change-notes/2025-06-09-bash-parsing-performance.md

@@ -1,7 +1,6 @@
-## 0.4.12
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * Fixed performance issues in the parsing of Bash scripts in workflow files,
   which led to out-of-disk errors when analysing certain workflow files with
-  complex interpolations of shell commands or quoted strings.
+  complex interpolations of shell commands or quoted strings.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.12
+lastReleaseVersion: 0.4.11

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.13-dev
+version: 0.4.12-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 0.6.4
-
-No user-facing changes.
-
 ## 0.6.3
 
 No user-facing changes.

actions/ql/src/change-notes/released/0.6.4.md

@@ -1,3 +0,0 @@
-## 0.6.4
-
-No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.4
+lastReleaseVersion: 0.6.3

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.5-dev
+version: 0.6.4-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

config/add-overlay-annotations.py

@@ -1,274 +0,0 @@
-# This script is used to annotate .qll files without any existing overlay annotations
-# with overlay[local?] and overlay[caller?] annotations. Maintenance of overlay annotations
-# in annotated files will be handled by QL-for-QL queries.
-
-# It will walk the directory tree and annotate most .qll files, skipping only
-# some specific cases (e.g., empty files, files that configure dataflow for queries).
-
-# The script takes a list of languages and processes the corresponding directories.
-# If the optional --check argument is provided, the script checks for missing annotations,
-# but does not modify any files.
-
-# Usage: python3 add-overlay-annotations.py [--check] <language1> <language2> ...
-
-# The script will modify the files in place and print the changes made.
-# The script is designed to be run from the root of the repository.
-
-#!/usr/bin/python3
-import sys
-import os
-import re
-from difflib import context_diff
-
-OVERLAY_PATTERN = re.compile(r'overlay\[[a-zA-Z?_-]+\]')
-
-def has_overlay_annotations(lines):
-    '''
-    Check whether the given lines contain any overlay[...] annotations.
-    '''
-    return any(OVERLAY_PATTERN.search(line) for line in lines)
-
-
-def is_line_comment(line):
-    return line.startswith("//") or (line.startswith("/*") and line.endswith("*/"))
-
-
-def find_file_level_module_declaration(lines):
-    '''
-    Returns the index of the existing file-level module declaration if one
-    exists. Returns None otherwise.
-    '''
-    comment = False
-    for i, line in enumerate(lines):
-        trimmed = line.strip()
-
-        if is_line_comment(trimmed):
-            continue
-        elif trimmed.startswith("/*"):
-            comment = True
-        elif comment and trimmed.endswith("*/"):
-            comment = False
-        elif not comment and trimmed.endswith("module;"):
-            return i
-
-    return None
-
-
-def is_file_module_qldoc(i, lines):
-    '''
-    Assuming a qldoc ended on line i, determine if it belongs to the implicit
-    file-level module. If it is followed by another qldoc or imports, then it
-    does and if it is followed by any other non-empty, non-comment lines, then
-    we assume that is a declaration of some kind and the qldoc is attached to
-    that declaration.
-    '''
-    comment = False
-
-    for line in lines[i+1:]:
-        trimmed = line.strip()
-
-        if trimmed.startswith("import ") or trimmed.startswith("private import ") or trimmed.startswith("/**"):
-             return True
-        elif is_line_comment(trimmed) or not trimmed:
-             continue
-        elif trimmed.startswith("/*"):
-             comment = True
-        elif comment and trimmed.endswith("*/"):
-             comment = False
-        elif not comment and trimmed:
-             return False
-
-    return True
-
-
-def find_file_module_qldoc_declaration(lines):
-    '''
-    Returns the index of last line of the implicit file module qldoc if one
-    exists. Returns None otherwise.
-    '''
-
-    qldoc = False
-    comment = False
-    for i, line in enumerate(lines):
-        trimmed = line.strip()
-
-        if trimmed.startswith("//"):
-            continue
-        elif (qldoc or trimmed.startswith("/**")) and trimmed.endswith("*/"):
-            # a qldoc just ended; determine if it belongs to the implicit file module
-            if is_file_module_qldoc(i, lines):
-                return i
-            else:
-                return None
-        elif trimmed.startswith("/**"):
-            qldoc = True
-        elif trimmed.startswith("/*"):
-            comment = True
-        elif comment and trimmed.endswith("*/"):
-            comment = False
-        elif (not qldoc and not comment) and trimmed:
-            return None
-
-    return None
-
-
-def only_comments(lines):
-    '''
-    Returns true if the lines contain only comments and empty lines.
-    '''
-    comment = False
-
-    for line in lines:
-        trimmed = line.strip()
-
-        if not trimmed or is_line_comment(trimmed):
-            continue
-        elif trimmed.startswith("/*"):
-            comment = True
-        elif comment and trimmed.endswith("*/"):
-            comment = False
-        elif comment:
-            continue
-        elif trimmed:
-            return False
-
-    return True
-
-
-def insert_toplevel_maybe_local_annotation(filename, lines):
-    '''
-    Find a suitable place to insert an overlay[local?] annotation at the top of the file.
-    Returns a pair consisting of description and the modified lines or None if no overlay
-    annotation is necessary (e.g., for files that only contain comments).
-    '''
-    if only_comments(lines):
-        return None
-
-    i = find_file_level_module_declaration(lines)
-    if not i == None:
-        out_lines = lines[:i]
-        out_lines.append("overlay[local?]\n")
-        out_lines.extend(lines[i:])
-        return (f"Annotating \"{filename}\" via existing file-level module statement", out_lines)
-
-    i = find_file_module_qldoc_declaration(lines)
-    if not i == None:
-        out_lines = lines[:i+1]
-        out_lines.append("overlay[local?]\n")
-        out_lines.append("module;\n")
-        out_lines.extend(lines[i+1:])
-        return (f"Annotating \"{filename}\" which has a file-level module qldoc", out_lines)
-
-    out_lines = ["overlay[local?]\n", "module;\n", "\n"] + lines
-    return (f"Annotating \"{filename}\" without file-level module qldoc", out_lines)
-
-
-def insert_overlay_caller_annotations(lines):
-    '''
-    Mark pragma[inline] predicates as overlay[caller?] if they are not declared private.
-    '''
-    out_lines = []
-    for i, line in enumerate(lines):
-        trimmed = line.strip()
-        if trimmed == "pragma[inline]":
-            if i + 1 < len(lines) and not "private" in lines[i+1]:
-                whitespace = line[0: line.find(trimmed)]
-                out_lines.append(f"{whitespace}overlay[caller?]\n")
-        out_lines.append(line)
-    return out_lines
-
-
-def annotate_as_appropriate(filename, lines):
-    '''
-    Insert new overlay[...] annotations according to heuristics in files without existing
-    overlay annotations.
-
-    Returns None if no annotations are needed. Otherwise, returns a pair consisting of a
-    string describing the action taken and the modified content as a list of lines.
-    '''
-    if has_overlay_annotations(lines):
-        return None
-
-    # These simple heuristics filter out those .qll files that we no _not_ want to annotate
-    # as overlay[local?].  It is not clear that these heuristics are exactly what we want,
-    # but they seem to work well enough for now (as determined by speed and accuracy numbers).
-    if (filename.endswith("Test.qll") or
-        ((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
-         any("implements DataFlow::ConfigSig" in line for line in lines))):
-        return None
-    elif not any(line for line in lines if line.strip()):
-        return None
-
-    lines = insert_overlay_caller_annotations(lines)
-    return insert_toplevel_maybe_local_annotation(filename, lines)
-
-
-def process_single_file(write, filename):
-    '''
-    Process a single file, annotating it as appropriate.
-    If write is set, the changes are written back to the file.
-    Returns True if the file requires changes.
-    '''
-    with open(filename) as f:
-        old = [line for line in f]
-
-    annotate_result = annotate_as_appropriate(filename, old)
-    if annotate_result is None:
-        return False
-
-    if not write:
-        return True
-
-    new = annotate_result[1]
-
-    diff = context_diff(old, new, fromfile=filename, tofile=filename)
-    diff = [line for line in diff]
-    if diff:
-        print(annotate_result[0])
-        for line in diff:
-            print(line.rstrip())
-        with open(filename, "w") as out_file:
-            for line in new:
-                out_file.write(line)
-
-    return True
-
-
-if len(sys.argv) > 1 and sys.argv[1] == "--check":
-  check = True
-  langs = sys.argv[2:]
-else:
-  check = False
-  langs = sys.argv[1:]
-
-dirs = []
-for lang in langs:
-    if lang in ["cpp", "go", "csharp", "java", "javascript", "python", "ruby", "rust", "swift"]:
-        dirs.append(f"{lang}/ql/lib")
-    else:
-        raise Exception(f"Unknown language \"{lang}\".")
-
-if dirs:
-    dirs.append("shared")
-
-missingAnnotations = []
-
-for roots in dirs:
-    for dirpath, dirnames, filenames in os.walk(roots):
-        for filename in filenames:
-            if filename.endswith(".qll") and not dirpath.endswith("tutorial"):
-                path = os.path.join(dirpath, filename)
-                res = process_single_file(not check, path)
-                if check and res:
-                    missingAnnotations.append(path)
-
-
-if len(missingAnnotations) > 0:
-    print("The following files have no overlay annotations:")
-    for path in missingAnnotations[:10]:
-      print("- " + path)
-    if len(missingAnnotations) > 10:
-      print("and " + str(len(missingAnnotations) - 10) + " additional files.")
-    print()
-    print("Please manually add overlay annotations or use the config/add-overlay-annotations.py script to automatically add sensible default overlay annotations.")
-    exit(1)

config/dbscheme-fragments.json

@@ -11,7 +11,6 @@
     "/*- Diagnostic messages -*/",
     "/*- Diagnostic messages: severity -*/",
     "/*- Source location prefix -*/",
-    "/*- Database metadata -*/",
     "/*- Lines of code -*/",
     "/*- Configuration files with key value pairs -*/",
     "/*- YAML -*/",
@@ -32,4 +31,4 @@
     "/*- Python dbscheme -*/",
     "/*- Empty location -*/"
   ]
-}
+}

config/opcode-qldoc.py

@@ -8,9 +8,9 @@ needs_an_re = re.compile(r'^(?!Unary)[AEIOU]')  # Name requiring "an" instead of
 start_qldoc_re = re.compile(r'^\s*/\*\*')  # Start of a QLDoc comment
 end_qldoc_re = re.compile(r'\*/\s*$')  # End of a QLDoc comment
 blank_qldoc_line_re = re.compile(r'^\s*\*\s*$')  # A line in a QLDoc comment with only the '*'
-instruction_class_re = re.compile(r'^class (?P<name>[A-Za-z0-9]+)Instruction\s')  # Declaration of an `Instruction` class
-opcode_base_class_re = re.compile(r'^abstract class (?P<name>[A-Za-z0-9]+)Opcode\s')  # Declaration of an `Opcode` base class
-opcode_class_re = re.compile(r'^  class (?P<name>[A-Za-z0-9]+)\s')  # Declaration of an `Opcode` class
+instruction_class_re = re.compile(r'^class (?P<name>[A-aa-z0-9]+)Instruction\s')  # Declaration of an `Instruction` class
+opcode_base_class_re = re.compile(r'^abstract class (?P<name>[A-aa-z0-9]+)Opcode\s')  # Declaration of an `Opcode` base class
+opcode_class_re = re.compile(r'^  class (?P<name>[A-aa-z0-9]+)\s')  # Declaration of an `Opcode` class
 
 script_dir = path.realpath(path.dirname(__file__))
 instruction_path = path.realpath(path.join(script_dir, '../cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll'))

cpp/downgrades/7bc12b02a4363149f0727a4bce07952dbb9d98aa/builtintypes.ql

@@ -1,14 +0,0 @@
-class BuiltinType extends @builtintype {
-  string toString() { none() }
-}
-
-from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
-where
-  builtintypes(type, name, kind, size, sign, alignment) and
-  if
-    type instanceof @complex_fp16 or
-    type instanceof @complex_std_bfloat16 or
-    type instanceof @complex_std_float16
-  then kind_new = 2
-  else kind_new = kind
-select type, name, kind_new, size, sign, alignment

cpp/downgrades/7bc12b02a4363149f0727a4bce07952dbb9d98aa/upgrade.properties

@@ -1,3 +0,0 @@
-description: Introduce new complex 16-bit floating-point types
-compatibility: backwards
-builtintypes.rel: run builtintypes.qlo

cpp/ql/lib/CHANGELOG.md

@@ -1,20 +1,3 @@
-## 5.2.0
-
-### Deprecated APIs
-
-* The `ThrowingFunction` class (`semmle.code.cpp.models.interfaces.Throwing`) has been deprecated. Please use the `AlwaysSehThrowingFunction` class instead.
-
-### New Features
-
-* Added a predicate `getAnAttribute` to `Namespace` to retrieve a namespace attribute.
-* The Microsoft-specific `__leave` statement is now supported.
-* A new class `LeaveStmt` extending `JumpStmt` was added to represent `__leave` statements.
-* Added a predicate `hasParameterList` to `LambdaExpression` to capture whether a lambda has an explicitly specified parameter list.
-
-### Bug Fixes
-
-* `resolveTypedefs` now properly resolves typedefs for `ArrayType`s.
-
 ## 5.1.0
 
 ### New Features

cpp/ql/lib/change-notes/2014-12-13-deprecate-throwing.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The `ThrowingFunction` class (`semmle.code.cpp.models.interfaces.Throwing`) has been deprecated. Please use the `AlwaysSehThrowingFunction` class instead.

cpp/ql/lib/change-notes/2025-06-06-lambda-parameters.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a predicate `hasParameterList` to `LambdaExpression` to capture whether a lambda has an explicitly specified parameter list.

cpp/ql/lib/change-notes/2025-06-11-leave-stmt.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* The Microsoft-specific `__leave` statement is now supported.
+* A new class `LeaveStmt` extending `JumpStmt` was added to represent `__leave` statements.

cpp/ql/lib/change-notes/2025-06-16-namespace-attributes.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a predicate `getAnAttribute` to `Namespace` to retrieve a namespace attribute.

cpp/ql/lib/change-notes/2025-06-17-arraytype-typedefs.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* `resolveTypedefs` now properly resolves typedefs for `ArrayType`s.

cpp/ql/lib/change-notes/2025-06-20-oracle-oci-models.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added `sql-injection` sink models for the Oracle Call Interface (OCI) database library functions `OCIStmtPrepare` and `OCIStmtPrepare2`.

cpp/ql/lib/change-notes/2025-06-24-float16.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added support for `__fp16 _Complex` and `__bf16 _Complex` types

cpp/ql/lib/change-notes/released/5.2.0.md

@@ -1,16 +0,0 @@
-## 5.2.0
-
-### Deprecated APIs
-
-* The `ThrowingFunction` class (`semmle.code.cpp.models.interfaces.Throwing`) has been deprecated. Please use the `AlwaysSehThrowingFunction` class instead.
-
-### New Features
-
-* Added a predicate `getAnAttribute` to `Namespace` to retrieve a namespace attribute.
-* The Microsoft-specific `__leave` statement is now supported.
-* A new class `LeaveStmt` extending `JumpStmt` was added to represent `__leave` statements.
-* Added a predicate `hasParameterList` to `LambdaExpression` to capture whether a lambda has an explicitly specified parameter list.
-
-### Bug Fixes
-
-* `resolveTypedefs` now properly resolves typedefs for `ArrayType`s.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.2.0
+lastReleaseVersion: 5.1.0

cpp/ql/lib/experimental/quantum/Language.qll

@@ -56,7 +56,7 @@ module ArtifactFlowConfig implements DataFlow::ConfigSig {
 module ArtifactFlow = DataFlow::Global<ArtifactFlowConfig>;
 
 /**
- * An artifact output to node input configuration
+ * Artifact output to node input configuration
  */
 abstract class AdditionalFlowInputStep extends DataFlow::Node {
   abstract DataFlow::Node getOutput();
@@ -91,8 +91,9 @@ module GenericDataSourceFlowConfig implements DataFlow::ConfigSig {
 
 module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig>;
 
-private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof OpenSslGenericSourceCandidateLiteral
-{
+private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
+  ConstantDataSource() { this instanceof OpenSslGenericSourceCandidateLiteral }
+
   override DataFlow::Node getOutputNode() { result.asExpr() = this }
 
   override predicate flowsTo(Crypto::FlowAwareElement other) {

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll

@@ -48,7 +48,7 @@ module KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::
 module KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow =
   DataFlow::Global<KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig>;
 
-module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
+module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OpenSslPaddingLiteral }
 
   predicate isSink(DataFlow::Node sink) {
@@ -60,8 +60,8 @@ module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataF
   }
 }
 
-module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow =
-  DataFlow::Global<RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;
+module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow =
+  DataFlow::Global<RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;
 
 class OpenSslAlgorithmAdditionalFlowStep extends AdditionalFlowInputStep {
   OpenSslAlgorithmAdditionalFlowStep() { exists(AlgorithmPassthroughCall c | c.getInNode() = this) }
@@ -114,11 +114,11 @@ class CopyAndDupAlgorithmPassthroughCall extends AlgorithmPassthroughCall {
   override DataFlow::Node getOutNode() { result = outNode }
 }
 
-class NidToPointerPassthroughCall extends AlgorithmPassthroughCall {
+class NIDToPointerPassthroughCall extends AlgorithmPassthroughCall {
   DataFlow::Node inNode;
   DataFlow::Node outNode;
 
-  NidToPointerPassthroughCall() {
+  NIDToPointerPassthroughCall() {
     this.getTarget().getName() in ["OBJ_nid2obj", "OBJ_nid2ln", "OBJ_nid2sn"] and
     inNode.asExpr() = this.getArgument(0) and
     outNode.asExpr() = this
@@ -150,11 +150,11 @@ class PointerToPointerPassthroughCall extends AlgorithmPassthroughCall {
   override DataFlow::Node getOutNode() { result = outNode }
 }
 
-class PointerToNidPassthroughCall extends AlgorithmPassthroughCall {
+class PointerToNIDPassthroughCall extends AlgorithmPassthroughCall {
   DataFlow::Node inNode;
   DataFlow::Node outNode;
 
-  PointerToNidPassthroughCall() {
+  PointerToNIDPassthroughCall() {
     this.getTarget().getName() in ["OBJ_obj2nid", "OBJ_ln2nid", "OBJ_sn2nid", "OBJ_txt2nid"] and
     (
       inNode.asIndirectExpr() = this.getArgument(0)

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll

@@ -5,35 +5,36 @@ private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmCon
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 private import AlgToAVCFlow
-private import codeql.quantum.experimental.Standardization::Types::KeyOpAlg as KeyOpAlg
 
 /**
  * Given a `KnownOpenSslBlockModeAlgorithmExpr`, converts this to a block family type.
  * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSslConstantToBlockModeFamilyType(
-  KnownOpenSslBlockModeAlgorithmExpr e, KeyOpAlg::ModeOfOperationType type
+  KnownOpenSslBlockModeAlgorithmExpr e, Crypto::TBlockCipherModeOfOperationType type
 ) {
   exists(string name |
     name = e.(KnownOpenSslAlgorithmExpr).getNormalizedName() and
     (
-      name = "CBC" and type instanceof KeyOpAlg::CBC
+      name.matches("CBC") and type instanceof Crypto::CBC
       or
-      name = "CFB%" and type instanceof KeyOpAlg::CFB
+      name.matches("CFB%") and type instanceof Crypto::CFB
       or
-      name = "CTR" and type instanceof KeyOpAlg::CTR
+      name.matches("CTR") and type instanceof Crypto::CTR
       or
-      name = "GCM" and type instanceof KeyOpAlg::GCM
+      name.matches("GCM") and type instanceof Crypto::GCM
       or
-      name = "OFB" and type instanceof KeyOpAlg::OFB
+      name.matches("OFB") and type instanceof Crypto::OFB
       or
-      name = "XTS" and type instanceof KeyOpAlg::XTS
+      name.matches("XTS") and type instanceof Crypto::XTS
       or
-      name = "CCM" and type instanceof KeyOpAlg::CCM
+      name.matches("CCM") and type instanceof Crypto::CCM
       or
-      name = "CCM" and type instanceof KeyOpAlg::CCM
+      name.matches("GCM") and type instanceof Crypto::GCM
       or
-      name = "ECB" and type instanceof KeyOpAlg::ECB
+      name.matches("CCM") and type instanceof Crypto::CCM
+      or
+      name.matches("ECB") and type instanceof Crypto::ECB
     )
   )
 }
@@ -63,10 +64,10 @@ class KnownOpenSslBlockModeConstantAlgorithmInstance extends OpenSslAlgorithmIns
     getterCall = this
   }
 
-  override KeyOpAlg::ModeOfOperationType getModeType() {
+  override Crypto::TBlockCipherModeOfOperationType getModeType() {
     knownOpenSslConstantToBlockModeFamilyType(this, result)
     or
-    not knownOpenSslConstantToBlockModeFamilyType(this, _) and result = KeyOpAlg::OtherMode()
+    not knownOpenSslConstantToBlockModeFamilyType(this, _) and result = Crypto::OtherMode()
   }
 
   // NOTE: I'm not going to attempt to parse out the mode specific part, so returning

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll

@@ -33,9 +33,9 @@ predicate knownOpenSslConstantToCipherFamilyType(
       or
       name.matches("CAST5%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CAST5())
       or
-      name.matches("2DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DOUBLE_DES())
+      name.matches("2DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DoubleDES())
       or
-      name.matches("3DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TRIPLE_DES())
+      name.matches("3DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TripleDES())
       or
       name.matches("DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DES())
       or
@@ -113,7 +113,7 @@ class KnownOpenSslCipherConstantAlgorithmInstance extends OpenSslAlgorithmInstan
     this.(KnownOpenSslCipherAlgorithmExpr).getExplicitKeySize() = result
   }
 
-  override KeyOpAlg::AlgorithmType getAlgorithmType() {
+  override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {
     knownOpenSslConstantToCipherFamilyType(this, result)
     or
     not knownOpenSslConstantToCipherFamilyType(this, _) and

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll

@@ -39,14 +39,8 @@ class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorith
     result = this.(Call).getTarget().getName()
   }
 
-  override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
-    if
-      Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
-        _)
-    then
-      Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
-        result)
-    else result = Crypto::OtherEllipticCurveType()
+  override Crypto::TEllipticCurveType getEllipticCurveType() {
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _, result)
   }
 
   override string getParsedEllipticCurveName() {
@@ -54,7 +48,7 @@ class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorith
   }
 
   override int getKeySize() {
-    Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.(KnownOpenSslAlgorithmExpr)
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSslAlgorithmExpr)
           .getNormalizedName(), result, _)
   }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll

@@ -11,21 +11,21 @@ predicate knownOpenSslConstantToHashFamilyType(
   exists(string name |
     name = e.(KnownOpenSslAlgorithmExpr).getNormalizedName() and
     (
-      name = "BLAKE2B" and type instanceof Crypto::BLAKE2B
+      name.matches("BLAKE2B") and type instanceof Crypto::BLAKE2B
       or
-      name = "BLAKE2S" and type instanceof Crypto::BLAKE2S
+      name.matches("BLAKE2S") and type instanceof Crypto::BLAKE2S
       or
-      name.matches("GOST%") and type instanceof Crypto::GOST_HASH
+      name.matches("GOST%") and type instanceof Crypto::GOSTHash
       or
-      name = "MD2" and type instanceof Crypto::MD2
+      name.matches("MD2") and type instanceof Crypto::MD2
       or
-      name = "MD4" and type instanceof Crypto::MD4
+      name.matches("MD4") and type instanceof Crypto::MD4
       or
-      name = "MD5" and type instanceof Crypto::MD5
+      name.matches("MD5") and type instanceof Crypto::MD5
       or
-      name = "MDC2" and type instanceof Crypto::MDC2
+      name.matches("MDC2") and type instanceof Crypto::MDC2
       or
-      name = "POLY1305" and type instanceof Crypto::POLY1305
+      name.matches("POLY1305") and type instanceof Crypto::POLY1305
       or
       name.matches(["SHA", "SHA1"]) and type instanceof Crypto::SHA1
       or
@@ -33,13 +33,13 @@ predicate knownOpenSslConstantToHashFamilyType(
       or
       name.matches("SHA3-%") and type instanceof Crypto::SHA3
       or
-      name = "SHAKE" and type instanceof Crypto::SHAKE
+      name.matches(["SHAKE"]) and type instanceof Crypto::SHAKE
       or
-      name = "SM3" and type instanceof Crypto::SM3
+      name.matches("SM3") and type instanceof Crypto::SM3
       or
-      name = "RIPEMD160" and type instanceof Crypto::RIPEMD160
+      name.matches("RIPEMD160") and type instanceof Crypto::RIPEMD160
       or
-      name = "WHIRLPOOL" and type instanceof Crypto::WHIRLPOOL
+      name.matches("WHIRLPOOL") and type instanceof Crypto::WHIRLPOOL
     )
   )
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll

@@ -210,8 +210,7 @@ string getAlgorithmAlias(string alias) {
 }
 
 /**
- * Holds for aliases of known algorithms defined by users
- * (through obj_name_add and various macros pointing to this function).
+ * Finds aliases of known alagorithms defined by users (through obj_name_add and various macros pointing to this function)
  *
  * The `target` and `alias` are converted to lowercase to be of a standard form.
  */
@@ -223,7 +222,7 @@ predicate customAliases(string target, string alias) {
 }
 
 /**
- * Holds for a hard-coded mapping of known algorithm aliases in OpenSsl.
+ * A hard-coded mapping of known algorithm aliases in OpenSsl.
  * This was derived by applying the same kind of logic foun din `customAliases` to the
  * OpenSsl code base directly.
  *

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/MACAlgorithmInstance.qll

@@ -7,7 +7,7 @@ private import experimental.quantum.OpenSSL.Operations.OpenSSLOperations
 private import AlgToAVCFlow
 
 class KnownOpenSslMacConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
-  Crypto::MacAlgorithmInstance instanceof KnownOpenSslMacAlgorithmExpr
+  Crypto::MACAlgorithmInstance instanceof KnownOpenSslMacAlgorithmExpr
 {
   OpenSslAlgorithmValueConsumer getterCall;
 
@@ -39,14 +39,14 @@ class KnownOpenSslMacConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
     result = this.(Call).getTarget().getName()
   }
 
-  override Crypto::MacType getMacType() {
-    this instanceof KnownOpenSslHMacAlgorithmExpr and result = Crypto::HMAC()
+  override Crypto::TMACType getMacType() {
+    this instanceof KnownOpenSslHMacAlgorithmExpr and result instanceof Crypto::THMAC
     or
-    this instanceof KnownOpenSslCMacAlgorithmExpr and result = Crypto::CMAC()
+    this instanceof KnownOpenSslCMacAlgorithmExpr and result instanceof Crypto::TCMAC
   }
 }
 
-class KnownOpenSslHMacConstantAlgorithmInstance extends Crypto::HmacAlgorithmInstance,
+class KnownOpenSslHMacConstantAlgorithmInstance extends Crypto::HMACAlgorithmInstance,
   KnownOpenSslMacConstantAlgorithmInstance
 {
   override Crypto::AlgorithmValueConsumer getHashAlgorithmValueConsumer() {

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll

@@ -5,7 +5,6 @@ private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmCon
 private import AlgToAVCFlow
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-private import codeql.quantum.experimental.Standardization::Types::KeyOpAlg as KeyOpAlg
 
 /**
  * A class to define padding specific integer values.
@@ -29,18 +28,18 @@ class OpenSslPaddingLiteral extends Literal {
  * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSslConstantToPaddingFamilyType(
-  KnownOpenSslPaddingAlgorithmExpr e, KeyOpAlg::PaddingSchemeType type
+  KnownOpenSslPaddingAlgorithmExpr e, Crypto::TPaddingType type
 ) {
   exists(string name |
     name = e.(KnownOpenSslAlgorithmExpr).getNormalizedName() and
     (
-      name = "OAEP" and type = KeyOpAlg::OAEP()
+      name.matches("OAEP") and type = Crypto::OAEP()
       or
-      name = "PSS" and type = KeyOpAlg::PSS()
+      name.matches("PSS") and type = Crypto::PSS()
       or
-      name = "PKCS7" and type = KeyOpAlg::PKCS7()
+      name.matches("PKCS7") and type = Crypto::PKCS7()
       or
-      name = "PKCS1V15" and type = KeyOpAlg::PKCS1_V1_5()
+      name.matches("PKCS1V15") and type = Crypto::PKCS1_v1_5()
     )
   )
 }
@@ -86,7 +85,7 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta
       // Source is `this`
       src.asExpr() = this and
       // This traces to a padding-specific consumer
-      RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow::flow(src, sink)
+      RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow::flow(src, sink)
     ) and
     isPaddingSpecificConsumer = true
   }
@@ -99,24 +98,24 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta
 
   override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
 
-  KeyOpAlg::PaddingSchemeType getKnownPaddingType() {
-    this.(Literal).getValue().toInt() in [1, 7, 8] and result = KeyOpAlg::PKCS1_V1_5()
+  Crypto::TPaddingType getKnownPaddingType() {
+    this.(Literal).getValue().toInt() in [1, 7, 8] and result = Crypto::PKCS1_v1_5()
     or
-    this.(Literal).getValue().toInt() = 3 and result = KeyOpAlg::NoPadding()
+    this.(Literal).getValue().toInt() = 3 and result = Crypto::NoPadding()
     or
-    this.(Literal).getValue().toInt() = 4 and result = KeyOpAlg::OAEP()
+    this.(Literal).getValue().toInt() = 4 and result = Crypto::OAEP()
     or
-    this.(Literal).getValue().toInt() = 5 and result = KeyOpAlg::ANSI_X9_23()
+    this.(Literal).getValue().toInt() = 5 and result = Crypto::ANSI_X9_23()
     or
-    this.(Literal).getValue().toInt() = 6 and result = KeyOpAlg::PSS()
+    this.(Literal).getValue().toInt() = 6 and result = Crypto::PSS()
   }
 
-  override KeyOpAlg::PaddingSchemeType getPaddingType() {
+  override Crypto::TPaddingType getPaddingType() {
     isPaddingSpecificConsumer = true and
     (
       result = this.getKnownPaddingType()
       or
-      not exists(this.getKnownPaddingType()) and result = KeyOpAlg::OtherPadding()
+      not exists(this.getKnownPaddingType()) and result = Crypto::OtherPadding()
     )
     or
     isPaddingSpecificConsumer = false and
@@ -144,7 +143,7 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta
 //     this instanceof Literal and
 //     this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8]
 //     // TODO: trace to padding-specific consumers
-//     RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow
+//     RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow
 //   }
 //   override string getRawPaddingAlgorithmName() { result = this.(Literal).getValue().toString() }
 //   override Crypto::TPaddingType getPaddingType() {
@@ -162,18 +161,18 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta
 //           else result = Crypto::OtherPadding()
 //   }
 // }
-class OaepPaddingAlgorithmInstance extends Crypto::OaepPaddingAlgorithmInstance,
+class OAEPPaddingAlgorithmInstance extends Crypto::OAEPPaddingAlgorithmInstance,
   KnownOpenSslPaddingConstantAlgorithmInstance
 {
-  OaepPaddingAlgorithmInstance() {
-    this.(Crypto::PaddingAlgorithmInstance).getPaddingType() = KeyOpAlg::OAEP()
+  OAEPPaddingAlgorithmInstance() {
+    this.(Crypto::PaddingAlgorithmInstance).getPaddingType() = Crypto::OAEP()
   }
 
-  override Crypto::HashAlgorithmInstance getOaepEncodingHashAlgorithm() {
+  override Crypto::HashAlgorithmInstance getOAEPEncodingHashAlgorithm() {
     none() //TODO
   }
 
-  override Crypto::HashAlgorithmInstance getMgf1HashAlgorithm() {
+  override Crypto::HashAlgorithmInstance getMGF1HashAlgorithm() {
     none() //TODO
   }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/SignatureAlgorithmInstance.qll

@@ -73,7 +73,7 @@ class KnownOpenSslSignatureConstantAlgorithmInstance extends OpenSslAlgorithmIns
     none()
   }
 
-  override KeyOpAlg::AlgorithmType getAlgorithmType() {
+  override KeyOpAlg::Algorithm getAlgorithmType() {
     knownOpenSslConstantToSignatureFamilyType(this, result)
     or
     not knownOpenSslConstantToSignatureFamilyType(this, _) and

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll

@@ -4,10 +4,10 @@ private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmCon
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
 /**
- * A call that is considered to inherently 'consume' an algorithm value.
- * E.g., cases like EVP_MD5(),
- * where there is no input, rather it directly gets an algorithm
- * and returns it. Also includes operations directly using an algorithm
+ * Cases like EVP_MD5(),
+ * there is no input, rather it directly gets an algorithm
+ * and returns it.
+ * Also includes operations directly using an algorithm
  * like AES_encrypt().
  */
 class DirectAlgorithmValueConsumer extends OpenSslAlgorithmValueConsumer instanceof OpenSslAlgorithmCall

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll

@@ -7,7 +7,7 @@ private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmI
 abstract class HashAlgorithmValueConsumer extends OpenSslAlgorithmValueConsumer { }
 
 /**
- * An EVP_Q_Digest directly consumes algorithm constant values
+ * EVP_Q_Digest directly consumes algorithm constant values
  */
 class Evp_Q_Digest_Algorithm_Consumer extends HashAlgorithmValueConsumer {
   Evp_Q_Digest_Algorithm_Consumer() { this.(Call).getTarget().getName() = "EVP_Q_digest" }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll

@@ -91,8 +91,7 @@ class Evp_Cipher_Update_Call extends EvpUpdate {
 }
 
 /**
- * The EVP Cipher operations.
- * See: https://docs.openssl.org/master/man3/EVP_EncryptInit/#synopsis
+ * see: https://docs.openssl.org/master/man3/EVP_EncryptInit/#synopsis
  * Base configuration for all EVP cipher operations.
  */
 abstract class Evp_Cipher_Operation extends EvpOperation, Crypto::KeyOperationInstance {
@@ -164,7 +163,6 @@ class Evp_Cipher_Final_Call extends EvpFinal, Evp_Cipher_Operation {
 }
 
 /**
- * The EVP encryption/decryption operations.
  * https://docs.openssl.org/3.2/man3/EVP_PKEY_decrypt/
  * https://docs.openssl.org/3.2/man3/EVP_PKEY_encrypt
  */

cpp/ql/lib/ext/Oracle.oci.model.yml

@@ -1,8 +0,0 @@
-# partial model of the Oracle Call Interface (OCI) library
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: sinkModel
-    data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
-      - ["", "", False, "OCIStmtPrepare", "", "", "Argument[*2]", "sql-injection", "manual"]
-      - ["", "", False, "OCIStmtPrepare2", "", "", "Argument[*3]", "sql-injection", "manual"]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 5.2.1-dev
+version: 5.1.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -858,15 +858,6 @@ private predicate floatingPointTypeMapping(
   or
   // __mfp8
   kind = 62 and base = 2 and domain = TRealDomain() and realKind = 62 and extended = false
-  or
-  // _Complex __fp16
-  kind = 64 and base = 2 and domain = TComplexDomain() and realKind = 54 and extended = false
-  or
-  // _Complex __bf16
-  kind = 65 and base = 2 and domain = TComplexDomain() and realKind = 55 and extended = false
-  or
-  // _Complex std::float16_t
-  kind = 66 and base = 2 and domain = TComplexDomain() and realKind = 56 and extended = false
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -229,49 +229,6 @@ private predicate summaryModel0(
   )
 }
 
-/**
- * Holds if the given extension tuple `madId` should pretty-print as `model`.
- *
- * This predicate should only be used in tests.
- */
-predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
-  exists(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string output, string kind, string provenance
-  |
-    Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind,
-      provenance, madId)
-  |
-    model =
-      "Source: " + namespace + "; " + type + "; " + subtypes + "; " + name + "; " + signature + "; "
-        + ext + "; " + output + "; " + kind + "; " + provenance
-  )
-  or
-  exists(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string input, string kind, string provenance
-  |
-    Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance,
-      madId)
-  |
-    model =
-      "Sink: " + namespace + "; " + type + "; " + subtypes + "; " + name + "; " + signature + "; " +
-        ext + "; " + input + "; " + kind + "; " + provenance
-  )
-  or
-  exists(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string input, string output, string kind, string provenance
-  |
-    Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
-      provenance, madId)
-  |
-    model =
-      "Summary: " + namespace + "; " + type + "; " + subtypes + "; " + name + "; " + signature +
-        "; " + ext + "; " + input + "; " + output + "; " + kind + "; " + provenance
-  )
-}
-
 /**
  * Holds if `input` is `input0`, but with all occurrences of `@` replaced
  * by `n` repetitions of `*` (and similarly for `output` and `output0`).

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll

@@ -54,8 +54,6 @@ private predicate isDeeplyConstBelow(Type t) {
   or
   isDeeplyConst(t.(GNUVectorType).getBaseType())
   or
-  isDeeplyConst(t.(ScalableVectorType).getBaseType())
-  or
   isDeeplyConst(t.(FunctionPointerIshType).getBaseType())
   or
   isDeeplyConst(t.(PointerWrapper).getTemplateArgument(0))

cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll

@@ -29,10 +29,6 @@ private int getTypeSizeWorkaround(Type type) {
         not arrayType.hasArraySize() and
         result = getPointerSize()
       )
-      or
-      // Scalable vectors are opaque and not of fixed size. Use 0 as a substitute.
-      type instanceof ScalableVectorType and
-      result = 0
     )
   )
 }
@@ -140,8 +136,6 @@ private predicate isOpaqueType(Type type) {
   type instanceof PointerToMemberType // PTMs are missing size info
   or
   type instanceof ScalableVectorCount
-  or
-  type instanceof ScalableVectorType
 }
 
 /**

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -693,9 +693,6 @@ case @builtintype.kind of
 | 61 = @complex_std_float128  // _Complex _Float128
 | 62 = @mfp8                  // __mfp8
 | 63 = @scalable_vector_count // __SVCount_t
-| 64 = @complex_fp16          // _Complex __fp16
-| 65 = @complex_std_bfloat16  // _Complex __bf16
-| 66 = @complex_std_float16   // _Complex std::float16_t
 ;
 
 builtintypes(

cpp/ql/lib/upgrades/e38346051783182ea75822e4adf8d4c6a949bc37/upgrade.properties

@@ -1,2 +0,0 @@
-description: Support more complex 16-bit floating-point types
-compatibility: full

cpp/ql/lib/utils/test/PrettyPrintModels.ql

@@ -1,6 +0,0 @@
-/**
- * @kind test-postprocess
- */
-
-import semmle.code.cpp.dataflow.ExternalFlow
-import codeql.dataflow.test.ProvenancePathGraph::TestPostProcessing::TranslateProvenanceResults<interpretModelForTest/2>

cpp/ql/src/CHANGELOG.md

@@ -1,9 +1,3 @@
-## 1.4.3
-
-### Minor Analysis Improvements
-
-* Added flow model for the following libraries: `madler/zlib`, `google/brotli`, `libidn/libidn2`, `libssh2/libssh2/`, `nghttp2/nghttp2`, `libuv/libuv/`, and `curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.
-
 ## 1.4.2
 
 No user-facing changes.

cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -38,9 +38,6 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) {
     exists(SqlLikeFunction runSql | runSql.outermostWrapperFunctionCall(asSinkExpr(node), _))
-    or
-    // sink defined using models-as-data
-    sinkNode(node, "sql-injection")
   }
 
   predicate isBarrier(DataFlow::Node node) {
@@ -59,21 +56,13 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
 module SqlTainted = TaintTracking::Global<SqlTaintedConfig>;
 
 from
-  Expr taintedArg, FlowSource taintSource, SqlTainted::PathNode sourceNode,
-  SqlTainted::PathNode sinkNode, string extraText
+  SqlLikeFunction runSql, Expr taintedArg, FlowSource taintSource, SqlTainted::PathNode sourceNode,
+  SqlTainted::PathNode sinkNode, string callChain
 where
-  (
-    exists(SqlLikeFunction runSql, string callChain |
-      runSql.outermostWrapperFunctionCall(taintedArg, callChain) and
-      extraText = " and then passed to " + callChain
-    )
-    or
-    sinkNode(sinkNode.getNode(), "sql-injection") and
-    extraText = ""
-  ) and
+  runSql.outermostWrapperFunctionCall(taintedArg, callChain) and
   SqlTainted::flowPath(sourceNode, sinkNode) and
   taintedArg = asSinkExpr(sinkNode.getNode()) and
   taintSource = sourceNode.getNode()
 select taintedArg, sourceNode, sinkNode,
-  "This argument to a SQL query function is derived from $@" + extraText + ".", taintSource,
-  "user input (" + taintSource.getSourceType() + ")"
+  "This argument to a SQL query function is derived from $@ and then passed to " + callChain + ".",
+  taintSource, "user input (" + taintSource.getSourceType() + ")"

cpp/ql/src/change-notes/2025-06-13-mad-summaries.md

@@ -1,5 +1,4 @@
-## 1.4.3
-
-### Minor Analysis Improvements
-
-* Added flow model for the following libraries: `madler/zlib`, `google/brotli`, `libidn/libidn2`, `libssh2/libssh2/`, `nghttp2/nghttp2`, `libuv/libuv/`, and `curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.
+---
+category: minorAnalysis
+---
+* Added flow model for the following libraries: `madler/zlib`, `google/brotli`, `libidn/libidn2`, `libssh2/libssh2/`, `nghttp2/nghttp2`, `libuv/libuv/`, and `curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.

cpp/ql/src/change-notes/2025-06-20-sql-injection-models.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The query `cpp/sql-injection` now can be extended using the `sql-injection` Models as Data (MaD) sink kind.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.3
+lastReleaseVersion: 1.4.2

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.4.4-dev
+version: 1.4.3-dev
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -1,80 +1,57 @@
-models
-| 1 | Sink: ; ; false; ymlSink; ; ; Argument[0]; test-sink; manual |
-| 2 | Sink: boost::asio; ; false; write; ; ; Argument[*1]; remote-sink; manual |
-| 3 | Source: ; ; false; GetCommandLineA; ; ; ReturnValue[*]; local; manual |
-| 4 | Source: ; ; false; GetEnvironmentStringsA; ; ; ReturnValue[*]; local; manual |
-| 5 | Source: ; ; false; GetEnvironmentVariableA; ; ; Argument[*1]; local; manual |
-| 6 | Source: ; ; false; MapViewOfFile2; ; ; ReturnValue[*]; local; manual |
-| 7 | Source: ; ; false; MapViewOfFile3; ; ; ReturnValue[*]; local; manual |
-| 8 | Source: ; ; false; MapViewOfFile3FromApp; ; ; ReturnValue[*]; local; manual |
-| 9 | Source: ; ; false; MapViewOfFile; ; ; ReturnValue[*]; local; manual |
-| 10 | Source: ; ; false; MapViewOfFileEx; ; ; ReturnValue[*]; local; manual |
-| 11 | Source: ; ; false; MapViewOfFileFromApp; ; ; ReturnValue[*]; local; manual |
-| 12 | Source: ; ; false; MapViewOfFileNuma2; ; ; ReturnValue[*]; local; manual |
-| 13 | Source: ; ; false; NtReadFile; ; ; Argument[*5]; local; manual |
-| 14 | Source: ; ; false; ReadFile; ; ; Argument[*1]; local; manual |
-| 15 | Source: ; ; false; ReadFileEx; ; ; Argument[*1]; local; manual |
-| 16 | Source: ; ; false; ymlSource; ; ; ReturnValue; local; manual |
-| 17 | Source: boost::asio; ; false; read_until; ; ; Argument[*1]; remote; manual |
-| 18 | Summary: ; ; false; CommandLineToArgvA; ; ; Argument[*0]; ReturnValue[**]; taint; manual |
-| 19 | Summary: ; ; false; ReadFileEx; ; ; Argument[*3].Field[@hEvent]; Argument[4].Parameter[*2].Field[@hEvent]; value; manual |
-| 20 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
-| 21 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
-| 22 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
-| 23 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
+testFailures
 edges
-| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:23 |
-| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:17  |
-| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:17 Sink:MaD:2 |
+| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:10 |
+| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:2  |
+| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:2 Sink:MaD:6 |
 | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction |
 | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:100:64:100:71 | *send_str | provenance | TaintFunction |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:100:44:100:62 | call to buffer | provenance |  |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance |  |
-| asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:2 |
+| asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:23 |
-| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:21 |
-| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:20 |
-| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:22 |
+| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 |
+| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:26955 |
+| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:26956 |
+| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:26957 |
 | test.cpp:7:47:7:52 | value2 | test.cpp:7:64:7:69 | value2 | provenance |  |
 | test.cpp:7:64:7:69 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | provenance |  |
-| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:10:10:10:18 | call to ymlSource | provenance | Src:MaD:16  |
-| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:14:10:14:10 | x | provenance | Sink:MaD:1 |
+| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:10:10:10:18 | call to ymlSource | provenance | Src:MaD:26953  |
+| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:14:10:14:10 | x | provenance | Sink:MaD:26954 |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:17:24:17:24 | x | provenance |  |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:21:27:21:27 | x | provenance |  |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:25:35:25:35 | x | provenance |  |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:32:41:32:41 | x | provenance |  |
 | test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:17:10:17:22 | call to ymlStepManual | provenance |  |
-| test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:18:10:18:10 | y | provenance | Sink:MaD:1 |
+| test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:18:10:18:10 | y | provenance | Sink:MaD:26954 |
 | test.cpp:17:24:17:24 | x | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | provenance |  |
-| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:21 |
+| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:26955 |
 | test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance |  |
-| test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:22:10:22:10 | z | provenance | Sink:MaD:1 |
+| test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:22:10:22:10 | z | provenance | Sink:MaD:26954 |
 | test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | provenance |  |
-| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:20 |
+| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:26956 |
 | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance |  |
-| test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:26:10:26:11 | y2 | provenance | Sink:MaD:1 |
+| test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:26:10:26:11 | y2 | provenance | Sink:MaD:26954 |
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | provenance |  |
-| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:22 |
+| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:26957 |
 | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | provenance |  |
-| test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:33:10:33:11 | z2 | provenance | Sink:MaD:1 |
+| test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:33:10:33:11 | z2 | provenance | Sink:MaD:26954 |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | provenance |  |
 | test.cpp:32:41:32:41 | x | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | provenance |  |
-| windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:18 |
-| windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:3  |
+| windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:341 |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:325  |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance |  |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:27:36:27:38 | *cmd | provenance |  |
 | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | provenance |  |
 | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | windows.cpp:30:8:30:15 | * ... | provenance |  |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | provenance |  |
-| windows.cpp:27:36:27:38 | *cmd | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | provenance | MaD:18 |
-| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | provenance | Src:MaD:4  |
+| windows.cpp:27:36:27:38 | *cmd | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | provenance | MaD:341 |
+| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | provenance | Src:MaD:327  |
 | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | windows.cpp:36:10:36:13 | * ... | provenance |  |
-| windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | windows.cpp:41:10:41:13 | * ... | provenance | Src:MaD:5  |
+| windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | windows.cpp:41:10:41:13 | * ... | provenance | Src:MaD:329  |
 | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [*hEvent] | windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | provenance |  |
 | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [hEvent] | windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | provenance |  |
-| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | provenance | MaD:19 |
-| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx | provenance | MaD:19 |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | provenance | MaD:343 |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx | provenance | MaD:343 |
 | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] | windows.cpp:147:16:147:27 | *lpOverlapped [*hEvent] | provenance |  |
 | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [hEvent] | windows.cpp:157:16:157:27 | *lpOverlapped [hEvent] | provenance |  |
 | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] | provenance |  |
@@ -90,36 +67,36 @@ edges
 | windows.cpp:159:12:159:55 | hEvent | windows.cpp:160:8:160:8 | c | provenance |  |
 | windows.cpp:159:35:159:46 | *lpOverlapped [hEvent] | windows.cpp:159:12:159:55 | hEvent | provenance |  |
 | windows.cpp:159:35:159:46 | *lpOverlapped [hEvent] | windows.cpp:159:12:159:55 | hEvent | provenance |  |
-| windows.cpp:168:35:168:40 | ReadFile output argument | windows.cpp:170:10:170:16 | * ... | provenance | Src:MaD:14  |
-| windows.cpp:177:23:177:28 | ReadFileEx output argument | windows.cpp:179:10:179:16 | * ... | provenance | Src:MaD:15  |
-| windows.cpp:189:21:189:26 | ReadFile output argument | windows.cpp:190:5:190:56 | *... = ... | provenance | Src:MaD:14  |
+| windows.cpp:168:35:168:40 | ReadFile output argument | windows.cpp:170:10:170:16 | * ... | provenance | Src:MaD:331  |
+| windows.cpp:177:23:177:28 | ReadFileEx output argument | windows.cpp:179:10:179:16 | * ... | provenance | Src:MaD:332  |
+| windows.cpp:189:21:189:26 | ReadFile output argument | windows.cpp:190:5:190:56 | *... = ... | provenance | Src:MaD:331  |
 | windows.cpp:190:5:190:14 | *overlapped [post update] [*hEvent] | windows.cpp:192:53:192:63 | *& ... [*hEvent] | provenance |  |
 | windows.cpp:190:5:190:56 | *... = ... | windows.cpp:190:5:190:14 | *overlapped [post update] [*hEvent] | provenance |  |
 | windows.cpp:192:53:192:63 | *& ... [*hEvent] | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [*hEvent] | provenance |  |
-| windows.cpp:198:21:198:26 | ReadFile output argument | windows.cpp:199:5:199:57 | ... = ... | provenance | Src:MaD:14  |
+| windows.cpp:198:21:198:26 | ReadFile output argument | windows.cpp:199:5:199:57 | ... = ... | provenance | Src:MaD:331  |
 | windows.cpp:199:5:199:14 | *overlapped [post update] [hEvent] | windows.cpp:201:53:201:63 | *& ... [hEvent] | provenance |  |
 | windows.cpp:199:5:199:57 | ... = ... | windows.cpp:199:5:199:14 | *overlapped [post update] [hEvent] | provenance |  |
 | windows.cpp:201:53:201:63 | *& ... [hEvent] | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [hEvent] | provenance |  |
-| windows.cpp:209:84:209:89 | NtReadFile output argument | windows.cpp:211:10:211:16 | * ... | provenance | Src:MaD:13  |
-| windows.cpp:286:23:286:35 | *call to MapViewOfFile | windows.cpp:286:23:286:35 | *call to MapViewOfFile | provenance | Src:MaD:9  |
+| windows.cpp:209:84:209:89 | NtReadFile output argument | windows.cpp:211:10:211:16 | * ... | provenance | Src:MaD:340  |
+| windows.cpp:286:23:286:35 | *call to MapViewOfFile | windows.cpp:286:23:286:35 | *call to MapViewOfFile | provenance | Src:MaD:333  |
 | windows.cpp:286:23:286:35 | *call to MapViewOfFile | windows.cpp:287:20:287:52 | *pMapView | provenance |  |
 | windows.cpp:287:20:287:52 | *pMapView | windows.cpp:289:10:289:16 | * ... | provenance |  |
-| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | provenance | Src:MaD:6  |
+| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | provenance | Src:MaD:334  |
 | windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | windows.cpp:294:20:294:52 | *pMapView | provenance |  |
 | windows.cpp:294:20:294:52 | *pMapView | windows.cpp:296:10:296:16 | * ... | provenance |  |
-| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | provenance | Src:MaD:7  |
+| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | provenance | Src:MaD:335  |
 | windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | windows.cpp:303:20:303:52 | *pMapView | provenance |  |
 | windows.cpp:303:20:303:52 | *pMapView | windows.cpp:305:10:305:16 | * ... | provenance |  |
-| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | provenance | Src:MaD:8  |
+| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | provenance | Src:MaD:336  |
 | windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | windows.cpp:312:20:312:52 | *pMapView | provenance |  |
 | windows.cpp:312:20:312:52 | *pMapView | windows.cpp:314:10:314:16 | * ... | provenance |  |
-| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | provenance | Src:MaD:10  |
+| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | provenance | Src:MaD:337  |
 | windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | windows.cpp:319:20:319:52 | *pMapView | provenance |  |
 | windows.cpp:319:20:319:52 | *pMapView | windows.cpp:321:10:321:16 | * ... | provenance |  |
-| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | provenance | Src:MaD:11  |
+| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | provenance | Src:MaD:338  |
 | windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | windows.cpp:326:20:326:52 | *pMapView | provenance |  |
 | windows.cpp:326:20:326:52 | *pMapView | windows.cpp:328:10:328:16 | * ... | provenance |  |
-| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | provenance | Src:MaD:12  |
+| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | provenance | Src:MaD:339  |
 | windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | windows.cpp:333:20:333:52 | *pMapView | provenance |  |
 | windows.cpp:333:20:333:52 | *pMapView | windows.cpp:335:10:335:16 | * ... | provenance |  |
 nodes
@@ -245,4 +222,3 @@ subpaths
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |
-testFailures

cpp/ql/test/library-tests/dataflow/external-models/flow.ql

@@ -1,7 +1,7 @@
 import utils.test.dataflow.FlowTestCommon
 import cpp
 import semmle.code.cpp.security.FlowSources
-import codeql.dataflow.test.ProvenancePathGraph
+import IRTest::IRFlow::PathGraph
 
 module IRTest {
   private import semmle.code.cpp.ir.IR
@@ -33,4 +33,3 @@ module IRTest {
 }
 
 import MakeTest<IRFlowTest<IRTest::IRFlow>>
-import ShowProvenance<interpretModelForTest/2, IRTest::IRFlow::PathNode, IRTest::IRFlow::PathGraph>

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -58,7 +58,7 @@
 #-----|         Type = [LongType] unsigned long
 #-----|     getParameter(1): [Parameter] (unnamed parameter 1)
 #-----|         Type = [ScopedEnum] align_val_t
-arm_neon.cpp:
+arm.cpp:
 #    6| [TopLevelFunction] uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
 #    6|   <params>: 
 #    6|     getParameter(0): [Parameter] a
@@ -76,105 +76,59 @@ arm_neon.cpp:
 #    7|         getRightOperand(): [VariableAccess] b
 #    7|             Type = [CTypedefType] uint8x8_t
 #    7|             ValueCategory = prvalue(load)
-#   10| [TopLevelFunction] uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
-#   10|   <params>: 
-#   10|     getParameter(0): [Parameter] a
-#   10|         Type = [CTypedefType] uint8x8_t
-#   10|     getParameter(1): [Parameter] b
-#   10|         Type = [CTypedefType] uint8x8_t
-#   12| [TopLevelFunction] uint16x8_t arm_add(uint8x8_t, uint8x8_t*)
+#   12| [TopLevelFunction] uint16x8_t __builtin_aarch64_uaddlv8qi_uuu(uint8x8_t, uint8x8_t)
 #   12|   <params>: 
-#   12|     getParameter(0): [Parameter] a
+#   12|     getParameter(0): [Parameter] (unnamed parameter 0)
 #   12|         Type = [CTypedefType] uint8x8_t
-#   12|     getParameter(1): [Parameter] b
-#   12|         Type = [PointerType] uint8x8_t *
-#   12|   getEntryPoint(): [BlockStmt] { ... }
-#   13|     getStmt(0): [DeclStmt] declaration
-#   13|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of c
-#   13|           Type = [CTypedefType] uint8x8_t
-#   13|         getVariable().getInitializer(): [Initializer] initializer for c
-#   13|           getExpr(): [FunctionCall] call to vadd_u8
-#   13|               Type = [CTypedefType] uint8x8_t
-#   13|               ValueCategory = prvalue
-#   13|             getArgument(0): [VariableAccess] a
-#   13|                 Type = [CTypedefType] uint8x8_t
-#   13|                 ValueCategory = prvalue(load)
-#   13|             getArgument(1): [PointerDereferenceExpr] * ...
-#   13|                 Type = [CTypedefType] uint8x8_t
-#   13|                 ValueCategory = prvalue(load)
-#   13|               getOperand(): [VariableAccess] b
-#   13|                   Type = [PointerType] uint8x8_t *
-#   13|                   ValueCategory = prvalue(load)
-#   14|     getStmt(1): [ReturnStmt] return ...
-#   14|       getExpr(): [FunctionCall] call to vaddl_u8
-#   14|           Type = [CTypedefType] uint16x8_t
-#   14|           ValueCategory = prvalue
-#   14|         getArgument(0): [VariableAccess] a
-#   14|             Type = [CTypedefType] uint8x8_t
-#   14|             ValueCategory = prvalue(load)
-#   14|         getArgument(1): [VariableAccess] c
-#   14|             Type = [CTypedefType] uint8x8_t
-#   14|             ValueCategory = prvalue(load)
-#   20| [TopLevelFunction] mfloat8x8_t vreinterpret_mf8_s8(int8x8_t)
-#   20|   <params>: 
-#   20|     getParameter(0): [Parameter] (unnamed parameter 0)
-#   20|         Type = [CTypedefType] int8x8_t
-#   22| [TopLevelFunction] mfloat8x8_t arm_reinterpret(int8x8_t*)
-#   22|   <params>: 
-#   22|     getParameter(0): [Parameter] a
-#   22|         Type = [PointerType] int8x8_t *
-#   22|   getEntryPoint(): [BlockStmt] { ... }
-#   23|     getStmt(0): [ReturnStmt] return ...
-#   23|       getExpr(): [FunctionCall] call to vreinterpret_mf8_s8
-#   23|           Type = [CTypedefType] mfloat8x8_t
-#   23|           ValueCategory = prvalue
-#   23|         getArgument(0): [PointerDereferenceExpr] * ...
-#   23|             Type = [CTypedefType] int8x8_t
-#   23|             ValueCategory = prvalue(load)
-#   23|           getOperand(): [VariableAccess] a
-#   23|               Type = [PointerType] int8x8_t *
-#   23|               ValueCategory = prvalue(load)
-arm_sve.cpp:
-#    6| [TopLevelFunction] svuint8x2_t svsel_u8_x2(svcount_t, svuint8x2_t, svuint8x2_t)
-#    6|   <params>: 
-#    6|     getParameter(0): [Parameter] (unnamed parameter 0)
-#    6|         Type = [CTypedefType] svcount_t
-#    6|     getParameter(1): [Parameter] (unnamed parameter 1)
-#    6|         Type = [CTypedefType] svuint8x2_t
-#    6|     getParameter(2): [Parameter] (unnamed parameter 2)
-#    6|         Type = [CTypedefType] svuint8x2_t
-#    8| [TopLevelFunction] svuint8x2_t arm_sel(svcount_t, svuint8x2_t, svuint8x2_t*)
-#    8|   <params>: 
-#    8|     getParameter(0): [Parameter] a
-#    8|         Type = [CTypedefType] svcount_t
-#    8|     getParameter(1): [Parameter] b
-#    8|         Type = [CTypedefType] svuint8x2_t
-#    8|     getParameter(2): [Parameter] c
-#    8|         Type = [PointerType] svuint8x2_t *
-#    8|   getEntryPoint(): [BlockStmt] { ... }
-#    9|     getStmt(0): [DeclStmt] declaration
-#    9|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of d
-#    9|           Type = [CTypedefType] svuint8x2_t
-#    9|         getVariable().getInitializer(): [Initializer] initializer for d
-#    9|           getExpr(): [FunctionCall] call to svsel_u8_x2
-#    9|               Type = [CTypedefType] svuint8x2_t
-#    9|               ValueCategory = prvalue
-#    9|             getArgument(0): [VariableAccess] a
-#    9|                 Type = [CTypedefType] svcount_t
-#    9|                 ValueCategory = prvalue(load)
-#    9|             getArgument(1): [VariableAccess] b
-#    9|                 Type = [CTypedefType] svuint8x2_t
-#    9|                 ValueCategory = prvalue(load)
-#    9|             getArgument(2): [PointerDereferenceExpr] * ...
-#    9|                 Type = [CTypedefType] svuint8x2_t
-#    9|                 ValueCategory = prvalue(load)
-#    9|               getOperand(): [VariableAccess] c
-#    9|                   Type = [PointerType] svuint8x2_t *
-#    9|                   ValueCategory = prvalue(load)
-#   10|     getStmt(1): [ReturnStmt] return ...
-#   10|       getExpr(): [VariableAccess] d
-#   10|           Type = [CTypedefType] svuint8x2_t
-#   10|           ValueCategory = prvalue(load)
+#   12|     getParameter(1): [Parameter] (unnamed parameter 1)
+#   12|         Type = [CTypedefType] uint8x8_t
+#   14| [TopLevelFunction] uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
+#   14|   <params>: 
+#   14|     getParameter(0): [Parameter] a
+#   14|         Type = [CTypedefType] uint8x8_t
+#   14|     getParameter(1): [Parameter] b
+#   14|         Type = [CTypedefType] uint8x8_t
+#   14|   getEntryPoint(): [BlockStmt] { ... }
+#   15|     getStmt(0): [ReturnStmt] return ...
+#   15|       getExpr(): [FunctionCall] call to __builtin_aarch64_uaddlv8qi_uuu
+#   15|           Type = [CTypedefType] uint16x8_t
+#   15|           ValueCategory = prvalue
+#   15|         getArgument(0): [VariableAccess] a
+#   15|             Type = [CTypedefType] uint8x8_t
+#   15|             ValueCategory = prvalue(load)
+#   15|         getArgument(1): [VariableAccess] b
+#   15|             Type = [CTypedefType] uint8x8_t
+#   15|             ValueCategory = prvalue(load)
+#   18| [TopLevelFunction] uint16x8_t arm_add(uint8x8_t, uint8x8_t)
+#   18|   <params>: 
+#   18|     getParameter(0): [Parameter] a
+#   18|         Type = [CTypedefType] uint8x8_t
+#   18|     getParameter(1): [Parameter] b
+#   18|         Type = [CTypedefType] uint8x8_t
+#   18|   getEntryPoint(): [BlockStmt] { ... }
+#   19|     getStmt(0): [DeclStmt] declaration
+#   19|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of c
+#   19|           Type = [CTypedefType] uint8x8_t
+#   19|         getVariable().getInitializer(): [Initializer] initializer for c
+#   19|           getExpr(): [FunctionCall] call to vadd_u8
+#   19|               Type = [CTypedefType] uint8x8_t
+#   19|               ValueCategory = prvalue
+#   19|             getArgument(0): [VariableAccess] a
+#   19|                 Type = [CTypedefType] uint8x8_t
+#   19|                 ValueCategory = prvalue(load)
+#   19|             getArgument(1): [VariableAccess] b
+#   19|                 Type = [CTypedefType] uint8x8_t
+#   19|                 ValueCategory = prvalue(load)
+#   20|     getStmt(1): [ReturnStmt] return ...
+#   20|       getExpr(): [FunctionCall] call to vaddl_u8
+#   20|           Type = [CTypedefType] uint16x8_t
+#   20|           ValueCategory = prvalue
+#   20|         getArgument(0): [VariableAccess] a
+#   20|             Type = [CTypedefType] uint8x8_t
+#   20|             ValueCategory = prvalue(load)
+#   20|         getArgument(1): [VariableAccess] c
+#   20|             Type = [CTypedefType] uint8x8_t
+#   20|             ValueCategory = prvalue(load)
 bad_asts.cpp:
 #    5| [CopyAssignmentOperator] Bad::S& Bad::S::operator=(Bad::S const&)
 #    5|   <params>: 

cpp/ql/test/library-tests/ir/ir/aliased_ir.expected

@@ -1,4 +1,4 @@
-arm_neon.cpp:
+arm.cpp:
 #    6| uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
 #    6|   Block 0
 #    6|     v6_1(void)                                                    = EnterFunction            : 
@@ -21,107 +21,65 @@ arm_neon.cpp:
 #    6|     v6_11(void)                                                   = AliasedUse               : m6_3
 #    6|     v6_12(void)                                                   = ExitFunction             : 
 
-#   12| uint16x8_t arm_add(uint8x8_t, uint8x8_t*)
-#   12|   Block 0
-#   12|     v12_1(void)                                                      = EnterFunction             : 
-#   12|     m12_2(unknown)                                                   = AliasedDefinition         : 
-#   12|     m12_3(unknown)                                                   = InitializeNonLocal        : 
-#   12|     m12_4(unknown)                                                   = Chi                       : total:m12_2, partial:m12_3
-#   12|     r12_5(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[a]        : 
-#   12|     m12_6(__attribute((neon_vector_type(8))) unsigned char)          = InitializeParameter[a]    : &:r12_5
-#   12|     r12_7(glval<__attribute((neon_vector_type(8))) unsigned char *>) = VariableAddress[b]        : 
-#   12|     m12_8(__attribute((neon_vector_type(8))) unsigned char *)        = InitializeParameter[b]    : &:r12_7
-#   12|     r12_9(__attribute((neon_vector_type(8))) unsigned char *)        = Load[b]                   : &:r12_7, m12_8
-#   12|     m12_10(unknown)                                                  = InitializeIndirection[b]  : &:r12_9
-#   13|     r13_1(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[c]        : 
-#   13|     r13_2(glval<unknown>)                                            = FunctionAddress[vadd_u8]  : 
-#   13|     r13_3(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[a]        : 
-#   13|     r13_4(__attribute((neon_vector_type(8))) unsigned char)          = Load[a]                   : &:r13_3, m12_6
-#   13|     r13_5(glval<__attribute((neon_vector_type(8))) unsigned char *>) = VariableAddress[b]        : 
-#   13|     r13_6(__attribute((neon_vector_type(8))) unsigned char *)        = Load[b]                   : &:r13_5, m12_8
-#   13|     r13_7(__attribute((neon_vector_type(8))) unsigned char)          = Load[?]                   : &:r13_6, ~m12_10
-#   13|     r13_8(__attribute((neon_vector_type(8))) unsigned char)          = Call[vadd_u8]             : func:r13_2, 0:r13_4, 1:r13_7
-#   13|     m13_9(unknown)                                                   = ^CallSideEffect           : ~m12_4
-#   13|     m13_10(unknown)                                                  = Chi                       : total:m12_4, partial:m13_9
-#   13|     m13_11(__attribute((neon_vector_type(8))) unsigned char)         = Store[c]                  : &:r13_1, r13_8
-#   14|     r14_1(glval<__attribute((neon_vector_type(8))) unsigned short>)  = VariableAddress[#return]  : 
-#   14|     r14_2(glval<unknown>)                                            = FunctionAddress[vaddl_u8] : 
-#   14|     r14_3(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[a]        : 
-#   14|     r14_4(__attribute((neon_vector_type(8))) unsigned char)          = Load[a]                   : &:r14_3, m12_6
-#   14|     r14_5(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[c]        : 
-#   14|     r14_6(__attribute((neon_vector_type(8))) unsigned char)          = Load[c]                   : &:r14_5, m13_11
-#   14|     r14_7(__attribute((neon_vector_type(8))) unsigned short)         = Call[vaddl_u8]            : func:r14_2, 0:r14_4, 1:r14_6
-#   14|     m14_8(unknown)                                                   = ^CallSideEffect           : ~m13_10
-#   14|     m14_9(unknown)                                                   = Chi                       : total:m13_10, partial:m14_8
-#   14|     m14_10(__attribute((neon_vector_type(8))) unsigned short)        = Store[#return]            : &:r14_1, r14_7
-#   12|     v12_11(void)                                                     = ReturnIndirection[b]      : &:r12_9, m12_10
-#   12|     r12_12(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
-#   12|     v12_13(void)                                                     = ReturnValue               : &:r12_12, m14_10
-#   12|     v12_14(void)                                                     = AliasedUse                : ~m14_9
-#   12|     v12_15(void)                                                     = ExitFunction              : 
+#   14| uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
+#   14|   Block 0
+#   14|     v14_1(void)                                                     = EnterFunction                                    : 
+#   14|     m14_2(unknown)                                                  = AliasedDefinition                                : 
+#   14|     m14_3(unknown)                                                  = InitializeNonLocal                               : 
+#   14|     m14_4(unknown)                                                  = Chi                                              : total:m14_2, partial:m14_3
+#   14|     r14_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]                               : 
+#   14|     m14_6(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[a]                           : &:r14_5
+#   14|     r14_7(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]                               : 
+#   14|     m14_8(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[b]                           : &:r14_7
+#   15|     r15_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]                         : 
+#   15|     r15_2(glval<unknown>)                                           = FunctionAddress[__builtin_aarch64_uaddlv8qi_uuu] : 
+#   15|     r15_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]                               : 
+#   15|     r15_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                                          : &:r15_3, m14_6
+#   15|     r15_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]                               : 
+#   15|     r15_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[b]                                          : &:r15_5, m14_8
+#   15|     r15_7(__attribute((neon_vector_type(8))) unsigned short)        = Call[__builtin_aarch64_uaddlv8qi_uuu]            : func:r15_2, 0:r15_4, 1:r15_6
+#   15|     m15_8(unknown)                                                  = ^CallSideEffect                                  : ~m14_4
+#   15|     m15_9(unknown)                                                  = Chi                                              : total:m14_4, partial:m15_8
+#   15|     m15_10(__attribute((neon_vector_type(8))) unsigned short)       = Store[#return]                                   : &:r15_1, r15_7
+#   14|     r14_9(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]                         : 
+#   14|     v14_10(void)                                                    = ReturnValue                                      : &:r14_9, m15_10
+#   14|     v14_11(void)                                                    = AliasedUse                                       : ~m15_9
+#   14|     v14_12(void)                                                    = ExitFunction                                     : 
 
-#   22| mfloat8x8_t arm_reinterpret(int8x8_t*)
-#   22|   Block 0
-#   22|     v22_1(void)           = EnterFunction                        : 
-#   22|     m22_2(unknown)        = AliasedDefinition                    : 
-#   22|     m22_3(unknown)        = InitializeNonLocal                   : 
-#   22|     m22_4(unknown)        = Chi                                  : total:m22_2, partial:m22_3
-#   22|     r22_5(glval<char *>)  = VariableAddress[a]                   : 
-#   22|     m22_6(char *)         = InitializeParameter[a]               : &:r22_5
-#   22|     r22_7(char *)         = Load[a]                              : &:r22_5, m22_6
-#   22|     m22_8(unknown)        = InitializeIndirection[a]             : &:r22_7
-#   23|     r23_1(glval<__mfp8>)  = VariableAddress[#return]             : 
-#   23|     r23_2(glval<unknown>) = FunctionAddress[vreinterpret_mf8_s8] : 
-#   23|     r23_3(glval<char *>)  = VariableAddress[a]                   : 
-#   23|     r23_4(char *)         = Load[a]                              : &:r23_3, m22_6
-#   23|     r23_5(char)           = Load[?]                              : &:r23_4, ~m22_8
-#   23|     r23_6(__mfp8)         = Call[vreinterpret_mf8_s8]            : func:r23_2, 0:r23_5
-#   23|     m23_7(unknown)        = ^CallSideEffect                      : ~m22_4
-#   23|     m23_8(unknown)        = Chi                                  : total:m22_4, partial:m23_7
-#   23|     m23_9(__mfp8)         = Store[#return]                       : &:r23_1, r23_6
-#   22|     v22_9(void)           = ReturnIndirection[a]                 : &:r22_7, m22_8
-#   22|     r22_10(glval<__mfp8>) = VariableAddress[#return]             : 
-#   22|     v22_11(void)          = ReturnValue                          : &:r22_10, m23_9
-#   22|     v22_12(void)          = AliasedUse                           : ~m23_8
-#   22|     v22_13(void)          = ExitFunction                         : 
-
-arm_sve.cpp:
-#    8| svuint8x2_t arm_sel(svcount_t, svuint8x2_t, svuint8x2_t*)
-#    8|   Block 0
-#    8|     v8_1(void)                                                    = EnterFunction                : 
-#    8|     m8_2(unknown)                                                 = AliasedDefinition            : 
-#    8|     m8_3(unknown)                                                 = InitializeNonLocal           : 
-#    8|     m8_4(unknown)                                                 = Chi                          : total:m8_2, partial:m8_3
-#    8|     r8_5(glval<__SVCount_t>)                                      = VariableAddress[a]           : 
-#    8|     m8_6(__SVCount_t)                                             = InitializeParameter[a]       : &:r8_5
-#    8|     r8_7(glval<__edg_scalable_vector_type__(unsigned char, 2)>)   = VariableAddress[b]           : 
-#    8|     m8_8(__edg_scalable_vector_type__(unsigned char, 2))          = InitializeParameter[b]       : &:r8_7
-#    8|     r8_9(glval<__edg_scalable_vector_type__(unsigned char, 2) *>) = VariableAddress[c]           : 
-#    8|     m8_10(__edg_scalable_vector_type__(unsigned char, 2) *)       = InitializeParameter[c]       : &:r8_9
-#    8|     r8_11(__edg_scalable_vector_type__(unsigned char, 2) *)       = Load[c]                      : &:r8_9, m8_10
-#    8|     m8_12(unknown)                                                = InitializeIndirection[c]     : &:r8_11
-#    9|     r9_1(glval<__edg_scalable_vector_type__(unsigned char, 2)>)   = VariableAddress[d]           : 
-#    9|     r9_2(glval<unknown>)                                          = FunctionAddress[svsel_u8_x2] : 
-#    9|     r9_3(glval<__SVCount_t>)                                      = VariableAddress[a]           : 
-#    9|     r9_4(__SVCount_t)                                             = Load[a]                      : &:r9_3, m8_6
-#    9|     r9_5(glval<__edg_scalable_vector_type__(unsigned char, 2)>)   = VariableAddress[b]           : 
-#    9|     r9_6(__edg_scalable_vector_type__(unsigned char, 2))          = Load[b]                      : &:r9_5, m8_8
-#    9|     r9_7(glval<__edg_scalable_vector_type__(unsigned char, 2) *>) = VariableAddress[c]           : 
-#    9|     r9_8(__edg_scalable_vector_type__(unsigned char, 2) *)        = Load[c]                      : &:r9_7, m8_10
-#    9|     r9_9(__edg_scalable_vector_type__(unsigned char, 2))          = Load[?]                      : &:r9_8, ~m8_12
-#    9|     r9_10(__edg_scalable_vector_type__(unsigned char, 2))         = Call[svsel_u8_x2]            : func:r9_2, 0:r9_4, 1:r9_6, 2:r9_9
-#    9|     m9_11(unknown)                                                = ^CallSideEffect              : ~m8_4
-#    9|     m9_12(unknown)                                                = Chi                          : total:m8_4, partial:m9_11
-#    9|     m9_13(__edg_scalable_vector_type__(unsigned char, 2))         = Store[d]                     : &:r9_1, r9_10
-#   10|     r10_1(glval<__edg_scalable_vector_type__(unsigned char, 2)>)  = VariableAddress[#return]     : 
-#   10|     r10_2(glval<__edg_scalable_vector_type__(unsigned char, 2)>)  = VariableAddress[d]           : 
-#   10|     r10_3(__edg_scalable_vector_type__(unsigned char, 2))         = Load[d]                      : &:r10_2, m9_13
-#   10|     m10_4(__edg_scalable_vector_type__(unsigned char, 2))         = Store[#return]               : &:r10_1, r10_3
-#    8|     v8_13(void)                                                   = ReturnIndirection[c]         : &:r8_11, m8_12
-#    8|     r8_14(glval<__edg_scalable_vector_type__(unsigned char, 2)>)  = VariableAddress[#return]     : 
-#    8|     v8_15(void)                                                   = ReturnValue                  : &:r8_14, m10_4
-#    8|     v8_16(void)                                                   = AliasedUse                   : ~m9_12
-#    8|     v8_17(void)                                                   = ExitFunction                 : 
+#   18| uint16x8_t arm_add(uint8x8_t, uint8x8_t)
+#   18|   Block 0
+#   18|     v18_1(void)                                                     = EnterFunction             : 
+#   18|     m18_2(unknown)                                                  = AliasedDefinition         : 
+#   18|     m18_3(unknown)                                                  = InitializeNonLocal        : 
+#   18|     m18_4(unknown)                                                  = Chi                       : total:m18_2, partial:m18_3
+#   18|     r18_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
+#   18|     m18_6(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[a]    : &:r18_5
+#   18|     r18_7(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]        : 
+#   18|     m18_8(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[b]    : &:r18_7
+#   19|     r19_1(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[c]        : 
+#   19|     r19_2(glval<unknown>)                                           = FunctionAddress[vadd_u8]  : 
+#   19|     r19_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
+#   19|     r19_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                   : &:r19_3, m18_6
+#   19|     r19_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]        : 
+#   19|     r19_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[b]                   : &:r19_5, m18_8
+#   19|     r19_7(__attribute((neon_vector_type(8))) unsigned char)         = Call[vadd_u8]             : func:r19_2, 0:r19_4, 1:r19_6
+#   19|     m19_8(unknown)                                                  = ^CallSideEffect           : ~m18_4
+#   19|     m19_9(unknown)                                                  = Chi                       : total:m18_4, partial:m19_8
+#   19|     m19_10(__attribute((neon_vector_type(8))) unsigned char)        = Store[c]                  : &:r19_1, r19_7
+#   20|     r20_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
+#   20|     r20_2(glval<unknown>)                                           = FunctionAddress[vaddl_u8] : 
+#   20|     r20_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
+#   20|     r20_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                   : &:r20_3, m18_6
+#   20|     r20_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[c]        : 
+#   20|     r20_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[c]                   : &:r20_5, m19_10
+#   20|     r20_7(__attribute((neon_vector_type(8))) unsigned short)        = Call[vaddl_u8]            : func:r20_2, 0:r20_4, 1:r20_6
+#   20|     m20_8(unknown)                                                  = ^CallSideEffect           : ~m19_9
+#   20|     m20_9(unknown)                                                  = Chi                       : total:m19_9, partial:m20_8
+#   20|     m20_10(__attribute((neon_vector_type(8))) unsigned short)       = Store[#return]            : &:r20_1, r20_7
+#   18|     r18_9(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
+#   18|     v18_10(void)                                                    = ReturnValue               : &:r18_9, m20_10
+#   18|     v18_11(void)                                                    = AliasedUse                : ~m20_9
+#   18|     v18_12(void)                                                    = ExitFunction              : 
 
 bad_asts.cpp:
 #    9| int Bad::S::MemberFunction<int 6>(int)

cpp/ql/test/library-tests/ir/ir/arm.cpp

@@ -0,0 +1,21 @@
+// semmle-extractor-options: --edg --target --edg linux_arm64
+
+typedef __Uint8x8_t uint8x8_t;
+typedef __Uint16x8_t uint16x8_t;
+
+uint8x8_t vadd_u8(uint8x8_t a, uint8x8_t b) {
+  return a + b;
+}
+
+// Workaround: the frontend only exposes this when the arm_neon.h
+// header is encountered.
+uint16x8_t __builtin_aarch64_uaddlv8qi_uuu(uint8x8_t, uint8x8_t);
+
+uint16x8_t vaddl_u8(uint8x8_t a, uint8x8_t b) {
+  return __builtin_aarch64_uaddlv8qi_uuu (a, b);
+}
+
+uint16x8_t arm_add(uint8x8_t a, uint8x8_t b) {
+  uint8x8_t c = vadd_u8(a, b);
+  return vaddl_u8(a, c);
+}

cpp/ql/test/library-tests/ir/ir/arm_neon.cpp

@@ -1,24 +0,0 @@
-// semmle-extractor-options: --edg --target --edg linux_arm64 --gnu_version 150000
-
-typedef __Uint8x8_t uint8x8_t;
-typedef __Uint16x8_t uint16x8_t;
-
-uint8x8_t vadd_u8(uint8x8_t a, uint8x8_t b) {
-  return a + b;
-}
-
-uint16x8_t vaddl_u8(uint8x8_t a, uint8x8_t b);
-
-uint16x8_t arm_add(uint8x8_t a, uint8x8_t *b) {
-  uint8x8_t c = vadd_u8(a, *b);
-  return vaddl_u8(a, c);
-}
-
-typedef __attribute__((neon_vector_type(8))) __mfp8 mfloat8x8_t;
-typedef __attribute__((neon_vector_type(8))) char int8x8_t;
-
-mfloat8x8_t vreinterpret_mf8_s8(int8x8_t);
-
-mfloat8x8_t arm_reinterpret(int8x8_t *a) {
-  return vreinterpret_mf8_s8(*a);
-}

cpp/ql/test/library-tests/ir/ir/arm_sve.cpp

@@ -1,11 +0,0 @@
-// semmle-extractor-options: --edg --target --edg linux_arm64 --clang_version 190000
-
-typedef __clang_svuint8x2_t svuint8x2_t;
-typedef __SVCount_t svcount_t;
-
-svuint8x2_t svsel_u8_x2(svcount_t, svuint8x2_t, svuint8x2_t);
-
-svuint8x2_t arm_sel(svcount_t a, svuint8x2_t b, svuint8x2_t *c) {
-  svuint8x2_t d = svsel_u8_x2(a, b, *c);
-  return d;
-}

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -1,4 +1,4 @@
-arm_neon.cpp:
+arm.cpp:
 #    6| uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
 #    6|   Block 0
 #    6|     v6_1(void)                                                    = EnterFunction            : 
@@ -20,100 +20,60 @@ arm_neon.cpp:
 #    6|     v6_10(void)                                                   = AliasedUse               : ~m?
 #    6|     v6_11(void)                                                   = ExitFunction             : 
 
-#   12| uint16x8_t arm_add(uint8x8_t, uint8x8_t*)
-#   12|   Block 0
-#   12|     v12_1(void)                                                      = EnterFunction             : 
-#   12|     mu12_2(unknown)                                                  = AliasedDefinition         : 
-#   12|     mu12_3(unknown)                                                  = InitializeNonLocal        : 
-#   12|     r12_4(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[a]        : 
-#   12|     mu12_5(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[a]    : &:r12_4
-#   12|     r12_6(glval<__attribute((neon_vector_type(8))) unsigned char *>) = VariableAddress[b]        : 
-#   12|     mu12_7(__attribute((neon_vector_type(8))) unsigned char *)       = InitializeParameter[b]    : &:r12_6
-#   12|     r12_8(__attribute((neon_vector_type(8))) unsigned char *)        = Load[b]                   : &:r12_6, ~m?
-#   12|     mu12_9(unknown)                                                  = InitializeIndirection[b]  : &:r12_8
-#   13|     r13_1(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[c]        : 
-#   13|     r13_2(glval<unknown>)                                            = FunctionAddress[vadd_u8]  : 
-#   13|     r13_3(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[a]        : 
-#   13|     r13_4(__attribute((neon_vector_type(8))) unsigned char)          = Load[a]                   : &:r13_3, ~m?
-#   13|     r13_5(glval<__attribute((neon_vector_type(8))) unsigned char *>) = VariableAddress[b]        : 
-#   13|     r13_6(__attribute((neon_vector_type(8))) unsigned char *)        = Load[b]                   : &:r13_5, ~m?
-#   13|     r13_7(__attribute((neon_vector_type(8))) unsigned char)          = Load[?]                   : &:r13_6, ~m?
-#   13|     r13_8(__attribute((neon_vector_type(8))) unsigned char)          = Call[vadd_u8]             : func:r13_2, 0:r13_4, 1:r13_7
-#   13|     mu13_9(unknown)                                                  = ^CallSideEffect           : ~m?
-#   13|     mu13_10(__attribute((neon_vector_type(8))) unsigned char)        = Store[c]                  : &:r13_1, r13_8
-#   14|     r14_1(glval<__attribute((neon_vector_type(8))) unsigned short>)  = VariableAddress[#return]  : 
-#   14|     r14_2(glval<unknown>)                                            = FunctionAddress[vaddl_u8] : 
-#   14|     r14_3(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[a]        : 
-#   14|     r14_4(__attribute((neon_vector_type(8))) unsigned char)          = Load[a]                   : &:r14_3, ~m?
-#   14|     r14_5(glval<__attribute((neon_vector_type(8))) unsigned char>)   = VariableAddress[c]        : 
-#   14|     r14_6(__attribute((neon_vector_type(8))) unsigned char)          = Load[c]                   : &:r14_5, ~m?
-#   14|     r14_7(__attribute((neon_vector_type(8))) unsigned short)         = Call[vaddl_u8]            : func:r14_2, 0:r14_4, 1:r14_6
-#   14|     mu14_8(unknown)                                                  = ^CallSideEffect           : ~m?
-#   14|     mu14_9(__attribute((neon_vector_type(8))) unsigned short)        = Store[#return]            : &:r14_1, r14_7
-#   12|     v12_10(void)                                                     = ReturnIndirection[b]      : &:r12_8, ~m?
-#   12|     r12_11(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
-#   12|     v12_12(void)                                                     = ReturnValue               : &:r12_11, ~m?
-#   12|     v12_13(void)                                                     = AliasedUse                : ~m?
-#   12|     v12_14(void)                                                     = ExitFunction              : 
+#   14| uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
+#   14|   Block 0
+#   14|     v14_1(void)                                                     = EnterFunction                                    : 
+#   14|     mu14_2(unknown)                                                 = AliasedDefinition                                : 
+#   14|     mu14_3(unknown)                                                 = InitializeNonLocal                               : 
+#   14|     r14_4(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]                               : 
+#   14|     mu14_5(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[a]                           : &:r14_4
+#   14|     r14_6(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]                               : 
+#   14|     mu14_7(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[b]                           : &:r14_6
+#   15|     r15_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]                         : 
+#   15|     r15_2(glval<unknown>)                                           = FunctionAddress[__builtin_aarch64_uaddlv8qi_uuu] : 
+#   15|     r15_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]                               : 
+#   15|     r15_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                                          : &:r15_3, ~m?
+#   15|     r15_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]                               : 
+#   15|     r15_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[b]                                          : &:r15_5, ~m?
+#   15|     r15_7(__attribute((neon_vector_type(8))) unsigned short)        = Call[__builtin_aarch64_uaddlv8qi_uuu]            : func:r15_2, 0:r15_4, 1:r15_6
+#   15|     mu15_8(unknown)                                                 = ^CallSideEffect                                  : ~m?
+#   15|     mu15_9(__attribute((neon_vector_type(8))) unsigned short)       = Store[#return]                                   : &:r15_1, r15_7
+#   14|     r14_8(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]                         : 
+#   14|     v14_9(void)                                                     = ReturnValue                                      : &:r14_8, ~m?
+#   14|     v14_10(void)                                                    = AliasedUse                                       : ~m?
+#   14|     v14_11(void)                                                    = ExitFunction                                     : 
 
-#   22| mfloat8x8_t arm_reinterpret(int8x8_t*)
-#   22|   Block 0
-#   22|     v22_1(void)           = EnterFunction                        : 
-#   22|     mu22_2(unknown)       = AliasedDefinition                    : 
-#   22|     mu22_3(unknown)       = InitializeNonLocal                   : 
-#   22|     r22_4(glval<char *>)  = VariableAddress[a]                   : 
-#   22|     mu22_5(char *)        = InitializeParameter[a]               : &:r22_4
-#   22|     r22_6(char *)         = Load[a]                              : &:r22_4, ~m?
-#   22|     mu22_7(unknown)       = InitializeIndirection[a]             : &:r22_6
-#   23|     r23_1(glval<__mfp8>)  = VariableAddress[#return]             : 
-#   23|     r23_2(glval<unknown>) = FunctionAddress[vreinterpret_mf8_s8] : 
-#   23|     r23_3(glval<char *>)  = VariableAddress[a]                   : 
-#   23|     r23_4(char *)         = Load[a]                              : &:r23_3, ~m?
-#   23|     r23_5(char)           = Load[?]                              : &:r23_4, ~m?
-#   23|     r23_6(__mfp8)         = Call[vreinterpret_mf8_s8]            : func:r23_2, 0:r23_5
-#   23|     mu23_7(unknown)       = ^CallSideEffect                      : ~m?
-#   23|     mu23_8(__mfp8)        = Store[#return]                       : &:r23_1, r23_6
-#   22|     v22_8(void)           = ReturnIndirection[a]                 : &:r22_6, ~m?
-#   22|     r22_9(glval<__mfp8>)  = VariableAddress[#return]             : 
-#   22|     v22_10(void)          = ReturnValue                          : &:r22_9, ~m?
-#   22|     v22_11(void)          = AliasedUse                           : ~m?
-#   22|     v22_12(void)          = ExitFunction                         : 
-
-arm_sve.cpp:
-#    8| svuint8x2_t arm_sel(svcount_t, svuint8x2_t, svuint8x2_t*)
-#    8|   Block 0
-#    8|     v8_1(void)                                                    = EnterFunction                : 
-#    8|     mu8_2(unknown)                                                = AliasedDefinition            : 
-#    8|     mu8_3(unknown)                                                = InitializeNonLocal           : 
-#    8|     r8_4(glval<__SVCount_t>)                                      = VariableAddress[a]           : 
-#    8|     mu8_5(__SVCount_t)                                            = InitializeParameter[a]       : &:r8_4
-#    8|     r8_6(glval<__edg_scalable_vector_type__(unsigned char, 2)>)   = VariableAddress[b]           : 
-#    8|     mu8_7(__edg_scalable_vector_type__(unsigned char, 2))         = InitializeParameter[b]       : &:r8_6
-#    8|     r8_8(glval<__edg_scalable_vector_type__(unsigned char, 2) *>) = VariableAddress[c]           : 
-#    8|     mu8_9(__edg_scalable_vector_type__(unsigned char, 2) *)       = InitializeParameter[c]       : &:r8_8
-#    8|     r8_10(__edg_scalable_vector_type__(unsigned char, 2) *)       = Load[c]                      : &:r8_8, ~m?
-#    8|     mu8_11(unknown)                                               = InitializeIndirection[c]     : &:r8_10
-#    9|     r9_1(glval<__edg_scalable_vector_type__(unsigned char, 2)>)   = VariableAddress[d]           : 
-#    9|     r9_2(glval<unknown>)                                          = FunctionAddress[svsel_u8_x2] : 
-#    9|     r9_3(glval<__SVCount_t>)                                      = VariableAddress[a]           : 
-#    9|     r9_4(__SVCount_t)                                             = Load[a]                      : &:r9_3, ~m?
-#    9|     r9_5(glval<__edg_scalable_vector_type__(unsigned char, 2)>)   = VariableAddress[b]           : 
-#    9|     r9_6(__edg_scalable_vector_type__(unsigned char, 2))          = Load[b]                      : &:r9_5, ~m?
-#    9|     r9_7(glval<__edg_scalable_vector_type__(unsigned char, 2) *>) = VariableAddress[c]           : 
-#    9|     r9_8(__edg_scalable_vector_type__(unsigned char, 2) *)        = Load[c]                      : &:r9_7, ~m?
-#    9|     r9_9(__edg_scalable_vector_type__(unsigned char, 2))          = Load[?]                      : &:r9_8, ~m?
-#    9|     r9_10(__edg_scalable_vector_type__(unsigned char, 2))         = Call[svsel_u8_x2]            : func:r9_2, 0:r9_4, 1:r9_6, 2:r9_9
-#    9|     mu9_11(unknown)                                               = ^CallSideEffect              : ~m?
-#    9|     mu9_12(__edg_scalable_vector_type__(unsigned char, 2))        = Store[d]                     : &:r9_1, r9_10
-#   10|     r10_1(glval<__edg_scalable_vector_type__(unsigned char, 2)>)  = VariableAddress[#return]     : 
-#   10|     r10_2(glval<__edg_scalable_vector_type__(unsigned char, 2)>)  = VariableAddress[d]           : 
-#   10|     r10_3(__edg_scalable_vector_type__(unsigned char, 2))         = Load[d]                      : &:r10_2, ~m?
-#   10|     mu10_4(__edg_scalable_vector_type__(unsigned char, 2))        = Store[#return]               : &:r10_1, r10_3
-#    8|     v8_12(void)                                                   = ReturnIndirection[c]         : &:r8_10, ~m?
-#    8|     r8_13(glval<__edg_scalable_vector_type__(unsigned char, 2)>)  = VariableAddress[#return]     : 
-#    8|     v8_14(void)                                                   = ReturnValue                  : &:r8_13, ~m?
-#    8|     v8_15(void)                                                   = AliasedUse                   : ~m?
-#    8|     v8_16(void)                                                   = ExitFunction                 : 
+#   18| uint16x8_t arm_add(uint8x8_t, uint8x8_t)
+#   18|   Block 0
+#   18|     v18_1(void)                                                     = EnterFunction             : 
+#   18|     mu18_2(unknown)                                                 = AliasedDefinition         : 
+#   18|     mu18_3(unknown)                                                 = InitializeNonLocal        : 
+#   18|     r18_4(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
+#   18|     mu18_5(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[a]    : &:r18_4
+#   18|     r18_6(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]        : 
+#   18|     mu18_7(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[b]    : &:r18_6
+#   19|     r19_1(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[c]        : 
+#   19|     r19_2(glval<unknown>)                                           = FunctionAddress[vadd_u8]  : 
+#   19|     r19_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
+#   19|     r19_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                   : &:r19_3, ~m?
+#   19|     r19_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]        : 
+#   19|     r19_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[b]                   : &:r19_5, ~m?
+#   19|     r19_7(__attribute((neon_vector_type(8))) unsigned char)         = Call[vadd_u8]             : func:r19_2, 0:r19_4, 1:r19_6
+#   19|     mu19_8(unknown)                                                 = ^CallSideEffect           : ~m?
+#   19|     mu19_9(__attribute((neon_vector_type(8))) unsigned char)        = Store[c]                  : &:r19_1, r19_7
+#   20|     r20_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
+#   20|     r20_2(glval<unknown>)                                           = FunctionAddress[vaddl_u8] : 
+#   20|     r20_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
+#   20|     r20_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                   : &:r20_3, ~m?
+#   20|     r20_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[c]        : 
+#   20|     r20_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[c]                   : &:r20_5, ~m?
+#   20|     r20_7(__attribute((neon_vector_type(8))) unsigned short)        = Call[vaddl_u8]            : func:r20_2, 0:r20_4, 1:r20_6
+#   20|     mu20_8(unknown)                                                 = ^CallSideEffect           : ~m?
+#   20|     mu20_9(__attribute((neon_vector_type(8))) unsigned short)       = Store[#return]            : &:r20_1, r20_7
+#   18|     r18_8(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
+#   18|     v18_9(void)                                                     = ReturnValue               : &:r18_8, ~m?
+#   18|     v18_10(void)                                                    = AliasedUse                : ~m?
+#   18|     v18_11(void)                                                    = ExitFunction              : 
 
 bad_asts.cpp:
 #    9| int Bad::S::MemberFunction<int 6>(int)

cpp/ql/test/library-tests/templates/instantiation_directive/functions.expected

@@ -1,5 +1,3 @@
 | file://:0:0:0:0 | operator= | file://:0:0:0:0 | __va_list_tag && |
 | file://:0:0:0:0 | operator= | file://:0:0:0:0 | const __va_list_tag & |
-| test.cpp:2:6:2:6 | foo | file://:0:0:0:0 | float |
-| test.cpp:2:6:2:6 | foo | file://:0:0:0:0 | int |
 | test.cpp:2:6:2:8 | foo | test.cpp:1:19:1:19 | T |

cpp/ql/test/library-tests/templates/isfromtemplateinstantiation/instantiations.expected

@@ -10,4 +10,3 @@
 | isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<int> | ClassTemplateInstantiation | file://:0:0:0:0 | int |
 | isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<long> | ClassTemplateInstantiation | file://:0:0:0:0 | long |
 | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> | ClassTemplateInstantiation | load.cpp:3:7:3:24 | std_istream_mockup |
-| load.cpp:22:10:22:10 | load | FunctionTemplateInstantiation | file://:0:0:0:0 | short |

cpp/ql/test/library-tests/templates/isfromtemplateinstantiation/isfromtemplateinstantiation.expected

@@ -104,15 +104,6 @@
 | isfromtemplateinstantiation.cpp:99:1:99:1 | return ... | isfromtemplateinstantiation.cpp:77:26:77:45 | AnotherTemplateClass<int> |
 | isfromtemplateinstantiation.cpp:99:1:99:1 | return ... | isfromtemplateinstantiation.cpp:97:52:97:52 | AnotherTemplateClass<int>::myMethod2(MyClassEnum) |
 | isfromtemplateinstantiation.cpp:110:3:110:3 | definition of var_template | isfromtemplateinstantiation.cpp:110:3:110:3 | var_template |
-| isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
-| isfromtemplateinstantiation.cpp:129:6:129:6 | definition of f | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
-| isfromtemplateinstantiation.cpp:129:6:129:6 | definition of f | isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() |
-| isfromtemplateinstantiation.cpp:129:10:129:22 | { ... } | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
-| isfromtemplateinstantiation.cpp:129:10:129:22 | { ... } | isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() |
-| isfromtemplateinstantiation.cpp:129:12:129:20 | return ... | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
-| isfromtemplateinstantiation.cpp:129:12:129:20 | return ... | isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() |
-| isfromtemplateinstantiation.cpp:129:19:129:19 | 1 | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
-| isfromtemplateinstantiation.cpp:129:19:129:19 | 1 | isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() |
 | isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<U> | isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<int> |
 | isfromtemplateinstantiation.cpp:135:31:135:35 | declaration of Inner<U> | isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<int> |
 | isfromtemplateinstantiation.cpp:136:7:136:7 | definition of x | isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<long> |
@@ -121,94 +112,7 @@
 | isfromtemplateinstantiation.cpp:137:7:137:7 | y | isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<long> |
 | load.cpp:15:14:15:15 | definition of is | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
 | load.cpp:15:14:15:15 | is | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:18:5:18:5 | definition of basic_text_iprimitive | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:18:5:18:5 | definition of basic_text_iprimitive | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
-| load.cpp:18:36:18:42 | definition of isParam | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:18:36:18:42 | definition of isParam | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
-| load.cpp:18:36:18:42 | std_istream_mockup & isParam | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:18:36:18:42 | std_istream_mockup & isParam | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
-| load.cpp:19:11:19:21 | constructor init of field is | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:19:11:19:21 | constructor init of field is | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
-| load.cpp:19:14:19:20 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:19:14:19:20 | (reference dereference) | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
-| load.cpp:19:14:19:20 | (reference to) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:19:14:19:20 | (reference to) | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
-| load.cpp:19:14:19:20 | isParam | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:19:14:19:20 | isParam | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
-| load.cpp:19:23:19:24 | { ... } | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:19:23:19:24 | { ... } | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
-| load.cpp:19:24:19:24 | return ... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:19:24:19:24 | return ... | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
-| load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:22:10:22:10 | definition of load | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:22:10:22:10 | definition of load | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
 | load.cpp:22:10:22:13 | basic_text_iprimitive<std_istream_mockup>::load<T>(T &) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
 | load.cpp:22:10:22:13 | declaration of load | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
 | load.cpp:22:19:22:19 | T & t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
 | load.cpp:22:19:22:19 | declaration of t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:22:19:22:19 | definition of t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:22:19:22:19 | definition of t | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
-| load.cpp:22:19:22:19 | short & t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:22:19:22:19 | short & t | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
-| load.cpp:23:5:25:5 | { ... } | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:23:5:25:5 | { ... } | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
-| load.cpp:24:9:24:10 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:24:9:24:10 | (reference dereference) | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
-| load.cpp:24:9:24:10 | is | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:24:9:24:10 | is | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
-| load.cpp:24:9:24:10 | this | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:24:9:24:10 | this | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
-| load.cpp:24:9:24:16 | ExprStmt | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:24:9:24:16 | ExprStmt | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
-| load.cpp:24:12:24:12 | call to operator>> | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:24:12:24:12 | call to operator>> | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
-| load.cpp:24:12:24:16 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:24:12:24:16 | (reference dereference) | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
-| load.cpp:24:15:24:15 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:24:15:24:15 | (reference dereference) | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
-| load.cpp:24:15:24:15 | (reference to) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:24:15:24:15 | (reference to) | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
-| load.cpp:24:15:24:15 | t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:24:15:24:15 | t | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
-| load.cpp:25:5:25:5 | return ... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:25:5:25:5 | return ... | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
-| load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:27:10:27:10 | definition of load | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:27:10:27:10 | definition of load | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:27:22:27:22 | char & t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:27:22:27:22 | char & t | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:27:22:27:22 | definition of t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:27:22:27:22 | definition of t | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:28:5:32:5 | { ... } | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:28:5:32:5 | { ... } | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:29:9:29:20 | declaration | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:29:9:29:20 | declaration | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:29:19:29:19 | definition of i | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:29:19:29:19 | definition of i | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:29:19:29:19 | i | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:29:19:29:19 | i | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:30:9:30:12 | call to load | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:30:9:30:12 | call to load | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:30:9:30:12 | this | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:30:9:30:12 | this | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:30:9:30:16 | ExprStmt | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:30:9:30:16 | ExprStmt | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:30:14:30:14 | (reference to) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:30:14:30:14 | (reference to) | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:30:14:30:14 | i | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:30:14:30:14 | i | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:31:9:31:9 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:31:9:31:9 | (reference dereference) | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:31:9:31:9 | t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:31:9:31:9 | t | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:31:9:31:13 | ... = ... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:31:9:31:13 | ... = ... | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:31:9:31:14 | ExprStmt | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:31:9:31:14 | ExprStmt | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:31:13:31:13 | (char)... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:31:13:31:13 | (char)... | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:31:13:31:13 | i | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:31:13:31:13 | i | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
-| load.cpp:32:5:32:5 | return ... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
-| load.cpp:32:5:32:5 | return ... | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |

cpp/ql/test/library-tests/templates/isfromtemplateinstantiation/isfromuninstantiatedtemplate.expected

@@ -425,16 +425,7 @@ isFromUninstantiatedTemplate
 | isfromtemplateinstantiation.cpp:123:6:123:6 | f |  |  | Declaration |  |
 | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<T *> |  | T | Declaration |  |
 | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> | I |  | Declaration |  |
-| isfromtemplateinstantiation.cpp:129:6:129:6 | definition of f |  | T | Definition |  |
-| isfromtemplateinstantiation.cpp:129:6:129:6 | definition of f | I |  | Definition |  |
 | isfromtemplateinstantiation.cpp:129:6:129:6 | f |  | T | Declaration |  |
-| isfromtemplateinstantiation.cpp:129:6:129:6 | f | I |  | Declaration |  |
-| isfromtemplateinstantiation.cpp:129:10:129:22 | { ... } |  | T | Stmt |  |
-| isfromtemplateinstantiation.cpp:129:10:129:22 | { ... } | I |  | Stmt |  |
-| isfromtemplateinstantiation.cpp:129:12:129:20 | return ... |  | T | Stmt |  |
-| isfromtemplateinstantiation.cpp:129:12:129:20 | return ... | I |  | Stmt |  |
-| isfromtemplateinstantiation.cpp:129:19:129:19 | 1 |  | T | Expr |  |
-| isfromtemplateinstantiation.cpp:129:19:129:19 | 1 | I |  | Expr |  |
 | isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<T> |  | T | Declaration |  |
 | isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<int> | I |  | Declaration |  |
 | isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<U> |  | T | Declaration |  |
@@ -470,82 +461,21 @@ isFromUninstantiatedTemplate
 | load.cpp:15:14:15:15 | definition of is | I |  | Definition |  |
 | load.cpp:15:14:15:15 | is |  | T | Declaration |  |
 | load.cpp:15:14:15:15 | is | I |  | Declaration |  |
-| load.cpp:18:5:18:5 | basic_text_iprimitive | I |  | Declaration |  |
 | load.cpp:18:5:18:25 | basic_text_iprimitive |  | T | Declaration |  |
-| load.cpp:18:36:18:42 | definition of isParam |  | T | Definition |  |
-| load.cpp:18:36:18:42 | definition of isParam | I |  | Definition |  |
-| load.cpp:18:36:18:42 | isParam |  | T | Declaration |  |
-| load.cpp:18:36:18:42 | isParam | I |  | Declaration |  |
-| load.cpp:19:11:19:21 | constructor init of field is |  | T | Expr |  |
-| load.cpp:19:11:19:21 | constructor init of field is | I |  | Expr |  |
 | load.cpp:19:14:19:20 | (reference dereference) |  | T | Expr |  |
-| load.cpp:19:14:19:20 | (reference dereference) | I |  | Expr |  |
 | load.cpp:19:14:19:20 | (reference to) |  | T | Expr |  |
-| load.cpp:19:14:19:20 | (reference to) | I |  | Expr |  |
 | load.cpp:19:14:19:20 | isParam |  | T | Expr | Ref |
-| load.cpp:19:14:19:20 | isParam | I |  | Expr | Ref |
-| load.cpp:19:23:19:24 | { ... } |  | T | Stmt |  |
-| load.cpp:19:23:19:24 | { ... } | I |  | Stmt |  |
-| load.cpp:19:24:19:24 | return ... |  | T | Stmt |  |
-| load.cpp:19:24:19:24 | return ... | I |  | Stmt |  |
-| load.cpp:22:10:22:10 | load | I |  | Declaration |  |
 | load.cpp:22:10:22:13 | load |  | T | Declaration |  |
 | load.cpp:22:10:22:13 | load | I | T | Declaration |  |
-| load.cpp:22:19:22:19 | definition of t |  | T | Definition |  |
-| load.cpp:22:19:22:19 | definition of t | I |  | Definition |  |
 | load.cpp:22:19:22:19 | t |  | T | Declaration |  |
-| load.cpp:22:19:22:19 | t | I |  | Declaration |  |
 | load.cpp:22:19:22:19 | t | I | T | Declaration |  |
-| load.cpp:23:5:25:5 | { ... } |  | T | Stmt |  |
-| load.cpp:23:5:25:5 | { ... } | I |  | Stmt |  |
 | load.cpp:24:9:24:10 | (reference dereference) |  | T | Expr |  |
-| load.cpp:24:9:24:10 | (reference dereference) | I |  | Expr |  |
 | load.cpp:24:9:24:10 | is |  | T | Expr | Not ref |
-| load.cpp:24:9:24:10 | is | I |  | Expr | Not ref |
 | load.cpp:24:9:24:10 | this |  | T | Expr |  |
-| load.cpp:24:9:24:10 | this | I |  | Expr |  |
-| load.cpp:24:9:24:16 | ExprStmt |  | T | Stmt |  |
-| load.cpp:24:9:24:16 | ExprStmt | I |  | Stmt |  |
 | load.cpp:24:15:24:15 | (reference dereference) |  | T | Expr |  |
-| load.cpp:24:15:24:15 | (reference dereference) | I |  | Expr |  |
-| load.cpp:24:15:24:15 | (reference to) | I |  | Expr |  |
 | load.cpp:24:15:24:15 | t |  | T | Expr | Not ref |
-| load.cpp:24:15:24:15 | t | I |  | Expr | Ref |
-| load.cpp:25:5:25:5 | return ... |  | T | Stmt |  |
-| load.cpp:25:5:25:5 | return ... | I |  | Stmt |  |
-| load.cpp:27:10:27:10 | load | I |  | Declaration |  |
 | load.cpp:27:10:27:13 | load |  | T | Declaration |  |
-| load.cpp:27:22:27:22 | definition of t |  | T | Definition |  |
-| load.cpp:27:22:27:22 | definition of t | I |  | Definition |  |
-| load.cpp:27:22:27:22 | t |  | T | Declaration |  |
-| load.cpp:27:22:27:22 | t | I |  | Declaration |  |
-| load.cpp:28:5:32:5 | { ... } |  | T | Stmt |  |
-| load.cpp:28:5:32:5 | { ... } | I |  | Stmt |  |
-| load.cpp:29:9:29:20 | declaration |  | T | Stmt |  |
-| load.cpp:29:9:29:20 | declaration | I |  | Stmt |  |
-| load.cpp:29:19:29:19 | definition of i |  | T | Definition |  |
-| load.cpp:29:19:29:19 | definition of i | I |  | Definition |  |
-| load.cpp:29:19:29:19 | i |  | T | Declaration |  |
-| load.cpp:29:19:29:19 | i | I |  | Declaration |  |
-| load.cpp:30:9:30:12 | Unknown literal |  | T | Expr |  |
-| load.cpp:30:9:30:12 | call to load | I |  | Expr |  |
-| load.cpp:30:9:30:12 | this | I |  | Expr |  |
-| load.cpp:30:9:30:16 | ExprStmt |  | T | Stmt |  |
-| load.cpp:30:9:30:16 | ExprStmt | I |  | Stmt |  |
-| load.cpp:30:14:30:14 | (reference to) | I |  | Expr |  |
-| load.cpp:30:14:30:14 | i |  | T | Expr | Not ref |
-| load.cpp:30:14:30:14 | i | I |  | Expr | Ref |
 | load.cpp:31:9:31:9 | (reference dereference) |  | T | Expr |  |
-| load.cpp:31:9:31:9 | (reference dereference) | I |  | Expr |  |
 | load.cpp:31:9:31:9 | t |  | T | Expr | Not ref |
-| load.cpp:31:9:31:9 | t | I |  | Expr | Not ref |
-| load.cpp:31:9:31:13 | ... = ... |  | T | Expr |  |
-| load.cpp:31:9:31:13 | ... = ... | I |  | Expr |  |
-| load.cpp:31:9:31:14 | ExprStmt |  | T | Stmt |  |
-| load.cpp:31:9:31:14 | ExprStmt | I |  | Stmt |  |
 | load.cpp:31:13:31:13 | (char)... |  | T | Expr |  |
-| load.cpp:31:13:31:13 | (char)... | I |  | Expr |  |
 | load.cpp:31:13:31:13 | i |  | T | Expr | Not ref |
-| load.cpp:31:13:31:13 | i | I |  | Expr | Not ref |
-| load.cpp:32:5:32:5 | return ... |  | T | Stmt |  |
-| load.cpp:32:5:32:5 | return ... | I |  | Stmt |  |

cpp/ql/test/library-tests/templates/switch/test.expected

@@ -1,2 +1 @@
 | test.cpp:13:3:20:3 | switch (...) ...  | 3 |
-| test.cpp:13:3:20:3 | switch (...) ...  | 3 |

cpp/ql/test/library-tests/templates/type_instantiations/types.expected

@@ -5,13 +5,10 @@
 | file://:0:0:0:0 | _Complex _Float64 |
 | file://:0:0:0:0 | _Complex _Float64x |
 | file://:0:0:0:0 | _Complex _Float128 |
-| file://:0:0:0:0 | _Complex __bf16 |
 | file://:0:0:0:0 | _Complex __float128 |
-| file://:0:0:0:0 | _Complex __fp16 |
 | file://:0:0:0:0 | _Complex double |
 | file://:0:0:0:0 | _Complex float |
 | file://:0:0:0:0 | _Complex long double |
-| file://:0:0:0:0 | _Complex std::float16_t |
 | file://:0:0:0:0 | _Decimal32 |
 | file://:0:0:0:0 | _Decimal64 |
 | file://:0:0:0:0 | _Decimal128 |

cpp/ql/test/library-tests/type_sizes/type_sizes.expected

@@ -25,13 +25,10 @@
 | file://:0:0:0:0 | _Complex _Float64 | 16 |
 | file://:0:0:0:0 | _Complex _Float64x | 32 |
 | file://:0:0:0:0 | _Complex _Float128 | 32 |
-| file://:0:0:0:0 | _Complex __bf16 | 4 |
 | file://:0:0:0:0 | _Complex __float128 | 32 |
-| file://:0:0:0:0 | _Complex __fp16 | 4 |
 | file://:0:0:0:0 | _Complex double | 16 |
 | file://:0:0:0:0 | _Complex float | 8 |
 | file://:0:0:0:0 | _Complex long double | 32 |
-| file://:0:0:0:0 | _Complex std::float16_t | 4 |
 | file://:0:0:0:0 | _Decimal32 | 4 |
 | file://:0:0:0:0 | _Decimal64 | 8 |
 | file://:0:0:0:0 | _Decimal128 | 16 |

cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected

@@ -7,13 +7,10 @@
 | file://:0:0:0:0 | _Complex _Float64 | _Complex _Float64 |
 | file://:0:0:0:0 | _Complex _Float64x | _Complex _Float64x |
 | file://:0:0:0:0 | _Complex _Float128 | _Complex _Float128 |
-| file://:0:0:0:0 | _Complex __bf16 | _Complex __bf16 |
 | file://:0:0:0:0 | _Complex __float128 | _Complex __float128 |
-| file://:0:0:0:0 | _Complex __fp16 | _Complex __fp16 |
 | file://:0:0:0:0 | _Complex double | _Complex double |
 | file://:0:0:0:0 | _Complex float | _Complex float |
 | file://:0:0:0:0 | _Complex long double | _Complex long double |
-| file://:0:0:0:0 | _Complex std::float16_t | _Complex std::float16_t |
 | file://:0:0:0:0 | _Decimal32 | _Decimal32 |
 | file://:0:0:0:0 | _Decimal64 | _Decimal64 |
 | file://:0:0:0:0 | _Decimal128 | _Decimal128 |

cpp/ql/test/library-tests/variables/variables/types.expected

@@ -6,13 +6,10 @@
 | _Complex _Float64 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex _Float64x | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex _Float128 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
-| _Complex __bf16 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex __float128 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
-| _Complex __fp16 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex double | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex float | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex long double | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
-| _Complex std::float16_t | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Decimal32 | Decimal32Type |  |  |  |  |
 | _Decimal64 | Decimal64Type |  |  |  |  |
 | _Decimal128 | Decimal128Type |  |  |  |  |

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected

@@ -1,11 +1,3 @@
-#select
-| test.c:21:18:21:23 | query1 | test.c:14:27:14:30 | **argv | test.c:21:18:21:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
-| test.c:51:18:51:23 | query1 | test.c:14:27:14:30 | **argv | test.c:51:18:51:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
-| test.c:76:17:76:25 | userInput | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLPrepare(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
-| test.c:77:20:77:28 | userInput | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLExecDirect(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
-| test.c:106:24:106:29 | query1 | test.c:101:8:101:16 | gets output argument | test.c:106:24:106:29 | *query1 | This argument to a SQL query function is derived from $@. | test.c:101:8:101:16 | gets output argument | user input (string read by gets) |
-| test.c:107:28:107:33 | query1 | test.c:101:8:101:16 | gets output argument | test.c:107:28:107:33 | *query1 | This argument to a SQL query function is derived from $@. | test.c:101:8:101:16 | gets output argument | user input (string read by gets) |
-| test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
 edges
 | test.c:14:27:14:30 | **argv | test.c:15:20:15:26 | *access to array | provenance |  |
 | test.c:15:20:15:26 | *access to array | test.c:21:18:21:23 | *query1 | provenance | TaintFunction |
@@ -17,12 +9,7 @@ edges
 | test.c:48:20:48:33 | *globalUsername | test.c:51:18:51:23 | *query1 | provenance | TaintFunction |
 | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | provenance |  |
 | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | provenance |  |
-| test.c:101:8:101:16 | gets output argument | test.c:106:24:106:29 | *query1 | provenance | TaintFunction Sink:MaD:2 |
-| test.c:101:8:101:16 | gets output argument | test.c:107:28:107:33 | *query1 | provenance | TaintFunction Sink:MaD:1 |
 | test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | provenance |  |
-models
-| 1 | Sink: ; ; false; OCIStmtPrepare2; ; ; Argument[*3]; sql-injection; manual |
-| 2 | Sink: ; ; false; OCIStmtPrepare; ; ; Argument[*2]; sql-injection; manual |
 nodes
 | test.c:14:27:14:30 | **argv | semmle.label | **argv |
 | test.c:15:20:15:26 | *access to array | semmle.label | *access to array |
@@ -36,9 +23,12 @@ nodes
 | test.c:75:8:75:16 | gets output argument | semmle.label | gets output argument |
 | test.c:76:17:76:25 | *userInput | semmle.label | *userInput |
 | test.c:77:20:77:28 | *userInput | semmle.label | *userInput |
-| test.c:101:8:101:16 | gets output argument | semmle.label | gets output argument |
-| test.c:106:24:106:29 | *query1 | semmle.label | *query1 |
-| test.c:107:28:107:33 | *query1 | semmle.label | *query1 |
 | test.cpp:39:27:39:30 | **argv | semmle.label | **argv |
 | test.cpp:43:27:43:33 | *access to array | semmle.label | *access to array |
 subpaths
+#select
+| test.c:21:18:21:23 | query1 | test.c:14:27:14:30 | **argv | test.c:21:18:21:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
+| test.c:51:18:51:23 | query1 | test.c:14:27:14:30 | **argv | test.c:51:18:51:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
+| test.c:76:17:76:25 | userInput | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLPrepare(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
+| test.c:77:20:77:28 | userInput | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLExecDirect(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
+| test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.qlref

@@ -1,5 +1 @@
-query: Security/CWE/CWE-089/SqlTainted.ql
-postprocess:
- - utils/test/PrettyPrintModels.ql
- - utils/test/InlineExpectationsTestQuery.ql
- 
+Security/CWE/CWE-089/SqlTainted.ql

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c

@@ -11,14 +11,14 @@ int atoi(const char *nptr);
 void exit(int i);
 ///// Test code /////
 
-int main(int argc, char** argv) { // $ Source
+int main(int argc, char** argv) {
   char *userName = argv[2];
   int userNumber = atoi(argv[3]);
 
   // a string from the user is injected directly into an SQL query.
   char query1[1000] = {0};
   snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", userName);
-  mysql_query(0, query1); // $ Alert
+  mysql_query(0, query1); // BAD
   
   // the user string is encoded by a library routine.
   char userNameSanitized[1000] = {0};
@@ -48,7 +48,7 @@ void badFunc() {
   char *userName = globalUsername;
   char query1[1000] = {0};
   snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", userName);
-  mysql_query(0, query1); // $ Alert
+  mysql_query(0, query1); // BAD
 }
 
 //ODBC Library Rountines
@@ -72,44 +72,7 @@ SQLRETURN SQLPrepare(
 
 void ODBCTests(){
   char userInput[100];
-  gets(userInput); // $ Source
-  SQLPrepare(0, userInput, 100); // $ Alert
-  SQLExecDirect(0, userInput, 100); // $ Alert
-}
-
-// Oracle Call Interface (OCI) Routines
-int OCIStmtPrepare(
-      void *arg0,
-      void *arg1,
-      const unsigned char *sql,
-      unsigned int arg3,
-      unsigned int arg4,
-      unsigned int arg5);
-int OCIStmtPrepare2(
-      void *arg0,
-      void **arg1,
-      void *arg2,
-      const unsigned char *sql,
-      unsigned int arg4,
-      const unsigned char *arg5,
-      unsigned int arg6,
-      unsigned int arg7,
-      unsigned int arg8);
-
-void OCITests(){
-  char userInput[100];
-  gets(userInput); // $ Source
-
-  // a string from the user is injected directly into an SQL query.
-  char query1[1000] = {0};
-  snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", userInput);
-  OCIStmtPrepare(0, 0, query1, 0, 0, 0); // $ Alert
-  OCIStmtPrepare2(0, 0, 0, query1, 0, 0, 0, 0, 0); // $ Alert
-
-  // an integer from the user is injected into an SQL query.
-  int userNumber = atoi(userInput);
-  char query2[1000] = {0};
-  snprintf(query2, 1000, "SELECT UID FROM USERS where number = \"%i\"", userNumber);
-  OCIStmtPrepare(0, 0, query2, 0, 0, 0); // GOOD
-  OCIStmtPrepare2(0, 0, 0, query2, 0, 0, 0, 0, 0); // GOOD
+  gets(userInput);
+  SQLPrepare(0, userInput, 100); // BAD
+  SQLExecDirect(0, userInput, 100); // BAD
 }

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.cpp

@@ -36,11 +36,11 @@ namespace pqxx {
     };
 }
 
-int main(int argc, char** argv) { // $ Source
+int main(int argc, char** argv) {
     pqxx::connection c;
     pqxx::work w(c);
     
-    pqxx::row r = w.exec1(argv[1]); // $ Alert
+    pqxx::row r = w.exec1(argv[1]); // BAD
     
     pqxx::result r2 = w.exec(w.quote(argv[1])); // GOOD
 

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.7.43
-
-No user-facing changes.
-
 ## 1.7.42
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.43.md

@@ -1,3 +0,0 @@
-## 1.7.43
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.43
+lastReleaseVersion: 1.7.42

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.44-dev
+version: 1.7.43-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.7.43
-
-No user-facing changes.
-
 ## 1.7.42
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.43.md

@@ -1,3 +0,0 @@
-## 1.7.43
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.43
+lastReleaseVersion: 1.7.42

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.44-dev
+version: 1.7.43-dev
 groups:
   - csharp
   - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 5.1.9
-
-No user-facing changes.
-
 ## 5.1.8
 
 No user-facing changes.

csharp/ql/lib/change-notes/released/5.1.9.md

@@ -1,3 +0,0 @@
-## 5.1.9
-
-No user-facing changes.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.1.9
+lastReleaseVersion: 5.1.8

csharp/ql/lib/ext/Microsoft.Data.SqlClient.model.yml

@@ -1,20 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/csharp-all
-      extensible: sinkModel
-    data:
-      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String)", "", "Argument[0]", "sql-injection", "manual"]
-      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection)", "", "Argument[0]", "sql-injection", "manual"]
-      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection,Microsoft.Data.SqlClient.SqlTransaction)", "", "Argument[0]", "sql-injection", "manual"]
-      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection,Microsoft.Data.SqlClient.SqlTransaction,Microsoft.Data.SqlClient.SqlCommandColumnEncryptionSetting)", "", "Argument[0]", "sql-injection", "manual"]
-      - ["Microsoft.Data.SqlClient", "SqlDataAdapter", False, "SqlDataAdapter", "(Microsoft.Data.SqlClient.SqlCommand)", "", "Argument[0]", "sql-injection", "manual"]
-      - ["Microsoft.Data.SqlClient", "SqlDataAdapter", False, "SqlDataAdapter", "(System.String,Microsoft.Data.SqlClient.SqlConnection)", "", "Argument[0]", "sql-injection", "manual"]
-      - ["Microsoft.Data.SqlClient", "SqlDataAdapter", False, "SqlDataAdapter", "(System.String,System.String)", "", "Argument[0]", "sql-injection", "manual"]
-  - addsTo:
-      pack: codeql/csharp-all
-      extensible: summaryModel
-    data:
-      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
-      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
-      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection,Microsoft.Data.SqlClient.SqlTransaction)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
-      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection,Microsoft.Data.SqlClient.SqlTransaction,Microsoft.Data.SqlClient.SqlCommandColumnEncryptionSetting)", "", "Argument[0]", "Argument[this]", "taint", "manual"]

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.1.10-dev
+version: 5.1.9-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for representing abstract bounds for use in, for example, range analysis.
  */
-overlay[local?]
-module;
 
 private import internal.rangeanalysis.BoundSpecific
 

csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll

@@ -3,8 +3,6 @@
  * an expression, `b` is a `Bound` (typically zero or the value of an SSA
  * variable), and `v` is an integer in the range `[0 .. m-1]`.
  */
-overlay[local?]
-module;
 
 private import internal.rangeanalysis.ModulusAnalysisSpecific::Private
 private import Bound

csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll

@@ -1,6 +1,3 @@
-overlay[local?]
-module;
-
 newtype TSign =
   TNeg() or
   TZero() or