Bump actions/download-artifact

Bumps the github_actions group with 1 update in the /.github/workflows directory: [actions/download-artifact](https://github.com/actions/download-artifact).


Updates `actions/download-artifact` from 3 to 4.1.7
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/v3...v4.1.7)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  dependency-group: github_actions
...

Signed-off-by: dependabot[bot] <support@github.com>

.bazelversion

@@ -1 +1 @@
-7.2.1
+5f5d70b6c4d2fb1a889479569107f1692239e8a7

.github/workflows/cpp-swift-analysis.yml

@@ -37,7 +37,7 @@ jobs:
       with:
         languages: cpp
         config-file: ./.github/codeql/codeql-config.yml
-  
+
     - name: "[Ubuntu] Remove GCC 13 from runner image"
       shell: bash
       run: |
@@ -48,7 +48,7 @@ jobs:
     - name: "Build Swift extractor using Bazel"
       run: |
         bazel clean --expunge
-        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local --features=-layering_check
+        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local
         bazel shutdown
 
     - name: Perform CodeQL Analysis

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -76,7 +76,7 @@ jobs:
     needs: measure
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: measurements
           path: stats

.github/workflows/ruby-build.yml

@@ -140,25 +140,26 @@ jobs:
           path: |
             ${{ runner.temp }}/query-packs/*
           retention-days: 1
+          include-hidden-files: true
 
   package:
     runs-on: ubuntu-latest
     needs: [build, compile-queries]
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: ruby.dbscheme
           path: ruby/ruby
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: extractor-ubuntu-latest
           path: ruby/linux64
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: extractor-windows-latest
           path: ruby/win64
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: extractor-macos-latest
           path: ruby/osx64
@@ -176,7 +177,8 @@ jobs:
           name: codeql-ruby-pack
           path: ruby/codeql-ruby.zip
           retention-days: 1
-      - uses: actions/download-artifact@v3
+          include-hidden-files: true
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: codeql-ruby-queries
           path: ruby/qlpacks
@@ -193,6 +195,7 @@ jobs:
           name: codeql-ruby-bundle
           path: ruby/codeql-ruby-bundle.zip
           retention-days: 1
+          include-hidden-files: true
 
   test:
     defaults:
@@ -211,7 +214,7 @@ jobs:
         uses: ./.github/actions/fetch-codeql
 
       - name: Download Ruby bundle
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4.1.7
         with:
           name: codeql-ruby-bundle
           path: ${{ runner.temp }}

.github/workflows/ruby-dataset-measure.yml

@@ -63,7 +63,7 @@ jobs:
     needs: measure
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: measurements
           path: stats

.gitignore

@@ -7,8 +7,8 @@
 .cache
 
 # qltest projects and artifacts
+*.actual
 */ql/test/**/*.testproj
-*/ql/test/**/*.actual
 */ql/test/**/go.sum
 
 # Visual studio temporaries, except a file used by QL4VS

MODULE.bazel

@@ -15,7 +15,7 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "0.0.10")
-bazel_dep(name = "rules_go", version = "0.49.0")
+bazel_dep(name = "rules_go", version = "0.50.0")
 bazel_dep(name = "rules_pkg", version = "0.10.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
 bazel_dep(name = "rules_python", version = "0.32.2")

cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/exprs.ql

@@ -0,0 +1,17 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location_expr {
+  string toString() { none() }
+}
+
+predicate isExprWithNewBuiltin(Expr expr) {
+  exists(int kind | exprs(expr, kind, _) | 385 <= kind and kind <= 388)
+}
+
+from Expr expr, int kind, int kind_new, Location location
+where
+  exprs(expr, kind, location) and
+  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
+select expr, kind_new, location

cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/sizeof_bind.ql

@@ -0,0 +1,14 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Type extends @type {
+  string toString() { none() }
+}
+
+from Expr expr, Type type, int kind
+where
+  sizeof_bind(expr, type) and
+  exprs(expr, kind, _) and
+  (kind = 93 or kind = 94)
+select expr, type

cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/upgrade.properties

@@ -0,0 +1,4 @@
+description: Add new builtin operations
+compatibility: partial
+exprs.rel: run exprs.qlo
+sizeof_bind.rel: run sizeof_bind.qlo

cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/downgrades.ql

@@ -0,0 +1,32 @@
+/*
+ * Approach: replace conversion expressions of kind 389 (= @c11_generic) by
+ * conversion expressions of kind 12 (= @parexpr), i.e., a `ParenthesisExpr`,
+ * and drop the relation which its child expressions, which are just syntactic
+ * sugar. Parenthesis expressions are equally benign as C11 _Generic expressions,
+ * and behave similarly in the context of the IR.
+ */
+
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location {
+  string toString() { none() }
+}
+
+class ExprParent extends @exprparent {
+  string toString() { none() }
+}
+
+query predicate new_exprs(Expr expr, int new_kind, Location loc) {
+  exists(int kind | exprs(expr, kind, loc) | if kind = 389 then new_kind = 12 else new_kind = kind)
+}
+
+query predicate new_exprparents(Expr expr, int index, ExprParent expr_parent) {
+  exprparents(expr, index, expr_parent) and
+  (
+    not expr_parent instanceof @expr
+    or
+    exists(int kind | exprs(expr_parent.(Expr), kind, _) | kind != 389)
+  )
+}

cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/upgrade.properties

@@ -0,0 +1,4 @@
+description: Expose C11 _Generics
+compatibility: partial
+exprs.rel: run downgrades.ql new_exprs
+exprparents.rel: run downgrades.ql new_exprparents

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.4.1
+
+No user-facing changes.
+
 ## 1.4.0
 
 ### New Features

cpp/ql/lib/change-notes/2024-08-28-more-builtin-operations.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added subclasses of `BuiltInOperations` for the `__is_scoped_enum`, `__is_trivially_equality_comparable`, and `__is_trivially_relocatable` builtin operations.
+* Added a subclass of `Expr` for `__datasizeof` expressions.

cpp/ql/lib/change-notes/2024-08-30-c11-generics.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a class `C11GenericExpr` to represent C11 generic selection expressions. The generic selection is represented as a `Conversion` on the expression that will be selected.

cpp/ql/lib/change-notes/released/1.4.1.md

@@ -0,0 +1,3 @@
+## 1.4.1
+
+No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.0
+lastReleaseVersion: 1.4.1

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 1.4.1-dev
+version: 1.4.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -385,6 +385,21 @@ class CastNode extends ConversionNode {
   }
 }
 
+/**
+ * A node representing a `C11GenericExpr`.
+ */
+class C11GenericNode extends ConversionNode {
+  C11GenericExpr generic;
+
+  C11GenericNode() { generic = conv }
+
+  override AstNode getChildInternal(int childIndex) {
+    result = super.getChildInternal(childIndex - count(generic.getAChild()))
+    or
+    result.getAst() = generic.getChild(childIndex)
+  }
+}
+
 /**
  * A node representing a `StmtExpr`.
  */
@@ -860,6 +875,15 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(BuiltInVarArgsStart).getLastNamedParameter() = ele and pred = "getLastNamedParameter()"
     or
+    expr.(C11GenericExpr).getControllingExpr() = ele and pred = "getControllingExpr()"
+    or
+    exists(int n |
+      expr.(C11GenericExpr).getAssociationType(n) = ele.(TypeName).getType() and
+      pred = "getAssociationType(" + n + ")"
+      or
+      expr.(C11GenericExpr).getAssociationExpr(n) = ele and pred = "getAssociationExpr(" + n + ")"
+    )
+    or
     expr.(Call).getQualifier() = ele and pred = "getQualifier()"
     or
     exists(int n | expr.(Call).getArgument(n) = ele and pred = "getArgument(" + n.toString() + ")")

cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -1885,3 +1885,59 @@ class BuiltInOperationIsWinInterface extends BuiltInOperation, @iswininterface {
 
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsWinInterface" }
 }
+
+/**
+ * A C++ `__is_trivially_equality_comparable` built-in operation.
+ *
+ * Returns `true` if comparing two objects of type `_Tp` is equivalent to
+ * comparing their object representations.
+ *
+ * ```
+ * template<typename _Tp>
+ *   struct is_trivially_equality_comparable
+ *   : public integral_constant<bool, __is_trivially_equality_comparable(_Tp)>
+ *   {};
+ * ```
+ */
+class BuiltInOperationIsTriviallyEqualityComparable extends BuiltInOperation,
+  @istriviallyequalitycomparable
+{
+  override string toString() { result = "__is_trivially_equality_comparable" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyEqualityComparable" }
+}
+
+/**
+ * A C++ `__is_scoped_enum` built-in operation (used by some implementations
+ * of the `<type_traits>` header).
+ *
+ * Returns `true` if a type is a scoped enum.
+ * ```
+ * template<typename _Tp>
+ * constexpr bool is_scoped_enum = __is_scoped_enum(_Tp);
+ * ```
+ */
+class BuiltInOperationIsScopedEnum extends BuiltInOperation, @isscopedenum {
+  override string toString() { result = "__is_scoped_enum" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsScopedEnum" }
+}
+
+/**
+ * A C++ `__is_trivially_relocatable` built-in operation.
+ *
+ * Returns `true` if moving an object of type `_Tp` is equivalent to
+ * copying the underlying bytes.
+ *
+ * ```
+ * template<typename _Tp>
+ *   struct is_trivially_relocatable
+ *   : public integral_constant<bool, __is_trivially_relocatable(_Tp)>
+ *   {};
+ * ```
+ */
+class BuiltInOperationIsTriviallyRelocatable extends BuiltInOperation, @istriviallyrelocatable {
+  override string toString() { result = "__is_trivially_relocatable" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyRelocatable" }
+}

cpp/ql/lib/semmle/code/cpp/exprs/Cast.qll

@@ -791,6 +791,53 @@ class AlignofTypeOperator extends AlignofOperator {
   override string toString() { result = "alignof(" + this.getTypeOperand().getName() + ")" }
 }
 
+/**
+ * A C++ `__datasizeof` expression (used by some implementations
+ * of the `<type_traits>` header).
+ *
+ * The `__datasizeof` expression behaves identically to `sizeof` except
+ * that the result ignores tail padding.
+ */
+class DatasizeofOperator extends Expr, @datasizeof {
+  override int getPrecedence() { result = 16 }
+}
+
+/**
+ * A C++ `__datasizeof` expression whose operand is an expression.
+ */
+class DatasizeofExprOperator extends DatasizeofOperator {
+  DatasizeofExprOperator() { exists(this.getChild(0)) }
+
+  override string getAPrimaryQlClass() { result = "DatasizeofExprOperator" }
+
+  /** Gets the contained expression. */
+  Expr getExprOperand() { result = this.getChild(0) }
+
+  override string toString() { result = "__datasizeof(<expr>)" }
+
+  override predicate mayBeImpure() { this.getExprOperand().mayBeImpure() }
+
+  override predicate mayBeGloballyImpure() { this.getExprOperand().mayBeGloballyImpure() }
+}
+
+/**
+ * A C++ `__datasizeof` expression whose operand is a type name.
+ */
+class DatasizeofTypeOperator extends DatasizeofOperator {
+  DatasizeofTypeOperator() { sizeof_bind(underlyingElement(this), _) }
+
+  override string getAPrimaryQlClass() { result = "DatasizeofTypeOperator" }
+
+  /** Gets the contained type. */
+  Type getTypeOperand() { sizeof_bind(underlyingElement(this), unresolveElement(result)) }
+
+  override string toString() { result = "__datasizeof(" + this.getTypeOperand().getName() + ")" }
+
+  override predicate mayBeImpure() { none() }
+
+  override predicate mayBeGloballyImpure() { none() }
+}
+
 /**
  * A C/C++ array to pointer conversion.
  *

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -304,6 +304,8 @@ class Expr extends StmtParent, @expr {
       e instanceof NoExceptExpr
       or
       e instanceof AlignofOperator
+      or
+      e instanceof DatasizeofOperator
     )
     or
     exists(Decltype d | d.getExpr() = this.getParentWithConversions*())
@@ -630,6 +632,106 @@ class ParenthesisExpr extends Conversion, @parexpr {
   override string getAPrimaryQlClass() { result = "ParenthesisExpr" }
 }
 
+/**
+ * A node representing a C11 `_Generic` selection expression.
+ *
+ * For example:
+ * ```
+ * _Generic(e, int: "int", default: "unknown")
+ * ```
+ */
+class C11GenericExpr extends Conversion, @c11_generic {
+  int associationCount;
+
+  C11GenericExpr() { associationCount = (count(this.getAChild()) - 1) / 2 }
+
+  override string toString() { result = "_Generic" }
+
+  override string getAPrimaryQlClass() { result = "C11GenericExpr" }
+
+  /**
+   * Gets the controlling expression of the generic selection.
+   *
+   * For example, for
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * the result is `e`.
+   */
+  Expr getControllingExpr() { result = this.getChild(0) }
+
+  /**
+   * Gets the type of the `n`th element in the association list of the generic selection.
+   *
+   * For example, for
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * the type of the 0th element is `int`. In the case of the default element the
+   * type will an instance of `VoidType`.
+   */
+  Type getAssociationType(int n) {
+    n in [0 .. associationCount - 1] and
+    result = this.getChild(n * 2 + 1).(TypeName).getType()
+  }
+
+  /**
+   * Gets the type of an element in the association list of the generic selection.
+   */
+  Type getAnAssociationType() { result = this.getAssociationType(_) }
+
+  /**
+   * Gets the expression of the `n`th element in the association list of
+   * the generic selection.
+   *
+   * For example, for
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * the expression for 0th element is `"a"`, and the expression for the
+   * 1st element is `"b"`. For the selected expression, this predicate
+   * will yield a `ReuseExpr`, such that
+   * ```
+   * this.getAssociationExpr(n).(ReuseExpr).getReusedExpr() = this.getExpr()
+   * ```
+   */
+  Expr getAssociationExpr(int n) {
+    n in [0 .. associationCount - 1] and
+    result = this.getChild(n * 2 + 2)
+  }
+
+  /**
+   * Gets the expression of an element in the association list of the generic selection.
+   */
+  Expr getAnAssociationExpr() { result = this.getAssociationExpr(_) }
+
+  /**
+   * Holds if the `n`th element of the association list of the generic selection is the
+   * default element.
+   *
+   * For example, for
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * this holds for 1.
+   */
+  predicate isDefaultAssociation(int n) { this.getAssociationType(n) instanceof VoidType }
+
+  /**
+   * Holds if the `n`th element of the association list of the generic selection is the
+   * one whose expression was selected.
+   *
+   * For example, with `e` of type `int` and
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * this holds for 0.
+   */
+  predicate isSelectedAssociation(int n) {
+    this.getAssociationExpr(n).(ReuseExpr).getReusedExpr() = this.getExpr()
+  }
+}
+
 /**
  * A C/C++ expression that could not be resolved, or that can no longer be
  * represented due to a database upgrade or downgrade.
@@ -666,6 +768,8 @@ class AssumeExpr extends Expr, @assume {
 
 /**
  * A C/C++ comma expression.
+ *
+ * For example:
  * ```
  * int c = compute1(), compute2(), resulting_value;
  * ```

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -128,6 +128,9 @@ private predicate ignoreExprAndDescendants(Expr expr) {
     vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
   )
   or
+  // The children of C11 _Generic expressions are just surface syntax.
+  exists(C11GenericExpr generic | generic.getAChild() = expr)
+  or
   // Do not translate implicit destructor calls for unnamed temporary variables that are
   // conditionally constructed (until we have a mechanism for calling these only when the
   // temporary's constructor was run)
@@ -432,6 +435,9 @@ predicate ignoreLoad(Expr expr) {
     // The load is duplicated from the right operand.
     isExtractorFrontendVersion65OrHigher() and expr instanceof CommaExpr
     or
+    // The load is duplicated from the chosen expression.
+    expr instanceof C11GenericExpr
+    or
     expr.(PointerDereferenceExpr).getOperand().getFullyConverted().getType().getUnspecifiedType()
       instanceof FunctionPointerType
     or

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -893,7 +893,8 @@ class TranslatedTransparentConversion extends TranslatedTransparentExpr {
     (
       expr instanceof ParenthesisExpr or
       expr instanceof ReferenceDereferenceExpr or
-      expr instanceof ReferenceToExpr
+      expr instanceof ReferenceToExpr or
+      expr instanceof C11GenericExpr
     )
   }
 

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -42,6 +42,7 @@ private import implementations.Accept
 private import implementations.Poll
 private import implementations.Select
 private import implementations.MySql
+private import implementations.NoexceptFunction
 private import implementations.ODBC
 private import implementations.SqLite3
 private import implementations.PostgreSql

cpp/ql/lib/semmle/code/cpp/models/implementations/Memcpy.qll

@@ -9,13 +9,14 @@ import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
  * The standard functions `memcpy`, `memmove` and `bcopy`; and the gcc variant
  * `__builtin___memcpy_chk`.
  */
 private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffectFunction,
-  AliasFunction
+  AliasFunction, NonThrowingFunction
 {
   MemcpyFunction() {
     // memcpy(dest, src, num)

cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll

@@ -8,9 +8,10 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
+import semmle.code.cpp.models.interfaces.NonThrowing
 
 private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, AliasFunction,
-  SideEffectFunction
+  SideEffectFunction, NonThrowingFunction
 {
   MemsetFunctionModel() {
     this.hasGlobalOrStdOrBslName("memset")

cpp/ql/lib/semmle/code/cpp/models/implementations/NoexceptFunction.qll

@@ -0,0 +1,11 @@
+import semmle.code.cpp.models.interfaces.NonThrowing
+
+/**
+ * A function that is annotated with a `noexcept` specifier (or the equivalent
+ * `throw()` specifier) guaranteeing that the function can not throw exceptions.
+ *
+ * Note: The `throw` specifier was deprecated in C++11 and removed in C++17.
+ */
+class NoexceptFunction extends NonThrowingFunction {
+  NoexceptFunction() { this.isNoExcept() or this.isNoThrow() }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll

@@ -8,11 +8,12 @@
 import semmle.code.cpp.models.interfaces.FormattingFunction
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
+import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
  * The standard functions `printf`, `wprintf` and their glib variants.
  */
-private class Printf extends FormattingFunction, AliasFunction {
+private class Printf extends FormattingFunction, AliasFunction, NonThrowingFunction {
   Printf() {
     this instanceof TopLevelFunction and
     (
@@ -36,7 +37,7 @@ private class Printf extends FormattingFunction, AliasFunction {
 /**
  * The standard functions `fprintf`, `fwprintf` and their glib variants.
  */
-private class Fprintf extends FormattingFunction {
+private class Fprintf extends FormattingFunction, NonThrowingFunction {
   Fprintf() {
     this instanceof TopLevelFunction and
     (
@@ -54,7 +55,7 @@ private class Fprintf extends FormattingFunction {
 /**
  * The standard function `sprintf` and its Microsoft and glib variants.
  */
-private class Sprintf extends FormattingFunction {
+private class Sprintf extends FormattingFunction, NonThrowingFunction {
   Sprintf() {
     this instanceof TopLevelFunction and
     (
@@ -97,7 +98,7 @@ private class Sprintf extends FormattingFunction {
 /**
  * Implements `Snprintf`.
  */
-private class SnprintfImpl extends Snprintf, AliasFunction, SideEffectFunction {
+private class SnprintfImpl extends Snprintf, AliasFunction, SideEffectFunction, NonThrowingFunction {
   SnprintfImpl() {
     this instanceof TopLevelFunction and
     (
@@ -204,7 +205,7 @@ private class StringCchPrintf extends FormattingFunction {
 /**
  * The standard function `syslog`.
  */
-private class Syslog extends FormattingFunction {
+private class Syslog extends FormattingFunction, NonThrowingFunction {
   Syslog() {
     this instanceof TopLevelFunction and
     this.hasGlobalName("syslog") and

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll

@@ -7,13 +7,16 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.SideEffect
+import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
  * The standard function `strcat` and its wide, sized, and Microsoft variants.
  *
  * Does not include `strlcat`, which is covered by `StrlcatFunction`
  */
-class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction {
+class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction,
+  NonThrowingFunction
+{
   StrcatFunction() {
     this.hasGlobalOrStdOrBslName([
         "strcat", // strcat(dst, src)

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll

@@ -7,11 +7,14 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.SideEffect
+import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
  * The standard function `strcpy` and its wide, sized, and Microsoft variants.
  */
-class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, SideEffectFunction {
+class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, SideEffectFunction,
+  NonThrowingFunction
+{
   StrcpyFunction() {
     this.hasGlobalOrStdOrBslName([
         "strcpy", // strcpy(dst, src)

cpp/ql/lib/semmle/code/cpp/models/interfaces/NonThrowing.qll

@@ -0,0 +1,11 @@
+/**
+ * Provides an abstract class for modeling functions that never throw.
+ */
+
+import semmle.code.cpp.Function
+import semmle.code.cpp.models.Models
+
+/**
+ * A function that is guaranteed to never throw.
+ */
+abstract class NonThrowingFunction extends Function { }

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -1210,6 +1210,7 @@ conversionkinds(
             | @reference_to
             | @ref_indirect
             | @temp_init
+            | @c11_generic
             ;
 
 /*
@@ -1788,6 +1789,11 @@ case @expr.kind of
 | 382 = @isvalidwinrttype
 | 383 = @iswinclass
 | 384 = @iswininterface
+| 385 = @istriviallyequalitycomparable
+| 386 = @isscopedenum
+| 387 = @istriviallyrelocatable
+| 388 = @datasizeof
+| 389 = @c11_generic
 ;
 
 @var_args_expr = @vastartexpr
@@ -1901,6 +1907,9 @@ case @expr.kind of
             | @isvalidwinrttype
             | @iswinclass
             | @iswininterface
+            | @istriviallyequalitycomparable
+            | @isscopedenum
+            | @istriviallyrelocatable
             ;
 
 new_allocated_type(
@@ -1961,7 +1970,7 @@ uuidof_bind(
     int type_id: @type ref
 );
 
-@runtime_sizeof_or_alignof = @runtime_sizeof | @runtime_alignof;
+@runtime_sizeof_or_alignof = @runtime_sizeof | @runtime_alignof | @datasizeof;
 
 sizeof_bind(
     unique int expr: @runtime_sizeof_or_alignof ref,

cpp/ql/lib/upgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/upgrade.properties

@@ -0,0 +1,2 @@
+description: Expose C11 _Generics
+compatibility: backwards

cpp/ql/lib/upgrades/68930f3b81bbe3fdbb91c850deca1fec8072d62a/upgrade.properties

@@ -0,0 +1,2 @@
+description: Add new builtin operations
+compatibility: backwards

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.2.1
+
+### Minor Analysis Improvements
+
+* The `cpp/uncontrolled-allocation-size` ("Uncontrolled allocation size") query now considers arithmetic operations that might reduce the size of user input as a barrier. The query therefore produces fewer false positive results.
+
 ## 1.2.0
 
 ### Query Metadata Changes

cpp/ql/src/Security/CWE/CWE-190/Bounded.qll

@@ -1,6 +1,6 @@
 /**
- * This file provides the `bounded` predicate that is used in both `cpp/uncontrolled-arithmetic`
- * and `cpp/tainted-arithmetic`.
+ * This file provides the `bounded` predicate that is used in `cpp/uncontrolled-arithmetic`,
+ * `cpp/tainted-arithmetic` and `cpp/uncontrolled-allocation-size`.
  */
 
 private import cpp
@@ -8,20 +8,18 @@ private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 
 /**
- * An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
- * or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
- * bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
+ * An operand `operand` of a bitwise and expression `andExpr` (i.e., `andExpr` is either a
+ * `BitwiseAndExpr` or an `AssignAndExpr`) is upper bounded by some number that is less than the
+ * maximum integer allowed by the result type of `andExpr`.
  */
 pragma[inline]
-private predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
-  operand1 != operand2 and
-  e = operand1 and
-  upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
+private predicate boundedBitwiseAnd(Expr operand, Expr andExpr) {
+  upperBound(operand.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
 }
 
 /**
- * Holds if `e` is an arithmetic expression that cannot overflow, or if `e` is an operand of an
- * operation that may greatly reduce the range of possible values.
+ * Holds if `e` is an arithmetic expression that cannot overflow, or if `e` is an operation that
+ * may greatly reduce the range of possible values.
  */
 predicate bounded(Expr e) {
   // There can be two separate reasons for `convertedExprMightOverflow` not holding:
@@ -35,25 +33,25 @@ predicate bounded(Expr e) {
   ) and
   not convertedExprMightOverflow(e)
   or
-  // Optimistically assume that a remainder expression always yields a much smaller value.
-  e = any(RemExpr rem).getLeftOperand()
+  // Optimistically assume that the following operations always yields a much smaller value.
+  e instanceof RemExpr
   or
-  e = any(AssignRemExpr rem).getLValue()
+  e instanceof DivExpr
+  or
+  e instanceof RShiftExpr
   or
   exists(BitwiseAndExpr andExpr |
-    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
+    e = andExpr and boundedBitwiseAnd(andExpr.getAnOperand(), andExpr)
   )
   or
-  exists(AssignAndExpr andExpr |
-    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
-  )
-  or
-  // Optimistically assume that a division always yields a much smaller value.
-  e = any(DivExpr div).getLeftOperand()
+  // For the assignment variant of the operations we place the barrier on the assigned lvalue.
+  e = any(AssignRemExpr rem).getLValue()
   or
   e = any(AssignDivExpr div).getLValue()
   or
-  e = any(RShiftExpr shift).getLeftOperand()
-  or
   e = any(AssignRShiftExpr div).getLValue()
+  or
+  exists(AssignAndExpr andExpr |
+    e = andExpr.getLValue() and boundedBitwiseAnd(andExpr.getRValue(), andExpr)
+  )
 }

cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql

@@ -16,6 +16,7 @@
 import cpp
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.controlflow.Guards
+import semmle.code.cpp.models.implementations.NoexceptFunction
 
 /** Gets the `Constructor` invoked when `newExpr` allocates memory. */
 Constructor getConstructorForAllocation(NewOrNewArrayExpr newExpr) {
@@ -44,9 +45,8 @@ predicate deleteMayThrow(DeleteOrDeleteArrayExpr deleteExpr) {
  * like it might throw an exception, and the function does not have a `noexcept` or `throw()` specifier.
  */
 predicate functionMayThrow(Function f) {
-  (not exists(f.getBlock()) or stmtMayThrow(f.getBlock())) and
-  not f.isNoExcept() and
-  not f.isNoThrow()
+  not f instanceof NonThrowingFunction and
+  (not exists(f.getBlock()) or stmtMayThrow(f.getBlock()))
 }
 
 /** Holds if the evaluation of `stmt` may throw an exception. */
@@ -172,8 +172,7 @@ class ThrowingAllocator extends Function {
       not exists(Parameter p | p = this.getAParameter() |
         p.getUnspecifiedType().stripType() instanceof NoThrowType
       ) and
-      not this.isNoExcept() and
-      not this.isNoThrow()
+      not this instanceof NoexceptFunction
     )
   }
 }

cpp/ql/src/change-notes/2024-08-26-non-throwing-functions.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Add modeling of C functions that don't throw, thereby increasing the precision of the `cpp/incorrect-allocation-error-handling` ("Incorrect allocation-error handling") query. The query now produces additional true positives.

cpp/ql/src/change-notes/released/1.2.1.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* The `cpp/uncontrolled-allocation-size` ("Uncontrolled allocation size") query now considers arithmetic operations that might reduce the size of user input as a barrier. The query therefore produces fewer false positive results.
+## 1.2.1
+
+### Minor Analysis Improvements
+
+* The `cpp/uncontrolled-allocation-size` ("Uncontrolled allocation size") query now considers arithmetic operations that might reduce the size of user input as a barrier. The query therefore produces fewer false positive results.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.2.0
+lastReleaseVersion: 1.2.1

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.2.1-dev
+version: 1.2.2-dev
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/builtins/type_traits/clang.cpp

@@ -1,4 +1,4 @@
-// semmle-extractor-options: --clang --clang_version 180000
+// semmle-extractor-options: --clang --edg --clang_version --edg 190000
 
 struct S {
     void f() {}
@@ -108,3 +108,16 @@ bool b_is_unbounded_array2 = __is_unbounded_array(int[42]);
 
 bool b_is_referenceable1 = __is_referenceable(int);
 bool b_is_referenceable2 = __is_referenceable(void);
+
+bool b_is_trivially_equality_comparable1 = __is_trivially_equality_comparable(int);
+bool b_is_trivially_equality_comparable2 = __is_trivially_equality_comparable(void);
+
+enum class E {
+    a, b
+};
+
+bool b_is_scoped_enum1 = __is_scoped_enum(E);
+bool b_is_scoped_enum2 = __is_scoped_enum(int);
+
+bool b_is_trivially_relocatable1 = __is_trivially_relocatable(int);
+bool b_is_trivially_relocatable2 = __is_trivially_relocatable(void);

cpp/ql/test/library-tests/builtins/type_traits/expr.expected

@@ -153,7 +153,21 @@
 | clang.cpp:109:28:109:50 | int |  | <none> |
 | clang.cpp:110:28:110:51 | __is_referenceable | void | 0 |
 | clang.cpp:110:28:110:51 | void |  | <none> |
+| clang.cpp:112:44:112:82 | __is_trivially_equality_comparable | int | 1 |
+| clang.cpp:112:44:112:82 | int |  | <none> |
+| clang.cpp:113:44:113:83 | __is_trivially_equality_comparable | void | 0 |
+| clang.cpp:113:44:113:83 | void |  | <none> |
+| clang.cpp:119:26:119:44 | E |  | <none> |
+| clang.cpp:119:26:119:44 | __is_scoped_enum | E | 1 |
+| clang.cpp:120:26:120:46 | __is_scoped_enum | int | 0 |
+| clang.cpp:120:26:120:46 | int |  | <none> |
+| clang.cpp:122:36:122:66 | __is_trivially_relocatable | int | 1 |
+| clang.cpp:122:36:122:66 | int |  | <none> |
+| clang.cpp:123:36:123:67 | __is_trivially_relocatable | void | 0 |
+| clang.cpp:123:36:123:67 | void |  | <none> |
 | file://:0:0:0:0 | 0 |  | 0 |
+| file://:0:0:0:0 | 0 |  | 0 |
+| file://:0:0:0:0 | 1 |  | 1 |
 | file://:0:0:0:0 | 1 |  | 1 |
 | file://:0:0:0:0 | 2 |  | 2 |
 | gcc.cpp:3:25:3:25 | 8 |  | 8 |

cpp/ql/test/library-tests/c11_generic/PrintAST.expected

@@ -0,0 +1,458 @@
+#-----| [CopyAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag const&)
+#-----|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const __va_list_tag &
+#-----| [MoveAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag&&)
+#-----|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] __va_list_tag &&
+generic.c:
+#    3| [FormattingFunction,TopLevelFunction] int printf(char const*)
+#    3|   <params>: 
+#    3|     getParameter(0): [Parameter] format
+#    3|         Type = [PointerType] const char *
+#   14| [TopLevelFunction] int main()
+#   14|   <params>: 
+#   15|   getEntryPoint(): [BlockStmt] { ... }
+#   16|     getStmt(0): [DeclStmt] declaration
+#   16|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of i
+#   16|           Type = [IntType] int
+#   17|     getStmt(1): [DeclStmt] declaration
+#   17|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of m
+#   17|           Type = [CTypedefType] MYINT
+#   18|     getStmt(2): [DeclStmt] declaration
+#   18|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of s
+#   18|           Type = [PointerType] const char *
+#   19|     getStmt(3): [DeclStmt] declaration
+#   19|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of f
+#   19|           Type = [PointerType] float ***
+#   21|     getStmt(4): [ExprStmt] ExprStmt
+#   21|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   21|           Type = [IntType] int
+#   21|           ValueCategory = prvalue
+#   21|         getArgument(0): i is %s\n
+#   21|             Type = [ArrayType] char[9]
+#   21|             Value = [StringLiteral] "i is %s\n"
+#   21|             ValueCategory = lvalue
+#   21|         getArgument(1): int
+#   21|             Type = [ArrayType] char[4]
+#   21|             Value = [StringLiteral] "int"
+#   21|             ValueCategory = lvalue
+#   21|         getArgument(0).getFullyConverted(): [CStyleCast] (const char *)...
+#   21|             Conversion = [PointerConversion] pointer conversion
+#   21|             Type = [PointerType] const char *
+#   21|             ValueCategory = prvalue
+#   21|           getExpr(): [ArrayToPointerConversion] array to pointer conversion
+#   21|               Type = [CharPointerType] char *
+#   21|               ValueCategory = prvalue
+#   21|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   21|             Type = [CharPointerType] char *
+#   21|             ValueCategory = prvalue
+#   21|           getExpr(): [C11GenericExpr] _Generic
+#   21|               Type = [ArrayType] char[4]
+#   21|               Value = [C11GenericExpr] int
+#   21|               ValueCategory = lvalue
+#   21|             getControllingExpr(): [VariableAccess] i
+#   21|                 Type = [IntType] int
+#   21|                 ValueCategory = prvalue(load)
+#   21|             getAssociationType(0): [TypeName] int
+#   21|                 Type = [IntType] int
+#   21|                 ValueCategory = prvalue
+#   21|             getAssociationExpr(0): [ReuseExpr] reuse of int
+#   21|                 Type = [ArrayType] char[4]
+#   21|                 ValueCategory = lvalue
+#   21|             getAssociationType(1): [TypeName] const char *
+#   21|                 Type = [PointerType] const char *
+#   21|                 ValueCategory = prvalue
+#   21|             getAssociationExpr(1): string
+#   21|                 Type = [ArrayType] char[7]
+#   21|                 Value = [StringLiteral] "string"
+#   21|                 ValueCategory = lvalue
+#   21|             getAssociationType(2): [TypeName] void
+#   21|                 Type = [VoidType] void
+#   21|                 ValueCategory = prvalue
+#   21|             getAssociationExpr(2): unknown
+#   21|                 Type = [ArrayType] char[8]
+#   21|                 Value = [StringLiteral] "unknown"
+#   21|                 ValueCategory = lvalue
+#   21|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   21|                 Type = [IntType] int
+#   21|                 ValueCategory = prvalue(load)
+#   22|     getStmt(5): [ExprStmt] ExprStmt
+#   22|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   22|           Type = [IntType] int
+#   22|           ValueCategory = prvalue
+#   22|         getArgument(0): c is %s\n
+#   22|             Type = [ArrayType] char[9]
+#   22|             Value = [StringLiteral] "c is %s\n"
+#   22|             ValueCategory = lvalue
+#   22|         getArgument(1): int
+#   22|             Type = [ArrayType] char[4]
+#   22|             Value = [StringLiteral] "int"
+#   22|             ValueCategory = lvalue
+#   22|         getArgument(0).getFullyConverted(): [CStyleCast] (const char *)...
+#   22|             Conversion = [PointerConversion] pointer conversion
+#   22|             Type = [PointerType] const char *
+#   22|             ValueCategory = prvalue
+#   22|           getExpr(): [ArrayToPointerConversion] array to pointer conversion
+#   22|               Type = [CharPointerType] char *
+#   22|               ValueCategory = prvalue
+#   22|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   22|             Type = [CharPointerType] char *
+#   22|             ValueCategory = prvalue
+#   22|           getExpr(): [C11GenericExpr] _Generic
+#   22|               Type = [ArrayType] char[4]
+#   22|               Value = [C11GenericExpr] int
+#   22|               ValueCategory = lvalue
+#   22|             getControllingExpr(): [VariableAccess] m
+#   22|                 Type = [CTypedefType] MYINT
+#   22|                 ValueCategory = prvalue(load)
+#   22|             getAssociationType(0): [TypeName] int
+#   22|                 Type = [IntType] int
+#   22|                 ValueCategory = prvalue
+#   22|             getAssociationExpr(0): [ReuseExpr] reuse of int
+#   22|                 Type = [ArrayType] char[4]
+#   22|                 ValueCategory = lvalue
+#   22|             getAssociationType(1): [TypeName] const char *
+#   22|                 Type = [PointerType] const char *
+#   22|                 ValueCategory = prvalue
+#   22|             getAssociationExpr(1): string
+#   22|                 Type = [ArrayType] char[7]
+#   22|                 Value = [StringLiteral] "string"
+#   22|                 ValueCategory = lvalue
+#   22|             getAssociationType(2): [TypeName] void
+#   22|                 Type = [VoidType] void
+#   22|                 ValueCategory = prvalue
+#   22|             getAssociationExpr(2): unknown
+#   22|                 Type = [ArrayType] char[8]
+#   22|                 Value = [StringLiteral] "unknown"
+#   22|                 ValueCategory = lvalue
+#   22|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   22|                 Type = [CTypedefType] MYINT
+#   22|                 ValueCategory = prvalue(load)
+#   23|     getStmt(6): [ExprStmt] ExprStmt
+#   23|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   23|           Type = [IntType] int
+#   23|           ValueCategory = prvalue
+#   23|         getArgument(0): s is %s\n
+#   23|             Type = [ArrayType] char[9]
+#   23|             Value = [StringLiteral] "s is %s\n"
+#   23|             ValueCategory = lvalue
+#   23|         getArgument(1): string
+#   23|             Type = [ArrayType] char[7]
+#   23|             Value = [StringLiteral] "string"
+#   23|             ValueCategory = lvalue
+#   23|         getArgument(0).getFullyConverted(): [CStyleCast] (const char *)...
+#   23|             Conversion = [PointerConversion] pointer conversion
+#   23|             Type = [PointerType] const char *
+#   23|             ValueCategory = prvalue
+#   23|           getExpr(): [ArrayToPointerConversion] array to pointer conversion
+#   23|               Type = [CharPointerType] char *
+#   23|               ValueCategory = prvalue
+#   23|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   23|             Type = [CharPointerType] char *
+#   23|             ValueCategory = prvalue
+#   23|           getExpr(): [C11GenericExpr] _Generic
+#   23|               Type = [ArrayType] char[7]
+#   23|               Value = [C11GenericExpr] string
+#   23|               ValueCategory = lvalue
+#   23|             getControllingExpr(): [VariableAccess] s
+#   23|                 Type = [PointerType] const char *
+#   23|                 ValueCategory = prvalue(load)
+#   23|             getAssociationType(0): [TypeName] int
+#   23|                 Type = [IntType] int
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(0): int
+#   23|                 Type = [ArrayType] char[4]
+#   23|                 Value = [StringLiteral] "int"
+#   23|                 ValueCategory = lvalue
+#   23|             getAssociationType(1): [TypeName] const char *
+#   23|                 Type = [PointerType] const char *
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(1): [ReuseExpr] reuse of string
+#   23|                 Type = [ArrayType] char[7]
+#   23|                 ValueCategory = lvalue
+#   23|             getAssociationType(2): [TypeName] void
+#   23|                 Type = [VoidType] void
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(2): unknown
+#   23|                 Type = [ArrayType] char[8]
+#   23|                 Value = [StringLiteral] "unknown"
+#   23|                 ValueCategory = lvalue
+#   23|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   23|                 Type = [PointerType] const char *
+#   23|                 ValueCategory = prvalue(load)
+#   24|     getStmt(7): [ExprStmt] ExprStmt
+#   24|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   24|           Type = [IntType] int
+#   24|           ValueCategory = prvalue
+#   24|         getArgument(0): f is %s\n
+#   24|             Type = [ArrayType] char[9]
+#   24|             Value = [StringLiteral] "f is %s\n"
+#   24|             ValueCategory = lvalue
+#   24|         getArgument(1): unknown
+#   24|             Type = [ArrayType] char[8]
+#   24|             Value = [StringLiteral] "unknown"
+#   24|             ValueCategory = lvalue
+#   24|         getArgument(0).getFullyConverted(): [CStyleCast] (const char *)...
+#   24|             Conversion = [PointerConversion] pointer conversion
+#   24|             Type = [PointerType] const char *
+#   24|             ValueCategory = prvalue
+#   24|           getExpr(): [ArrayToPointerConversion] array to pointer conversion
+#   24|               Type = [CharPointerType] char *
+#   24|               ValueCategory = prvalue
+#   24|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   24|             Type = [CharPointerType] char *
+#   24|             ValueCategory = prvalue
+#   24|           getExpr(): [C11GenericExpr] _Generic
+#   24|               Type = [ArrayType] char[8]
+#   24|               Value = [C11GenericExpr] unknown
+#   24|               ValueCategory = lvalue
+#   24|             getControllingExpr(): [VariableAccess] f
+#   24|                 Type = [PointerType] float ***
+#   24|                 ValueCategory = prvalue(load)
+#   24|             getAssociationType(0): [TypeName] int
+#   24|                 Type = [IntType] int
+#   24|                 ValueCategory = prvalue
+#   24|             getAssociationExpr(0): int
+#   24|                 Type = [ArrayType] char[4]
+#   24|                 Value = [StringLiteral] "int"
+#   24|                 ValueCategory = lvalue
+#   24|             getAssociationType(1): [TypeName] const char *
+#   24|                 Type = [PointerType] const char *
+#   24|                 ValueCategory = prvalue
+#   24|             getAssociationExpr(1): string
+#   24|                 Type = [ArrayType] char[7]
+#   24|                 Value = [StringLiteral] "string"
+#   24|                 ValueCategory = lvalue
+#   24|             getAssociationType(2): [TypeName] void
+#   24|                 Type = [VoidType] void
+#   24|                 ValueCategory = prvalue
+#   24|             getAssociationExpr(2): [ReuseExpr] reuse of unknown
+#   24|                 Type = [ArrayType] char[8]
+#   24|                 ValueCategory = lvalue
+#   24|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   24|                 Type = [PointerType] float ***
+#   24|                 ValueCategory = prvalue(load)
+#   25|     getStmt(8): [ReturnStmt] return ...
+#-----|       getExpr(): [Literal] 0
+#-----|           Type = [IntType] int
+#-----|           Value = [Literal] 0
+#-----|           ValueCategory = prvalue
+generic.cpp:
+#    4| [FormattingFunction,TopLevelFunction] int printf(char const*)
+#    4|   <params>: 
+#    4|     getParameter(0): [Parameter] format
+#    4|         Type = [PointerType] const char *
+#   15| [TopLevelFunction] int main()
+#   15|   <params>: 
+#   16|   getEntryPoint(): [BlockStmt] { ... }
+#   17|     getStmt(0): [DeclStmt] declaration
+#   17|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of i
+#   17|           Type = [IntType] int
+#   18|     getStmt(1): [DeclStmt] declaration
+#   18|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of m
+#   18|           Type = [CTypedefType] MYINT
+#   19|     getStmt(2): [DeclStmt] declaration
+#   19|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of s
+#   19|           Type = [PointerType] const char *
+#   20|     getStmt(3): [DeclStmt] declaration
+#   20|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of f
+#   20|           Type = [PointerType] float ***
+#   22|     getStmt(4): [ExprStmt] ExprStmt
+#   22|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   22|           Type = [IntType] int
+#   22|           ValueCategory = prvalue
+#   22|         getArgument(0): i is %s\n
+#   22|             Type = [ArrayType] const char[9]
+#   22|             Value = [StringLiteral] "i is %s\n"
+#   22|             ValueCategory = lvalue
+#   22|         getArgument(1): int
+#   22|             Type = [ArrayType] const char[4]
+#   22|             Value = [StringLiteral] "int"
+#   22|             ValueCategory = lvalue
+#   22|         getArgument(0).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   22|             Type = [PointerType] const char *
+#   22|             ValueCategory = prvalue
+#   22|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   22|             Type = [PointerType] const char *
+#   22|             ValueCategory = prvalue
+#   22|           getExpr(): [C11GenericExpr] _Generic
+#   22|               Type = [ArrayType] const char[4]
+#   22|               Value = [C11GenericExpr] int
+#   22|               ValueCategory = lvalue
+#   22|             getControllingExpr(): [VariableAccess] i
+#   22|                 Type = [IntType] int
+#   22|                 ValueCategory = lvalue
+#   22|             getAssociationType(0): [TypeName] int
+#   22|                 Type = [IntType] int
+#   22|                 ValueCategory = prvalue
+#   22|             getAssociationExpr(0): [ReuseExpr] reuse of int
+#   22|                 Type = [ArrayType] const char[4]
+#   22|                 ValueCategory = lvalue
+#   22|             getAssociationType(1): [TypeName] const char *
+#   22|                 Type = [PointerType] const char *
+#   22|                 ValueCategory = prvalue
+#   22|             getAssociationExpr(1): string
+#   22|                 Type = [ArrayType] const char[7]
+#   22|                 Value = [StringLiteral] "string"
+#   22|                 ValueCategory = lvalue
+#   22|             getAssociationType(2): [TypeName] void
+#   22|                 Type = [VoidType] void
+#   22|                 ValueCategory = prvalue
+#   22|             getAssociationExpr(2): unknown
+#   22|                 Type = [ArrayType] const char[8]
+#   22|                 Value = [StringLiteral] "unknown"
+#   22|                 ValueCategory = lvalue
+#   22|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   22|                 Type = [IntType] int
+#   22|                 ValueCategory = lvalue
+#   23|     getStmt(5): [ExprStmt] ExprStmt
+#   23|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   23|           Type = [IntType] int
+#   23|           ValueCategory = prvalue
+#   23|         getArgument(0): c is %s\n
+#   23|             Type = [ArrayType] const char[9]
+#   23|             Value = [StringLiteral] "c is %s\n"
+#   23|             ValueCategory = lvalue
+#   23|         getArgument(1): int
+#   23|             Type = [ArrayType] const char[4]
+#   23|             Value = [StringLiteral] "int"
+#   23|             ValueCategory = lvalue
+#   23|         getArgument(0).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   23|             Type = [PointerType] const char *
+#   23|             ValueCategory = prvalue
+#   23|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   23|             Type = [PointerType] const char *
+#   23|             ValueCategory = prvalue
+#   23|           getExpr(): [C11GenericExpr] _Generic
+#   23|               Type = [ArrayType] const char[4]
+#   23|               Value = [C11GenericExpr] int
+#   23|               ValueCategory = lvalue
+#   23|             getControllingExpr(): [VariableAccess] m
+#   23|                 Type = [CTypedefType] MYINT
+#   23|                 ValueCategory = lvalue
+#   23|             getAssociationType(0): [TypeName] int
+#   23|                 Type = [IntType] int
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(0): [ReuseExpr] reuse of int
+#   23|                 Type = [ArrayType] const char[4]
+#   23|                 ValueCategory = lvalue
+#   23|             getAssociationType(1): [TypeName] const char *
+#   23|                 Type = [PointerType] const char *
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(1): string
+#   23|                 Type = [ArrayType] const char[7]
+#   23|                 Value = [StringLiteral] "string"
+#   23|                 ValueCategory = lvalue
+#   23|             getAssociationType(2): [TypeName] void
+#   23|                 Type = [VoidType] void
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(2): unknown
+#   23|                 Type = [ArrayType] const char[8]
+#   23|                 Value = [StringLiteral] "unknown"
+#   23|                 ValueCategory = lvalue
+#   23|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   23|                 Type = [CTypedefType] MYINT
+#   23|                 ValueCategory = lvalue
+#   24|     getStmt(6): [ExprStmt] ExprStmt
+#   24|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   24|           Type = [IntType] int
+#   24|           ValueCategory = prvalue
+#   24|         getArgument(0): s is %s\n
+#   24|             Type = [ArrayType] const char[9]
+#   24|             Value = [StringLiteral] "s is %s\n"
+#   24|             ValueCategory = lvalue
+#   24|         getArgument(1): string
+#   24|             Type = [ArrayType] const char[7]
+#   24|             Value = [StringLiteral] "string"
+#   24|             ValueCategory = lvalue
+#   24|         getArgument(0).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   24|             Type = [PointerType] const char *
+#   24|             ValueCategory = prvalue
+#   24|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   24|             Type = [PointerType] const char *
+#   24|             ValueCategory = prvalue
+#   24|           getExpr(): [C11GenericExpr] _Generic
+#   24|               Type = [ArrayType] const char[7]
+#   24|               Value = [C11GenericExpr] string
+#   24|               ValueCategory = lvalue
+#   24|             getControllingExpr(): [VariableAccess] s
+#   24|                 Type = [PointerType] const char *
+#   24|                 ValueCategory = lvalue
+#   24|             getAssociationType(0): [TypeName] int
+#   24|                 Type = [IntType] int
+#   24|                 ValueCategory = prvalue
+#   24|             getAssociationExpr(0): int
+#   24|                 Type = [ArrayType] const char[4]
+#   24|                 Value = [StringLiteral] "int"
+#   24|                 ValueCategory = lvalue
+#   24|             getAssociationType(1): [TypeName] const char *
+#   24|                 Type = [PointerType] const char *
+#   24|                 ValueCategory = prvalue
+#   24|             getAssociationExpr(1): [ReuseExpr] reuse of string
+#   24|                 Type = [ArrayType] const char[7]
+#   24|                 ValueCategory = lvalue
+#   24|             getAssociationType(2): [TypeName] void
+#   24|                 Type = [VoidType] void
+#   24|                 ValueCategory = prvalue
+#   24|             getAssociationExpr(2): unknown
+#   24|                 Type = [ArrayType] const char[8]
+#   24|                 Value = [StringLiteral] "unknown"
+#   24|                 ValueCategory = lvalue
+#   24|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   24|                 Type = [PointerType] const char *
+#   24|                 ValueCategory = lvalue
+#   25|     getStmt(7): [ExprStmt] ExprStmt
+#   25|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   25|           Type = [IntType] int
+#   25|           ValueCategory = prvalue
+#   25|         getArgument(0): f is %s\n
+#   25|             Type = [ArrayType] const char[9]
+#   25|             Value = [StringLiteral] "f is %s\n"
+#   25|             ValueCategory = lvalue
+#   25|         getArgument(1): unknown
+#   25|             Type = [ArrayType] const char[8]
+#   25|             Value = [StringLiteral] "unknown"
+#   25|             ValueCategory = lvalue
+#   25|         getArgument(0).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   25|             Type = [PointerType] const char *
+#   25|             ValueCategory = prvalue
+#   25|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   25|             Type = [PointerType] const char *
+#   25|             ValueCategory = prvalue
+#   25|           getExpr(): [C11GenericExpr] _Generic
+#   25|               Type = [ArrayType] const char[8]
+#   25|               Value = [C11GenericExpr] unknown
+#   25|               ValueCategory = lvalue
+#   25|             getControllingExpr(): [VariableAccess] f
+#   25|                 Type = [PointerType] float ***
+#   25|                 ValueCategory = lvalue
+#   25|             getAssociationType(0): [TypeName] int
+#   25|                 Type = [IntType] int
+#   25|                 ValueCategory = prvalue
+#   25|             getAssociationExpr(0): int
+#   25|                 Type = [ArrayType] const char[4]
+#   25|                 Value = [StringLiteral] "int"
+#   25|                 ValueCategory = lvalue
+#   25|             getAssociationType(1): [TypeName] const char *
+#   25|                 Type = [PointerType] const char *
+#   25|                 ValueCategory = prvalue
+#   25|             getAssociationExpr(1): string
+#   25|                 Type = [ArrayType] const char[7]
+#   25|                 Value = [StringLiteral] "string"
+#   25|                 ValueCategory = lvalue
+#   25|             getAssociationType(2): [TypeName] void
+#   25|                 Type = [VoidType] void
+#   25|                 ValueCategory = prvalue
+#   25|             getAssociationExpr(2): [ReuseExpr] reuse of unknown
+#   25|                 Type = [ArrayType] const char[8]
+#   25|                 ValueCategory = lvalue
+#   25|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   25|                 Type = [PointerType] float ***
+#   25|                 ValueCategory = lvalue
+#   26|     getStmt(8): [ReturnStmt] return ...
+#-----|       getExpr(): [Literal] 0
+#-----|           Type = [IntType] int
+#-----|           Value = [Literal] 0
+#-----|           ValueCategory = prvalue

cpp/ql/test/library-tests/c11_generic/PrintAST.qlref

@@ -0,0 +1 @@
+semmle/code/cpp/PrintAST.ql

cpp/ql/test/library-tests/c11_generic/macro_invocation.expected

@@ -0,0 +1,8 @@
+| generic.c:21:22:21:32 | _Generic | generic.c:21:22:21:32 | describe(val) |
+| generic.c:22:22:22:32 | _Generic | generic.c:22:22:22:32 | describe(val) |
+| generic.c:23:22:23:32 | _Generic | generic.c:23:22:23:32 | describe(val) |
+| generic.c:24:22:24:32 | _Generic | generic.c:24:22:24:32 | describe(val) |
+| generic.cpp:22:22:22:32 | _Generic | generic.cpp:22:22:22:32 | describe(val) |
+| generic.cpp:23:22:23:32 | _Generic | generic.cpp:23:22:23:32 | describe(val) |
+| generic.cpp:24:22:24:32 | _Generic | generic.cpp:24:22:24:32 | describe(val) |
+| generic.cpp:25:22:25:32 | _Generic | generic.cpp:25:22:25:32 | describe(val) |

cpp/ql/test/library-tests/c11_generic/macro_invocation.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from C11GenericExpr g, MacroInvocation m
+where m.getAnExpandedElement() = g
+select g, m

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -450,7 +450,7 @@ void test_qualifiers()
 	b.member = source();
 	sink(b); // $ ir MISSING: ast
 	sink(b.member); // $ ast,ir
-	sink(b.getMember()); // $ ir MISSING: ast
+	sink(b.getMember()); // $  MISSING: ir ast
 
 	c = new MyClass2(0);
 

cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp

@@ -115,8 +115,8 @@ void test_vector_swap() {
 	v3.swap(v4);
 
 	sink(v1);
-	sink(v2); // $ ir MISSING:ast
-	sink(v3); // $ ir MISSING:ast
+	sink(v2); // $ MISSING:ir ast
+	sink(v3); // $ MISSING:ir ast
 	sink(v4);
 }
 

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -4180,7 +4180,7 @@ destructors_for_temps.cpp:
 #  103|             ValueCategory = prvalue
 #  104|     getStmt(1): [ReturnStmt] return ...
 generic.c:
-#    1| [TopLevelFunction] void c11_generic_test(unsigned int, int)
+#    1| [TopLevelFunction] void c11_generic_test_with_load(unsigned int, int)
 #    1|   <params>: 
 #    1|     getParameter(0): [Parameter] x
 #    1|         Type = [IntType] unsigned int
@@ -4207,12 +4207,150 @@ generic.c:
 #    3|               Type = [IntType] int
 #    3|               Value = [Literal] 1
 #    3|               ValueCategory = prvalue
+#    3|           getLeftOperand().getFullyConverted(): [C11GenericExpr] _Generic
+#    3|               Type = [IntType] unsigned int
+#    3|               ValueCategory = prvalue(load)
+#    3|             getControllingExpr(): [VariableAccess] r
+#    3|                 Type = [IntType] unsigned int
+#    3|                 ValueCategory = prvalue(load)
+#    3|             getAssociationType(0): [TypeName] unsigned int
+#    3|                 Type = [IntType] unsigned int
+#    3|                 ValueCategory = prvalue
+#    3|             getAssociationExpr(0): [ReuseExpr] reuse of x
+#    3|                 Type = [IntType] unsigned int
+#    3|                 ValueCategory = lvalue
+#    3|             getAssociationType(1): [TypeName] int
+#    3|                 Type = [IntType] int
+#    3|                 ValueCategory = prvalue
+#    3|             getAssociationExpr(1): [VariableAccess] y
+#    3|                 Type = [IntType] int
+#    3|                 ValueCategory = lvalue
 #    3|           getRightOperand().getFullyConverted(): [CStyleCast] (unsigned int)...
 #    3|               Conversion = [IntegralConversion] integral conversion
 #    3|               Type = [IntType] unsigned int
 #    3|               Value = [CStyleCast] 1
 #    3|               ValueCategory = prvalue
 #    4|     getStmt(2): [ReturnStmt] return ...
+#   12| [TopLevelFunction] char const* c11_generic_test_with_constant_and_macro()
+#   12|   <params>: 
+#   13|   getEntryPoint(): [BlockStmt] { ... }
+#   14|     getStmt(0): [DeclStmt] declaration
+#   14|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of i
+#   14|           Type = [IntType] int
+#   16|     getStmt(1): [ReturnStmt] return ...
+#   16|       getExpr(): int
+#   16|           Type = [ArrayType] char[4]
+#   16|           Value = [StringLiteral] "int"
+#   16|           ValueCategory = lvalue
+#   16|       getExpr().getFullyConverted(): [CStyleCast] (const char *)...
+#   16|           Conversion = [PointerConversion] pointer conversion
+#   16|           Type = [PointerType] const char *
+#   16|           ValueCategory = prvalue
+#   16|         getExpr(): [ArrayToPointerConversion] array to pointer conversion
+#   16|             Type = [CharPointerType] char *
+#   16|             ValueCategory = prvalue
+#   16|           getExpr(): [C11GenericExpr] _Generic
+#   16|               Type = [ArrayType] char[4]
+#   16|               Value = [C11GenericExpr] int
+#   16|               ValueCategory = lvalue
+#   16|             getControllingExpr(): [VariableAccess] i
+#   16|                 Type = [IntType] int
+#   16|                 ValueCategory = prvalue(load)
+#   16|             getAssociationType(0): [TypeName] int
+#   16|                 Type = [IntType] int
+#   16|                 ValueCategory = prvalue
+#   16|             getAssociationExpr(0): [ReuseExpr] reuse of int
+#   16|                 Type = [ArrayType] char[4]
+#   16|                 ValueCategory = lvalue
+#   16|             getAssociationType(1): [TypeName] void
+#   16|                 Type = [VoidType] void
+#   16|                 ValueCategory = prvalue
+#   16|             getAssociationExpr(1): unknown
+#   16|                 Type = [ArrayType] char[8]
+#   16|                 Value = [StringLiteral] "unknown"
+#   16|                 ValueCategory = lvalue
+#   16|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   16|                 Type = [IntType] int
+#   16|                 ValueCategory = prvalue(load)
+#   19| [TopLevelFunction] char const* c11_generic_test_with_constant_and_no_macro()
+#   19|   <params>: 
+#   20|   getEntryPoint(): [BlockStmt] { ... }
+#   21|     getStmt(0): [DeclStmt] declaration
+#   21|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of i
+#   21|           Type = [IntType] int
+#   23|     getStmt(1): [ReturnStmt] return ...
+#   23|       getExpr(): int
+#   23|           Type = [ArrayType] char[4]
+#   23|           Value = [StringLiteral] "int"
+#   23|           ValueCategory = lvalue
+#   23|       getExpr().getFullyConverted(): [CStyleCast] (const char *)...
+#   23|           Conversion = [PointerConversion] pointer conversion
+#   23|           Type = [PointerType] const char *
+#   23|           ValueCategory = prvalue
+#   23|         getExpr(): [ArrayToPointerConversion] array to pointer conversion
+#   23|             Type = [CharPointerType] char *
+#   23|             ValueCategory = prvalue
+#   23|           getExpr(): [C11GenericExpr] _Generic
+#   23|               Type = [ArrayType] char[4]
+#   23|               Value = [C11GenericExpr] int
+#   23|               ValueCategory = lvalue
+#   23|             getControllingExpr(): [VariableAccess] i
+#   23|                 Type = [IntType] int
+#   23|                 ValueCategory = prvalue(load)
+#   23|             getAssociationType(0): [TypeName] int
+#   23|                 Type = [IntType] int
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(0): [ReuseExpr] reuse of int
+#   23|                 Type = [ArrayType] char[4]
+#   23|                 ValueCategory = lvalue
+#   23|             getAssociationType(1): [TypeName] void
+#   23|                 Type = [VoidType] void
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(1): unknown
+#   23|                 Type = [ArrayType] char[8]
+#   23|                 Value = [StringLiteral] "unknown"
+#   23|                 ValueCategory = lvalue
+#   26| [TopLevelFunction] void c11_generic_test_test_with_cast(int)
+#   26|   <params>: 
+#   26|     getParameter(0): [Parameter] y
+#   26|         Type = [IntType] int
+#   26|   getEntryPoint(): [BlockStmt] { ... }
+#   27|     getStmt(0): [DeclStmt] declaration
+#   27|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of r
+#   27|           Type = [IntType] unsigned int
+#   28|     getStmt(1): [ExprStmt] ExprStmt
+#   28|       getExpr(): [AssignExpr] ... = ...
+#   28|           Type = [IntType] unsigned int
+#   28|           ValueCategory = prvalue
+#   28|         getLValue(): [VariableAccess] r
+#   28|             Type = [IntType] unsigned int
+#   28|             ValueCategory = lvalue
+#   28|         getRValue(): [VariableAccess] y
+#   28|             Type = [IntType] int
+#   28|             ValueCategory = prvalue(load)
+#   28|         getRValue().getFullyConverted(): [C11GenericExpr] _Generic
+#   28|             Type = [IntType] unsigned int
+#   28|             ValueCategory = prvalue
+#   28|           getControllingExpr(): [VariableAccess] r
+#   28|               Type = [IntType] unsigned int
+#   28|               ValueCategory = prvalue(load)
+#   28|           getAssociationType(0): [TypeName] unsigned int
+#   28|               Type = [IntType] unsigned int
+#   28|               ValueCategory = prvalue
+#   28|           getAssociationExpr(0): [ReuseExpr] reuse of y
+#   28|               Type = [IntType] int
+#   28|               ValueCategory = prvalue
+#   28|           getAssociationType(1): [TypeName] int
+#   28|               Type = [IntType] int
+#   28|               ValueCategory = prvalue
+#   28|           getAssociationExpr(1): [VariableAccess] y
+#   28|               Type = [IntType] int
+#   28|               ValueCategory = lvalue
+#   28|           getExpr(): [CStyleCast] (unsigned int)...
+#   28|               Conversion = [IntegralConversion] integral conversion
+#   28|               Type = [IntType] unsigned int
+#   28|               ValueCategory = prvalue
+#   29|     getStmt(2): [ReturnStmt] return ...
 ir.c:
 #    5| [TopLevelFunction] int getX(MyCoords*)
 #    5|   <params>: 

cpp/ql/test/library-tests/ir/ir/aliased_ir.expected

@@ -2959,7 +2959,7 @@ destructors_for_temps.cpp:
 #  102|     v102_10(void)                        = ExitFunction                             : 
 
 generic.c:
-#    1| void c11_generic_test(unsigned int, int)
+#    1| void c11_generic_test_with_load(unsigned int, int)
 #    1|   Block 0
 #    1|     v1_1(void)                = EnterFunction          : 
 #    1|     m1_2(unknown)             = AliasedDefinition      : 
@@ -2982,6 +2982,62 @@ generic.c:
 #    1|     v1_10(void)               = AliasedUse             : m1_3
 #    1|     v1_11(void)               = ExitFunction           : 
 
+#   12| char const* c11_generic_test_with_constant_and_macro()
+#   12|   Block 0
+#   12|     v12_1(void)           = EnterFunction            : 
+#   12|     m12_2(unknown)        = AliasedDefinition        : 
+#   12|     m12_3(unknown)        = InitializeNonLocal       : 
+#   12|     m12_4(unknown)        = Chi                      : total:m12_2, partial:m12_3
+#   14|     r14_1(glval<int>)     = VariableAddress[i]       : 
+#   14|     m14_2(int)            = Uninitialized[i]         : &:r14_1
+#   16|     r16_1(glval<char *>)  = VariableAddress[#return] : 
+#   16|     r16_2(glval<char[4]>) = Constant[int]            : 
+#   16|     r16_3(char *)         = Convert                  : r16_2
+#   16|     r16_4(char *)         = Convert                  : r16_3
+#   16|     m16_5(char *)         = Store[#return]           : &:r16_1, r16_4
+#   12|     r12_5(glval<char *>)  = VariableAddress[#return] : 
+#   12|     v12_6(void)           = ReturnValue              : &:r12_5, m16_5
+#   12|     v12_7(void)           = AliasedUse               : m12_3
+#   12|     v12_8(void)           = ExitFunction             : 
+
+#   19| char const* c11_generic_test_with_constant_and_no_macro()
+#   19|   Block 0
+#   19|     v19_1(void)           = EnterFunction            : 
+#   19|     m19_2(unknown)        = AliasedDefinition        : 
+#   19|     m19_3(unknown)        = InitializeNonLocal       : 
+#   19|     m19_4(unknown)        = Chi                      : total:m19_2, partial:m19_3
+#   21|     r21_1(glval<int>)     = VariableAddress[i]       : 
+#   21|     m21_2(int)            = Uninitialized[i]         : &:r21_1
+#   23|     r23_1(glval<char *>)  = VariableAddress[#return] : 
+#   23|     r23_2(glval<char[4]>) = Constant[int]            : 
+#   23|     r23_3(char *)         = Convert                  : r23_2
+#   23|     r23_4(char *)         = Convert                  : r23_3
+#   23|     m23_5(char *)         = Store[#return]           : &:r23_1, r23_4
+#   19|     r19_5(glval<char *>)  = VariableAddress[#return] : 
+#   19|     v19_6(void)           = ReturnValue              : &:r19_5, m23_5
+#   19|     v19_7(void)           = AliasedUse               : m19_3
+#   19|     v19_8(void)           = ExitFunction             : 
+
+#   26| void c11_generic_test_test_with_cast(int)
+#   26|   Block 0
+#   26|     v26_1(void)                = EnterFunction          : 
+#   26|     m26_2(unknown)             = AliasedDefinition      : 
+#   26|     m26_3(unknown)             = InitializeNonLocal     : 
+#   26|     m26_4(unknown)             = Chi                    : total:m26_2, partial:m26_3
+#   26|     r26_5(glval<int>)          = VariableAddress[y]     : 
+#   26|     m26_6(int)                 = InitializeParameter[y] : &:r26_5
+#   27|     r27_1(glval<unsigned int>) = VariableAddress[r]     : 
+#   27|     m27_2(unsigned int)        = Uninitialized[r]       : &:r27_1
+#   28|     r28_1(glval<int>)          = VariableAddress[y]     : 
+#   28|     r28_2(int)                 = Load[y]                : &:r28_1, m26_6
+#   28|     r28_3(unsigned int)        = Convert                : r28_2
+#   28|     r28_4(glval<unsigned int>) = VariableAddress[r]     : 
+#   28|     m28_5(unsigned int)        = Store[r]               : &:r28_4, r28_3
+#   29|     v29_1(void)                = NoOp                   : 
+#   26|     v26_7(void)                = ReturnVoid             : 
+#   26|     v26_8(void)                = AliasedUse             : m26_3
+#   26|     v26_9(void)                = ExitFunction           : 
+
 ir.c:
 #    7| void MyCoordsTest(int)
 #    7|   Block 0

cpp/ql/test/library-tests/ir/ir/generic.c

@@ -1,6 +1,31 @@
-void c11_generic_test(unsigned int x, int y) {
+void c11_generic_test_with_load(unsigned int x, int y) {
   unsigned int r;
   r = _Generic(r, unsigned int: x, int: y) + 1;
 }
 
-// // semmle-extractor-options: -std=c11
+#define describe(val) \
+  _Generic((val), \
+    int: "int", \
+    default: "unknown" \
+  )
+
+const char *c11_generic_test_with_constant_and_macro()
+{
+  int i;
+
+  return describe(i);
+}
+
+const char *c11_generic_test_with_constant_and_no_macro()
+{
+  int i;
+
+  return _Generic(i, int: "int", default: "unknown");
+}
+
+void c11_generic_test_test_with_cast(int y) {
+  unsigned int r;
+  r = _Generic(r, unsigned int: (unsigned int)y, int: y);
+}
+
+// semmle-extractor-options: -std=c11

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -2733,7 +2733,7 @@ destructors_for_temps.cpp:
 #  102|     v102_8(void)                         = ExitFunction                             : 
 
 generic.c:
-#    1| void c11_generic_test(unsigned int, int)
+#    1| void c11_generic_test_with_load(unsigned int, int)
 #    1|   Block 0
 #    1|     v1_1(void)                = EnterFunction          : 
 #    1|     mu1_2(unknown)            = AliasedDefinition      : 
@@ -2755,6 +2755,59 @@ generic.c:
 #    1|     v1_9(void)                = AliasedUse             : ~m?
 #    1|     v1_10(void)               = ExitFunction           : 
 
+#   12| char const* c11_generic_test_with_constant_and_macro()
+#   12|   Block 0
+#   12|     v12_1(void)           = EnterFunction            : 
+#   12|     mu12_2(unknown)       = AliasedDefinition        : 
+#   12|     mu12_3(unknown)       = InitializeNonLocal       : 
+#   14|     r14_1(glval<int>)     = VariableAddress[i]       : 
+#   14|     mu14_2(int)           = Uninitialized[i]         : &:r14_1
+#   16|     r16_1(glval<char *>)  = VariableAddress[#return] : 
+#   16|     r16_2(glval<char[4]>) = Constant[int]            : 
+#   16|     r16_3(char *)         = Convert                  : r16_2
+#   16|     r16_4(char *)         = Convert                  : r16_3
+#   16|     mu16_5(char *)        = Store[#return]           : &:r16_1, r16_4
+#   12|     r12_4(glval<char *>)  = VariableAddress[#return] : 
+#   12|     v12_5(void)           = ReturnValue              : &:r12_4, ~m?
+#   12|     v12_6(void)           = AliasedUse               : ~m?
+#   12|     v12_7(void)           = ExitFunction             : 
+
+#   19| char const* c11_generic_test_with_constant_and_no_macro()
+#   19|   Block 0
+#   19|     v19_1(void)           = EnterFunction            : 
+#   19|     mu19_2(unknown)       = AliasedDefinition        : 
+#   19|     mu19_3(unknown)       = InitializeNonLocal       : 
+#   21|     r21_1(glval<int>)     = VariableAddress[i]       : 
+#   21|     mu21_2(int)           = Uninitialized[i]         : &:r21_1
+#   23|     r23_1(glval<char *>)  = VariableAddress[#return] : 
+#   23|     r23_2(glval<char[4]>) = Constant[int]            : 
+#   23|     r23_3(char *)         = Convert                  : r23_2
+#   23|     r23_4(char *)         = Convert                  : r23_3
+#   23|     mu23_5(char *)        = Store[#return]           : &:r23_1, r23_4
+#   19|     r19_4(glval<char *>)  = VariableAddress[#return] : 
+#   19|     v19_5(void)           = ReturnValue              : &:r19_4, ~m?
+#   19|     v19_6(void)           = AliasedUse               : ~m?
+#   19|     v19_7(void)           = ExitFunction             : 
+
+#   26| void c11_generic_test_test_with_cast(int)
+#   26|   Block 0
+#   26|     v26_1(void)                = EnterFunction          : 
+#   26|     mu26_2(unknown)            = AliasedDefinition      : 
+#   26|     mu26_3(unknown)            = InitializeNonLocal     : 
+#   26|     r26_4(glval<int>)          = VariableAddress[y]     : 
+#   26|     mu26_5(int)                = InitializeParameter[y] : &:r26_4
+#   27|     r27_1(glval<unsigned int>) = VariableAddress[r]     : 
+#   27|     mu27_2(unsigned int)       = Uninitialized[r]       : &:r27_1
+#   28|     r28_1(glval<int>)          = VariableAddress[y]     : 
+#   28|     r28_2(int)                 = Load[y]                : &:r28_1, ~m?
+#   28|     r28_3(unsigned int)        = Convert                : r28_2
+#   28|     r28_4(glval<unsigned int>) = VariableAddress[r]     : 
+#   28|     mu28_5(unsigned int)       = Store[r]               : &:r28_4, r28_3
+#   29|     v29_1(void)                = NoOp                   : 
+#   26|     v26_6(void)                = ReturnVoid             : 
+#   26|     v26_7(void)                = AliasedUse             : ~m?
+#   26|     v26_8(void)                = ExitFunction           : 
+
 ir.c:
 #    7| void MyCoordsTest(int)
 #    7|   Block 0

cpp/ql/test/library-tests/types/datasizeof/datasizeof.cpp

@@ -0,0 +1,30 @@
+// semmle-extractor-options: --clang --edg --clang_version --edg 190000
+
+typedef unsigned int size_t;
+
+class MyClass
+{
+public:
+	int x;
+	int *ptr;
+	char c;
+};
+
+void func() {
+	int i;
+	char c;
+	int * ptr;
+	MyClass mc;
+	int arr[10];
+
+	size_t sz1 = __datasizeof(int);
+	size_t sz2 = __datasizeof(char);
+	size_t sz3 = __datasizeof(int *);
+	size_t sz4 = __datasizeof(MyClass);
+	size_t sz5 = __datasizeof(i);
+	size_t sz6 = __datasizeof(c);
+	size_t sz7 = __datasizeof(ptr);
+	size_t sz8 = __datasizeof(mc);
+	size_t sz9 = __datasizeof(arr);
+	size_t sz10 = __datasizeof(arr[4]);
+}

cpp/ql/test/library-tests/types/datasizeof/datasizeof.expected

@@ -0,0 +1,10 @@
+| datasizeof.cpp:20:15:20:31 | __datasizeof(int) | 4 | DatasizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | int |
+| datasizeof.cpp:21:15:21:32 | __datasizeof(char) | 1 | DatasizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | char |
+| datasizeof.cpp:22:15:22:33 | __datasizeof(int *) | 8 | DatasizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | int * |
+| datasizeof.cpp:23:15:23:35 | __datasizeof(MyClass) | 24 | DatasizeofTypeOperator.getTypeOperand() | datasizeof.cpp:5:7:5:13 | MyClass |
+| datasizeof.cpp:24:15:24:29 | __datasizeof(<expr>) | 4 | DatasizeofExprOperator.getExprOperand() | datasizeof.cpp:24:28:24:28 | i |
+| datasizeof.cpp:25:15:25:29 | __datasizeof(<expr>) | 1 | DatasizeofExprOperator.getExprOperand() | datasizeof.cpp:25:28:25:28 | c |
+| datasizeof.cpp:26:15:26:31 | __datasizeof(<expr>) | 8 | DatasizeofExprOperator.getExprOperand() | datasizeof.cpp:26:28:26:30 | ptr |
+| datasizeof.cpp:27:15:27:30 | __datasizeof(<expr>) | 24 | DatasizeofExprOperator.getExprOperand() | datasizeof.cpp:27:28:27:29 | mc |
+| datasizeof.cpp:28:15:28:31 | __datasizeof(<expr>) | 40 | DatasizeofExprOperator.getExprOperand() | datasizeof.cpp:28:28:28:30 | arr |
+| datasizeof.cpp:29:16:29:35 | __datasizeof(<expr>) | 4 | DatasizeofExprOperator.getExprOperand() | datasizeof.cpp:29:29:29:34 | access to array |

cpp/ql/test/library-tests/types/datasizeof/datasizeof.ql

@@ -0,0 +1,10 @@
+import cpp
+
+from DatasizeofOperator sto, string elemDesc, Element e
+where
+  elemDesc = "DatasizeofTypeOperator.getTypeOperand()" and
+  e = sto.(DatasizeofTypeOperator).getTypeOperand()
+  or
+  elemDesc = "DatasizeofExprOperator.getExprOperand()" and
+  e = sto.(DatasizeofExprOperator).getExprOperand()
+select sto, sto.getValue(), elemDesc, e

cpp/ql/test/library-tests/types/sizeof/sizeof.expected

@@ -1,10 +1,10 @@
-| sizeof.cpp:19:15:19:25 | sizeof(int) | SizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | int |
-| sizeof.cpp:20:15:20:26 | sizeof(char) | SizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | char |
-| sizeof.cpp:21:15:21:27 | sizeof(int *) | SizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | int * |
-| sizeof.cpp:22:15:22:29 | sizeof(MyClass) | SizeofTypeOperator.getTypeOperand() | sizeof.cpp:4:7:4:13 | MyClass |
-| sizeof.cpp:23:15:23:23 | sizeof(<expr>) | SizeofExprOperator.getExprOperand() | sizeof.cpp:23:22:23:22 | i |
-| sizeof.cpp:24:15:24:23 | sizeof(<expr>) | SizeofExprOperator.getExprOperand() | sizeof.cpp:24:22:24:22 | c |
-| sizeof.cpp:25:15:25:25 | sizeof(<expr>) | SizeofExprOperator.getExprOperand() | sizeof.cpp:25:22:25:24 | ptr |
-| sizeof.cpp:26:15:26:24 | sizeof(<expr>) | SizeofExprOperator.getExprOperand() | sizeof.cpp:26:22:26:23 | mc |
-| sizeof.cpp:27:15:27:25 | sizeof(<expr>) | SizeofExprOperator.getExprOperand() | sizeof.cpp:27:22:27:24 | arr |
-| sizeof.cpp:28:16:28:29 | sizeof(<expr>) | SizeofExprOperator.getExprOperand() | sizeof.cpp:28:23:28:28 | access to array |
+| sizeof.cpp:19:15:19:25 | sizeof(int) | 4 | SizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | int |
+| sizeof.cpp:20:15:20:26 | sizeof(char) | 1 | SizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | char |
+| sizeof.cpp:21:15:21:27 | sizeof(int *) | 8 | SizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | int * |
+| sizeof.cpp:22:15:22:29 | sizeof(MyClass) | 16 | SizeofTypeOperator.getTypeOperand() | sizeof.cpp:4:7:4:13 | MyClass |
+| sizeof.cpp:23:15:23:23 | sizeof(<expr>) | 4 | SizeofExprOperator.getExprOperand() | sizeof.cpp:23:22:23:22 | i |
+| sizeof.cpp:24:15:24:23 | sizeof(<expr>) | 1 | SizeofExprOperator.getExprOperand() | sizeof.cpp:24:22:24:22 | c |
+| sizeof.cpp:25:15:25:25 | sizeof(<expr>) | 8 | SizeofExprOperator.getExprOperand() | sizeof.cpp:25:22:25:24 | ptr |
+| sizeof.cpp:26:15:26:24 | sizeof(<expr>) | 16 | SizeofExprOperator.getExprOperand() | sizeof.cpp:26:22:26:23 | mc |
+| sizeof.cpp:27:15:27:25 | sizeof(<expr>) | 40 | SizeofExprOperator.getExprOperand() | sizeof.cpp:27:22:27:24 | arr |
+| sizeof.cpp:28:16:28:29 | sizeof(<expr>) | 4 | SizeofExprOperator.getExprOperand() | sizeof.cpp:28:23:28:28 | access to array |

cpp/ql/test/library-tests/types/sizeof/sizeof.ql

@@ -7,4 +7,4 @@ where
   or
   elemDesc = "SizeofExprOperator.getExprOperand()" and
   e = sto.(SizeofExprOperator).getExprOperand()
-select sto, elemDesc, e
+select sto, sto.getValue(), elemDesc, e

cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected

@@ -16,7 +16,6 @@ edges
 | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:153:5:153:5 | a | provenance |  |
 | test_free.cpp:233:14:233:15 | pointer to free output argument | test_free.cpp:234:9:234:11 | *... ++ | provenance |  |
 | test_free.cpp:234:9:234:11 | *... ++ | test_free.cpp:236:9:236:10 | * ... | provenance |  |
-| test_free.cpp:238:15:238:17 | *... ++ | test_free.cpp:238:15:238:17 | *... ++ | provenance |  |
 | test_free.cpp:238:15:238:17 | *... ++ | test_free.cpp:241:9:241:10 | * ... | provenance |  |
 | test_free.cpp:239:14:239:15 | pointer to free output argument | test_free.cpp:238:15:238:17 | *... ++ | provenance |  |
 | test_free.cpp:245:10:245:11 | pointer to free output argument | test_free.cpp:246:9:246:10 | * ... | provenance |  |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected

@@ -32,6 +32,8 @@ edges
 | test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r | provenance |  |
 | test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r | provenance |  |
 | test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r | provenance |  |
+| test.cpp:62:19:62:24 | call to rand | test.cpp:62:19:62:24 | call to rand | provenance |  |
+| test.cpp:62:19:62:24 | call to rand | test.cpp:65:9:65:9 | x | provenance |  |
 | test.cpp:86:10:86:13 | call to rand | test.cpp:86:10:86:13 | call to rand | provenance |  |
 | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | provenance |  |
 | test.cpp:98:10:98:13 | call to rand | test.cpp:98:10:98:13 | call to rand | provenance |  |
@@ -105,6 +107,9 @@ nodes
 | test.cpp:31:7:31:7 | r | semmle.label | r |
 | test.cpp:36:13:36:13 | get_rand3 output argument | semmle.label | get_rand3 output argument |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
+| test.cpp:62:19:62:24 | call to rand | semmle.label | call to rand |
+| test.cpp:62:19:62:24 | call to rand | semmle.label | call to rand |
+| test.cpp:65:9:65:9 | x | semmle.label | x |
 | test.cpp:86:10:86:13 | call to rand | semmle.label | call to rand |
 | test.cpp:86:10:86:13 | call to rand | semmle.label | call to rand |
 | test.cpp:90:10:90:10 | x | semmle.label | x |
@@ -156,6 +161,7 @@ subpaths
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value |
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value |
 | test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value |
+| test.cpp:65:9:65:9 | x | test.cpp:62:19:62:24 | call to rand | test.cpp:65:9:65:9 | x | This arithmetic expression depends on an $@, potentially causing an underflow. | test.cpp:62:19:62:22 | call to rand | uncontrolled value |
 | test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:86:10:86:13 | call to rand | uncontrolled value |
 | test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:98:10:98:13 | call to rand | uncontrolled value |
 | test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.cpp

@@ -62,7 +62,7 @@ unsigned int test_remainder_subtract_unsigned()
 	unsigned int x = rand();
 	unsigned int y = x % 100; // y <= x
 
-	return x - y; // GOOD (as y <= x)
+	return x - y; // GOOD (as y <= x) [FALSE POSITIVE]
 }
 
 typedef unsigned long size_t;

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected

@@ -13,26 +13,30 @@ edges
 | test.cpp:133:19:133:32 | *call to getenv | test.cpp:133:14:133:17 | call to atoi | provenance | TaintFunction |
 | test.cpp:148:15:148:18 | call to atol | test.cpp:152:11:152:28 | ... * ... | provenance |  |
 | test.cpp:148:20:148:33 | *call to getenv | test.cpp:148:15:148:18 | call to atol | provenance | TaintFunction |
-| test.cpp:224:8:224:23 | *get_tainted_size | test.cpp:256:9:256:24 | call to get_tainted_size | provenance |  |
-| test.cpp:226:9:226:42 | ... * ... | test.cpp:224:8:224:23 | *get_tainted_size | provenance |  |
-| test.cpp:226:14:226:27 | *call to getenv | test.cpp:226:9:226:42 | ... * ... | provenance | TaintFunction |
-| test.cpp:245:21:245:21 | s | test.cpp:246:21:246:21 | s | provenance |  |
-| test.cpp:252:19:252:52 | ... * ... | test.cpp:254:9:254:18 | local_size | provenance |  |
-| test.cpp:252:19:252:52 | ... * ... | test.cpp:260:11:260:20 | local_size | provenance |  |
-| test.cpp:252:19:252:52 | ... * ... | test.cpp:262:10:262:19 | local_size | provenance |  |
-| test.cpp:252:24:252:37 | *call to getenv | test.cpp:252:19:252:52 | ... * ... | provenance | TaintFunction |
-| test.cpp:262:10:262:19 | local_size | test.cpp:245:21:245:21 | s | provenance |  |
-| test.cpp:265:20:265:27 | *out_size | test.cpp:304:17:304:20 | get_size output argument | provenance |  |
-| test.cpp:265:20:265:27 | *out_size | test.cpp:320:18:320:21 | get_size output argument | provenance |  |
-| test.cpp:266:2:266:32 | ... = ... | test.cpp:265:20:265:27 | *out_size | provenance |  |
-| test.cpp:266:18:266:31 | *call to getenv | test.cpp:266:2:266:32 | ... = ... | provenance | TaintFunction |
-| test.cpp:274:15:274:18 | call to atoi | test.cpp:278:11:278:29 | ... * ... | provenance |  |
-| test.cpp:274:20:274:33 | *call to getenv | test.cpp:274:15:274:18 | call to atoi | provenance | TaintFunction |
-| test.cpp:304:17:304:20 | get_size output argument | test.cpp:306:11:306:28 | ... * ... | provenance |  |
-| test.cpp:320:18:320:21 | get_size output argument | test.cpp:323:10:323:27 | ... * ... | provenance |  |
-| test.cpp:368:13:368:16 | call to atoi | test.cpp:370:35:370:38 | size | provenance |  |
-| test.cpp:368:13:368:16 | call to atoi | test.cpp:371:35:371:38 | size | provenance |  |
-| test.cpp:368:18:368:31 | *call to getenv | test.cpp:368:13:368:16 | call to atoi | provenance | TaintFunction |
+| test.cpp:190:14:190:17 | call to atoi | test.cpp:194:11:194:28 | ... * ... | provenance |  |
+| test.cpp:190:19:190:32 | *call to getenv | test.cpp:190:14:190:17 | call to atoi | provenance | TaintFunction |
+| test.cpp:205:14:205:17 | call to atoi | test.cpp:209:11:209:28 | ... * ... | provenance |  |
+| test.cpp:205:19:205:32 | *call to getenv | test.cpp:205:14:205:17 | call to atoi | provenance | TaintFunction |
+| test.cpp:239:8:239:23 | *get_tainted_size | test.cpp:271:9:271:24 | call to get_tainted_size | provenance |  |
+| test.cpp:241:9:241:42 | ... * ... | test.cpp:239:8:239:23 | *get_tainted_size | provenance |  |
+| test.cpp:241:14:241:27 | *call to getenv | test.cpp:241:9:241:42 | ... * ... | provenance | TaintFunction |
+| test.cpp:260:21:260:21 | s | test.cpp:261:21:261:21 | s | provenance |  |
+| test.cpp:267:19:267:52 | ... * ... | test.cpp:269:9:269:18 | local_size | provenance |  |
+| test.cpp:267:19:267:52 | ... * ... | test.cpp:275:11:275:20 | local_size | provenance |  |
+| test.cpp:267:19:267:52 | ... * ... | test.cpp:277:10:277:19 | local_size | provenance |  |
+| test.cpp:267:24:267:37 | *call to getenv | test.cpp:267:19:267:52 | ... * ... | provenance | TaintFunction |
+| test.cpp:277:10:277:19 | local_size | test.cpp:260:21:260:21 | s | provenance |  |
+| test.cpp:280:20:280:27 | *out_size | test.cpp:319:17:319:20 | get_size output argument | provenance |  |
+| test.cpp:280:20:280:27 | *out_size | test.cpp:335:18:335:21 | get_size output argument | provenance |  |
+| test.cpp:281:2:281:32 | ... = ... | test.cpp:280:20:280:27 | *out_size | provenance |  |
+| test.cpp:281:18:281:31 | *call to getenv | test.cpp:281:2:281:32 | ... = ... | provenance | TaintFunction |
+| test.cpp:289:15:289:18 | call to atoi | test.cpp:293:11:293:29 | ... * ... | provenance |  |
+| test.cpp:289:20:289:33 | *call to getenv | test.cpp:289:15:289:18 | call to atoi | provenance | TaintFunction |
+| test.cpp:319:17:319:20 | get_size output argument | test.cpp:321:11:321:28 | ... * ... | provenance |  |
+| test.cpp:335:18:335:21 | get_size output argument | test.cpp:338:10:338:27 | ... * ... | provenance |  |
+| test.cpp:383:13:383:16 | call to atoi | test.cpp:385:35:385:38 | size | provenance |  |
+| test.cpp:383:13:383:16 | call to atoi | test.cpp:386:35:386:38 | size | provenance |  |
+| test.cpp:383:18:383:31 | *call to getenv | test.cpp:383:13:383:16 | call to atoi | provenance | TaintFunction |
 nodes
 | test.cpp:39:27:39:30 | **argv | semmle.label | **argv |
 | test.cpp:40:16:40:19 | call to atoi | semmle.label | call to atoi |
@@ -52,31 +56,37 @@ nodes
 | test.cpp:148:15:148:18 | call to atol | semmle.label | call to atol |
 | test.cpp:148:20:148:33 | *call to getenv | semmle.label | *call to getenv |
 | test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:224:8:224:23 | *get_tainted_size | semmle.label | *get_tainted_size |
-| test.cpp:226:9:226:42 | ... * ... | semmle.label | ... * ... |
-| test.cpp:226:14:226:27 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:245:21:245:21 | s | semmle.label | s |
-| test.cpp:246:21:246:21 | s | semmle.label | s |
-| test.cpp:252:19:252:52 | ... * ... | semmle.label | ... * ... |
-| test.cpp:252:24:252:37 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:254:9:254:18 | local_size | semmle.label | local_size |
-| test.cpp:256:9:256:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
-| test.cpp:260:11:260:20 | local_size | semmle.label | local_size |
-| test.cpp:262:10:262:19 | local_size | semmle.label | local_size |
-| test.cpp:265:20:265:27 | *out_size | semmle.label | *out_size |
-| test.cpp:266:2:266:32 | ... = ... | semmle.label | ... = ... |
-| test.cpp:266:18:266:31 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:274:15:274:18 | call to atoi | semmle.label | call to atoi |
-| test.cpp:274:20:274:33 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:278:11:278:29 | ... * ... | semmle.label | ... * ... |
-| test.cpp:304:17:304:20 | get_size output argument | semmle.label | get_size output argument |
-| test.cpp:306:11:306:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:320:18:320:21 | get_size output argument | semmle.label | get_size output argument |
-| test.cpp:323:10:323:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:368:13:368:16 | call to atoi | semmle.label | call to atoi |
-| test.cpp:368:18:368:31 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:370:35:370:38 | size | semmle.label | size |
-| test.cpp:371:35:371:38 | size | semmle.label | size |
+| test.cpp:190:14:190:17 | call to atoi | semmle.label | call to atoi |
+| test.cpp:190:19:190:32 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:194:11:194:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:205:14:205:17 | call to atoi | semmle.label | call to atoi |
+| test.cpp:205:19:205:32 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:209:11:209:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:239:8:239:23 | *get_tainted_size | semmle.label | *get_tainted_size |
+| test.cpp:241:9:241:42 | ... * ... | semmle.label | ... * ... |
+| test.cpp:241:14:241:27 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:260:21:260:21 | s | semmle.label | s |
+| test.cpp:261:21:261:21 | s | semmle.label | s |
+| test.cpp:267:19:267:52 | ... * ... | semmle.label | ... * ... |
+| test.cpp:267:24:267:37 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:269:9:269:18 | local_size | semmle.label | local_size |
+| test.cpp:271:9:271:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
+| test.cpp:275:11:275:20 | local_size | semmle.label | local_size |
+| test.cpp:277:10:277:19 | local_size | semmle.label | local_size |
+| test.cpp:280:20:280:27 | *out_size | semmle.label | *out_size |
+| test.cpp:281:2:281:32 | ... = ... | semmle.label | ... = ... |
+| test.cpp:281:18:281:31 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:289:15:289:18 | call to atoi | semmle.label | call to atoi |
+| test.cpp:289:20:289:33 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:293:11:293:29 | ... * ... | semmle.label | ... * ... |
+| test.cpp:319:17:319:20 | get_size output argument | semmle.label | get_size output argument |
+| test.cpp:321:11:321:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:335:18:335:21 | get_size output argument | semmle.label | get_size output argument |
+| test.cpp:338:10:338:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:383:13:383:16 | call to atoi | semmle.label | call to atoi |
+| test.cpp:383:18:383:31 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:385:35:385:38 | size | semmle.label | size |
+| test.cpp:386:35:386:38 | size | semmle.label | size |
 subpaths
 #select
 | test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
@@ -88,12 +98,14 @@ subpaths
 | test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:124:18:124:31 | *call to getenv | user input (an environment variable) |
 | test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:133:19:133:32 | *call to getenv | user input (an environment variable) |
 | test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:148:20:148:33 | *call to getenv | user input (an environment variable) |
-| test.cpp:246:14:246:19 | call to malloc | test.cpp:252:24:252:37 | *call to getenv | test.cpp:246:21:246:21 | s | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:252:24:252:37 | *call to getenv | user input (an environment variable) |
-| test.cpp:254:2:254:7 | call to malloc | test.cpp:252:24:252:37 | *call to getenv | test.cpp:254:9:254:18 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:252:24:252:37 | *call to getenv | user input (an environment variable) |
-| test.cpp:256:2:256:7 | call to malloc | test.cpp:226:14:226:27 | *call to getenv | test.cpp:256:9:256:24 | call to get_tainted_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:226:14:226:27 | *call to getenv | user input (an environment variable) |
-| test.cpp:260:2:260:9 | call to my_alloc | test.cpp:252:24:252:37 | *call to getenv | test.cpp:260:11:260:20 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:252:24:252:37 | *call to getenv | user input (an environment variable) |
-| test.cpp:278:4:278:9 | call to malloc | test.cpp:274:20:274:33 | *call to getenv | test.cpp:278:11:278:29 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:274:20:274:33 | *call to getenv | user input (an environment variable) |
-| test.cpp:306:4:306:9 | call to malloc | test.cpp:266:18:266:31 | *call to getenv | test.cpp:306:11:306:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:266:18:266:31 | *call to getenv | user input (an environment variable) |
-| test.cpp:323:3:323:8 | call to malloc | test.cpp:266:18:266:31 | *call to getenv | test.cpp:323:10:323:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:266:18:266:31 | *call to getenv | user input (an environment variable) |
-| test.cpp:370:25:370:33 | call to MyMalloc1 | test.cpp:368:18:368:31 | *call to getenv | test.cpp:370:35:370:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:368:18:368:31 | *call to getenv | user input (an environment variable) |
-| test.cpp:371:25:371:33 | call to MyMalloc2 | test.cpp:368:18:368:31 | *call to getenv | test.cpp:371:35:371:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:368:18:368:31 | *call to getenv | user input (an environment variable) |
+| test.cpp:194:4:194:9 | call to malloc | test.cpp:190:19:190:32 | *call to getenv | test.cpp:194:11:194:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:190:19:190:32 | *call to getenv | user input (an environment variable) |
+| test.cpp:209:4:209:9 | call to malloc | test.cpp:205:19:205:32 | *call to getenv | test.cpp:209:11:209:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:205:19:205:32 | *call to getenv | user input (an environment variable) |
+| test.cpp:261:14:261:19 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:261:21:261:21 | s | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) |
+| test.cpp:269:2:269:7 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:269:9:269:18 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) |
+| test.cpp:271:2:271:7 | call to malloc | test.cpp:241:14:241:27 | *call to getenv | test.cpp:271:9:271:24 | call to get_tainted_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:241:14:241:27 | *call to getenv | user input (an environment variable) |
+| test.cpp:275:2:275:9 | call to my_alloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:275:11:275:20 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) |
+| test.cpp:293:4:293:9 | call to malloc | test.cpp:289:20:289:33 | *call to getenv | test.cpp:293:11:293:29 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:289:20:289:33 | *call to getenv | user input (an environment variable) |
+| test.cpp:321:4:321:9 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:321:11:321:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) |
+| test.cpp:338:3:338:8 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:338:10:338:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) |
+| test.cpp:385:25:385:33 | call to MyMalloc1 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:385:35:385:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) |
+| test.cpp:386:25:386:33 | call to MyMalloc2 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:386:35:386:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp

@@ -191,7 +191,22 @@ void more_bounded_tests() {
 
 		if (size % 100)
 		{
-			malloc(size * sizeof(int)); // BAD [NOT DETECTED]
+			malloc(size * sizeof(int)); // BAD
+		}
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+		int size2 = size & 7; // Pick the first three bits of size
+		malloc(size2 * sizeof(int)); // GOOD
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+
+		if (size & 7)
+		{
+			malloc(size * sizeof(int)); // BAD
 		}
 	}
 

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected

@@ -22,11 +22,9 @@ edges
 | test.c:41:5:41:24 | ... = ... | test.c:44:7:44:10 | len2 | provenance |  |
 | test.c:41:5:41:24 | ... = ... | test.c:44:7:44:12 | ... -- | provenance |  |
 | test.c:44:7:44:12 | ... -- | test.c:44:7:44:10 | len2 | provenance |  |
-| test.c:44:7:44:12 | ... -- | test.c:44:7:44:12 | ... -- | provenance |  |
 | test.c:51:5:51:24 | ... = ... | test.c:54:7:54:10 | len3 | provenance |  |
 | test.c:51:5:51:24 | ... = ... | test.c:54:7:54:12 | ... -- | provenance |  |
 | test.c:54:7:54:12 | ... -- | test.c:54:7:54:10 | len3 | provenance |  |
-| test.c:54:7:54:12 | ... -- | test.c:54:7:54:12 | ... -- | provenance |  |
 nodes
 | test2.cpp:12:21:12:21 | v | semmle.label | v |
 | test2.cpp:14:11:14:11 | v | semmle.label | v |

cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/LoopConditionsConst.expected

@@ -2,25 +2,25 @@
 | test.cpp:43:2:45:2 | for(...;...;...) ... | test.cpp:43:18:43:26 | ... < ... |  | i | { ... } | i | ExprStmt |
 | test.cpp:74:2:77:2 | while (...) ... | test.cpp:74:9:74:17 | ... > ... | 1 | count | { ... } | count | ExprStmt |
 | test.cpp:84:2:88:2 | while (...) ... | test.cpp:84:9:84:17 | ... > ... |  | count | { ... } | count | if (...) ...  |
-| test.cpp:171:3:173:3 | while (...) ... | test.cpp:171:10:171:43 | ... != ... | 0 |  | { ... } | 0 | return ... |
-| test.cpp:251:2:255:2 | while (...) ... | test.cpp:251:9:251:12 | loop | 1 | loop | { ... } | loop | return ... |
-| test.cpp:263:2:267:2 | while (...) ... | test.cpp:263:9:263:20 | ... && ... | 1 | 1 | { ... } | ... && ... | return ... |
-| test.cpp:275:2:279:2 | while (...) ... | test.cpp:275:9:275:13 | ! ... | 1 | stop | { ... } | stop | return ... |
-| test.cpp:287:2:291:2 | while (...) ... | test.cpp:287:9:287:20 | ... && ... | 1 | loop | { ... } | loop | return ... |
-| test.cpp:299:2:303:2 | while (...) ... | test.cpp:299:9:299:20 | ... && ... | 1 | loop | { ... } | ... && ..., loop | return ... |
-| test.cpp:311:2:315:2 | while (...) ... | test.cpp:311:9:311:21 | ... \|\| ... | 1 | ... \|\| ... | { ... } | 0 | return ... |
-| test.cpp:323:2:328:2 | while (...) ... | test.cpp:323:9:323:17 | ... ? ... : ... |  | b, c | { ... } | c | return ... |
-| test.cpp:336:2:341:2 | while (...) ... | test.cpp:336:9:336:21 | ... \|\| ... | 1 | b, c | { ... } | c | return ... |
-| test.cpp:348:2:351:17 | do (...) ... | test.cpp:351:11:351:15 | 0 |  | { ... } | { ... } | { ... } | return ... |
-| test.cpp:361:2:364:2 | while (...) ... | test.cpp:361:9:361:21 | ... \|\| ... | 1 | ... \|\| ... | { ... } | 0 | while (...) ... |
-| test.cpp:365:2:368:2 | while (...) ... | test.cpp:365:9:365:13 | ! ... | 1 | stop | { ... } | stop | while (...) ... |
-| test.cpp:369:2:373:2 | while (...) ... | test.cpp:369:9:369:21 | ... \|\| ... | 1 | b, c | { ... } | c | do (...) ... |
-| test.cpp:374:2:376:17 | do (...) ... | test.cpp:376:11:376:15 | 0 |  | do (...) ... | { ... } | { ... } | return ... |
-| test.cpp:384:2:386:2 | while (...) ... | test.cpp:384:9:384:12 | 1 | 1 | 1 | { ... } |  | return ... |
-| test.cpp:394:2:396:2 | while (...) ... | test.cpp:394:9:394:21 | ... , ... |  | { ... } | { ... } |  |  |
-| test.cpp:404:3:408:3 | while (...) ... | test.cpp:404:10:404:13 | loop | 1 | loop | { ... } |  |  |
-| test.cpp:416:2:418:2 | for(...;...;...) ... | test.cpp:416:18:416:23 | ... < ... | 1 | i | { ... } | i | return ... |
-| test.cpp:424:2:425:2 | for(...;...;...) ... | test.cpp:424:18:424:23 | ... < ... | 1 | i | { ... } | i | return ... |
-| test.cpp:433:2:434:2 | for(...;...;...) ... | test.cpp:433:18:433:22 | 0 | 0 |  | { ... } | 0 | return ... |
-| test.cpp:559:3:564:3 | while (...) ... | test.cpp:559:9:559:15 | call to getBool |  | call to getBool | { ... } | call to getBool | ExprStmt |
-| test.cpp:574:3:579:3 | while (...) ... | test.cpp:574:10:574:16 | call to getBool |  | call to getBool | { ... } | call to getBool | ExprStmt |
+| test.cpp:172:3:174:3 | while (...) ... | test.cpp:172:10:172:43 | ... != ... |  | args | { ... } | args | return ... |
+| test.cpp:259:2:263:2 | while (...) ... | test.cpp:259:9:259:12 | loop | 1 | loop | { ... } | loop | return ... |
+| test.cpp:271:2:275:2 | while (...) ... | test.cpp:271:9:271:20 | ... && ... | 1 | 1 | { ... } | ... && ... | return ... |
+| test.cpp:283:2:287:2 | while (...) ... | test.cpp:283:9:283:13 | ! ... | 1 | stop | { ... } | stop | return ... |
+| test.cpp:295:2:299:2 | while (...) ... | test.cpp:295:9:295:20 | ... && ... | 1 | loop | { ... } | loop | return ... |
+| test.cpp:307:2:311:2 | while (...) ... | test.cpp:307:9:307:20 | ... && ... | 1 | loop | { ... } | ... && ..., loop | return ... |
+| test.cpp:319:2:323:2 | while (...) ... | test.cpp:319:9:319:21 | ... \|\| ... | 1 | ... \|\| ... | { ... } | 0 | return ... |
+| test.cpp:331:2:336:2 | while (...) ... | test.cpp:331:9:331:17 | ... ? ... : ... |  | b, c | { ... } | c | return ... |
+| test.cpp:344:2:349:2 | while (...) ... | test.cpp:344:9:344:21 | ... \|\| ... | 1 | b, c | { ... } | c | return ... |
+| test.cpp:356:2:359:17 | do (...) ... | test.cpp:359:11:359:15 | 0 |  | { ... } | { ... } | { ... } | return ... |
+| test.cpp:369:2:372:2 | while (...) ... | test.cpp:369:9:369:21 | ... \|\| ... | 1 | ... \|\| ... | { ... } | 0 | while (...) ... |
+| test.cpp:373:2:376:2 | while (...) ... | test.cpp:373:9:373:13 | ! ... | 1 | stop | { ... } | stop | while (...) ... |
+| test.cpp:377:2:381:2 | while (...) ... | test.cpp:377:9:377:21 | ... \|\| ... | 1 | b, c | { ... } | c | do (...) ... |
+| test.cpp:382:2:384:17 | do (...) ... | test.cpp:384:11:384:15 | 0 |  | do (...) ... | { ... } | { ... } | return ... |
+| test.cpp:392:2:394:2 | while (...) ... | test.cpp:392:9:392:12 | 1 | 1 | 1 | { ... } |  | return ... |
+| test.cpp:402:2:404:2 | while (...) ... | test.cpp:402:9:402:21 | ... , ... |  | { ... } | { ... } |  |  |
+| test.cpp:412:3:416:3 | while (...) ... | test.cpp:412:10:412:13 | loop | 1 | loop | { ... } |  |  |
+| test.cpp:424:2:426:2 | for(...;...;...) ... | test.cpp:424:18:424:23 | ... < ... | 1 | i | { ... } | i | return ... |
+| test.cpp:432:2:433:2 | for(...;...;...) ... | test.cpp:432:18:432:23 | ... < ... | 1 | i | { ... } | i | return ... |
+| test.cpp:441:2:442:2 | for(...;...;...) ... | test.cpp:441:18:441:22 | 0 | 0 |  | { ... } | 0 | return ... |
+| test.cpp:567:3:572:3 | while (...) ... | test.cpp:567:9:567:15 | call to getBool |  | call to getBool | { ... } | call to getBool | ExprStmt |
+| test.cpp:582:3:587:3 | while (...) ... | test.cpp:582:10:582:16 | call to getBool |  | call to getBool | { ... } | call to getBool | ExprStmt |

cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected

@@ -2,28 +2,28 @@ edges
 nodes
 | test.cpp:11:6:11:8 | definition of foo | semmle.label | definition of foo |
 | test.cpp:111:6:111:8 | definition of foo | semmle.label | definition of foo |
-| test.cpp:218:7:218:7 | definition of x | semmle.label | definition of x |
-| test.cpp:241:6:241:6 | definition of i | semmle.label | definition of i |
-| test.cpp:333:7:333:7 | definition of a | semmle.label | definition of a |
-| test.cpp:358:7:358:7 | definition of a | semmle.label | definition of a |
-| test.cpp:359:6:359:8 | definition of val | semmle.label | definition of val |
-| test.cpp:414:9:414:9 | definition of j | semmle.label | definition of j |
-| test.cpp:431:9:431:9 | definition of j | semmle.label | definition of j |
-| test.cpp:452:6:452:6 | definition of x | semmle.label | definition of x |
-| test.cpp:458:6:458:6 | definition of x | semmle.label | definition of x |
-| test.cpp:464:6:464:6 | definition of x | semmle.label | definition of x |
-| test.cpp:471:6:471:6 | definition of x | semmle.label | definition of x |
+| test.cpp:226:7:226:7 | definition of x | semmle.label | definition of x |
+| test.cpp:249:6:249:6 | definition of i | semmle.label | definition of i |
+| test.cpp:341:7:341:7 | definition of a | semmle.label | definition of a |
+| test.cpp:366:7:366:7 | definition of a | semmle.label | definition of a |
+| test.cpp:367:6:367:8 | definition of val | semmle.label | definition of val |
+| test.cpp:422:9:422:9 | definition of j | semmle.label | definition of j |
+| test.cpp:439:9:439:9 | definition of j | semmle.label | definition of j |
+| test.cpp:460:6:460:6 | definition of x | semmle.label | definition of x |
+| test.cpp:466:6:466:6 | definition of x | semmle.label | definition of x |
+| test.cpp:472:6:472:6 | definition of x | semmle.label | definition of x |
+| test.cpp:479:6:479:6 | definition of x | semmle.label | definition of x |
 #select
 | test.cpp:12:6:12:8 | foo | test.cpp:11:6:11:8 | definition of foo | test.cpp:11:6:11:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo |
 | test.cpp:113:6:113:8 | foo | test.cpp:111:6:111:8 | definition of foo | test.cpp:111:6:111:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo |
-| test.cpp:219:3:219:3 | x | test.cpp:218:7:218:7 | definition of x | test.cpp:218:7:218:7 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:218:7:218:7 | x | x |
-| test.cpp:243:13:243:13 | i | test.cpp:241:6:241:6 | definition of i | test.cpp:241:6:241:6 | definition of i | The variable $@ may not be initialized at this access. | test.cpp:241:6:241:6 | i | i |
-| test.cpp:336:10:336:10 | a | test.cpp:333:7:333:7 | definition of a | test.cpp:333:7:333:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:333:7:333:7 | a | a |
-| test.cpp:369:10:369:10 | a | test.cpp:358:7:358:7 | definition of a | test.cpp:358:7:358:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:358:7:358:7 | a | a |
-| test.cpp:378:9:378:11 | val | test.cpp:359:6:359:8 | definition of val | test.cpp:359:6:359:8 | definition of val | The variable $@ may not be initialized at this access. | test.cpp:359:6:359:8 | val | val |
-| test.cpp:417:10:417:10 | j | test.cpp:414:9:414:9 | definition of j | test.cpp:414:9:414:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:414:9:414:9 | j | j |
-| test.cpp:436:9:436:9 | j | test.cpp:431:9:431:9 | definition of j | test.cpp:431:9:431:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:431:9:431:9 | j | j |
-| test.cpp:454:2:454:2 | x | test.cpp:452:6:452:6 | definition of x | test.cpp:452:6:452:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:452:6:452:6 | x | x |
-| test.cpp:460:7:460:7 | x | test.cpp:458:6:458:6 | definition of x | test.cpp:458:6:458:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:458:6:458:6 | x | x |
-| test.cpp:467:2:467:2 | x | test.cpp:464:6:464:6 | definition of x | test.cpp:464:6:464:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:464:6:464:6 | x | x |
-| test.cpp:474:7:474:7 | x | test.cpp:471:6:471:6 | definition of x | test.cpp:471:6:471:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:471:6:471:6 | x | x |
+| test.cpp:227:3:227:3 | x | test.cpp:226:7:226:7 | definition of x | test.cpp:226:7:226:7 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:226:7:226:7 | x | x |
+| test.cpp:251:13:251:13 | i | test.cpp:249:6:249:6 | definition of i | test.cpp:249:6:249:6 | definition of i | The variable $@ may not be initialized at this access. | test.cpp:249:6:249:6 | i | i |
+| test.cpp:344:10:344:10 | a | test.cpp:341:7:341:7 | definition of a | test.cpp:341:7:341:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:341:7:341:7 | a | a |
+| test.cpp:377:10:377:10 | a | test.cpp:366:7:366:7 | definition of a | test.cpp:366:7:366:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:366:7:366:7 | a | a |
+| test.cpp:386:9:386:11 | val | test.cpp:367:6:367:8 | definition of val | test.cpp:367:6:367:8 | definition of val | The variable $@ may not be initialized at this access. | test.cpp:367:6:367:8 | val | val |
+| test.cpp:425:10:425:10 | j | test.cpp:422:9:422:9 | definition of j | test.cpp:422:9:422:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:422:9:422:9 | j | j |
+| test.cpp:444:9:444:9 | j | test.cpp:439:9:439:9 | definition of j | test.cpp:439:9:439:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:439:9:439:9 | j | j |
+| test.cpp:462:2:462:2 | x | test.cpp:460:6:460:6 | definition of x | test.cpp:460:6:460:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:460:6:460:6 | x | x |
+| test.cpp:468:7:468:7 | x | test.cpp:466:6:466:6 | definition of x | test.cpp:466:6:466:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:466:6:466:6 | x | x |
+| test.cpp:475:2:475:2 | x | test.cpp:472:6:472:6 | definition of x | test.cpp:472:6:472:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:472:6:472:6 | x | x |
+| test.cpp:482:7:482:7 | x | test.cpp:479:6:479:6 | definition of x | test.cpp:479:6:479:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:479:6:479:6 | x | x |

cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp

@@ -156,11 +156,12 @@ int absCorrect2(int i) {
 	return j; // correct: j always initialized before use
 }
 
+typedef __builtin_va_list va_list;
+#define va_start(v, l)	__builtin_va_start(v,l)
+#define va_end(v)	__builtin_va_end(v)
+#define va_arg(v, l)	__builtin_va_arg(v,l)
+#define va_copy(d, s)	__builtin_va_copy(d,s)
 
-typedef void *va_list;
-#define va_start(ap, parmN)
-#define va_end(ap)
-#define va_arg(ap, type) ((type)0)
 #define NULL 0
 
 // Variadic initialisation
@@ -176,7 +177,7 @@ void init(int val, ...) {
 void test15() {
   int foo;
   init(42, &foo, NULL);
-  use(foo); //GOOD -- initialised by `init`
+  use(foo); // GOOD -- initialised by `init`
 }
 
 // Variadic non-initialisation
@@ -192,6 +193,13 @@ void test16() {
   use(foo); // BAD (NOT REPORTED)
 }
 
+void test_va_copy(va_list va) {
+  va_list va2;
+  va_copy(va2, va); // GOOD -- this is an initialization
+  use(va2);
+  va_end(va2);
+}
+
 bool test17(bool b) {
   int foo;
   int *p = nullptr;

cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.expected

@@ -17,3 +17,4 @@
 | test.cpp:229:15:229:35 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:231:16:231:19 | { ... } | This catch block |
 | test.cpp:242:14:242:34 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:243:34:243:36 | { ... } | This catch block |
 | test.cpp:276:17:276:31 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:277:8:277:12 | ! ... | This check |
+| test.cpp:288:19:288:47 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:291:30:293:5 | { ... } | This catch block |

cpp/ql/test/query-tests/Security/CWE/CWE-570/test.cpp

@@ -282,7 +282,7 @@ namespace qhelp {
   }
 
   // BAD: the allocation won't throw an exception, but
-  // instead return a null pointer. [NOT DETECTED]
+  // instead return a null pointer.
   void bad2(std::size_t length) noexcept {
     try {
       int* dest = new(std::nothrow) int[length];

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.23
+
+No user-facing changes.
+
 ## 1.7.22
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.23.md

@@ -0,0 +1,3 @@
+## 1.7.23
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.22
+lastReleaseVersion: 1.7.23

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.23-dev
+version: 1.7.24-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.23
+
+No user-facing changes.
+
 ## 1.7.22
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.23.md

@@ -0,0 +1,3 @@
+## 1.7.23
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.22
+lastReleaseVersion: 1.7.23

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.23-dev
+version: 1.7.24-dev
 groups:
   - csharp
   - solorigate