Bump actions/download-artifact

Bumps the github_actions group with 1 update in the /.github/workflows directory: [actions/download-artifact](https://github.com/actions/download-artifact).


Updates `actions/download-artifact` from 3 to 4.1.7
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/v3...v4.1.7)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  dependency-group: github_actions
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/pull_request_template.md

@@ -1,13 +0,0 @@
-### Pull Request checklist
-
-#### All query authors
-
-- [ ] A change note is added if necessary. See [the documentation](https://github.com/github/codeql/blob/main/docs/change-notes.md) in this repository.
-- [ ] All new queries have appropriate `.qhelp`. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-help-style-guide.md) in this repository.
-- [ ] QL tests are added if necessary. See [Testing custom queries](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries) in the GitHub documentation.
-- [ ] New and changed queries have correct query metadata. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md) in this repository.
-
-#### Internal query authors only
-
-- [ ] Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to `.ql`, `.qll`, or `.qhelp` files. See [the documentation](https://github.com/github/codeql-team/blob/main/docs/best-practices/validating-autofix-for-query-changes.md) (internal access required).
-- [ ] Changes are validated [at scale](https://github.com/github/codeql-dca/) (internal access required).

.github/workflows/csharp-qltest.yml

@@ -29,6 +29,45 @@ permissions:
   contents: read
 
 jobs:
+  qlupgrade:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/fetch-codeql
+      - name: Check DB upgrade scripts
+        run: |
+          echo >empty.trap
+          codeql dataset import -S ql/lib/upgrades/initial/semmlecode.csharp.dbscheme testdb empty.trap
+          codeql dataset upgrade testdb --additional-packs ql/lib
+          diff -q testdb/semmlecode.csharp.dbscheme ql/lib/semmlecode.csharp.dbscheme
+      - name: Check DB downgrade scripts
+        run: |
+          echo >empty.trap
+          rm -rf testdb; codeql dataset import -S ql/lib/semmlecode.csharp.dbscheme testdb empty.trap
+          codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
+           --dbscheme=ql/lib/semmlecode.csharp.dbscheme --target-dbscheme=downgrades/initial/semmlecode.csharp.dbscheme |
+           xargs codeql execute upgrades testdb
+          diff -q testdb/semmlecode.csharp.dbscheme downgrades/initial/semmlecode.csharp.dbscheme
+  qltest:
+    if: github.repository_owner == 'github'
+    runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        slice: ["1/2", "2/2"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./csharp/actions/create-extractor-pack
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: csharp-qltest-${{ matrix.slice }}
+      - name: Run QL tests
+        run: |
+          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
   unit-tests:
     strategy:
       matrix:

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -76,7 +76,7 @@ jobs:
     needs: measure
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: measurements
           path: stats

.github/workflows/ruby-build.yml

@@ -147,19 +147,19 @@ jobs:
     needs: [build, compile-queries]
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: ruby.dbscheme
           path: ruby/ruby
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: extractor-ubuntu-latest
           path: ruby/linux64
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: extractor-windows-latest
           path: ruby/win64
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: extractor-macos-latest
           path: ruby/osx64
@@ -178,7 +178,7 @@ jobs:
           path: ruby/codeql-ruby.zip
           retention-days: 1
           include-hidden-files: true
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: codeql-ruby-queries
           path: ruby/qlpacks
@@ -214,7 +214,7 @@ jobs:
         uses: ./.github/actions/fetch-codeql
 
       - name: Download Ruby bundle
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4.1.7
         with:
           name: codeql-ruby-bundle
           path: ${{ runner.temp }}

.github/workflows/ruby-dataset-measure.yml

@@ -63,7 +63,7 @@ jobs:
     needs: measure
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4.1.7
         with:
           name: measurements
           path: stats

MODULE.bazel

@@ -16,9 +16,9 @@ local_path_override(
 
 bazel_dep(name = "platforms", version = "0.0.10")
 bazel_dep(name = "rules_go", version = "0.50.0")
-bazel_dep(name = "rules_pkg", version = "1.0.1")
+bazel_dep(name = "rules_pkg", version = "0.10.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
-bazel_dep(name = "rules_python", version = "0.35.0")
+bazel_dep(name = "rules_python", version = "0.32.2")
 bazel_dep(name = "bazel_skylib", version = "1.6.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
@@ -27,7 +27,7 @@ bazel_dep(name = "rules_kotlin", version = "1.9.4-codeql.1")
 bazel_dep(name = "gazelle", version = "0.38.0")
 bazel_dep(name = "rules_dotnet", version = "0.15.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.49.3")
+bazel_dep(name = "rules_rust", version = "0.49.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 

cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/coroutine.ql

@@ -1,18 +0,0 @@
-class Function extends @function {
-  string toString() { none() }
-}
-
-class Type extends @type {
-  string toString() { none() }
-}
-
-class Variable extends @variable {
-  string toString() { none() }
-}
-
-from Function func, Type traits, Variable handle, Variable promise
-where
-  coroutine(func, traits) and
-  coroutine_placeholder_variable(handle, 1, func) and
-  coroutine_placeholder_variable(promise, 2, func)
-select func, traits, handle, promise

cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/upgrade.properties

@@ -1,4 +0,0 @@
-description: Improve handling of coroutine placeholder variables
-compatibility: full
-coroutine.rel: run coroutine.qlo
-coroutine_placeholder_variable.rel: delete

cpp/ql/lib/change-notes/2024-09-03-outdated-deprecations.md

@@ -1,11 +0,0 @@
----
-category: breaking
----
-* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`. 
-* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`. 
-* Deleted the deprecated `hasQualifiedName` and `isDefined` predicates from the `Declaration` class, use `hasGlobalName` and `hasDefinition` respectively instead.
-* Deleted the `getFullSignature` predicate from the `Function` class, use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
-* Deleted the deprecated `freeCall` predicate from `Alloc.qll`. Use `DeallocationExpr` instead.
-* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
-* Deleted the deprecated `getFieldExpr` predicate from `ClassAggregateLiteral`, use `getAFieldExpr` instead.
-* Deleted the deprecated `getElementExpr` predicate from `ArrayOrVectorAggregateLiteral`, use `getAnElementExpr` instead.

cpp/ql/lib/change-notes/2024-09-03-realloc-data-flow.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added a data flow model for `realloc`-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through `realloc`-like functions might affect the results.

cpp/ql/lib/change-notes/2024-09-04-swap-data-flow.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll

@@ -36,6 +36,16 @@ module PrivateCleartextWrite {
     }
   }
 
+  deprecated class WriteConfig extends TaintTracking::Configuration {
+    WriteConfig() { this = "Write configuration" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+  }
+
   private module WriteConfig implements DataFlow::ConfigSig {
     predicate isSource(DataFlow::Node source) { source instanceof Source }
 

cpp/ql/lib/semmle/code/cpp/Declaration.qll

@@ -60,6 +60,18 @@ class Declaration extends Locatable, @declaration {
    */
   string getQualifiedName() { result = underlyingElement(this).(Q::Declaration).getQualifiedName() }
 
+  /**
+   * DEPRECATED: Prefer `hasGlobalName` or the 2-argument or 3-argument
+   * `hasQualifiedName` predicates. To get the exact same results as this
+   * predicate in all edge cases, use `getQualifiedName()`.
+   *
+   * Holds if this declaration has the fully-qualified name `qualifiedName`.
+   * See `getQualifiedName`.
+   */
+  deprecated predicate hasQualifiedName(string qualifiedName) {
+    this.getQualifiedName() = qualifiedName
+  }
+
   /**
    * Holds if this declaration has a fully-qualified name with a name-space
    * component of `namespaceQualifier`, a declaring type of `typeQualifier`,
@@ -173,6 +185,9 @@ class Declaration extends Locatable, @declaration {
   /** Holds if the declaration has a definition. */
   predicate hasDefinition() { exists(this.getDefinition()) }
 
+  /** DEPRECATED: Use `hasDefinition` instead. */
+  deprecated predicate isDefined() { this.hasDefinition() }
+
   /** Gets the preferred location of this declaration, if any. */
   override Location getLocation() { none() }
 

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -30,6 +30,46 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
 
   override string getName() { functions(underlyingElement(this), result, _) }
 
+  /**
+   * DEPRECATED: Use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
+   * Gets the full signature of this function, including return type, parameter
+   * types, and template arguments.
+   *
+   * For example, in the following code:
+   * ```
+   * template<typename T> T min(T x, T y);
+   * int z = min(5, 7);
+   * ```
+   * The full signature of the function called on the last line would be
+   * `min<int>(int, int) -> int`, and the full signature of the uninstantiated
+   * template on the first line would be `min<T>(T, T) -> T`.
+   */
+  deprecated string getFullSignature() {
+    exists(string name, string templateArgs, string args |
+      result = name + templateArgs + args + " -> " + this.getType().toString() and
+      name = this.getQualifiedName() and
+      (
+        if exists(this.getATemplateArgument())
+        then
+          templateArgs =
+            "<" +
+              concat(int i |
+                exists(this.getTemplateArgument(i))
+              |
+                this.getTemplateArgument(i).toString(), ", " order by i
+              ) + ">"
+        else templateArgs = ""
+      ) and
+      args =
+        "(" +
+          concat(int i |
+            exists(this.getParameter(i))
+          |
+            this.getParameter(i).getType().toString(), ", " order by i
+          ) + ")"
+    )
+  }
+
   /** Gets a specifier of this function. */
   override Specifier getASpecifier() {
     funspecifiers(underlyingElement(this), unresolveElement(result)) or

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -286,6 +286,9 @@ abstract class BaseAstNode extends PrintAstNode {
    * Gets the AST represented by this node.
    */
   final Locatable getAst() { result = ast }
+
+  /** DEPRECATED: Alias for getAst */
+  deprecated Locatable getAST() { result = this.getAst() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -409,18 +409,11 @@ class LocalVariable extends LocalScopeVariable, @localvariable {
     exists(ConditionDeclExpr e | e.getVariable() = this and e.getEnclosingFunction() = result)
     or
     orphaned_variables(underlyingElement(this), unresolveElement(result))
-    or
-    coroutine_placeholder_variable(underlyingElement(this), _, unresolveElement(result))
   }
 
   override predicate isStatic() {
     super.isStatic() or orphaned_variables(underlyingElement(this), _)
   }
-
-  override predicate isCompilerGenerated() {
-    super.isCompilerGenerated() or
-    coroutine_placeholder_variable(underlyingElement(this), _, _)
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/commons/Alloc.qll

@@ -7,6 +7,15 @@ import semmle.code.cpp.models.interfaces.Deallocation
  */
 predicate freeFunction(Function f, int argNum) { argNum = f.(DeallocationFunction).getFreedArg() }
 
+/**
+ * A call to a library routine that frees memory.
+ *
+ * DEPRECATED: Use `DeallocationExpr` instead (this also includes `delete` expressions).
+ */
+deprecated predicate freeCall(FunctionCall fc, Expr arg) {
+  arg = fc.(DeallocationExpr).getFreedExpr()
+}
+
 /**
  * Is e some kind of allocation or deallocation (`new`, `alloc`, `realloc`, `delete`, `free` etc)?
  */

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll

@@ -195,6 +195,17 @@ class ClassAggregateLiteral extends AggregateLiteral {
    */
   Expr getAFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
 
+  /**
+   * DEPRECATED: Use `getAFieldExpr` instead.
+   *
+   * Gets the expression within the aggregate literal that is used to initialize
+   * field `field`, if present.
+   *
+   * This predicate may have multiple results since a field can be initialized
+   * multiple times in the same initializer.
+   */
+  deprecated Expr getFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
+
   /**
    * Gets the expression within the aggregate literal that is used to initialize
    * field `field`, if present. The expression is the `position`'th entry in the
@@ -289,6 +300,17 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
    */
   Expr getAnElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
 
+  /**
+   * DEPRECATED: Use `getAnElementExpr` instead.
+   *
+   * Gets the expression within the aggregate literal that is used to initialize
+   * element `elementIndex`, if present.
+   *
+   * This predicate may have multiple results since an element can be initialized
+   * multiple times in the same initializer.
+   */
+  deprecated Expr getElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
+
   /**
    * Gets the expression within the aggregate literal that is used to initialize
    * element `elementIndex`, if present. The expression is the `position`'th entry

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -50,6 +50,9 @@ abstract private class AbstractIRVariable extends TIRVariable {
    */
   abstract Language::AST getAst();
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated Language::AST getAST() { result = this.getAst() }
+
   /**
    * Gets an identifier string for the variable. This identifier is unique
    * within the function.
@@ -93,6 +96,9 @@ class IRUserVariable extends AbstractIRVariable, TIRUserVariable {
 
   final override Language::AST getAst() { result = var }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   final override string getUniqueId() {
     result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
   }
@@ -157,6 +163,9 @@ abstract private class AbstractIRGeneratedVariable extends AbstractIRVariable {
 
   final override Language::AST getAst() { result = ast }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   override string toString() { result = this.getBaseString() + this.getLocationString() }
 
   override string getUniqueId() { none() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -285,6 +285,9 @@ abstract private class MemoryLocation0 extends TMemoryLocation {
   predicate isAlwaysAllocatedOnStack() { none() }
 
   final predicate canReuseSsa() { none() }
+
+  /** DEPRECATED: Alias for canReuseSsa */
+  deprecated predicate canReuseSSA() { this.canReuseSsa() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll

@@ -50,6 +50,9 @@ abstract private class AbstractIRVariable extends TIRVariable {
    */
   abstract Language::AST getAst();
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated Language::AST getAST() { result = this.getAst() }
+
   /**
    * Gets an identifier string for the variable. This identifier is unique
    * within the function.
@@ -93,6 +96,9 @@ class IRUserVariable extends AbstractIRVariable, TIRUserVariable {
 
   final override Language::AST getAst() { result = var }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   final override string getUniqueId() {
     result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
   }
@@ -157,6 +163,9 @@ abstract private class AbstractIRGeneratedVariable extends AbstractIRVariable {
 
   final override Language::AST getAst() { result = ast }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   override string toString() { result = this.getBaseString() + this.getLocationString() }
 
   override string getUniqueId() { none() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -216,6 +216,9 @@ abstract class TranslatedSideEffects extends TranslatedElement {
 
   final override Locatable getAst() { result = this.getExpr() }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Declaration getFunction() { result = getEnclosingDeclaration(this.getExpr()) }
 
   final override TranslatedElement getChild(int i) {
@@ -613,6 +616,9 @@ class TranslatedArgumentExprSideEffect extends TranslatedArgumentSideEffect,
 
   final override Locatable getAst() { result = arg }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Type getIndirectionType() {
     result = arg.getUnspecifiedType().(DerivedType).getBaseType()
     or
@@ -645,6 +651,9 @@ class TranslatedStructorQualifierSideEffect extends TranslatedArgumentSideEffect
 
   final override Locatable getAst() { result = call }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Type getIndirectionType() { result = call.getTarget().getDeclaringType() }
 
   final override string getArgString() { result = "this" }
@@ -666,6 +675,9 @@ class TranslatedCallSideEffect extends TranslatedSideEffect, TTranslatedCallSide
 
   override Locatable getAst() { result = expr }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override Expr getPrimaryExpr() { result = expr }
 
   override predicate sortOrder(int group, int indexInGroup) {
@@ -704,6 +716,9 @@ class TranslatedAllocationSideEffect extends TranslatedSideEffect, TTranslatedAl
 
   override Locatable getAst() { result = expr }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override Expr getPrimaryExpr() { result = expr }
 
   override predicate sortOrder(int group, int indexInGroup) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll

@@ -29,6 +29,9 @@ abstract class TranslatedCondition extends TranslatedElement {
 
   final override Locatable getAst() { result = expr }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final ConditionContext getConditionContext() { result = this.getParent() }
 
   final Expr getExpr() { result = expr }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll

@@ -45,6 +45,9 @@ abstract class TranslatedDeclarationEntry extends TranslatedElement, TTranslated
   final override string toString() { result = entry.toString() }
 
   final override Locatable getAst() { result = entry.getAst() }
+
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
 }
 
 /**
@@ -245,6 +248,9 @@ class TranslatedStaticLocalVariableInitialization extends TranslatedElement,
 
   final override Locatable getAst() { result = entry.getAst() }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override LocalVariable getVariable() { result = var }
 
   final override Declaration getFunction() { result = var.getFunction() }
@@ -271,6 +277,9 @@ class TranslatedConditionDecl extends TranslatedLocalVariableDeclaration, TTrans
 
   override Locatable getAst() { result = conditionDeclExpr }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override Declaration getFunction() { result = getEnclosingFunction(conditionDeclExpr) }
 
   override LocalVariable getVariable() { result = conditionDeclExpr.getVariable() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -926,6 +926,9 @@ abstract class TranslatedElement extends TTranslatedElement {
    */
   abstract Locatable getAst();
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated Locatable getAST() { result = this.getAst() }
+
   /** Gets the location of this element. */
   Location getLocation() { result = this.getAst().getLocation() }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -67,6 +67,9 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
 
   final override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   /**
    * Gets the function being translated.
    */
@@ -480,6 +483,9 @@ class TranslatedThisParameter extends TranslatedParameter, TTranslatedThisParame
 
   final override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Function getFunction() { result = func }
 
   final override predicate hasIndirection() { any() }
@@ -512,6 +518,9 @@ class TranslatedPositionalParameter extends TranslatedParameter, TTranslatedPara
 
   final override Locatable getAst() { result = param }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Function getFunction() {
     result = param.getFunction() or
     result = param.getCatchBlock().getEnclosingFunction()
@@ -549,6 +558,9 @@ class TranslatedEllipsisParameter extends TranslatedParameter, TTranslatedEllips
 
   final override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Function getFunction() { result = func }
 
   final override predicate hasIndirection() { any() }
@@ -585,6 +597,9 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon
 
   override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override TranslatedElement getChild(int id) {
     exists(ConstructorFieldInit fieldInit |
       fieldInit = func.(Constructor).getInitializer(id) and
@@ -662,6 +677,9 @@ class TranslatedDestructorDestructionList extends TranslatedElement,
 
   override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override TranslatedElement getChild(int id) {
     exists(DestructorFieldDestruction fieldDestruction |
       fieldDestruction = func.(Destructor).getDestruction(id) and
@@ -715,6 +733,9 @@ class TranslatedReadEffects extends TranslatedElement, TTranslatedReadEffects {
 
   override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override Function getFunction() { result = func }
 
   override string toString() { result = "read effects: " + func.toString() }
@@ -818,6 +839,9 @@ class TranslatedThisReadEffect extends TranslatedReadEffect, TTranslatedThisRead
 
   override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override Function getFunction() { result = func }
 
   override string toString() { result = "read effect: this" }
@@ -841,6 +865,9 @@ class TranslatedParameterReadEffect extends TranslatedReadEffect, TTranslatedPar
 
   override Locatable getAst() { result = param }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override string toString() { result = "read effect: " + param.toString() }
 
   override Function getFunction() { result = param.getFunction() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll

@@ -153,6 +153,9 @@ abstract class TranslatedInitialization extends TranslatedElement, TTranslatedIn
 
   final override Locatable getAst() { result = expr }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   /**
    * Gets the expression that is doing the initialization.
    */
@@ -525,6 +528,9 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {
 
   final override Locatable getAst() { result = ast }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Declaration getFunction() {
     result = getEnclosingFunction(ast) or
     result = getEnclosingVariable(ast).(GlobalOrNamespaceVariable) or
@@ -695,6 +701,9 @@ abstract class TranslatedElementInitialization extends TranslatedElement {
 
   final override Locatable getAst() { result = initList }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Declaration getFunction() {
     result = getEnclosingFunction(initList)
     or
@@ -903,6 +912,9 @@ abstract class TranslatedStructorCallFromStructor extends TranslatedElement, Str
 
   final override Locatable getAst() { result = call }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override TranslatedElement getChild(int id) {
     id = 0 and
     result = this.getStructorCall()
@@ -1046,6 +1058,9 @@ class TranslatedConstructorBareInit extends TranslatedElement, TTranslatedConstr
 
   override Locatable getAst() { result = init }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override string toString() { result = "construct base (no constructor)" }
 
   override Instruction getFirstInstruction(EdgeKind kind) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -268,6 +268,9 @@ abstract class TranslatedStmt extends TranslatedElement, TTranslatedStmt {
 
   final override Locatable getAst() { result = stmt }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Function getFunction() { result = stmt.getEnclosingFunction() }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll

@@ -50,6 +50,9 @@ abstract private class AbstractIRVariable extends TIRVariable {
    */
   abstract Language::AST getAst();
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated Language::AST getAST() { result = this.getAst() }
+
   /**
    * Gets an identifier string for the variable. This identifier is unique
    * within the function.
@@ -93,6 +96,9 @@ class IRUserVariable extends AbstractIRVariable, TIRUserVariable {
 
   final override Language::AST getAst() { result = var }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   final override string getUniqueId() {
     result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
   }
@@ -157,6 +163,9 @@ abstract private class AbstractIRGeneratedVariable extends AbstractIRVariable {
 
   final override Language::AST getAst() { result = ast }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   override string toString() { result = this.getBaseString() + this.getLocationString() }
 
   override string getUniqueId() { none() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll

@@ -71,6 +71,9 @@ class MemoryLocation extends TMemoryLocation {
   final string getUniqueId() { result = var.getUniqueId() }
 
   final predicate canReuseSsa() { canReuseSsaForVariable(var) }
+
+  /** DEPRECATED: Alias for canReuseSsa */
+  deprecated predicate canReuseSSA() { this.canReuseSsa() }
 }
 
 predicate canReuseSsaForOldResult(Instruction instr) { none() }

cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll

@@ -5,13 +5,13 @@
  */
 
 import semmle.code.cpp.models.interfaces.Allocation
-import semmle.code.cpp.models.interfaces.DataFlow
+import semmle.code.cpp.models.interfaces.Taint
 
 /**
  * An allocation function (such as `realloc`) that has an argument for the size
  * in bytes, and an argument for an existing pointer that is to be reallocated.
  */
-private class ReallocAllocationFunction extends AllocationFunction, DataFlowFunction {
+private class ReallocAllocationFunction extends AllocationFunction, TaintFunction {
   int sizeArg;
   int reallocArg;
 
@@ -44,7 +44,7 @@ private class ReallocAllocationFunction extends AllocationFunction, DataFlowFunc
 
   override int getReallocPtrArg() { result = reallocArg }
 
-  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(this.getReallocPtrArg()) and output.isReturnValueDeref()
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Swap.qll

@@ -26,7 +26,7 @@ private class Swap extends DataFlowFunction {
  * obj1.swap(obj2)
  * ```
  */
-private class MemberSwap extends DataFlowFunction, MemberFunction, AliasFunction {
+private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
   MemberSwap() {
     this.hasName("swap") and
     this.getNumberOfParameters() = 1 and
@@ -34,7 +34,7 @@ private class MemberSwap extends DataFlowFunction, MemberFunction, AliasFunction
       this.getDeclaringType()
   }
 
-  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
     output.isParameterDeref(0)
     or

cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll

@@ -353,6 +353,22 @@ module BoostorgAsio {
   }
 
   //////////////////////// Dataflow /////////////////////
+  /**
+   * Abstract class for flows of protocol values to the first argument of a context
+   * constructor.
+   */
+  abstract deprecated class SslContextCallAbstractConfig extends DataFlow::Configuration {
+    bindingset[this]
+    SslContextCallAbstractConfig() { any() }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(ConstructorCall cc, SslContextClass c, Expr e | e = sink.asExpr() |
+        c.getAContructorCall() = cc and
+        cc.getArgument(0) = e
+      )
+    }
+  }
+
   /**
    * Signature for flows of protocol values to the first argument of a context
    * constructor.
@@ -386,6 +402,20 @@ module BoostorgAsio {
     import DataFlow::Global<C>
   }
 
+  /**
+   * Any protocol value that flows to the first argument of a context constructor.
+   */
+  deprecated class SslContextCallConfig extends SslContextCallAbstractConfig {
+    SslContextCallConfig() { this = "SslContextCallConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(Expr e | e = source.asExpr() |
+        e.fromSource() and
+        not e.getLocation().getFile().toString().matches("%/boost/asio/%")
+      )
+    }
+  }
+
   /**
    * Any protocol value that flows to the first argument of a context constructor.
    */
@@ -400,6 +430,21 @@ module BoostorgAsio {
 
   module SslContextCallFlow = SslContextCallGlobal<SslContextCallConfig>;
 
+  /**
+   * A banned protocol value that flows to the first argument of a context constructor.
+   */
+  deprecated class SslContextCallBannedProtocolConfig extends SslContextCallAbstractConfig {
+    SslContextCallBannedProtocolConfig() { this = "SslContextCallBannedProtocolConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(Expr e | e = source.asExpr() |
+        e.fromSource() and
+        not e.getLocation().getFile().toString().matches("%/boost/asio/%") and
+        isExprBannedBoostProtocol(e)
+      )
+    }
+  }
+
   /**
    * A banned protocol value that flows to the first argument of a context constructor.
    */
@@ -416,6 +461,21 @@ module BoostorgAsio {
   module SslContextCallBannedProtocolFlow =
     SslContextCallGlobal<SslContextCallBannedProtocolConfig>;
 
+  /**
+   * A TLS 1.2 protocol value that flows to the first argument of a context constructor.
+   */
+  deprecated class SslContextCallTls12ProtocolConfig extends SslContextCallAbstractConfig {
+    SslContextCallTls12ProtocolConfig() { this = "SslContextCallTls12ProtocolConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(Expr e | e = source.asExpr() |
+        e.fromSource() and
+        not e.getLocation().getFile().toString().matches("%/boost/asio/%") and
+        isExprTls12BoostProtocol(e)
+      )
+    }
+  }
+
   /**
    * A TLS 1.2 protocol value that flows to the first argument of a context constructor.
    */
@@ -431,6 +491,21 @@ module BoostorgAsio {
 
   module SslContextCallTls12ProtocolFlow = SslContextCallGlobal<SslContextCallTls12ProtocolConfig>;
 
+  /**
+   * A TLS 1.3 protocol value that flows to the first argument of a context constructor.
+   */
+  deprecated class SslContextCallTls13ProtocolConfig extends SslContextCallAbstractConfig {
+    SslContextCallTls13ProtocolConfig() { this = "SslContextCallTls12ProtocolConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(Expr e | e = source.asExpr() |
+        e.fromSource() and
+        not e.getLocation().getFile().toString().matches("%/boost/asio/%") and
+        isExprTls13BoostProtocol(e)
+      )
+    }
+  }
+
   /**
    * A TLS 1.3 protocol value that flows to the first argument of a context constructor.
    */
@@ -446,6 +521,21 @@ module BoostorgAsio {
 
   module SslContextCallTls13ProtocolFlow = SslContextCallGlobal<SslContextCallTls13ProtocolConfig>;
 
+  /**
+   * A generic TLS protocol value that flows to the first argument of a context constructor.
+   */
+  deprecated class SslContextCallTlsProtocolConfig extends SslContextCallAbstractConfig {
+    SslContextCallTlsProtocolConfig() { this = "SslContextCallTlsProtocolConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(Expr e | e = source.asExpr() |
+        e.fromSource() and
+        not e.getLocation().getFile().toString().matches("%/boost/asio/%") and
+        isExprTlsBoostProtocol(e)
+      )
+    }
+  }
+
   /**
    * A generic TLS protocol value that flows to the first argument of a context constructor.
    */
@@ -461,6 +551,30 @@ module BoostorgAsio {
 
   module SslContextCallTlsProtocolFlow = SslContextCallGlobal<SslContextCallTlsProtocolConfig>;
 
+  /**
+   * A context constructor call that flows to a call to `SetOptions()`.
+   */
+  deprecated class SslContextFlowsToSetOptionConfig extends DataFlow::Configuration {
+    SslContextFlowsToSetOptionConfig() { this = "SslContextFlowsToSetOptionConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(SslContextClass c, ConstructorCall cc |
+        cc = source.asExpr() and
+        c.getAContructorCall() = cc
+      )
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(FunctionCall fc, SslSetOptionsFunction f, Variable v, VariableAccess va |
+        va = sink.asExpr()
+      |
+        f.getACallToThisFunction() = fc and
+        v.getAnAccess() = va and
+        va = fc.getQualifier()
+      )
+    }
+  }
+
   /**
    * A context constructor call that flows to a call to `SetOptions()`.
    */
@@ -485,6 +599,28 @@ module BoostorgAsio {
 
   module SslContextFlowsToSetOptionFlow = DataFlow::Global<SslContextFlowsToSetOptionConfig>;
 
+  /**
+   * An option value that flows to the first parameter of a call to `SetOptions()`.
+   */
+  deprecated class SslOptionConfig extends DataFlow::Configuration {
+    SslOptionConfig() { this = "SslOptionConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(Expr e | e = source.asExpr() |
+        e.fromSource() and
+        not e.getLocation().getFile().toString().matches("%/boost/asio/%")
+      )
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(SslSetOptionsFunction f, FunctionCall call |
+        sink.asExpr() = call.getArgument(0) and
+        f.getACallToThisFunction() = call and
+        not sink.getLocation().getFile().toString().matches("%/boost/asio/%")
+      )
+    }
+  }
+
   /**
    * An option value that flows to the first parameter of a call to `SetOptions()`.
    */

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -384,23 +384,11 @@ function_return_type(
  */
 coroutine(
   unique int function: @function ref,
-  int traits: @type ref
+  int traits: @type ref,
+  int handle: @variable ref,
+  int promise: @variable ref
 );
 
-/*
-case @coroutine_placeholder_variable.kind of
-  1 = @handle
-| 2 = @promise
-| 3 = @init_await_resume
-;
-*/
-
-coroutine_placeholder_variable(
-  unique int placeholder_variable: @variable ref,
-  int kind: int ref,
-  int function: @function ref
-)
-
 /** The `new` function used for allocating the coroutine state, if any. */
 coroutine_new(
   unique int function: @function ref,
@@ -841,6 +829,22 @@ variable_template_argument_value(
     int arg_value: @expr ref
 );
 
+/*
+  Fixed point types
+  precision(1) = short, precision(2) = default, precision(3) = long
+  is_unsigned(1) = unsigned is_unsigned(2) = signed
+  is_fract_type(1) = declared with _Fract
+  saturating(1) = declared with _Sat
+*/
+/* TODO
+fixedpointtypes(
+    unique int id: @fixedpointtype,
+    int precision: int ref,
+    int is_unsigned: int ref,
+    int is_fract_type: int ref,
+    int saturating: int ref);
+*/
+
 routinetypes(
     unique int id: @routinetype,
     int return_type: @type ref

cpp/ql/lib/upgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/upgrade.properties

@@ -1,4 +0,0 @@
-description: Improve handling of coroutine placeholder variables
-compatibility: partial
-coroutine.rel: run upgrades.qlo new_coroutine
-coroutine_placeholder_variable.rel: run upgrades.qlo new_coroutine_placeholder_variable

cpp/ql/lib/upgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/upgrades.ql

@@ -1,19 +0,0 @@
-class Function extends @function {
-  string toString() { none() }
-}
-
-class Type extends @type {
-  string toString() { none() }
-}
-
-class Variable extends @variable {
-  string toString() { none() }
-}
-
-query predicate new_coroutine(Function func, Type traits) { coroutine(func, traits, _, _) }
-
-query predicate new_coroutine_placeholder_variable(Variable var, int kind, Function func) {
-  coroutine(func, _, var, _) and kind = 1
-  or
-  coroutine(func, _, _, var) and kind = 2
-}

cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll

@@ -205,6 +205,20 @@ class ChecksForLeapYearFunctionCall extends FunctionCall {
   ChecksForLeapYearFunctionCall() { this.getTarget() instanceof ChecksForLeapYearFunction }
 }
 
+/**
+ * Data flow configuration for finding a variable access that would flow into
+ * a function call that includes an operation to check for leap year.
+ */
+deprecated class LeapYearCheckConfiguration extends DataFlow::Configuration {
+  LeapYearCheckConfiguration() { this = "LeapYearCheckConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof VariableAccess }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(ChecksForLeapYearFunctionCall fc | sink.asExpr() = fc.getAnArgument())
+  }
+}
+
 /**
  * Data flow configuration for finding a variable access that would flow into
  * a function call that includes an operation to check for leap year.
@@ -219,6 +233,33 @@ private module LeapYearCheckConfig implements DataFlow::ConfigSig {
 
 module LeapYearCheckFlow = DataFlow::Global<LeapYearCheckConfig>;
 
+/**
+ * Data flow configuration for finding an operation with hardcoded 365 that will flow into
+ * a `FILEINFO` field.
+ */
+deprecated class FiletimeYearArithmeticOperationCheckConfiguration extends DataFlow::Configuration {
+  FiletimeYearArithmeticOperationCheckConfiguration() {
+    this = "FiletimeYearArithmeticOperationCheckConfiguration"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(Expr e, Operation op | e = source.asExpr() |
+      op.getAChild*().getValue().toInt() = 365 and
+      op.getAChild*() = e
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(StructLikeClass dds, FieldAccess fa, AssignExpr aexpr, Expr e | e = sink.asExpr() |
+      dds instanceof PackedTimeType and
+      fa.getQualifier().getUnderlyingType() = dds and
+      fa.isModified() and
+      aexpr.getAChild() = fa and
+      aexpr.getChild(1).getAChild*() = e
+    )
+  }
+}
+
 /**
  * Data flow configuration for finding an operation with hardcoded 365 that will flow into
  * a `FILEINFO` field.
@@ -245,6 +286,51 @@ private module FiletimeYearArithmeticOperationCheckConfig implements DataFlow::C
 module FiletimeYearArithmeticOperationCheckFlow =
   DataFlow::Global<FiletimeYearArithmeticOperationCheckConfig>;
 
+/**
+ * Taint configuration for finding an operation with hardcoded 365 that will flow into any known date/time field.
+ */
+deprecated class PossibleYearArithmeticOperationCheckConfiguration extends TaintTracking::Configuration
+{
+  PossibleYearArithmeticOperationCheckConfiguration() {
+    this = "PossibleYearArithmeticOperationCheckConfiguration"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(Operation op | op = source.asExpr() |
+      op.getAChild*().getValue().toInt() = 365 and
+      (
+        not op.getParent() instanceof Expr or
+        op.getParent() instanceof Assignment
+      )
+    )
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // flow from anything on the RHS of an assignment to a time/date structure to that
+    // assignment.
+    exists(StructLikeClass dds, FieldAccess fa, Assignment aexpr, Expr e |
+      e = node1.asExpr() and
+      fa = node2.asExpr()
+    |
+      (dds instanceof PackedTimeType or dds instanceof UnpackedTimeType) and
+      fa.getQualifier().getUnderlyingType() = dds and
+      aexpr.getLValue() = fa and
+      aexpr.getRValue().getAChild*() = e
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(StructLikeClass dds, FieldAccess fa, AssignExpr aexpr |
+      aexpr.getRValue() = sink.asExpr()
+    |
+      (dds instanceof PackedTimeType or dds instanceof UnpackedTimeType) and
+      fa.getQualifier().getUnderlyingType() = dds and
+      fa.isModified() and
+      aexpr.getLValue() = fa
+    )
+  }
+}
+
 /**
  * Taint configuration for finding an operation with hardcoded 365 that will flow into any known date/time field.
  */

cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll

@@ -129,6 +129,24 @@ class NetworkFunctionCall extends FunctionCall {
   NetworkFunctionCall() { this.getTarget().hasName(["ntohd", "ntohf", "ntohl", "ntohll", "ntohs"]) }
 }
 
+deprecated class NetworkToBufferSizeConfiguration extends DataFlow::Configuration {
+  NetworkToBufferSizeConfiguration() { this = "NetworkToBufferSizeConfiguration" }
+
+  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof NetworkFunctionCall }
+
+  override predicate isSink(DataFlow::Node node) {
+    node.asExpr() = any(BufferAccess ba).getAccessedLength()
+  }
+
+  override predicate isBarrier(DataFlow::Node node) {
+    exists(GuardCondition gc, GVN gvn |
+      gc.getAChild*() = gvn.getAnExpr() and
+      globalValueNumber(node.asExpr()) = gvn and
+      gc.controls(node.asExpr().getBasicBlock(), _)
+    )
+  }
+}
+
 private module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) { node.asExpr() instanceof NetworkFunctionCall }
 

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll

@@ -41,6 +41,20 @@ class ExternalApiDataNode extends DataFlow::Node {
   string getFunctionDescription() { result = this.getExternalFunction().toString() }
 }
 
+/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
+deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
+  UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(RemoteFlowSourceFunction remoteFlow |
+      remoteFlow = source.asExpr().(Call).getTarget() and
+      remoteFlow.hasRemoteFlowSource(_, _)
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+}
+
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
 private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {

cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll

@@ -41,6 +41,15 @@ class ExternalApiDataNode extends DataFlow::Node {
   string getFunctionDescription() { result = this.getExternalFunction().toString() }
 }
 
+/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
+deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
+  UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfigIR" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+}
+
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
 private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

cpp/ql/src/experimental/Security/CWE/CWE-409/Brotli.qll

@@ -1,26 +0,0 @@
-/**
- * https://github.com/google/brotli
- */
-
-import cpp
-import DecompressionBomb
-
-/**
- * The `BrotliDecoderDecompress` function is used in flow sink.
- * See https://www.brotli.org/decode.html.
- */
-class BrotliDecoderDecompressFunction extends DecompressionFunction {
-  BrotliDecoderDecompressFunction() { this.hasGlobalName("BrotliDecoderDecompress") }
-
-  override int getArchiveParameterIndex() { result = 1 }
-}
-
-/**
- * The `BrotliDecoderDecompressStream` function is used in flow sink.
- * See https://www.brotli.org/decode.html.
- */
-class BrotliDecoderDecompressStreamFunction extends DecompressionFunction {
-  BrotliDecoderDecompressStreamFunction() { this.hasGlobalName("BrotliDecoderDecompressStream") }
-
-  override int getArchiveParameterIndex() { result = 2 }
-}

cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBomb.qll

@@ -1,26 +0,0 @@
-import cpp
-import semmle.code.cpp.ir.dataflow.TaintTracking
-import MiniZip
-import ZlibGzopen
-import ZlibInflator
-import ZlibUncompress
-import LibArchive
-import ZSTD
-import Brotli
-
-/**
- * The Decompression Sink instances, extend this class to define new decompression sinks.
- */
-abstract class DecompressionFunction extends Function {
-  abstract int getArchiveParameterIndex();
-}
-
-/**
- * The Decompression Flow Steps, extend this class to define new decompression sinks.
- */
-abstract class DecompressionFlowStep extends string {
-  bindingset[this]
-  DecompressionFlowStep() { any() }
-
-  abstract predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2);
-}

cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.qhelp

@@ -1,39 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>Extracting Compressed files with any compression algorithm like gzip can cause denial of service attacks.</p>
-<p>Attackers can compress a huge file consisting of repeated similiar bytes into a small compressed file.</p>
-</overview>
-<recommendation>
-
-<p>When you want to decompress a user-provided compressed file you must be careful about the decompression ratio or read these files within a loop byte by byte to be able to manage the decompressed size in each cycle of the loop.</p>
-
-</recommendation>
-<example>
-
-<p>
-Reading an uncompressed Gzip file within a loop and check for a threshold size in each cycle.
-</p>
-<sample src="example_good.cpp"/>
-
-<p>
-The following example is unsafe, as we do not check the uncompressed size.
-</p>
-<sample src="example_bad.cpp" />
-
-</example>
-
-<references>
-
-<li>
-<a href="https://zlib.net/manual.html">Zlib documentation</a>
-</li>
-
-<li>
-<a href="https://www.bamsoftware.com/hacks/zipbomb/">An explanation of the attack</a>
-</li>
-
-</references>
-</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql

@@ -1,40 +0,0 @@
-/**
- * @name User-controlled file decompression
- * @description User-controlled data that flows into decompression library APIs without checking the compression rate is dangerous
- * @kind path-problem
- * @problem.severity error
- * @precision low
- * @id cpp/data-decompression-bomb
- * @tags security
- *       experimental
- *       external/cwe/cwe-409
- */
-
-import cpp
-import semmle.code.cpp.security.FlowSources
-import DecompressionBomb
-
-predicate isSink(FunctionCall fc, DataFlow::Node sink) {
-  exists(DecompressionFunction f | fc.getTarget() = f |
-    fc.getArgument(f.getArchiveParameterIndex()) = [sink.asExpr(), sink.asIndirectExpr()]
-  )
-}
-
-module DecompressionTaintConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
-
-  predicate isSink(DataFlow::Node sink) { isSink(_, sink) }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(DecompressionFlowStep s).isAdditionalFlowStep(node1, node2)
-  }
-}
-
-module DecompressionTaint = TaintTracking::Global<DecompressionTaintConfig>;
-
-import DecompressionTaint::PathGraph
-
-from DecompressionTaint::PathNode source, DecompressionTaint::PathNode sink, FunctionCall fc
-where DecompressionTaint::flowPath(source, sink) and isSink(fc, sink.getNode())
-select sink.getNode(), source, sink, "The decompression output of $@ is not limited", fc,
-  fc.getTarget().getName()

cpp/ql/src/experimental/Security/CWE/CWE-409/LibArchive.qll

@@ -1,32 +0,0 @@
-/**
- * https://github.com/libarchive/libarchive/wiki
- */
-
-import cpp
-import DecompressionBomb
-
-/**
- * The `archive_read_data*` functions are used in flow sink.
- * See https://github.com/libarchive/libarchive/wiki/Examples.
- */
-class Archive_read_data_block extends DecompressionFunction {
-  Archive_read_data_block() {
-    this.hasGlobalName(["archive_read_data_block", "archive_read_data", "archive_read_data_into_fd"])
-  }
-
-  override int getArchiveParameterIndex() { result = 0 }
-}
-
-/**
- * The `archive_read_open_filename` function as a flow step.
- */
-class ReadOpenFunctionStep extends DecompressionFlowStep {
-  ReadOpenFunctionStep() { this = "ReadOpenFunction" }
-
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(FunctionCall fc | fc.getTarget().hasGlobalName("archive_read_open_filename") |
-      node1.asIndirectExpr() = fc.getArgument(1) and
-      node2.asIndirectExpr() = fc.getArgument(0)
-    )
-  }
-}

cpp/ql/src/experimental/Security/CWE/CWE-409/MiniZip.qll

@@ -1,56 +0,0 @@
-/**
- * https://github.com/zlib-ng/minizip-ng
- */
-
-import cpp
-import DecompressionBomb
-
-/**
- * The `mz_zip_entry` function is used in flow sink.
- * See https://github.com/zlib-ng/minizip-ng/blob/master/doc/mz_zip.md.
- */
-class Mz_zip_entry extends DecompressionFunction {
-  Mz_zip_entry() { this.hasGlobalName("mz_zip_entry_read") }
-
-  override int getArchiveParameterIndex() { result = 1 }
-}
-
-/**
- * The `mz_zip_reader_entry_*` and `mz_zip_reader_save_all` functions are used in flow sink.
- * See https://github.com/zlib-ng/minizip-ng/blob/master/doc/mz_zip_rw.md.
- */
-class Mz_zip_reader_entry extends DecompressionFunction {
-  Mz_zip_reader_entry() {
-    this.hasGlobalName([
-        "mz_zip_reader_entry_save", "mz_zip_reader_entry_read", "mz_zip_reader_entry_save_process",
-        "mz_zip_reader_entry_save_file", "mz_zip_reader_entry_save_buffer", "mz_zip_reader_save_all"
-      ])
-  }
-
-  override int getArchiveParameterIndex() { result = 0 }
-}
-
-/**
- * The `UnzOpen*` functions are used in flow sink.
- */
-class UnzOpenFunction extends DecompressionFunction {
-  UnzOpenFunction() { this.hasGlobalName(["UnzOpen", "unzOpen64", "unzOpen2", "unzOpen2_64"]) }
-
-  override int getArchiveParameterIndex() { result = 0 }
-}
-
-/**
- * The `mz_zip_reader_open_file` and `mz_zip_reader_open_file_in_memory` functions as a flow step.
- */
-class ReaderOpenFunctionStep extends DecompressionFlowStep {
-  ReaderOpenFunctionStep() { this = "ReaderOpenFunctionStep" }
-
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(FunctionCall fc |
-      fc.getTarget().hasGlobalName(["mz_zip_reader_open_file_in_memory", "mz_zip_reader_open_file"])
-    |
-      node1.asIndirectExpr() = fc.getArgument(1) and
-      node2.asIndirectExpr() = fc.getArgument(0)
-    )
-  }
-}

cpp/ql/src/experimental/Security/CWE/CWE-409/ZSTD.qll

@@ -1,88 +0,0 @@
-/**
- * https://github.com/facebook/zstd/blob/dev/examples/streaming_decompression.c
- */
-
-import cpp
-import DecompressionBomb
-
-/**
- * The `ZSTD_decompress`  function is used in flow sink.
- */
-class ZstdDecompressFunction extends DecompressionFunction {
-  ZstdDecompressFunction() { this.hasGlobalName("ZSTD_decompress") }
-
-  override int getArchiveParameterIndex() { result = 2 }
-}
-
-/**
- * The `ZSTD_decompressDCtx` function is used in flow sink.
- */
-class ZstdDecompressDctxFunction extends DecompressionFunction {
-  ZstdDecompressDctxFunction() { this.hasGlobalName("ZSTD_decompressDCtx") }
-
-  override int getArchiveParameterIndex() { result = 3 }
-}
-
-/**
- * The `ZSTD_decompressStream` function is used in flow sink.
- */
-class ZstdDecompressStreamFunction extends DecompressionFunction {
-  ZstdDecompressStreamFunction() { this.hasGlobalName("ZSTD_decompressStream") }
-
-  override int getArchiveParameterIndex() { result = 2 }
-}
-
-/**
- * The `ZSTD_decompress_usingDDict` function is used in flow sink.
- */
-class ZstdDecompressUsingDdictFunction extends DecompressionFunction {
-  ZstdDecompressUsingDdictFunction() { this.hasGlobalName("ZSTD_decompress_usingDDict") }
-
-  override int getArchiveParameterIndex() { result = 3 }
-}
-
-/**
- * The `fopen_orDie` function as a flow step.
- */
-class FopenOrDieFunctionStep extends DecompressionFlowStep {
-  FopenOrDieFunctionStep() { this = "FopenOrDieFunctionStep" }
-
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(FunctionCall fc | fc.getTarget().hasGlobalName("fopen_orDie") |
-      node1.asIndirectExpr() = fc.getArgument(0) and
-      node2.asExpr() = fc
-    )
-  }
-}
-
-/**
- * The `fread_orDie` function as a flow step.
- */
-class FreadOrDieFunctionStep extends DecompressionFlowStep {
-  FreadOrDieFunctionStep() { this = "FreadOrDieFunctionStep" }
-
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(FunctionCall fc | fc.getTarget().hasGlobalName("fread_orDie") |
-      node1.asExpr() = fc.getArgument(2) and
-      node2.asIndirectExpr() = fc.getArgument(0)
-    )
-  }
-}
-
-/**
- * The `src` member of a `ZSTD_inBuffer` variable is used in a flow steps.
- */
-class SrcMember extends DecompressionFlowStep {
-  SrcMember() { this = "SrcMember" }
-
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(VariableAccess inBufferAccess, Field srcField, ClassAggregateLiteral c |
-      inBufferAccess.getType().hasName("ZSTD_inBuffer") and
-      srcField.hasName("src")
-    |
-      node2.asExpr() = inBufferAccess and
-      inBufferAccess.getTarget().getInitializer().getExpr() = c and
-      node1.asIndirectExpr() = c.getFieldExpr(srcField, _)
-    )
-  }
-}

cpp/ql/src/experimental/Security/CWE/CWE-409/ZlibGzopen.qll

@@ -1,71 +0,0 @@
-/**
- * https://www.zlib.net/
- */
-
-import cpp
-import DecompressionBomb
-
-/**
- * The `gzfread` function is used in flow sink.
- *
- * `gzfread(voidp buf, z_size_t size, z_size_t nitems, gzFile file)`
- */
-class GzFreadFunction extends DecompressionFunction {
-  GzFreadFunction() { this.hasGlobalName("gzfread") }
-
-  override int getArchiveParameterIndex() { result = 3 }
-}
-
-/**
- * The `gzgets` function is used in flow sink.
- *
- * `gzgets(gzFile file, char *buf, int len)`
- */
-class GzGetsFunction extends DecompressionFunction {
-  GzGetsFunction() { this.hasGlobalName("gzgets") }
-
-  override int getArchiveParameterIndex() { result = 0 }
-}
-
-/**
- * The `gzread` function is used in flow sink.
- *
- * `gzread(gzFile file, voidp buf, unsigned len)`
- */
-class GzReadFunction extends DecompressionFunction {
-  GzReadFunction() { this.hasGlobalName("gzread") }
-
-  override int getArchiveParameterIndex() { result = 0 }
-}
-
-/**
- * The `gzdopen` function is used in flow steps.
- *
- * `gzdopen(int fd, const char *mode)`
- */
-class GzdopenFunctionStep extends DecompressionFlowStep {
-  GzdopenFunctionStep() { this = "GzdopenFunctionStep" }
-
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(FunctionCall fc | fc.getTarget().hasGlobalName("gzdopen") |
-      node1.asExpr() = fc.getArgument(0) and
-      node2.asExpr() = fc
-    )
-  }
-}
-
-/**
- * The `gzopen` function is used in flow steps.
- *
- * `gzopen(const char *path, const char *mode)`
- */
-class GzopenFunctionStep extends DecompressionFlowStep {
-  GzopenFunctionStep() { this = "GzopenFunctionStep" }
-
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(FunctionCall fc | fc.getTarget().hasGlobalName("gzopen") |
-      node1.asIndirectExpr() = fc.getArgument(0) and
-      node2.asExpr() = fc
-    )
-  }
-}

cpp/ql/src/experimental/Security/CWE/CWE-409/ZlibInflator.qll

@@ -1,37 +0,0 @@
-/**
- * https://www.zlib.net/
- */
-
-import cpp
-import DecompressionBomb
-
-/**
- * The `inflate` and `inflateSync` functions are used in flow sink.
- *
- * `inflate(z_stream strm, int flush)`
- *
- * `inflateSync(z_stream strm)`
- */
-class InflateFunction extends DecompressionFunction {
-  InflateFunction() { this.hasGlobalName(["inflate", "inflateSync"]) }
-
-  override int getArchiveParameterIndex() { result = 0 }
-}
-
-/**
- * The `next_in` member of a `z_stream` variable is used in a flow steps.
- */
-class NextInMemberStep extends DecompressionFlowStep {
-  NextInMemberStep() { this = "NextInMemberStep" }
-
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(Variable nextInVar |
-      nextInVar.getDeclaringType().hasName("z_stream") and
-      nextInVar.hasName("next_in")
-    |
-      node1.asIndirectExpr() = nextInVar.getAnAssignedValue() and
-      node2.asExpr() =
-        nextInVar.getAnAccess().getQualifier().(VariableAccess).getTarget().getAnAccess()
-    )
-  }
-}

cpp/ql/src/experimental/Security/CWE/CWE-409/ZlibUncompress.qll

@@ -1,15 +0,0 @@
-/**
- * https://www.zlib.net/
- */
-
-import cpp
-import DecompressionBomb
-
-/**
- * The `uncompress`/`uncompress2` function is used in flow sink.
- */
-class UncompressFunction extends DecompressionFunction {
-  UncompressFunction() { this.hasGlobalName(["uncompress", "uncompress2"]) }
-
-  override int getArchiveParameterIndex() { result = 2 }
-}

cpp/ql/src/experimental/Security/CWE/CWE-409/example_bad.cpp

@@ -1,15 +0,0 @@
-#include "zlib.h"
-
-void UnsafeGzread(gzFile inFileZ) {
-    const int BUFFER_SIZE = 8192;
-    unsigned char unzipBuffer[BUFFER_SIZE];
-    unsigned int unzippedBytes;
-    while (true) {
-        unzippedBytes = gzread(inFileZ, unzipBuffer, BUFFER_SIZE);
-        if (unzippedBytes <= 0) {
-            break;
-        }
-
-        // process buffer
-    }
-}

cpp/ql/src/experimental/Security/CWE/CWE-409/example_good.cpp

@@ -1,23 +0,0 @@
-#include "zlib.h"
-
-void SafeGzread(gzFile inFileZ) {
-    const int MAX_READ = 1024 * 1024 * 4;
-    const int BUFFER_SIZE = 8192;
-    unsigned char unzipBuffer[BUFFER_SIZE];
-    unsigned int unzippedBytes;
-    unsigned int totalRead = 0;
-    while (true) {
-        unzippedBytes = gzread(inFileZ, unzipBuffer, BUFFER_SIZE);
-        totalRead += unzippedBytes;
-        if (unzippedBytes <= 0) {
-            break;
-        }
-
-        if (totalRead > MAX_READ) {
-            // Possible decompression bomb, stop processing.
-            break;
-        } else {
-            // process buffer
-        }
-    }
-}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected

@@ -1,239 +0,0 @@
-edges
-| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:15:41:15:44 | **argv | provenance |  |
-| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | provenance |  |
-| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:21:30:21:52 | *access to array | provenance |  |
-| brotliTest.cpp:21:30:21:52 | *access to array | brotliTest.cpp:24:51:24:58 | **& ... | provenance |  |
-| libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:16:31:16:32 | *ar | provenance |  |
-| libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:22:41:22:42 | *ar | provenance |  |
-| libarchiveTests.cpp:30:45:30:48 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | provenance |  |
-| libarchiveTests.cpp:30:45:30:48 | **argv | libarchiveTests.cpp:34:35:34:41 | *access to array | provenance |  |
-| libarchiveTests.cpp:34:32:34:32 | *a | libarchiveTests.cpp:38:27:38:27 | *a | provenance |  |
-| libarchiveTests.cpp:34:35:34:41 | *access to array | libarchiveTests.cpp:34:32:34:32 | *a | provenance | Config |
-| libarchiveTests.cpp:38:27:38:27 | *a | libarchiveTests.cpp:16:31:16:32 | *ar | provenance |  |
-| libarchiveTests.cpp:38:27:38:27 | *a | libarchiveTests.cpp:38:27:38:27 | read_data output argument | provenance |  |
-| libarchiveTests.cpp:38:27:38:27 | read_data output argument | libarchiveTests.cpp:38:27:38:27 | *a | provenance |  |
-| main.cpp:7:33:7:36 | **argv | main.cpp:8:23:8:26 | **argv | provenance |  |
-| main.cpp:7:33:7:36 | **argv | main.cpp:9:27:9:30 | **argv | provenance |  |
-| main.cpp:7:33:7:36 | **argv | main.cpp:10:24:10:27 | **argv | provenance |  |
-| main.cpp:7:33:7:36 | **argv | main.cpp:11:21:11:24 | **argv | provenance |  |
-| main.cpp:7:33:7:36 | **argv | main.cpp:12:21:12:24 | **argv | provenance |  |
-| main.cpp:8:23:8:26 | **argv | brotliTest.cpp:15:41:15:44 | **argv | provenance |  |
-| main.cpp:8:23:8:26 | **argv | main.cpp:8:23:8:26 | brotli_test output argument | provenance |  |
-| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:9:27:9:30 | **argv | provenance |  |
-| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:10:24:10:27 | **argv | provenance |  |
-| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:11:21:11:24 | **argv | provenance |  |
-| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:12:21:12:24 | **argv | provenance |  |
-| main.cpp:9:27:9:30 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | provenance |  |
-| main.cpp:9:27:9:30 | **argv | main.cpp:9:27:9:30 | libarchive_test output argument | provenance |  |
-| main.cpp:9:27:9:30 | libarchive_test output argument | main.cpp:10:24:10:27 | **argv | provenance |  |
-| main.cpp:9:27:9:30 | libarchive_test output argument | main.cpp:11:21:11:24 | **argv | provenance |  |
-| main.cpp:9:27:9:30 | libarchive_test output argument | main.cpp:12:21:12:24 | **argv | provenance |  |
-| main.cpp:10:24:10:27 | **argv | main.cpp:10:24:10:27 | minizip_test output argument | provenance |  |
-| main.cpp:10:24:10:27 | **argv | minizipTest.cpp:12:42:12:45 | **argv | provenance |  |
-| main.cpp:10:24:10:27 | minizip_test output argument | main.cpp:11:21:11:24 | **argv | provenance |  |
-| main.cpp:10:24:10:27 | minizip_test output argument | main.cpp:12:21:12:24 | **argv | provenance |  |
-| main.cpp:11:21:11:24 | **argv | main.cpp:11:21:11:24 | zlib_test output argument | provenance |  |
-| main.cpp:11:21:11:24 | **argv | main.cpp:11:21:11:24 | zlib_test output argument | provenance |  |
-| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
-| main.cpp:11:21:11:24 | zlib_test output argument | main.cpp:12:21:12:24 | **argv | provenance |  |
-| main.cpp:11:21:11:24 | zlib_test output argument | main.cpp:12:21:12:24 | *argv | provenance |  |
-| main.cpp:12:21:12:24 | **argv | zstdTest.cpp:26:39:26:42 | **argv | provenance |  |
-| main.cpp:12:21:12:24 | *argv | zstdTest.cpp:26:39:26:42 | **argv | provenance |  |
-| main.cpp:12:21:12:24 | *argv | zstdTest.cpp:26:39:26:42 | *argv | provenance |  |
-| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:12:42:12:45 | **argv | provenance |  |
-| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | provenance |  |
-| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:24:41:24:47 | *access to array | provenance |  |
-| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | provenance |  |
-| minizipTest.cpp:24:29:24:38 | **zip_reader | minizipTest.cpp:26:30:26:39 | **zip_reader | provenance |  |
-| minizipTest.cpp:24:29:24:38 | *zip_reader | minizipTest.cpp:26:30:26:39 | *zip_reader | provenance |  |
-| minizipTest.cpp:24:41:24:47 | *access to array | minizipTest.cpp:24:29:24:38 | **zip_reader | provenance | Config |
-| minizipTest.cpp:24:41:24:47 | *access to array | minizipTest.cpp:24:29:24:38 | *zip_reader | provenance | Config |
-| zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:20:25:20:39 | *input | provenance |  |
-| zlibTest.cpp:20:25:20:39 | *input | zlibTest.cpp:16:26:16:30 | *input | provenance |  |
-| zlibTest.cpp:20:25:20:39 | *input | zlibTest.cpp:24:17:24:26 | & ... | provenance | Config |
-| zlibTest.cpp:20:25:20:39 | *input | zlibTest.cpp:25:13:25:22 | & ... | provenance | Config |
-| zlibTest.cpp:24:17:24:26 | & ... | zlibTest.cpp:25:13:25:22 | & ... | provenance |  |
-| zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:38:29:38:36 | *fileName | provenance |  |
-| zlibTest.cpp:38:22:38:27 | call to gzopen | zlibTest.cpp:38:22:38:27 | call to gzopen | provenance |  |
-| zlibTest.cpp:38:22:38:27 | call to gzopen | zlibTest.cpp:41:20:41:26 | inFileZ | provenance |  |
-| zlibTest.cpp:38:29:38:36 | *fileName | zlibTest.cpp:37:25:37:32 | *fileName | provenance |  |
-| zlibTest.cpp:38:29:38:36 | *fileName | zlibTest.cpp:38:22:38:27 | call to gzopen | provenance | Config |
-| zlibTest.cpp:47:26:47:33 | *fileName | zlibTest.cpp:48:29:48:36 | *fileName | provenance |  |
-| zlibTest.cpp:48:22:48:27 | call to gzopen | zlibTest.cpp:48:22:48:27 | call to gzopen | provenance |  |
-| zlibTest.cpp:48:22:48:27 | call to gzopen | zlibTest.cpp:51:38:51:44 | inFileZ | provenance |  |
-| zlibTest.cpp:48:29:48:36 | *fileName | zlibTest.cpp:47:26:47:33 | *fileName | provenance |  |
-| zlibTest.cpp:48:29:48:36 | *fileName | zlibTest.cpp:48:22:48:27 | call to gzopen | provenance | Config |
-| zlibTest.cpp:57:25:57:32 | *fileName | zlibTest.cpp:58:29:58:36 | *fileName | provenance |  |
-| zlibTest.cpp:58:22:58:27 | call to gzopen | zlibTest.cpp:58:22:58:27 | call to gzopen | provenance |  |
-| zlibTest.cpp:58:22:58:27 | call to gzopen | zlibTest.cpp:62:25:62:31 | inFileZ | provenance |  |
-| zlibTest.cpp:58:29:58:36 | *fileName | zlibTest.cpp:57:25:57:32 | *fileName | provenance |  |
-| zlibTest.cpp:58:29:58:36 | *fileName | zlibTest.cpp:58:22:58:27 | call to gzopen | provenance | Config |
-| zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:71:26:71:30 | *input | provenance |  |
-| zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:77:45:77:59 | *input | provenance |  |
-| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
-| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:81:19:81:25 | *access to array | provenance |  |
-| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:82:18:82:24 | *access to array | provenance |  |
-| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:83:19:83:25 | *access to array | provenance |  |
-| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:84:18:84:24 | *access to array | provenance |  |
-| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
-| zlibTest.cpp:81:19:81:25 | *access to array | zlibTest.cpp:47:26:47:33 | *fileName | provenance |  |
-| zlibTest.cpp:81:19:81:25 | *access to array | zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | provenance |  |
-| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
-| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
-| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:82:18:82:24 | *access to array | provenance |  |
-| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:83:19:83:25 | *access to array | provenance |  |
-| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:84:18:84:24 | *access to array | provenance |  |
-| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
-| zlibTest.cpp:82:18:82:24 | *access to array | zlibTest.cpp:57:25:57:32 | *fileName | provenance |  |
-| zlibTest.cpp:82:18:82:24 | *access to array | zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | provenance |  |
-| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
-| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
-| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:83:19:83:25 | *access to array | provenance |  |
-| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:84:18:84:24 | *access to array | provenance |  |
-| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
-| zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:16:26:16:30 | *input | provenance |  |
-| zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | provenance |  |
-| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
-| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
-| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:84:18:84:24 | *access to array | provenance |  |
-| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
-| zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:37:25:37:32 | *fileName | provenance |  |
-| zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | provenance |  |
-| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
-| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
-| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
-| zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:71:26:71:30 | *input | provenance |  |
-| zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:85:19:85:25 | InflateString output argument | provenance |  |
-| zlibTest.cpp:85:19:85:25 | InflateString output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
-| zlibTest.cpp:85:19:85:25 | InflateString output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
-| zstdTest.cpp:26:39:26:42 | **argv | zstdTest.cpp:27:35:27:41 | *access to array | provenance |  |
-| zstdTest.cpp:26:39:26:42 | *argv | zstdTest.cpp:27:35:27:41 | *access to array | provenance |  |
-| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | zstdTest.cpp:27:23:27:33 | call to fopen_orDie | provenance |  |
-| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | zstdTest.cpp:35:52:35:54 | fin | provenance |  |
-| zstdTest.cpp:27:35:27:41 | *access to array | zstdTest.cpp:27:23:27:33 | call to fopen_orDie | provenance | Config |
-| zstdTest.cpp:35:32:35:37 | **buffIn | zstdTest.cpp:36:32:36:37 | **buffIn | provenance |  |
-| zstdTest.cpp:35:32:35:37 | *buffIn | zstdTest.cpp:36:32:36:37 | *buffIn | provenance |  |
-| zstdTest.cpp:35:52:35:54 | fin | zstdTest.cpp:35:32:35:37 | **buffIn | provenance | Config |
-| zstdTest.cpp:35:52:35:54 | fin | zstdTest.cpp:35:32:35:37 | *buffIn | provenance | Config |
-| zstdTest.cpp:36:32:36:37 | **buffIn | zstdTest.cpp:35:32:35:37 | **buffIn | provenance |  |
-| zstdTest.cpp:36:32:36:37 | **buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
-| zstdTest.cpp:36:32:36:37 | **buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
-| zstdTest.cpp:36:32:36:37 | *buffIn | zstdTest.cpp:35:32:35:37 | *buffIn | provenance |  |
-| zstdTest.cpp:36:32:36:37 | *buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
-| zstdTest.cpp:36:32:36:37 | *buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
-| zstdTest.cpp:39:69:39:74 | & ... | zstdTest.cpp:39:69:39:74 | & ... | provenance |  |
-| zstdTest.cpp:39:69:39:74 | & ... | zstdTest.cpp:39:69:39:74 | & ... | provenance |  |
-nodes
-| brotliTest.cpp:15:41:15:44 | **argv | semmle.label | **argv |
-| brotliTest.cpp:15:41:15:44 | **argv | semmle.label | **argv |
-| brotliTest.cpp:18:35:18:53 | *access to array | semmle.label | *access to array |
-| brotliTest.cpp:21:30:21:52 | *access to array | semmle.label | *access to array |
-| brotliTest.cpp:24:51:24:58 | **& ... | semmle.label | **& ... |
-| libarchiveTests.cpp:16:31:16:32 | *ar | semmle.label | *ar |
-| libarchiveTests.cpp:16:31:16:32 | *ar | semmle.label | *ar |
-| libarchiveTests.cpp:22:41:22:42 | *ar | semmle.label | *ar |
-| libarchiveTests.cpp:30:45:30:48 | **argv | semmle.label | **argv |
-| libarchiveTests.cpp:30:45:30:48 | **argv | semmle.label | **argv |
-| libarchiveTests.cpp:34:32:34:32 | *a | semmle.label | *a |
-| libarchiveTests.cpp:34:35:34:41 | *access to array | semmle.label | *access to array |
-| libarchiveTests.cpp:38:27:38:27 | *a | semmle.label | *a |
-| libarchiveTests.cpp:38:27:38:27 | read_data output argument | semmle.label | read_data output argument |
-| main.cpp:7:33:7:36 | **argv | semmle.label | **argv |
-| main.cpp:8:23:8:26 | **argv | semmle.label | **argv |
-| main.cpp:8:23:8:26 | brotli_test output argument | semmle.label | brotli_test output argument |
-| main.cpp:9:27:9:30 | **argv | semmle.label | **argv |
-| main.cpp:9:27:9:30 | libarchive_test output argument | semmle.label | libarchive_test output argument |
-| main.cpp:10:24:10:27 | **argv | semmle.label | **argv |
-| main.cpp:10:24:10:27 | minizip_test output argument | semmle.label | minizip_test output argument |
-| main.cpp:11:21:11:24 | **argv | semmle.label | **argv |
-| main.cpp:11:21:11:24 | zlib_test output argument | semmle.label | zlib_test output argument |
-| main.cpp:11:21:11:24 | zlib_test output argument | semmle.label | zlib_test output argument |
-| main.cpp:12:21:12:24 | **argv | semmle.label | **argv |
-| main.cpp:12:21:12:24 | *argv | semmle.label | *argv |
-| minizipTest.cpp:12:42:12:45 | **argv | semmle.label | **argv |
-| minizipTest.cpp:12:42:12:45 | **argv | semmle.label | **argv |
-| minizipTest.cpp:17:52:17:67 | *access to array | semmle.label | *access to array |
-| minizipTest.cpp:24:29:24:38 | **zip_reader | semmle.label | **zip_reader |
-| minizipTest.cpp:24:29:24:38 | *zip_reader | semmle.label | *zip_reader |
-| minizipTest.cpp:24:41:24:47 | *access to array | semmle.label | *access to array |
-| minizipTest.cpp:26:30:26:39 | **zip_reader | semmle.label | **zip_reader |
-| minizipTest.cpp:26:30:26:39 | *zip_reader | semmle.label | *zip_reader |
-| minizipTest.cpp:28:13:28:19 | *access to array | semmle.label | *access to array |
-| zlibTest.cpp:16:26:16:30 | *input | semmle.label | *input |
-| zlibTest.cpp:16:26:16:30 | *input | semmle.label | *input |
-| zlibTest.cpp:20:25:20:39 | *input | semmle.label | *input |
-| zlibTest.cpp:24:17:24:26 | & ... | semmle.label | & ... |
-| zlibTest.cpp:25:13:25:22 | & ... | semmle.label | & ... |
-| zlibTest.cpp:37:25:37:32 | *fileName | semmle.label | *fileName |
-| zlibTest.cpp:37:25:37:32 | *fileName | semmle.label | *fileName |
-| zlibTest.cpp:38:22:38:27 | call to gzopen | semmle.label | call to gzopen |
-| zlibTest.cpp:38:22:38:27 | call to gzopen | semmle.label | call to gzopen |
-| zlibTest.cpp:38:29:38:36 | *fileName | semmle.label | *fileName |
-| zlibTest.cpp:41:20:41:26 | inFileZ | semmle.label | inFileZ |
-| zlibTest.cpp:47:26:47:33 | *fileName | semmle.label | *fileName |
-| zlibTest.cpp:47:26:47:33 | *fileName | semmle.label | *fileName |
-| zlibTest.cpp:48:22:48:27 | call to gzopen | semmle.label | call to gzopen |
-| zlibTest.cpp:48:22:48:27 | call to gzopen | semmle.label | call to gzopen |
-| zlibTest.cpp:48:29:48:36 | *fileName | semmle.label | *fileName |
-| zlibTest.cpp:51:38:51:44 | inFileZ | semmle.label | inFileZ |
-| zlibTest.cpp:57:25:57:32 | *fileName | semmle.label | *fileName |
-| zlibTest.cpp:57:25:57:32 | *fileName | semmle.label | *fileName |
-| zlibTest.cpp:58:22:58:27 | call to gzopen | semmle.label | call to gzopen |
-| zlibTest.cpp:58:22:58:27 | call to gzopen | semmle.label | call to gzopen |
-| zlibTest.cpp:58:29:58:36 | *fileName | semmle.label | *fileName |
-| zlibTest.cpp:62:25:62:31 | inFileZ | semmle.label | inFileZ |
-| zlibTest.cpp:71:26:71:30 | *input | semmle.label | *input |
-| zlibTest.cpp:71:26:71:30 | *input | semmle.label | *input |
-| zlibTest.cpp:77:45:77:59 | *input | semmle.label | *input |
-| zlibTest.cpp:80:33:80:36 | **argv | semmle.label | **argv |
-| zlibTest.cpp:80:33:80:36 | **argv | semmle.label | **argv |
-| zlibTest.cpp:80:33:80:36 | **argv [Return] | semmle.label | **argv [Return] |
-| zlibTest.cpp:81:19:81:25 | *access to array | semmle.label | *access to array |
-| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | semmle.label | UnsafeGzfread output argument |
-| zlibTest.cpp:82:18:82:24 | *access to array | semmle.label | *access to array |
-| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | semmle.label | UnsafeGzgets output argument |
-| zlibTest.cpp:83:19:83:25 | *access to array | semmle.label | *access to array |
-| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | semmle.label | UnsafeInflate output argument |
-| zlibTest.cpp:84:18:84:24 | *access to array | semmle.label | *access to array |
-| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | semmle.label | UnsafeGzread output argument |
-| zlibTest.cpp:85:19:85:25 | *access to array | semmle.label | *access to array |
-| zlibTest.cpp:85:19:85:25 | InflateString output argument | semmle.label | InflateString output argument |
-| zstdTest.cpp:26:39:26:42 | **argv | semmle.label | **argv |
-| zstdTest.cpp:26:39:26:42 | *argv | semmle.label | *argv |
-| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | semmle.label | call to fopen_orDie |
-| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | semmle.label | call to fopen_orDie |
-| zstdTest.cpp:27:35:27:41 | *access to array | semmle.label | *access to array |
-| zstdTest.cpp:35:32:35:37 | **buffIn | semmle.label | **buffIn |
-| zstdTest.cpp:35:32:35:37 | *buffIn | semmle.label | *buffIn |
-| zstdTest.cpp:35:52:35:54 | fin | semmle.label | fin |
-| zstdTest.cpp:36:32:36:37 | **buffIn | semmle.label | **buffIn |
-| zstdTest.cpp:36:32:36:37 | *buffIn | semmle.label | *buffIn |
-| zstdTest.cpp:39:69:39:74 | & ... | semmle.label | & ... |
-| zstdTest.cpp:39:69:39:74 | & ... | semmle.label | & ... |
-subpaths
-| libarchiveTests.cpp:38:27:38:27 | *a | libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:38:27:38:27 | read_data output argument |
-| main.cpp:8:23:8:26 | **argv | brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:15:41:15:44 | **argv | main.cpp:8:23:8:26 | brotli_test output argument |
-| main.cpp:9:27:9:30 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | main.cpp:9:27:9:30 | libarchive_test output argument |
-| main.cpp:10:24:10:27 | **argv | minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:12:42:12:45 | **argv | main.cpp:10:24:10:27 | minizip_test output argument |
-| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv | main.cpp:11:21:11:24 | zlib_test output argument |
-| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv [Return] | main.cpp:11:21:11:24 | zlib_test output argument |
-| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv [Return] | main.cpp:11:21:11:24 | zlib_test output argument |
-| zlibTest.cpp:81:19:81:25 | *access to array | zlibTest.cpp:47:26:47:33 | *fileName | zlibTest.cpp:47:26:47:33 | *fileName | zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument |
-| zlibTest.cpp:82:18:82:24 | *access to array | zlibTest.cpp:57:25:57:32 | *fileName | zlibTest.cpp:57:25:57:32 | *fileName | zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument |
-| zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument |
-| zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument |
-| zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:85:19:85:25 | InflateString output argument |
-#select
-| brotliTest.cpp:18:35:18:53 | *access to array | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | The decompression output of $@ is not limited | brotliTest.cpp:18:5:18:27 | call to BrotliDecoderDecompress | BrotliDecoderDecompress |
-| brotliTest.cpp:24:51:24:58 | **& ... | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:24:51:24:58 | **& ... | The decompression output of $@ is not limited | brotliTest.cpp:24:5:24:33 | call to BrotliDecoderDecompressStream | BrotliDecoderDecompressStream |
-| libarchiveTests.cpp:22:41:22:42 | *ar | main.cpp:7:33:7:36 | **argv | libarchiveTests.cpp:22:41:22:42 | *ar | The decompression output of $@ is not limited | libarchiveTests.cpp:22:17:22:39 | call to archive_read_data_block | archive_read_data_block |
-| minizipTest.cpp:17:52:17:67 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:17:22:17:38 | call to mz_zip_entry_read | mz_zip_entry_read |
-| minizipTest.cpp:26:30:26:39 | **zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | **zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save |
-| minizipTest.cpp:26:30:26:39 | *zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | *zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save |
-| minizipTest.cpp:28:13:28:19 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:28:5:28:11 | call to UnzOpen | UnzOpen |
-| zlibTest.cpp:25:13:25:22 | & ... | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:25:13:25:22 | & ... | The decompression output of $@ is not limited | zlibTest.cpp:25:5:25:11 | call to inflate | inflate |
-| zlibTest.cpp:41:20:41:26 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:41:20:41:26 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:41:13:41:18 | call to gzread | gzread |
-| zlibTest.cpp:51:38:51:44 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:51:38:51:44 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:51:14:51:20 | call to gzfread | gzfread |
-| zlibTest.cpp:62:25:62:31 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:62:25:62:31 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:62:18:62:23 | call to gzgets | gzgets |
-| zlibTest.cpp:77:45:77:59 | *input | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:77:45:77:59 | *input | The decompression output of $@ is not limited | zlibTest.cpp:77:5:77:14 | call to uncompress | uncompress |
-| zstdTest.cpp:39:69:39:74 | & ... | main.cpp:7:33:7:36 | **argv | zstdTest.cpp:39:69:39:74 | & ... | The decompression output of $@ is not limited | zstdTest.cpp:39:32:39:52 | call to ZSTD_decompressStream | ZSTD_decompressStream |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-409/DecompressionBombs.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp

@@ -1,26 +0,0 @@
-typedef long unsigned int size_t;
-typedef unsigned char uint8_t;
-
-enum BrotliDecoderResult {};
-struct BrotliDecoderState;
-
-BrotliDecoderResult BrotliDecoderDecompress(
-        size_t encoded_size, const uint8_t encoded_buffer[],
-        size_t *decoded_size, uint8_t decoded_buffer[]);
-
-BrotliDecoderResult BrotliDecoderDecompressStream(
-        BrotliDecoderState *state, size_t *available_in, const uint8_t **next_in,
-        size_t *available_out, uint8_t **next_out, size_t *total_out);
-
-void brotli_test(int argc, const char **argv) {
-    uint8_t output[1024];
-    size_t output_size = sizeof(output);
-    BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD
-
-    size_t input_size = 1024;
-    const uint8_t *input_p = (const uint8_t*)argv[2];
-    uint8_t *output_p = output;
-    size_t out_size;
-    BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD
-                                  &output_p, &out_size);
-}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp

@@ -1,42 +0,0 @@
-#define    ARCHIVE_EOF     1
-#define    ARCHIVE_OK      0
-#define    ARCHIVE_WARN    (-20)
-
-struct archive;
-struct archive_entry;
-typedef int size_t;
-typedef int la_int64_t;
-
-archive *archive_read_new();
-int archive_read_open_filename(archive *pArchive, const char *filename, int i);
-int archive_read_next_header(archive *a, archive_entry **entry);
-int archive_entry_size(archive_entry *pEntry);
-int archive_read_data_block(archive *pArchive, const void **pVoid, size_t *pInt, la_int64_t *pInt1);
-
-static int read_data(archive *ar) {
-    for (;;) {
-        const void *buff;
-        size_t size;
-        la_int64_t offset;
-
-        int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD
-        if (r == ARCHIVE_EOF)
-            return ARCHIVE_OK;
-        if (r < ARCHIVE_OK)
-            return r;
-    }
-}
-
-void libarchive_test(int argc, const char **argv) {
-    archive *a = archive_read_new();
-    archive_entry *entry;
-
-    archive_read_open_filename(a, argv[1], 10240);
-    for (;;) {
-        archive_read_next_header(a, &entry);
-        if (archive_entry_size(entry) > 0) {
-            if (read_data(a) < ARCHIVE_WARN)
-                break;
-        }
-    }
-}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp

@@ -1,14 +0,0 @@
-void brotli_test(int argc, const char **argv);
-void libarchive_test(int argc, const char **argv);
-void minizip_test(int argc, const char **argv);
-void zlib_test(int argc, const char **argv);
-void zstd_test(int argc, const char **argv);
-
-int main(int argc, const char **argv) {
-    brotli_test(argc, argv);
-    libarchive_test(argc, argv);
-    minizip_test(argc, argv);
-    zlib_test(argc, argv);
-    zstd_test(argc, argv);
-    return 0;
-}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp

@@ -1,29 +0,0 @@
-typedef signed int int32_t;
-
-void *mz_zip_reader_create();
-int32_t mz_zip_reader_open_file(void *handle, const char *path);
-int32_t mz_zip_reader_goto_first_entry(void *pVoid);
-int32_t mz_zip_reader_entry_save(void *pVoid, int stream, int write);
-int32_t mz_zip_entry_read(void *pVoid, void *buf, int32_t i);
-void UnzOpen(const char *string);
-
-void *mz_zip_create();
-
-void minizip_test(int argc, const char **argv) {
-    void *zip_handle = mz_zip_create();
-    int32_t bytes_read;
-    char buf[4096];
-    while(true) {
-        bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD
-        if (bytes_read <= 0) {
-            break;
-        }
-    }
-
-    void *zip_reader = mz_zip_reader_create();
-    mz_zip_reader_open_file(zip_reader, argv[1]);
-    mz_zip_reader_goto_first_entry(zip_reader);
-    mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD
-
-    UnzOpen(argv[3]); // BAD
-}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp

@@ -1,86 +0,0 @@
-typedef unsigned char Bytef;
-typedef unsigned long uLong;
-typedef uLong uLongf;
-typedef unsigned int uInt;
-
-struct z_stream {
-    Bytef *next_in;
-    Bytef *next_out;
-    uInt avail_out;
-};
-
-void inflateInit(z_stream *infstream);
-void inflate(z_stream *infstream, int i);
-void inflateEnd(z_stream *infstream);
-
-void UnsafeInflate(char *input) {
-    unsigned char output[1024];
-
-    z_stream infstream;
-    infstream.next_in = (Bytef *) input; // input char array
-    infstream.avail_out = sizeof(output); // size of output
-    infstream.next_out = output; // output char array
-
-    inflateInit(&infstream);
-    inflate(&infstream, 0); // BAD
-}
-
-
-struct gzFile {
-};
-
-gzFile gzopen(char *str, const char *rb);
-unsigned int gzread(gzFile gz_file, unsigned char *str, int i);
-bool gzfread(char *str, int i, int i1, gzFile gz_file);
-char *gzgets(gzFile gz_file, char *buffer, int i);
-
-void UnsafeGzread(char *fileName) {
-    gzFile inFileZ = gzopen(fileName, "rb");
-    unsigned char unzipBuffer[8192];
-    while (true) {
-        if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD
-            break;
-        }
-    }
-}
-
-void UnsafeGzfread(char *fileName) {
-    gzFile inFileZ = gzopen(fileName, "rb");
-    while (true) {
-        char buffer[1000];
-        if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD
-            break;
-        }
-    }
-}
-
-void UnsafeGzgets(char *fileName) {
-    gzFile inFileZ = gzopen(fileName, "rb");
-    char *buffer = new char[4000000000];
-    char *result;
-    while (true) {
-        result = gzgets(inFileZ, buffer, 1000000000); // BAD
-        if (result == nullptr) {
-            break;
-        }
-    }
-}
-
-int uncompress(Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen);
-
-void InflateString(char *input) {
-    unsigned char output[1024];
-
-    uLong source_length = 500;
-    uLong destination_length = sizeof(output);
-
-    uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD
-}
-
-void zlib_test(int argc, char **argv) {
-    UnsafeGzfread(argv[2]);
-    UnsafeGzgets(argv[2]);
-    UnsafeInflate(argv[2]);
-    UnsafeGzread(argv[2]);
-    InflateString(argv[2]);
-}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp

@@ -1,43 +0,0 @@
-typedef long unsigned int size_t;
-struct FILE;
-
-FILE *fopen_orDie(const char *filename, const char *instruction);
-size_t fread_orDie(void *const pVoid, const size_t read, FILE *const pFile);
-void *const malloc_orDie(const size_t size);
-
-struct ZSTD_DCtx;
-typedef struct ZSTD_inBuffer_s {
-    const void *src;
-    size_t size;
-    size_t pos;
-} ZSTD_inBuffer;
-typedef struct ZSTD_outBuffer_s {
-    void *dst;
-    size_t size;
-    size_t pos;
-} ZSTD_outBuffer;
-
-const size_t ZSTD_DStreamInSize();
-const size_t ZSTD_DStreamOutSize();
-ZSTD_DCtx *const ZSTD_createDCtx();
-const size_t ZSTD_decompressStream(ZSTD_DCtx *const pCtx, ZSTD_outBuffer *pS, ZSTD_inBuffer *pS1);
-void CHECK_ZSTD(const size_t ret);
-
-void zstd_test(int argc, const char **argv) {
-    FILE *const fin = fopen_orDie(argv[1], "rb");
-    size_t const buffInSize = ZSTD_DStreamInSize();
-    void *const buffIn = malloc_orDie(buffInSize);
-    size_t const buffOutSize = ZSTD_DStreamOutSize();
-    void *const buffOut = malloc_orDie(buffOutSize);
-
-    ZSTD_DCtx *const dctx = ZSTD_createDCtx();
-    size_t read;
-    while ((read = fread_orDie(buffIn, buffInSize, fin))) {
-        ZSTD_inBuffer input = {buffIn, read, 0};
-        while (input.pos < input.size) {
-            ZSTD_outBuffer output = {buffOut, buffOutSize, 0};
-            size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD  
-            CHECK_ZSTD(ret);
-        }
-    }
-}

cpp/ql/test/header-variant-tests/multi-target-includes/includes.expected

@@ -5,5 +5,6 @@
 | main1.cpp:7:1:7:26 | #include "defines_issue.h" | Include | defines_issue.h | 1 |
 | main2.cpp:3:1:3:19 | #include "common.h" | Include | common.h | 1 |
 | main2.cpp:7:1:7:26 | #include "defines_issue.h" | Include | defines_issue.h | 1 |
+| nameclash.h:3:1:3:27 | #include_next "nameclash.h" | IncludeNext | nameclash.h | 1 |
 | nameclash.h:3:1:3:27 | #include_next "nameclash.h" | IncludeNext | subdir1/nameclash.h | 1 |
 | nameclash.h:3:1:3:27 | #include_next "nameclash.h" | IncludeNext | subdir2/nameclash.h | 1 |

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected

@@ -33,7 +33,7 @@ argHasPostUpdate
 | test.cpp:67:29:67:35 | source1 | ArgumentNode is missing PostUpdateNode. |
 | test.cpp:813:19:813:35 | * ... | ArgumentNode is missing PostUpdateNode. |
 | test.cpp:848:23:848:25 | rpx | ArgumentNode is missing PostUpdateNode. |
-| test.cpp:1093:19:1093:21 | * ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:1057:19:1057:21 | * ... | ArgumentNode is missing PostUpdateNode. |
 postWithInFlow
 | BarrierGuard.cpp:49:6:49:6 | x [post update] | PostUpdateNode should not be the target of local flow. |
 | BarrierGuard.cpp:60:7:60:7 | x [post update] | PostUpdateNode should not be the target of local flow. |
@@ -167,17 +167,15 @@ postWithInFlow
 | test.cpp:932:5:932:19 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:932:6:932:19 | global_pointer [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:1045:9:1045:11 | ref arg buf | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1066:5:1066:5 | i [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1069:5:1069:5 | i [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1087:5:1087:11 | content [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1088:9:1088:9 | a [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1092:5:1092:7 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1092:6:1092:7 | pp [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1098:53:1098:53 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1108:3:1108:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1108:4:1108:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1109:3:1109:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1109:4:1109:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1051:5:1051:11 | content [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1052:9:1052:9 | a [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1056:5:1056:7 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1056:6:1056:7 | pp [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1062:53:1062:53 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1072:3:1072:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1072:4:1072:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1073:3:1073:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1073:4:1073:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -26,10 +26,6 @@ postWithInFlow
 | test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:1045:9:1045:11 | memset output argument | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1076:2:1076:3 | swap output argument | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1076:10:1076:11 | swap output argument | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1077:2:1077:3 | swap output argument | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1077:10:1077:11 | swap output argument | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition

cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected

@@ -202,12 +202,12 @@
 | test.cpp:489:23:489:29 | *content | test.cpp:490:8:490:17 | * ... |
 | test.cpp:489:23:489:29 | content | test.cpp:489:23:489:29 | content |
 | test.cpp:489:23:489:29 | content | test.cpp:490:9:490:17 | p_content |
-| test.cpp:1086:12:1086:12 | definition of a | test.cpp:1087:3:1087:3 | *a |
-| test.cpp:1087:3:1087:3 | *a | test.cpp:1088:8:1088:9 | *& ... |
-| test.cpp:1087:3:1087:3 | *a [post update] | test.cpp:1088:8:1088:9 | *& ... |
-| test.cpp:1087:3:1087:3 | a | test.cpp:1088:8:1088:9 | & ... |
-| test.cpp:1087:3:1087:3 | a [post update] | test.cpp:1088:8:1088:9 | & ... |
-| test.cpp:1087:15:1087:21 | 0 | test.cpp:1087:3:1087:21 | ... = ... |
-| test.cpp:1087:15:1087:21 | *0 | test.cpp:1087:3:1087:21 | *... = ... |
-| test.cpp:1088:9:1088:9 | *a | test.cpp:1088:8:1088:9 | *& ... |
-| test.cpp:1088:9:1088:9 | a | test.cpp:1088:8:1088:9 | & ... |
+| test.cpp:1050:12:1050:12 | definition of a | test.cpp:1051:3:1051:3 | *a |
+| test.cpp:1051:3:1051:3 | *a | test.cpp:1052:8:1052:9 | *& ... |
+| test.cpp:1051:3:1051:3 | *a [post update] | test.cpp:1052:8:1052:9 | *& ... |
+| test.cpp:1051:3:1051:3 | a | test.cpp:1052:8:1052:9 | & ... |
+| test.cpp:1051:3:1051:3 | a [post update] | test.cpp:1052:8:1052:9 | & ... |
+| test.cpp:1051:15:1051:21 | 0 | test.cpp:1051:3:1051:21 | ... = ... |
+| test.cpp:1051:15:1051:21 | *0 | test.cpp:1051:3:1051:21 | *... = ... |
+| test.cpp:1052:9:1052:9 | *a | test.cpp:1052:8:1052:9 | *& ... |
+| test.cpp:1052:9:1052:9 | a | test.cpp:1052:8:1052:9 | & ... |

cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow.expected

@@ -81,10 +81,10 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (loc
 | test.cpp:488:21:488:21 | s [post update] | test.cpp:489:20:489:20 | s |
 | test.cpp:488:24:488:30 | ref arg content | test.cpp:489:23:489:29 | content |
 | test.cpp:489:23:489:29 | content | test.cpp:490:9:490:17 | p_content |
-| test.cpp:1086:12:1086:12 | a | test.cpp:1087:3:1087:3 | a |
-| test.cpp:1086:12:1086:12 | a | test.cpp:1088:9:1088:9 | a |
-| test.cpp:1087:3:1087:3 | a [post update] | test.cpp:1088:9:1088:9 | a |
-| test.cpp:1087:3:1087:21 | ... = ... | test.cpp:1087:5:1087:11 | content [post update] |
-| test.cpp:1087:15:1087:21 | 0 | test.cpp:1087:3:1087:21 | ... = ... |
-| test.cpp:1088:8:1088:9 | ref arg & ... | test.cpp:1088:9:1088:9 | a [inner post update] |
-| test.cpp:1088:9:1088:9 | a | test.cpp:1088:8:1088:9 | & ... |
+| test.cpp:1050:12:1050:12 | a | test.cpp:1051:3:1051:3 | a |
+| test.cpp:1050:12:1050:12 | a | test.cpp:1052:9:1052:9 | a |
+| test.cpp:1051:3:1051:3 | a [post update] | test.cpp:1052:9:1052:9 | a |
+| test.cpp:1051:3:1051:21 | ... = ... | test.cpp:1051:5:1051:11 | content [post update] |
+| test.cpp:1051:15:1051:21 | 0 | test.cpp:1051:3:1051:21 | ... = ... |
+| test.cpp:1052:8:1052:9 | ref arg & ... | test.cpp:1052:9:1052:9 | a [inner post update] |
+| test.cpp:1052:9:1052:9 | a | test.cpp:1052:8:1052:9 | & ... |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -127,11 +127,7 @@ astFlow
 | test.cpp:842:11:842:16 | call to source | test.cpp:844:8:844:8 | y |
 | test.cpp:846:13:846:27 | call to indirect_source | test.cpp:848:23:848:25 | rpx |
 | test.cpp:860:54:860:59 | call to source | test.cpp:861:10:861:37 | static_local_pointer_dynamic |
-| test.cpp:1066:9:1066:14 | call to source | test.cpp:1072:10:1072:10 | i |
-| test.cpp:1066:9:1066:14 | call to source | test.cpp:1080:10:1080:10 | i |
-| test.cpp:1069:9:1069:14 | call to source | test.cpp:1074:10:1074:10 | i |
-| test.cpp:1069:9:1069:14 | call to source | test.cpp:1082:10:1082:10 | i |
-| test.cpp:1086:12:1086:12 | a | test.cpp:1088:8:1088:9 | & ... |
+| test.cpp:1050:12:1050:12 | a | test.cpp:1052:8:1052:9 | & ... |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |
 | true_upon_entry.cpp:33:11:33:16 | call to source | true_upon_entry.cpp:39:8:39:8 | x |
@@ -317,12 +313,7 @@ irFlow
 | test.cpp:1021:18:1021:32 | *call to indirect_source | test.cpp:1027:19:1027:28 | *translated |
 | test.cpp:1021:18:1021:32 | *call to indirect_source | test.cpp:1031:19:1031:28 | *translated |
 | test.cpp:1045:14:1045:19 | call to source | test.cpp:1046:7:1046:10 | * ... |
-| test.cpp:1052:13:1052:27 | *call to indirect_source | test.cpp:1054:7:1054:11 | * ... |
-| test.cpp:1066:9:1066:14 | call to source | test.cpp:1072:10:1072:10 | i |
-| test.cpp:1066:9:1066:14 | call to source | test.cpp:1079:10:1079:10 | i |
-| test.cpp:1069:9:1069:14 | call to source | test.cpp:1074:10:1074:10 | i |
-| test.cpp:1069:9:1069:14 | call to source | test.cpp:1081:10:1081:10 | i |
-| test.cpp:1117:27:1117:34 | call to source | test.cpp:1117:27:1117:34 | call to source |
+| test.cpp:1081:27:1081:34 | call to source | test.cpp:1081:27:1081:34 | call to source |
 | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -1046,42 +1046,6 @@ void memset_test(char* buf) { // $ ast-def=buf ir-def=*buf
 	sink(*buf); // $ ir MISSING: ast
 }
 
-void *realloc(void *, size_t);
-
-void test_realloc() {
-	int *src = indirect_source();
-	int *dest = (int*)realloc(src, sizeof(int));
-	sink(*dest); // $ ir, MISSING: ast
-}
-
-struct MyInt {
-  int i;
-  MyInt();
-  void swap(MyInt &j);
-};
-
-void test_member_swap() {
-	MyInt s1;
-	MyInt s2;
-	s2.i = source();
-	MyInt s3;
-	MyInt s4;
-	s4.i = source();
-
-	sink(s1.i);
-	sink(s2.i); // $ ast,ir
-	sink(s3.i);
-	sink(s4.i); // $ ast,ir
-
-	s1.swap(s2);
-	s4.swap(s3);
-
-	sink(s1.i); // $ ir
-	sink(s2.i); // $ SPURIOUS: ast
-	sink(s3.i); // $ ir
-	sink(s4.i); // $ SPURIOUS: ast
-}
-
 void flow_out_of_address_with_local_flow() {
   MyStruct a;
   a.content = nullptr;

cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected

@@ -51,5 +51,5 @@ incorrectBaseType
 | test.cpp:848:23:848:25 | rpx | Expected 'Node.getType()' to be int, but it was int * |
 | test.cpp:854:10:854:36 | * ... | Expected 'Node.getType()' to be const int, but it was int |
 | test.cpp:867:10:867:30 | * ... | Expected 'Node.getType()' to be const int, but it was int |
-| test.cpp:1098:52:1098:53 | *& ... | Expected 'Node.getType()' to be char, but it was char * |
+| test.cpp:1062:52:1062:53 | *& ... | Expected 'Node.getType()' to be char, but it was char * |
 failures

cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected

@@ -54,5 +54,5 @@
 | test.cpp:796:12:796:12 | a | test.cpp:797:20:797:20 | a |
 | test.cpp:796:12:796:12 | a | test.cpp:797:31:797:31 | a |
 | test.cpp:796:12:796:12 | a | test.cpp:798:17:798:17 | a |
-| test.cpp:1086:12:1086:12 | a | test.cpp:1087:3:1087:3 | a |
-| test.cpp:1086:12:1086:12 | a | test.cpp:1088:9:1088:9 | a |
+| test.cpp:1050:12:1050:12 | a | test.cpp:1051:3:1051:3 | a |
+| test.cpp:1050:12:1050:12 | a | test.cpp:1052:9:1052:9 | a |

cpp/ql/test/library-tests/dataflow/fields/Nodes.qll

@@ -13,6 +13,9 @@ class Node extends TNode {
 
   AST::DataFlow::Node asAst() { none() }
 
+  /** DEPRECATED: Alias for asAst */
+  deprecated AST::DataFlow::Node asAST() { result = this.asAst() }
+
   Location getLocation() { none() }
 }
 
@@ -25,6 +28,9 @@ class AstNode extends Node, TAstNode {
 
   override AST::DataFlow::Node asAst() { result = n }
 
+  /** DEPRECATED: Alias for asAst */
+  deprecated override AST::DataFlow::Node asAST() { result = this.asAst() }
+
   override Location getLocation() { result = n.getLocation() }
 }
 

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -554,15 +554,19 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | map.cpp:67:30:67:42 | call to pair | map.cpp:80:7:80:7 | l |  |
 | map.cpp:67:30:67:42 | call to pair | map.cpp:81:7:81:7 | l |  |
 | map.cpp:67:37:67:41 | 456 | map.cpp:67:30:67:42 | call to pair | TAINT |
+| map.cpp:68:3:68:3 | i | map.cpp:68:10:68:10 | ref arg j | TAINT |
 | map.cpp:68:3:68:3 | ref arg i | map.cpp:70:7:70:7 | i |  |
 | map.cpp:68:3:68:3 | ref arg i | map.cpp:71:7:71:7 | i |  |
 | map.cpp:68:3:68:3 | ref arg i | map.cpp:72:7:72:7 | i |  |
+| map.cpp:68:10:68:10 | j | map.cpp:68:3:68:3 | ref arg i | TAINT |
 | map.cpp:68:10:68:10 | ref arg j | map.cpp:73:7:73:7 | j |  |
 | map.cpp:68:10:68:10 | ref arg j | map.cpp:74:7:74:7 | j |  |
 | map.cpp:68:10:68:10 | ref arg j | map.cpp:75:7:75:7 | j |  |
+| map.cpp:69:2:69:2 | k | map.cpp:69:9:69:9 | ref arg l | TAINT |
 | map.cpp:69:2:69:2 | ref arg k | map.cpp:76:7:76:7 | k |  |
 | map.cpp:69:2:69:2 | ref arg k | map.cpp:77:7:77:7 | k |  |
 | map.cpp:69:2:69:2 | ref arg k | map.cpp:78:7:78:7 | k |  |
+| map.cpp:69:9:69:9 | l | map.cpp:69:2:69:2 | ref arg k | TAINT |
 | map.cpp:69:9:69:9 | ref arg l | map.cpp:79:7:79:7 | l |  |
 | map.cpp:69:9:69:9 | ref arg l | map.cpp:80:7:80:7 | l |  |
 | map.cpp:69:9:69:9 | ref arg l | map.cpp:81:7:81:7 | l |  |
@@ -1061,12 +1065,16 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | map.cpp:194:7:194:9 | m16 | map.cpp:194:7:194:9 | call to map |  |
 | map.cpp:195:7:195:9 | m17 | map.cpp:195:7:195:9 | call to map |  |
 | map.cpp:196:7:196:9 | m18 | map.cpp:196:7:196:9 | call to map |  |
+| map.cpp:197:2:197:4 | m15 | map.cpp:197:11:197:13 | ref arg m16 | TAINT |
 | map.cpp:197:2:197:4 | ref arg m15 | map.cpp:199:7:199:9 | m15 |  |
 | map.cpp:197:2:197:4 | ref arg m15 | map.cpp:252:1:252:1 | m15 |  |
+| map.cpp:197:11:197:13 | m16 | map.cpp:197:2:197:4 | ref arg m15 | TAINT |
 | map.cpp:197:11:197:13 | ref arg m16 | map.cpp:200:7:200:9 | m16 |  |
 | map.cpp:197:11:197:13 | ref arg m16 | map.cpp:252:1:252:1 | m16 |  |
+| map.cpp:198:2:198:4 | m17 | map.cpp:198:11:198:13 | ref arg m18 | TAINT |
 | map.cpp:198:2:198:4 | ref arg m17 | map.cpp:201:7:201:9 | m17 |  |
 | map.cpp:198:2:198:4 | ref arg m17 | map.cpp:252:1:252:1 | m17 |  |
+| map.cpp:198:11:198:13 | m18 | map.cpp:198:2:198:4 | ref arg m17 | TAINT |
 | map.cpp:198:11:198:13 | ref arg m18 | map.cpp:202:7:202:9 | m18 |  |
 | map.cpp:198:11:198:13 | ref arg m18 | map.cpp:252:1:252:1 | m18 |  |
 | map.cpp:199:7:199:9 | m15 | map.cpp:199:7:199:9 | call to map |  |
@@ -1739,12 +1747,16 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | map.cpp:343:7:343:9 | m16 | map.cpp:343:7:343:9 | call to unordered_map |  |
 | map.cpp:344:7:344:9 | m17 | map.cpp:344:7:344:9 | call to unordered_map |  |
 | map.cpp:345:7:345:9 | m18 | map.cpp:345:7:345:9 | call to unordered_map |  |
+| map.cpp:346:2:346:4 | m15 | map.cpp:346:11:346:13 | ref arg m16 | TAINT |
 | map.cpp:346:2:346:4 | ref arg m15 | map.cpp:348:7:348:9 | m15 |  |
 | map.cpp:346:2:346:4 | ref arg m15 | map.cpp:438:1:438:1 | m15 |  |
+| map.cpp:346:11:346:13 | m16 | map.cpp:346:2:346:4 | ref arg m15 | TAINT |
 | map.cpp:346:11:346:13 | ref arg m16 | map.cpp:349:7:349:9 | m16 |  |
 | map.cpp:346:11:346:13 | ref arg m16 | map.cpp:438:1:438:1 | m16 |  |
+| map.cpp:347:2:347:4 | m17 | map.cpp:347:11:347:13 | ref arg m18 | TAINT |
 | map.cpp:347:2:347:4 | ref arg m17 | map.cpp:350:7:350:9 | m17 |  |
 | map.cpp:347:2:347:4 | ref arg m17 | map.cpp:438:1:438:1 | m17 |  |
+| map.cpp:347:11:347:13 | m18 | map.cpp:347:2:347:4 | ref arg m17 | TAINT |
 | map.cpp:347:11:347:13 | ref arg m18 | map.cpp:351:7:351:9 | m18 |  |
 | map.cpp:347:11:347:13 | ref arg m18 | map.cpp:438:1:438:1 | m18 |  |
 | map.cpp:348:7:348:9 | m15 | map.cpp:348:7:348:9 | call to unordered_map |  |
@@ -2567,12 +2579,16 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | set.cpp:81:7:81:9 | s15 | set.cpp:81:7:81:9 | call to set |  |
 | set.cpp:82:2:82:4 | ref arg s12 | set.cpp:84:7:84:9 | s12 |  |
 | set.cpp:82:2:82:4 | ref arg s12 | set.cpp:126:1:126:1 | s12 |  |
+| set.cpp:82:2:82:4 | s12 | set.cpp:82:11:82:13 | ref arg s13 | TAINT |
 | set.cpp:82:11:82:13 | ref arg s13 | set.cpp:85:7:85:9 | s13 |  |
 | set.cpp:82:11:82:13 | ref arg s13 | set.cpp:126:1:126:1 | s13 |  |
+| set.cpp:82:11:82:13 | s13 | set.cpp:82:2:82:4 | ref arg s12 | TAINT |
 | set.cpp:83:2:83:4 | ref arg s14 | set.cpp:86:7:86:9 | s14 |  |
 | set.cpp:83:2:83:4 | ref arg s14 | set.cpp:126:1:126:1 | s14 |  |
+| set.cpp:83:2:83:4 | s14 | set.cpp:83:11:83:13 | ref arg s15 | TAINT |
 | set.cpp:83:11:83:13 | ref arg s15 | set.cpp:87:7:87:9 | s15 |  |
 | set.cpp:83:11:83:13 | ref arg s15 | set.cpp:126:1:126:1 | s15 |  |
+| set.cpp:83:11:83:13 | s15 | set.cpp:83:2:83:4 | ref arg s14 | TAINT |
 | set.cpp:84:7:84:9 | s12 | set.cpp:84:7:84:9 | call to set |  |
 | set.cpp:85:7:85:9 | s13 | set.cpp:85:7:85:9 | call to set |  |
 | set.cpp:86:7:86:9 | s14 | set.cpp:86:7:86:9 | call to set |  |
@@ -3050,12 +3066,16 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | set.cpp:193:7:193:9 | s15 | set.cpp:193:7:193:9 | call to unordered_set |  |
 | set.cpp:194:2:194:4 | ref arg s12 | set.cpp:196:7:196:9 | s12 |  |
 | set.cpp:194:2:194:4 | ref arg s12 | set.cpp:238:1:238:1 | s12 |  |
+| set.cpp:194:2:194:4 | s12 | set.cpp:194:11:194:13 | ref arg s13 | TAINT |
 | set.cpp:194:11:194:13 | ref arg s13 | set.cpp:197:7:197:9 | s13 |  |
 | set.cpp:194:11:194:13 | ref arg s13 | set.cpp:238:1:238:1 | s13 |  |
+| set.cpp:194:11:194:13 | s13 | set.cpp:194:2:194:4 | ref arg s12 | TAINT |
 | set.cpp:195:2:195:4 | ref arg s14 | set.cpp:198:7:198:9 | s14 |  |
 | set.cpp:195:2:195:4 | ref arg s14 | set.cpp:238:1:238:1 | s14 |  |
+| set.cpp:195:2:195:4 | s14 | set.cpp:195:11:195:13 | ref arg s15 | TAINT |
 | set.cpp:195:11:195:13 | ref arg s15 | set.cpp:199:7:199:9 | s15 |  |
 | set.cpp:195:11:195:13 | ref arg s15 | set.cpp:238:1:238:1 | s15 |  |
+| set.cpp:195:11:195:13 | s15 | set.cpp:195:2:195:4 | ref arg s14 | TAINT |
 | set.cpp:196:7:196:9 | s12 | set.cpp:196:7:196:9 | call to unordered_set |  |
 | set.cpp:197:7:197:9 | s13 | set.cpp:197:7:197:9 | call to unordered_set |  |
 | set.cpp:198:7:198:9 | s14 | set.cpp:198:7:198:9 | call to unordered_set |  |
@@ -4027,9 +4047,13 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | string.cpp:272:17:272:25 | call to basic_string | string.cpp:280:2:280:3 | s4 |  |
 | string.cpp:272:17:272:25 | call to basic_string | string.cpp:285:7:285:8 | s4 |  |
 | string.cpp:279:2:279:3 | ref arg s1 | string.cpp:282:7:282:8 | s1 |  |
+| string.cpp:279:2:279:3 | s1 | string.cpp:279:10:279:11 | ref arg s2 | TAINT |
 | string.cpp:279:10:279:11 | ref arg s2 | string.cpp:283:7:283:8 | s2 |  |
+| string.cpp:279:10:279:11 | s2 | string.cpp:279:2:279:3 | ref arg s1 | TAINT |
 | string.cpp:280:2:280:3 | ref arg s4 | string.cpp:285:7:285:8 | s4 |  |
+| string.cpp:280:2:280:3 | s4 | string.cpp:280:10:280:11 | ref arg s3 | TAINT |
 | string.cpp:280:10:280:11 | ref arg s3 | string.cpp:284:7:284:8 | s3 |  |
+| string.cpp:280:10:280:11 | s3 | string.cpp:280:2:280:3 | ref arg s4 | TAINT |
 | string.cpp:289:17:289:22 | call to source | string.cpp:289:17:289:25 | call to basic_string | TAINT |
 | string.cpp:289:17:289:25 | call to basic_string | string.cpp:293:7:293:8 | s1 |  |
 | string.cpp:289:17:289:25 | call to basic_string | string.cpp:297:2:297:3 | s1 |  |
@@ -4815,9 +4839,13 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | stringstream.cpp:115:24:115:32 | call to basic_stringstream | stringstream.cpp:118:2:118:4 | ss4 |  |
 | stringstream.cpp:115:24:115:32 | call to basic_stringstream | stringstream.cpp:123:7:123:9 | ss4 |  |
 | stringstream.cpp:117:2:117:4 | ref arg ss1 | stringstream.cpp:120:7:120:9 | ss1 |  |
+| stringstream.cpp:117:2:117:4 | ss1 | stringstream.cpp:117:11:117:13 | ref arg ss2 | TAINT |
 | stringstream.cpp:117:11:117:13 | ref arg ss2 | stringstream.cpp:121:7:121:9 | ss2 |  |
+| stringstream.cpp:117:11:117:13 | ss2 | stringstream.cpp:117:2:117:4 | ref arg ss1 | TAINT |
 | stringstream.cpp:118:2:118:4 | ref arg ss4 | stringstream.cpp:123:7:123:9 | ss4 |  |
+| stringstream.cpp:118:2:118:4 | ss4 | stringstream.cpp:118:11:118:13 | ref arg ss3 | TAINT |
 | stringstream.cpp:118:11:118:13 | ref arg ss3 | stringstream.cpp:122:7:122:9 | ss3 |  |
+| stringstream.cpp:118:11:118:13 | ss3 | stringstream.cpp:118:2:118:4 | ref arg ss4 | TAINT |
 | stringstream.cpp:128:20:128:22 | call to basic_stringstream | stringstream.cpp:142:7:142:9 | ss1 |  |
 | stringstream.cpp:128:20:128:22 | call to basic_stringstream | stringstream.cpp:145:7:145:9 | ss1 |  |
 | stringstream.cpp:128:20:128:22 | call to basic_stringstream | stringstream.cpp:153:7:153:9 | ss1 |  |
@@ -5385,7 +5413,9 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | swap1.cpp:24:9:24:13 | this | swap1.cpp:24:31:24:34 | this |  |
 | swap1.cpp:24:23:24:26 | that | swap1.cpp:24:23:24:26 | that |  |
 | swap1.cpp:24:23:24:26 | that | swap1.cpp:24:36:24:39 | that |  |
+| swap1.cpp:24:31:24:34 | this | swap1.cpp:24:36:24:39 | ref arg that | TAINT |
 | swap1.cpp:24:36:24:39 | ref arg that | swap1.cpp:24:23:24:26 | that |  |
+| swap1.cpp:24:36:24:39 | that | swap1.cpp:24:31:24:34 | ref arg this | TAINT |
 | swap1.cpp:25:9:25:13 | this | swap1.cpp:25:36:25:52 | constructor init of field data1 [pre-this] |  |
 | swap1.cpp:25:28:25:31 | that | swap1.cpp:25:42:25:45 | that |  |
 | swap1.cpp:25:47:25:51 | data1 | swap1.cpp:25:36:25:52 | constructor init of field data1 | TAINT |
@@ -5395,28 +5425,36 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | swap1.cpp:29:23:29:27 | call to Class | swap1.cpp:30:18:30:20 | tmp |  |
 | swap1.cpp:29:24:29:27 | that | swap1.cpp:29:23:29:27 | call to Class |  |
 | swap1.cpp:30:13:30:16 | ref arg this | swap1.cpp:31:21:31:24 | this |  |
+| swap1.cpp:30:13:30:16 | this | swap1.cpp:30:18:30:20 | ref arg tmp | TAINT |
 | swap1.cpp:30:13:30:16 | this | swap1.cpp:31:21:31:24 | this |  |
+| swap1.cpp:30:18:30:20 | tmp | swap1.cpp:30:13:30:16 | ref arg this | TAINT |
 | swap1.cpp:31:21:31:24 | this | swap1.cpp:31:20:31:24 | * ... | TAINT |
 | swap1.cpp:34:16:34:24 | this | swap1.cpp:36:13:36:16 | this |  |
 | swap1.cpp:34:34:34:37 | that | swap1.cpp:34:34:34:37 | that |  |
 | swap1.cpp:34:34:34:37 | that | swap1.cpp:36:18:36:21 | that |  |
 | swap1.cpp:36:13:36:16 | ref arg this | swap1.cpp:37:21:37:24 | this |  |
+| swap1.cpp:36:13:36:16 | this | swap1.cpp:36:18:36:21 | ref arg that | TAINT |
 | swap1.cpp:36:13:36:16 | this | swap1.cpp:37:21:37:24 | this |  |
 | swap1.cpp:36:18:36:21 | ref arg that | swap1.cpp:34:34:34:37 | that |  |
+| swap1.cpp:36:18:36:21 | that | swap1.cpp:36:13:36:16 | ref arg this | TAINT |
 | swap1.cpp:37:21:37:24 | this | swap1.cpp:37:20:37:24 | * ... | TAINT |
 | swap1.cpp:40:16:40:26 | this | swap1.cpp:43:13:43:16 | this |  |
 | swap1.cpp:40:41:40:44 | that | swap1.cpp:42:24:42:27 | that |  |
 | swap1.cpp:42:23:42:27 | call to Class | swap1.cpp:43:18:43:20 | tmp |  |
 | swap1.cpp:42:24:42:27 | that | swap1.cpp:42:23:42:27 | call to Class |  |
 | swap1.cpp:43:13:43:16 | ref arg this | swap1.cpp:44:21:44:24 | this |  |
+| swap1.cpp:43:13:43:16 | this | swap1.cpp:43:18:43:20 | ref arg tmp | TAINT |
 | swap1.cpp:43:13:43:16 | this | swap1.cpp:44:21:44:24 | this |  |
+| swap1.cpp:43:18:43:20 | tmp | swap1.cpp:43:13:43:16 | ref arg this | TAINT |
 | swap1.cpp:44:21:44:24 | this | swap1.cpp:44:20:44:24 | * ... | TAINT |
 | swap1.cpp:47:16:47:26 | this | swap1.cpp:49:13:49:16 | this |  |
 | swap1.cpp:47:36:47:39 | that | swap1.cpp:47:36:47:39 | that |  |
 | swap1.cpp:47:36:47:39 | that | swap1.cpp:49:18:49:21 | that |  |
 | swap1.cpp:49:13:49:16 | ref arg this | swap1.cpp:50:21:50:24 | this |  |
+| swap1.cpp:49:13:49:16 | this | swap1.cpp:49:18:49:21 | ref arg that | TAINT |
 | swap1.cpp:49:13:49:16 | this | swap1.cpp:50:21:50:24 | this |  |
 | swap1.cpp:49:18:49:21 | ref arg that | swap1.cpp:47:36:47:39 | that |  |
+| swap1.cpp:49:18:49:21 | that | swap1.cpp:49:13:49:16 | ref arg this | TAINT |
 | swap1.cpp:50:21:50:24 | this | swap1.cpp:50:20:50:24 | * ... | TAINT |
 | swap1.cpp:53:14:53:17 | this | swap1.cpp:56:18:56:22 | this |  |
 | swap1.cpp:53:26:53:29 | that | swap1.cpp:53:26:53:29 | that |  |
@@ -5430,7 +5468,9 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | swap1.cpp:61:32:61:32 | y | swap1.cpp:61:32:61:32 | y |  |
 | swap1.cpp:61:32:61:32 | y | swap1.cpp:63:16:63:16 | y |  |
 | swap1.cpp:63:9:63:9 | ref arg x | swap1.cpp:61:22:61:22 | x |  |
+| swap1.cpp:63:9:63:9 | x | swap1.cpp:63:16:63:16 | ref arg y | TAINT |
 | swap1.cpp:63:16:63:16 | ref arg y | swap1.cpp:61:32:61:32 | y |  |
+| swap1.cpp:63:16:63:16 | y | swap1.cpp:63:9:63:9 | ref arg x | TAINT |
 | swap1.cpp:69:23:69:23 | x | swap1.cpp:71:5:71:5 | x |  |
 | swap1.cpp:69:23:69:23 | x | swap1.cpp:73:10:73:10 | x |  |
 | swap1.cpp:69:23:69:23 | x | swap1.cpp:76:9:76:9 | x |  |
@@ -5539,7 +5579,9 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | swap2.cpp:24:9:24:13 | this | swap2.cpp:24:31:24:34 | this |  |
 | swap2.cpp:24:23:24:26 | that | swap2.cpp:24:23:24:26 | that |  |
 | swap2.cpp:24:23:24:26 | that | swap2.cpp:24:36:24:39 | that |  |
+| swap2.cpp:24:31:24:34 | this | swap2.cpp:24:36:24:39 | ref arg that | TAINT |
 | swap2.cpp:24:36:24:39 | ref arg that | swap2.cpp:24:23:24:26 | that |  |
+| swap2.cpp:24:36:24:39 | that | swap2.cpp:24:31:24:34 | ref arg this | TAINT |
 | swap2.cpp:25:9:25:13 | this | swap2.cpp:25:36:25:52 | constructor init of field data1 [pre-this] |  |
 | swap2.cpp:25:28:25:31 | that | swap2.cpp:25:42:25:45 | that |  |
 | swap2.cpp:25:28:25:31 | that | swap2.cpp:25:61:25:64 | that |  |
@@ -5554,28 +5596,36 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | swap2.cpp:29:23:29:27 | call to Class | swap2.cpp:30:18:30:20 | tmp |  |
 | swap2.cpp:29:24:29:27 | that | swap2.cpp:29:23:29:27 | call to Class |  |
 | swap2.cpp:30:13:30:16 | ref arg this | swap2.cpp:31:21:31:24 | this |  |
+| swap2.cpp:30:13:30:16 | this | swap2.cpp:30:18:30:20 | ref arg tmp | TAINT |
 | swap2.cpp:30:13:30:16 | this | swap2.cpp:31:21:31:24 | this |  |
+| swap2.cpp:30:18:30:20 | tmp | swap2.cpp:30:13:30:16 | ref arg this | TAINT |
 | swap2.cpp:31:21:31:24 | this | swap2.cpp:31:20:31:24 | * ... | TAINT |
 | swap2.cpp:34:16:34:24 | this | swap2.cpp:36:13:36:16 | this |  |
 | swap2.cpp:34:34:34:37 | that | swap2.cpp:34:34:34:37 | that |  |
 | swap2.cpp:34:34:34:37 | that | swap2.cpp:36:18:36:21 | that |  |
 | swap2.cpp:36:13:36:16 | ref arg this | swap2.cpp:37:21:37:24 | this |  |
+| swap2.cpp:36:13:36:16 | this | swap2.cpp:36:18:36:21 | ref arg that | TAINT |
 | swap2.cpp:36:13:36:16 | this | swap2.cpp:37:21:37:24 | this |  |
 | swap2.cpp:36:18:36:21 | ref arg that | swap2.cpp:34:34:34:37 | that |  |
+| swap2.cpp:36:18:36:21 | that | swap2.cpp:36:13:36:16 | ref arg this | TAINT |
 | swap2.cpp:37:21:37:24 | this | swap2.cpp:37:20:37:24 | * ... | TAINT |
 | swap2.cpp:40:16:40:26 | this | swap2.cpp:43:13:43:16 | this |  |
 | swap2.cpp:40:41:40:44 | that | swap2.cpp:42:24:42:27 | that |  |
 | swap2.cpp:42:23:42:27 | call to Class | swap2.cpp:43:18:43:20 | tmp |  |
 | swap2.cpp:42:24:42:27 | that | swap2.cpp:42:23:42:27 | call to Class |  |
 | swap2.cpp:43:13:43:16 | ref arg this | swap2.cpp:44:21:44:24 | this |  |
+| swap2.cpp:43:13:43:16 | this | swap2.cpp:43:18:43:20 | ref arg tmp | TAINT |
 | swap2.cpp:43:13:43:16 | this | swap2.cpp:44:21:44:24 | this |  |
+| swap2.cpp:43:18:43:20 | tmp | swap2.cpp:43:13:43:16 | ref arg this | TAINT |
 | swap2.cpp:44:21:44:24 | this | swap2.cpp:44:20:44:24 | * ... | TAINT |
 | swap2.cpp:47:16:47:26 | this | swap2.cpp:49:13:49:16 | this |  |
 | swap2.cpp:47:36:47:39 | that | swap2.cpp:47:36:47:39 | that |  |
 | swap2.cpp:47:36:47:39 | that | swap2.cpp:49:18:49:21 | that |  |
 | swap2.cpp:49:13:49:16 | ref arg this | swap2.cpp:50:21:50:24 | this |  |
+| swap2.cpp:49:13:49:16 | this | swap2.cpp:49:18:49:21 | ref arg that | TAINT |
 | swap2.cpp:49:13:49:16 | this | swap2.cpp:50:21:50:24 | this |  |
 | swap2.cpp:49:18:49:21 | ref arg that | swap2.cpp:47:36:47:39 | that |  |
+| swap2.cpp:49:18:49:21 | that | swap2.cpp:49:13:49:16 | ref arg this | TAINT |
 | swap2.cpp:50:21:50:24 | this | swap2.cpp:50:20:50:24 | * ... | TAINT |
 | swap2.cpp:53:14:53:17 | this | swap2.cpp:56:18:56:22 | this |  |
 | swap2.cpp:53:26:53:29 | that | swap2.cpp:53:26:53:29 | that |  |
@@ -5597,7 +5647,9 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | swap2.cpp:61:32:61:32 | y | swap2.cpp:61:32:61:32 | y |  |
 | swap2.cpp:61:32:61:32 | y | swap2.cpp:63:16:63:16 | y |  |
 | swap2.cpp:63:9:63:9 | ref arg x | swap2.cpp:61:22:61:22 | x |  |
+| swap2.cpp:63:9:63:9 | x | swap2.cpp:63:16:63:16 | ref arg y | TAINT |
 | swap2.cpp:63:16:63:16 | ref arg y | swap2.cpp:61:32:61:32 | y |  |
+| swap2.cpp:63:16:63:16 | y | swap2.cpp:63:9:63:9 | ref arg x | TAINT |
 | swap2.cpp:69:23:69:23 | x | swap2.cpp:71:5:71:5 | x |  |
 | swap2.cpp:69:23:69:23 | x | swap2.cpp:73:10:73:10 | x |  |
 | swap2.cpp:69:23:69:23 | x | swap2.cpp:76:9:76:9 | x |  |
@@ -6545,45 +6597,38 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | taint.cpp:729:27:729:32 | endptr | taint.cpp:729:26:729:32 | & ... |  |
 | taint.cpp:731:7:731:12 | ref arg endptr | taint.cpp:732:8:732:13 | endptr |  |
 | taint.cpp:732:8:732:13 | endptr | taint.cpp:732:7:732:13 | * ... | TAINT |
-| taint.cpp:739:17:739:31 | call to indirect_source | taint.cpp:740:30:740:35 | source |  |
-| taint.cpp:740:22:740:28 | call to realloc | taint.cpp:741:7:741:10 | dest |  |
-| taint.cpp:740:30:740:35 | source | taint.cpp:740:22:740:28 | call to realloc | TAINT |
-| taint.cpp:744:40:744:45 | buffer | taint.cpp:745:5:745:10 | buffer |  |
-| taint.cpp:744:40:744:45 | buffer | taint.cpp:746:27:746:32 | buffer |  |
-| taint.cpp:745:4:745:10 | * ... | taint.cpp:745:3:745:10 | * ... | TAINT |
-| taint.cpp:745:5:745:10 | buffer | taint.cpp:745:4:745:10 | * ... | TAINT |
-| taint.cpp:745:14:745:19 | call to source | taint.cpp:745:3:745:21 | ... = ... |  |
-| taint.cpp:746:19:746:25 | call to realloc | taint.cpp:744:40:744:45 | buffer |  |
-| taint.cpp:746:19:746:25 | call to realloc | taint.cpp:746:3:746:37 | ... = ... |  |
-| taint.cpp:746:19:746:25 | call to realloc | taint.cpp:747:10:747:15 | buffer |  |
-| taint.cpp:746:27:746:32 | buffer | taint.cpp:746:19:746:25 | call to realloc | TAINT |
-| taint.cpp:747:9:747:15 | * ... | taint.cpp:747:8:747:15 | * ... | TAINT |
-| taint.cpp:747:10:747:15 | buffer | taint.cpp:747:9:747:15 | * ... | TAINT |
-| taint.cpp:752:13:752:18 | call to malloc | taint.cpp:753:2:753:2 | a |  |
-| taint.cpp:752:13:752:18 | call to malloc | taint.cpp:754:22:754:22 | a |  |
-| taint.cpp:753:2:753:2 | a [post update] | taint.cpp:754:22:754:22 | a |  |
-| taint.cpp:753:2:753:16 | ... = ... | taint.cpp:753:5:753:5 | x [post update] |  |
-| taint.cpp:753:9:753:14 | call to source | taint.cpp:753:2:753:16 | ... = ... |  |
-| taint.cpp:754:14:754:20 | call to realloc | taint.cpp:755:7:755:8 | a2 |  |
-| taint.cpp:754:22:754:22 | a | taint.cpp:754:14:754:20 | call to realloc | TAINT |
-| taint.cpp:760:31:760:34 | path | taint.cpp:760:31:760:34 | path |  |
-| taint.cpp:760:31:760:34 | path | taint.cpp:761:10:761:13 | path |  |
-| taint.cpp:760:31:760:34 | path | taint.cpp:762:10:762:13 | path |  |
-| taint.cpp:760:43:760:46 | data | taint.cpp:760:43:760:46 | data |  |
-| taint.cpp:760:43:760:46 | data | taint.cpp:762:22:762:25 | data |  |
-| taint.cpp:761:10:761:13 | ref arg path | taint.cpp:760:31:760:34 | path |  |
-| taint.cpp:761:10:761:13 | ref arg path | taint.cpp:762:10:762:13 | path |  |
-| taint.cpp:761:16:761:19 | %s | taint.cpp:761:10:761:13 | ref arg path | TAINT |
-| taint.cpp:761:22:761:26 | abc | taint.cpp:761:10:761:13 | ref arg path | TAINT |
-| taint.cpp:762:10:762:13 | ref arg path | taint.cpp:760:31:760:34 | path |  |
-| taint.cpp:762:16:762:19 | %s | taint.cpp:762:10:762:13 | ref arg path | TAINT |
-| taint.cpp:762:22:762:25 | data | taint.cpp:762:10:762:13 | ref arg path | TAINT |
-| taint.cpp:762:22:762:25 | ref arg data | taint.cpp:760:43:760:46 | data |  |
-| taint.cpp:766:7:766:10 | path | taint.cpp:767:21:767:24 | path |  |
-| taint.cpp:766:7:766:10 | path | taint.cpp:768:8:768:11 | path |  |
-| taint.cpp:767:21:767:24 | ref arg path | taint.cpp:768:8:768:11 | path |  |
-| taint.cpp:768:8:768:11 | path | taint.cpp:768:7:768:11 | * ... |  |
-| taint.cpp:778:37:778:42 | call to source | taint.cpp:779:7:779:9 | obj |  |
+| taint.cpp:738:17:738:31 | call to indirect_source | taint.cpp:739:30:739:35 | source |  |
+| taint.cpp:739:22:739:28 | call to realloc | taint.cpp:740:7:740:10 | dest |  |
+| taint.cpp:739:30:739:35 | source | taint.cpp:739:22:739:28 | call to realloc | TAINT |
+| taint.cpp:743:40:743:45 | buffer | taint.cpp:744:5:744:10 | buffer |  |
+| taint.cpp:743:40:743:45 | buffer | taint.cpp:745:27:745:32 | buffer |  |
+| taint.cpp:744:4:744:10 | * ... | taint.cpp:744:3:744:10 | * ... | TAINT |
+| taint.cpp:744:5:744:10 | buffer | taint.cpp:744:4:744:10 | * ... | TAINT |
+| taint.cpp:744:14:744:19 | call to source | taint.cpp:744:3:744:21 | ... = ... |  |
+| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:743:40:743:45 | buffer |  |
+| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:745:3:745:37 | ... = ... |  |
+| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:746:10:746:15 | buffer |  |
+| taint.cpp:745:27:745:32 | buffer | taint.cpp:745:19:745:25 | call to realloc | TAINT |
+| taint.cpp:746:9:746:15 | * ... | taint.cpp:746:8:746:15 | * ... | TAINT |
+| taint.cpp:746:10:746:15 | buffer | taint.cpp:746:9:746:15 | * ... | TAINT |
+| taint.cpp:751:31:751:34 | path | taint.cpp:751:31:751:34 | path |  |
+| taint.cpp:751:31:751:34 | path | taint.cpp:752:10:752:13 | path |  |
+| taint.cpp:751:31:751:34 | path | taint.cpp:753:10:753:13 | path |  |
+| taint.cpp:751:43:751:46 | data | taint.cpp:751:43:751:46 | data |  |
+| taint.cpp:751:43:751:46 | data | taint.cpp:753:22:753:25 | data |  |
+| taint.cpp:752:10:752:13 | ref arg path | taint.cpp:751:31:751:34 | path |  |
+| taint.cpp:752:10:752:13 | ref arg path | taint.cpp:753:10:753:13 | path |  |
+| taint.cpp:752:16:752:19 | %s | taint.cpp:752:10:752:13 | ref arg path | TAINT |
+| taint.cpp:752:22:752:26 | abc | taint.cpp:752:10:752:13 | ref arg path | TAINT |
+| taint.cpp:753:10:753:13 | ref arg path | taint.cpp:751:31:751:34 | path |  |
+| taint.cpp:753:16:753:19 | %s | taint.cpp:753:10:753:13 | ref arg path | TAINT |
+| taint.cpp:753:22:753:25 | data | taint.cpp:753:10:753:13 | ref arg path | TAINT |
+| taint.cpp:753:22:753:25 | ref arg data | taint.cpp:751:43:751:46 | data |  |
+| taint.cpp:757:7:757:10 | path | taint.cpp:758:21:758:24 | path |  |
+| taint.cpp:757:7:757:10 | path | taint.cpp:759:8:759:11 | path |  |
+| taint.cpp:758:21:758:24 | ref arg path | taint.cpp:759:8:759:11 | path |  |
+| taint.cpp:759:8:759:11 | path | taint.cpp:759:7:759:11 | * ... |  |
+| taint.cpp:769:37:769:42 | call to source | taint.cpp:770:7:770:9 | obj |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v |  |
@@ -6960,12 +7005,16 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:112:7:112:8 | ref arg v4 | vector.cpp:121:1:121:1 | v4 |  |
 | vector.cpp:114:2:114:3 | ref arg v1 | vector.cpp:117:7:117:8 | v1 |  |
 | vector.cpp:114:2:114:3 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
+| vector.cpp:114:2:114:3 | v1 | vector.cpp:114:10:114:11 | ref arg v2 | TAINT |
 | vector.cpp:114:10:114:11 | ref arg v2 | vector.cpp:118:7:118:8 | v2 |  |
 | vector.cpp:114:10:114:11 | ref arg v2 | vector.cpp:121:1:121:1 | v2 |  |
+| vector.cpp:114:10:114:11 | v2 | vector.cpp:114:2:114:3 | ref arg v1 | TAINT |
 | vector.cpp:115:2:115:3 | ref arg v3 | vector.cpp:119:7:119:8 | v3 |  |
 | vector.cpp:115:2:115:3 | ref arg v3 | vector.cpp:121:1:121:1 | v3 |  |
+| vector.cpp:115:2:115:3 | v3 | vector.cpp:115:10:115:11 | ref arg v4 | TAINT |
 | vector.cpp:115:10:115:11 | ref arg v4 | vector.cpp:120:7:120:8 | v4 |  |
 | vector.cpp:115:10:115:11 | ref arg v4 | vector.cpp:121:1:121:1 | v4 |  |
+| vector.cpp:115:10:115:11 | v4 | vector.cpp:115:2:115:3 | ref arg v3 | TAINT |
 | vector.cpp:117:7:117:8 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
 | vector.cpp:118:7:118:8 | ref arg v2 | vector.cpp:121:1:121:1 | v2 |  |
 | vector.cpp:119:7:119:8 | ref arg v3 | vector.cpp:121:1:121:1 | v3 |  |

cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp

@@ -68,8 +68,8 @@ void test_pair()
  	i.swap(j);
 	k.swap(l);
 	sink(i.first);
-	sink(i.second); // $ ir, MISSING: ast
-	sink(i); // $ ir
+	sink(i.second); // $ MISSING: ast,ir
+	sink(i); // $ ast,ir
 	sink(j.first);
 	sink(j.second); // $ SPURIOUS: ast
 	sink(j); // $ SPURIOUS: ast
@@ -77,8 +77,8 @@ void test_pair()
 	sink(k.second); // $ SPURIOUS: ast
 	sink(k); // $ SPURIOUS: ast
 	sink(l.first);
-	sink(l.second); // $ ir, MISSING: ast
-	sink(l); // $ ir
+	sink(l.second); // $ MISSING: ast,ir
+	sink(l); // $ ast,ir
 
 	sink(make_pair("123", "456"));
 	sink(make_pair("123", "456").first);
@@ -197,8 +197,8 @@ void test_map()
 	m15.swap(m16);
 	m17.swap(m18);
 	sink(m15); // $ SPURIOUS: ast
-	sink(m16); // $ ir
-	sink(m17); // $ ir
+	sink(m16); // $ ast,ir
+	sink(m17); // $ ast,ir
 	sink(m18); // $ SPURIOUS: ast
 
 	// merge
@@ -346,8 +346,8 @@ void test_unordered_map()
 	m15.swap(m16);
 	m17.swap(m18);
 	sink(m15); // $ SPURIOUS: ast
-	sink(m16); // $ ir
-	sink(m17); // $ ir
+	sink(m16); // $ ast,ir
+	sink(m17); // $ ast,ir
 	sink(m18); // $ SPURIOUS: ast
 
 	// merge

cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp

@@ -82,8 +82,8 @@ void test_set()
 	s12.swap(s13);
 	s14.swap(s15);
 	sink(s12); // $ SPURIOUS: ast
-	sink(s13); // $ ir
-	sink(s14); // $ ir
+	sink(s13); // $ ast,ir
+	sink(s14); // $ ast,ir
 	sink(s15); // $ SPURIOUS: ast
 
 	// merge
@@ -194,8 +194,8 @@ void test_unordered_set()
 	s12.swap(s13);
 	s14.swap(s15);
 	sink(s12); // $ SPURIOUS: ast
-	sink(s13); // $ ir
-	sink(s14); // $ ir
+	sink(s13); // $ ast,ir
+	sink(s14); // $ ast,ir
 	sink(s15); // $ SPURIOUS: ast
 
 	// merge

cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp

@@ -279,9 +279,9 @@ void test_string_swap() {
 	s1.swap(s2);
 	s4.swap(s3);
 
-	sink(s1); // $ ir
+	sink(s1); // $ ast,ir
 	sink(s2); // $ SPURIOUS: ast
-	sink(s3); // $ ir
+	sink(s3); // $ ast,ir
 	sink(s4); // $ SPURIOUS: ast
 }
 

cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp

@@ -117,9 +117,9 @@ void test_stringstream_swap()
 	ss1.swap(ss2);
 	ss4.swap(ss3);
 
-	sink(ss1); // $ ir
+	sink(ss1); // $ ast,ir
 	sink(ss2); // $ SPURIOUS: ast
-	sink(ss3); // $ ir
+	sink(ss3); // $ ast,ir
 	sink(ss4); // $ SPURIOUS: ast
 }
 

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -732,7 +732,6 @@ void test_strtol(char *source) {
 	sink(*endptr); // $ ast,ir
 }
 
-void *malloc(size_t);
 void *realloc(void *, size_t);
 
 void test_realloc() {
@@ -747,14 +746,6 @@ void test_realloc_2_indirections(int **buffer) {
   sink(**buffer); // $ ir MISSING: ast
 }
 
-void test_realloc_struct_field() {
-	struct A { int x; };
-	A* a = (A*)malloc(sizeof(A));
-	a->x = source();
-	A* a2 = (A*)realloc(a, sizeof(A));
-	sink(a2->x); // $ ir MISSING: ast
-}
-
 int sprintf(char *, const char *, ...);
 
 void call_sprintf_twice(char* path, char* data) {

cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp

@@ -115,8 +115,8 @@ void test_vector_swap() {
 	v3.swap(v4);
 
 	sink(v1);
-	sink(v2); // $ ir MISSING: ast
-	sink(v3); // $ ir MISSING: ast
+	sink(v2); // $ MISSING:ir ast
+	sink(v3); // $ MISSING:ir ast
 	sink(v4);
 }
 

cpp/ql/test/library-tests/includes/include_next/includes.expected

@@ -1,3 +1,4 @@
+| a/test.h:2:1:2:22 | #include_next <test.h> | a/test.h:0:0:0:0 | a/test.h |
 | a/test.h:2:1:2:22 | #include_next <test.h> | b/test.h:0:0:0:0 | b/test.h |
 | b/loop.h:2:1:2:22 | #include_next <test.h> | a/test.h:0:0:0:0 | a/test.h |
 | b/test.h:4:1:4:17 | #include "loop.h" | b/loop.h:0:0:0:0 | b/loop.h |

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected

@@ -6,27 +6,8 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
-| ir.c:62:5:62:26 | Chi: call to ExRaiseAccessViolation | Instruction 'Chi: call to ExRaiseAccessViolation' has no successors in function '$@'. | ir.c:57:6:57:30 | void throw_in_try_with_finally() | void throw_in_try_with_finally() |
-| ir.c:73:5:73:26 | Chi: call to ExRaiseAccessViolation | Instruction 'Chi: call to ExRaiseAccessViolation' has no successors in function '$@'. | ir.c:70:6:70:39 | void throw_in_try_with_throw_in_finally() | void throw_in_try_with_throw_in_finally() |
-| ir.c:81:3:81:24 | Chi: call to ExRaiseAccessViolation | Instruction 'Chi: call to ExRaiseAccessViolation' has no successors in function '$@'. | ir.c:80:6:80:27 | void raise_access_violation() | void raise_access_violation() |
 ambiguousSuccessors
 unexplainedLoop
-| ir.c:38:13:38:37 | Constant: 1 | Instruction 'Constant: 1' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:38:13:38:37 | Phi: 1 | Instruction 'Phi: 1' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | CompareEQ: { ... } | Instruction 'CompareEQ: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | CompareEQ: { ... } | Instruction 'CompareEQ: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | CompareEQ: { ... } | Instruction 'CompareEQ: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | ConditionalBranch: { ... } | Instruction 'ConditionalBranch: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | ConditionalBranch: { ... } | Instruction 'ConditionalBranch: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | ConditionalBranch: { ... } | Instruction 'ConditionalBranch: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | Constant: { ... } | Instruction 'Constant: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | Constant: { ... } | Instruction 'Constant: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | Constant: { ... } | Instruction 'Constant: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | Call: call to ExRaiseAccessViolation | Instruction 'Call: call to ExRaiseAccessViolation' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | CallSideEffect: call to ExRaiseAccessViolation | Instruction 'CallSideEffect: call to ExRaiseAccessViolation' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | Chi: call to ExRaiseAccessViolation | Instruction 'Chi: call to ExRaiseAccessViolation' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | FunctionAddress: call to ExRaiseAccessViolation | Instruction 'FunctionAddress: call to ExRaiseAccessViolation' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:28:40:28 | Constant: 1 | Instruction 'Constant: 1' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
 unnecessaryPhiInstruction
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
@@ -37,9 +18,6 @@ containsLoopOfForwardEdges
 missingIRType
 multipleIRTypes
 lostReachability
-| ir.c:39:3:41:3 | Constant: { ... } | Block 'Constant: { ... }' is not reachable by traversing only forward edges in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | Constant: { ... } | Block 'Constant: { ... }' is not reachable by traversing only forward edges in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | FunctionAddress: call to ExRaiseAccessViolation | Block 'FunctionAddress: call to ExRaiseAccessViolation' is not reachable by traversing only forward edges in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
@@ -51,4 +29,26 @@ fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 | ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
 nonUniqueIRVariable
+| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
+| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
+| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
+| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
+| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
+| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
+| coroutines.cpp:96:3:96:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
+| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
+| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
+| coroutines.cpp:100:3:100:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
+| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
+| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
+| coroutines.cpp:104:3:104:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
+| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
+| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
+| coroutines.cpp:109:3:109:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
 missingCppType

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected

@@ -6,27 +6,8 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
-| ir.c:62:5:62:26 | Chi: call to ExRaiseAccessViolation | Instruction 'Chi: call to ExRaiseAccessViolation' has no successors in function '$@'. | ir.c:57:6:57:30 | void throw_in_try_with_finally() | void throw_in_try_with_finally() |
-| ir.c:73:5:73:26 | Chi: call to ExRaiseAccessViolation | Instruction 'Chi: call to ExRaiseAccessViolation' has no successors in function '$@'. | ir.c:70:6:70:39 | void throw_in_try_with_throw_in_finally() | void throw_in_try_with_throw_in_finally() |
-| ir.c:81:3:81:24 | Chi: call to ExRaiseAccessViolation | Instruction 'Chi: call to ExRaiseAccessViolation' has no successors in function '$@'. | ir.c:80:6:80:27 | void raise_access_violation() | void raise_access_violation() |
 ambiguousSuccessors
 unexplainedLoop
-| ir.c:38:13:38:37 | Constant: 1 | Instruction 'Constant: 1' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:38:13:38:37 | Phi: 1 | Instruction 'Phi: 1' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | CompareEQ: { ... } | Instruction 'CompareEQ: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | CompareEQ: { ... } | Instruction 'CompareEQ: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | CompareEQ: { ... } | Instruction 'CompareEQ: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | ConditionalBranch: { ... } | Instruction 'ConditionalBranch: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | ConditionalBranch: { ... } | Instruction 'ConditionalBranch: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | ConditionalBranch: { ... } | Instruction 'ConditionalBranch: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | Constant: { ... } | Instruction 'Constant: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | Constant: { ... } | Instruction 'Constant: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | Constant: { ... } | Instruction 'Constant: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | Call: call to ExRaiseAccessViolation | Instruction 'Call: call to ExRaiseAccessViolation' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | CallSideEffect: call to ExRaiseAccessViolation | Instruction 'CallSideEffect: call to ExRaiseAccessViolation' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | Chi: call to ExRaiseAccessViolation | Instruction 'Chi: call to ExRaiseAccessViolation' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | FunctionAddress: call to ExRaiseAccessViolation | Instruction 'FunctionAddress: call to ExRaiseAccessViolation' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:28:40:28 | Constant: 1 | Instruction 'Constant: 1' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
 unnecessaryPhiInstruction
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
@@ -37,9 +18,6 @@ containsLoopOfForwardEdges
 missingIRType
 multipleIRTypes
 lostReachability
-| ir.c:39:3:41:3 | Constant: { ... } | Block 'Constant: { ... }' is not reachable by traversing only forward edges in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | Constant: { ... } | Block 'Constant: { ... }' is not reachable by traversing only forward edges in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | FunctionAddress: call to ExRaiseAccessViolation | Block 'FunctionAddress: call to ExRaiseAccessViolation' is not reachable by traversing only forward edges in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
@@ -51,4 +29,26 @@ fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 | ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
 nonUniqueIRVariable
+| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
+| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
+| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
+| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
+| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
+| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
+| coroutines.cpp:96:3:96:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
+| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
+| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
+| coroutines.cpp:100:3:100:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
+| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
+| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
+| coroutines.cpp:104:3:104:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
+| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
+| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
+| coroutines.cpp:109:3:109:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
 missingCppType

cpp/ql/test/library-tests/ir/ir/ir.c

@@ -29,56 +29,4 @@ int TryExceptTest(int x) {
   return 0;
 }
 
-void unexplained_loop_regression()
-{
-  __try
-  {
-    ExRaiseAccessViolation(0);
-  }
-  __except (EXCEPTION_EXECUTE_HANDLER)
-  {
-    ExRaiseAccessViolation(1);
-  }
-}
-
-void try_with_finally()
-{
-  int x = 0;
-  __try
-  {
-    x = 1;
-  }
-  __finally
-  {
-    x = 2;
-  }
-}
-
-void throw_in_try_with_finally()
-{
-  int x = 0;
-  __try
-  {
-    ExRaiseAccessViolation(0);
-  }
-  __finally
-  {
-    x = 1;
-  }
-}
-
-void throw_in_try_with_throw_in_finally()
-{
-  __try {
-    ExRaiseAccessViolation(0);
-  }
-  __finally {
-    ExRaiseAccessViolation(0);
-  }
-}
-
-void raise_access_violation() {
-  ExRaiseAccessViolation(1);
-}
-
 // semmle-extractor-options: --microsoft

cpp/ql/test/library-tests/ir/ir/raw_consistency.expected

@@ -6,26 +6,8 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
-| ir.c:62:5:62:26 | CallSideEffect: call to ExRaiseAccessViolation | Instruction 'CallSideEffect: call to ExRaiseAccessViolation' has no successors in function '$@'. | ir.c:57:6:57:30 | void throw_in_try_with_finally() | void throw_in_try_with_finally() |
-| ir.c:73:5:73:26 | CallSideEffect: call to ExRaiseAccessViolation | Instruction 'CallSideEffect: call to ExRaiseAccessViolation' has no successors in function '$@'. | ir.c:70:6:70:39 | void throw_in_try_with_throw_in_finally() | void throw_in_try_with_throw_in_finally() |
-| ir.c:76:5:76:26 | CallSideEffect: call to ExRaiseAccessViolation | Instruction 'CallSideEffect: call to ExRaiseAccessViolation' has no successors in function '$@'. | ir.c:70:6:70:39 | void throw_in_try_with_throw_in_finally() | void throw_in_try_with_throw_in_finally() |
-| ir.c:81:3:81:24 | CallSideEffect: call to ExRaiseAccessViolation | Instruction 'CallSideEffect: call to ExRaiseAccessViolation' has no successors in function '$@'. | ir.c:80:6:80:27 | void raise_access_violation() | void raise_access_violation() |
 ambiguousSuccessors
 unexplainedLoop
-| ir.c:38:13:38:37 | Constant: 1 | Instruction 'Constant: 1' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | CompareEQ: { ... } | Instruction 'CompareEQ: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | CompareEQ: { ... } | Instruction 'CompareEQ: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | CompareEQ: { ... } | Instruction 'CompareEQ: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | ConditionalBranch: { ... } | Instruction 'ConditionalBranch: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | ConditionalBranch: { ... } | Instruction 'ConditionalBranch: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | ConditionalBranch: { ... } | Instruction 'ConditionalBranch: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | Constant: { ... } | Instruction 'Constant: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | Constant: { ... } | Instruction 'Constant: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | Constant: { ... } | Instruction 'Constant: { ... }' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | Call: call to ExRaiseAccessViolation | Instruction 'Call: call to ExRaiseAccessViolation' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | CallSideEffect: call to ExRaiseAccessViolation | Instruction 'CallSideEffect: call to ExRaiseAccessViolation' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | FunctionAddress: call to ExRaiseAccessViolation | Instruction 'FunctionAddress: call to ExRaiseAccessViolation' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:28:40:28 | Constant: 1 | Instruction 'Constant: 1' is part of an unexplained loop in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
 unnecessaryPhiInstruction
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
@@ -36,10 +18,6 @@ containsLoopOfForwardEdges
 missingIRType
 multipleIRTypes
 lostReachability
-| ir.c:39:3:41:3 | Constant: { ... } | Block 'Constant: { ... }' is not reachable by traversing only forward edges in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | Constant: { ... } | Block 'Constant: { ... }' is not reachable by traversing only forward edges in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:39:3:41:3 | Unwind: { ... } | Block 'Unwind: { ... }' is not reachable by traversing only forward edges in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
-| ir.c:40:5:40:26 | FunctionAddress: call to ExRaiseAccessViolation | Block 'FunctionAddress: call to ExRaiseAccessViolation' is not reachable by traversing only forward edges in function '$@'. | ir.c:32:6:32:32 | void unexplained_loop_regression() | void unexplained_loop_regression() |
 backEdgeCountMismatch
 useNotDominatedByDefinition
 | ir.cpp:1535:8:1535:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1535:8:1535:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
@@ -60,4 +38,32 @@ fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 | ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
 nonUniqueIRVariable
+| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
+| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
+| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
+| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
+| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
+| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
+| coroutines.cpp:96:3:96:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
+| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
+| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
+| coroutines.cpp:100:3:100:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
+| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
+| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
+| coroutines.cpp:104:3:104:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
+| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
+| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
+| coroutines.cpp:109:3:109:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
+| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
 missingCppType