Merge branch 'main' into rdmarsh2/swift/for-in

cpp/ql/lib/change-notes/2023-09-08-more-unreachble.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
+ non-returning in the IR and dataflow.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -193,13 +193,23 @@ class Node extends TIRDataFlowNode {
    * a `Conversion`, then the result is the underlying non-`Conversion` base
    * expression.
    */
-  Expr asExpr() { result = this.(ExprNode).getExpr() }
+  Expr asExpr() { result = this.asExpr(_) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr asExpr(int n) { result = this.(ExprNode).getExpr(n) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr asIndirectExpr(int n, int index) { result = this.(IndirectExprNode).getExpr(n, index) }
 
   /**
    * Gets the non-conversion expression that's indirectly tracked by this node
    * under `index` number of indirections.
    */
-  Expr asIndirectExpr(int index) { result = this.(IndirectExprNode).getExpr(index) }
+  Expr asIndirectExpr(int index) { result = this.asIndirectExpr(_, index) }
 
   /**
    * Gets the non-conversion expression that's indirectly tracked by this node
@@ -211,15 +221,26 @@ class Node extends TIRDataFlowNode {
    * Gets the expression corresponding to this node, if any. The returned
    * expression may be a `Conversion`.
    */
-  Expr asConvertedExpr() { result = this.(ExprNode).getConvertedExpr() }
+  Expr asConvertedExpr() { result = this.asConvertedExpr(_) }
+
+  /**
+   * Gets the expression corresponding to this node, if any. The returned
+   * expression may be a `Conversion`.
+   */
+  Expr asConvertedExpr(int n) { result = this.(ExprNode).getConvertedExpr(n) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr asIndirectConvertedExpr(int n, int index) {
+    result = this.(IndirectExprNode).getConvertedExpr(n, index)
+  }
 
   /**
    * Gets the expression that's indirectly tracked by this node
    * behind `index` number of indirections.
    */
-  Expr asIndirectConvertedExpr(int index) {
-    result = this.(IndirectExprNode).getConvertedExpr(index)
-  }
+  Expr asIndirectConvertedExpr(int index) { result = this.asIndirectConvertedExpr(_, index) }
 
   /**
    * Gets the expression that's indirectly tracked by this node behind a
@@ -391,9 +412,10 @@ class Node extends TIRDataFlowNode {
 }
 
 private string toExprString(Node n) {
-  result = n.asExpr().toString()
+  result = n.asExpr(0).toString()
   or
-  result = n.asIndirectExpr().toString() + " indirection"
+  not exists(n.asExpr()) and
+  result = n.asIndirectExpr(0, 1).toString() + " indirection"
 }
 
 /**
@@ -933,7 +955,7 @@ class RawIndirectOperand extends Node, TRawIndirectOperand {
   }
 
   override string toStringImpl() {
-    result = instructionNode(this.getOperand().getDef()).toStringImpl() + " indirection"
+    result = operandNode(this.getOperand()).toStringImpl() + " indirection"
   }
 }
 
@@ -1040,77 +1062,117 @@ class RawIndirectInstruction extends Node, TRawIndirectInstruction {
   }
 }
 
-/** Holds if `node` is an `OperandNode` that should map `node.asExpr()` to `e`. */
-predicate exprNodeShouldBeOperand(OperandNode node, Expr e) {
-  exists(Instruction def |
-    unique( | | getAUse(def)) = node.getOperand() and
-    e = def.getConvertedResultExpression()
-  )
+private module GetConvertedResultExpression {
+  private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
+  private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
+
+  /**
+   * Gets the expression that should be returned as the result expression from `instr`.
+   *
+   * Note that this predicate may return multiple results in cases where a conversion belond to a
+   * different AST element than its operand.
+   */
+  Expr getConvertedResultExpression(Instruction instr, int n) {
+    // Only fully converted instructions has a result for `asConvertedExpr`
+    not conversionFlow(unique( | | getAUse(instr)), _, false, false) and
+    result = getConvertedResultExpressionImpl(instr) and
+    n = 0
+    or
+    // If the conversion also has a result then we return multiple results
+    exists(Operand operand | conversionFlow(operand, instr, false, false) |
+      n = 1 and
+      result = getConvertedResultExpressionImpl(operand.getDef())
+      or
+      result = getConvertedResultExpression(operand.getDef(), n - 1)
+    )
+  }
+
+  private Expr getConvertedResultExpressionImpl0(Instruction instr) {
+    // For an expression such as `i += 2` we pretend that the generated
+    // `StoreInstruction` contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedAssignOperation tao |
+      result = tao.getExpr() and
+      instr = tao.getInstruction(any(AssignmentStoreTag tag))
+    )
+    or
+    // Similarly for `i++` and `++i` we pretend that the generated
+    // `StoreInstruction` is contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedCrementOperation tco |
+      result = tco.getExpr() and
+      instr = tco.getInstruction(any(CrementStoreTag tag))
+    )
+    or
+    // IR construction inserts an additional cast to a `size_t` on the extent
+    // of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
+    // a result for `getConvertedResultExpression`. We remap this here so that
+    // this `ConvertInstruction` maps to the result of the expression that
+    // represents the extent.
+    exists(TranslatedNonConstantAllocationSize tas |
+      result = tas.getExtent().getExpr() and
+      instr = tas.getInstruction(any(AllocationExtentConvertTag tag))
+    )
+    or
+    // There's no instruction that returns `ParenthesisExpr`, but some queries
+    // expect this
+    exists(TranslatedTransparentConversion ttc |
+      result = ttc.getExpr().(ParenthesisExpr) and
+      instr = ttc.getResult()
+    )
+  }
+
+  private Expr getConvertedResultExpressionImpl(Instruction instr) {
+    result = getConvertedResultExpressionImpl0(instr)
+    or
+    not exists(getConvertedResultExpressionImpl0(instr)) and
+    result = instr.getConvertedResultExpression()
+  }
 }
 
-private predicate indirectExprNodeShouldBeIndirectOperand0(
-  VariableAddressInstruction instr, RawIndirectOperand node, Expr e
-) {
-  instr = node.getOperand().getDef() and
-  e = instr.getAst().(Expr).getUnconverted()
+private import GetConvertedResultExpression
+
+/** Holds if `node` is an `OperandNode` that should map `node.asExpr()` to `e`. */
+predicate exprNodeShouldBeOperand(OperandNode node, Expr e, int n) {
+  exists(Instruction def |
+    unique( | | getAUse(def)) = node.getOperand() and
+    e = getConvertedResultExpression(def, n)
+  )
 }
 
 /** Holds if `node` should be an `IndirectOperand` that maps `node.asIndirectExpr()` to `e`. */
-private predicate indirectExprNodeShouldBeIndirectOperand(RawIndirectOperand node, Expr e) {
-  exists(Instruction instr | instr = node.getOperand().getDef() |
-    exists(Expr e0 |
-      indirectExprNodeShouldBeIndirectOperand0(instr, node, e0) and
-      e = e0.getFullyConverted()
-    )
-    or
-    not indirectExprNodeShouldBeIndirectOperand0(_, node, _) and
-    e = instr.getConvertedResultExpression()
+private predicate indirectExprNodeShouldBeIndirectOperand(
+  IndirectOperand node, Expr e, int n, int indirectionIndex
+) {
+  exists(Instruction def |
+    node.hasOperandAndIndirectionIndex(unique( | | getAUse(def)), indirectionIndex) and
+    e = getConvertedResultExpression(def, n)
   )
 }
 
-private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e) {
+private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e, int n) {
   exists(CallInstruction call |
     call.getStaticCallTarget() instanceof Constructor and
-    e = call.getConvertedResultExpression() and
+    e = getConvertedResultExpression(call, n) and
     call.getThisArgumentOperand() = node.getAddressOperand()
   )
 }
 
 /** Holds if `node` should be an instruction node that maps `node.asExpr()` to `e`. */
-predicate exprNodeShouldBeInstruction(Node node, Expr e) {
-  not exprNodeShouldBeOperand(_, e) and
-  not exprNodeShouldBeIndirectOutNode(_, e) and
-  (
-    e = node.asInstruction().getConvertedResultExpression()
-    or
-    // The instruction that contains the result of an `AssignOperation` is
-    // the unloaded left operand (see the comments in `TranslatedAssignOperation`).
-    // That means that for cases like
-    // ```cpp
-    // int x = ...;
-    // x += 1;
-    // ```
-    // the result of `x += 1` is the `VariableAddressInstruction` that represents `x`. But
-    // that instruction doesn't receive the flow from this `AssignOperation`. So instead we
-    // map the operation to the `AddInstruction`.
-    node.asInstruction().getAst() = e.(AssignOperation)
-    or
-    // Same story for `CrementOperation`s (cf. the comments in the subclasses
-    // of `TranslatedCrementOperation`).
-    node.asInstruction().getAst() = e.(CrementOperation)
-  )
+predicate exprNodeShouldBeInstruction(Node node, Expr e, int n) {
+  not exprNodeShouldBeOperand(_, e, n) and
+  not exprNodeShouldBeIndirectOutNode(_, e, n) and
+  e = getConvertedResultExpression(node.asInstruction(), n)
 }
 
 /** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
-predicate indirectExprNodeShouldBeIndirectInstruction(IndirectInstruction node, Expr e) {
+predicate indirectExprNodeShouldBeIndirectInstruction(
+  IndirectInstruction node, Expr e, int n, int indirectionIndex
+) {
+  not indirectExprNodeShouldBeIndirectOperand(_, e, n, indirectionIndex) and
   exists(Instruction instr |
-    node.hasInstructionAndIndirectionIndex(instr, _) and
-    not indirectExprNodeShouldBeIndirectOperand(_, e)
-  |
-    e = instr.(VariableAddressInstruction).getAst().(Expr).getFullyConverted()
-    or
-    not instr instanceof VariableAddressInstruction and
-    e = instr.getConvertedResultExpression()
+    node.hasInstructionAndIndirectionIndex(instr, indirectionIndex) and
+    e = getConvertedResultExpression(instr, n)
   )
 }
 
@@ -1119,30 +1181,32 @@ abstract private class ExprNodeBase extends Node {
    * Gets the expression corresponding to this node, if any. The returned
    * expression may be a `Conversion`.
    */
-  abstract Expr getConvertedExpr();
+  abstract Expr getConvertedExpr(int n);
 
   /** Gets the non-conversion expression corresponding to this node, if any. */
-  abstract Expr getExpr();
+  final Expr getExpr(int n) { result = this.getConvertedExpr(n).getUnconverted() }
 }
 
 private class InstructionExprNode extends ExprNodeBase, InstructionNode {
-  InstructionExprNode() { exprNodeShouldBeInstruction(this, _) }
+  InstructionExprNode() {
+    exists(Expr e, int n |
+      exprNodeShouldBeInstruction(this, e, n) and
+      not exprNodeShouldBeInstruction(_, e, n + 1)
+    )
+  }
 
-  final override Expr getConvertedExpr() { exprNodeShouldBeInstruction(this, result) }
-
-  final override Expr getExpr() { result = this.getConvertedExpr().getUnconverted() }
-
-  final override string toStringImpl() { result = this.getConvertedExpr().toString() }
+  final override Expr getConvertedExpr(int n) { exprNodeShouldBeInstruction(this, result, n) }
 }
 
 private class OperandExprNode extends ExprNodeBase, OperandNode {
-  OperandExprNode() { exprNodeShouldBeOperand(this, _) }
+  OperandExprNode() {
+    exists(Expr e, int n |
+      exprNodeShouldBeOperand(this, e, n) and
+      not exprNodeShouldBeOperand(_, e, n + 1)
+    )
+  }
 
-  final override Expr getConvertedExpr() { exprNodeShouldBeOperand(this, result) }
-
-  final override Expr getExpr() { result = this.getConvertedExpr().getUnconverted() }
-
-  final override string toStringImpl() { result = this.getConvertedExpr().toString() }
+  final override Expr getConvertedExpr(int n) { exprNodeShouldBeOperand(this, result, n) }
 }
 
 abstract private class IndirectExprNodeBase extends Node {
@@ -1150,67 +1214,75 @@ abstract private class IndirectExprNodeBase extends Node {
    * Gets the expression corresponding to this node, if any. The returned
    * expression may be a `Conversion`.
    */
-  abstract Expr getConvertedExpr(int indirectionIndex);
+  abstract Expr getConvertedExpr(int n, int indirectionIndex);
 
   /** Gets the non-conversion expression corresponding to this node, if any. */
-  abstract Expr getExpr(int indirectionIndex);
-}
-
-private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase, RawIndirectOperand {
-  IndirectOperandIndirectExprNode() { indirectExprNodeShouldBeIndirectOperand(this, _) }
-
-  final override Expr getConvertedExpr(int index) {
-    this.getIndirectionIndex() = index and
-    indirectExprNodeShouldBeIndirectOperand(this, result)
-  }
-
-  final override Expr getExpr(int index) {
-    this.getIndirectionIndex() = index and
-    result = this.getConvertedExpr(index).getUnconverted()
+  final Expr getExpr(int n, int indirectionIndex) {
+    result = this.getConvertedExpr(n, indirectionIndex).getUnconverted()
   }
 }
 
-private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase,
-  RawIndirectInstruction
+private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase instanceof IndirectOperand
 {
-  IndirectInstructionIndirectExprNode() { indirectExprNodeShouldBeIndirectInstruction(this, _) }
-
-  final override Expr getConvertedExpr(int index) {
-    this.getIndirectionIndex() = index and
-    indirectExprNodeShouldBeIndirectInstruction(this, result)
+  IndirectOperandIndirectExprNode() {
+    exists(Expr e, int n, int indirectionIndex |
+      indirectExprNodeShouldBeIndirectOperand(this, e, n, indirectionIndex) and
+      not indirectExprNodeShouldBeIndirectOperand(_, e, n + 1, indirectionIndex)
+    )
   }
 
-  final override Expr getExpr(int index) {
-    this.getIndirectionIndex() = index and
-    result = this.getConvertedExpr(index).getUnconverted()
+  final override Expr getConvertedExpr(int n, int index) {
+    indirectExprNodeShouldBeIndirectOperand(this, result, n, index)
+  }
+}
+
+private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase instanceof IndirectInstruction
+{
+  IndirectInstructionIndirectExprNode() {
+    exists(Expr e, int n, int indirectionIndex |
+      indirectExprNodeShouldBeIndirectInstruction(this, e, n, indirectionIndex) and
+      not indirectExprNodeShouldBeIndirectInstruction(_, e, n + 1, indirectionIndex)
+    )
+  }
+
+  final override Expr getConvertedExpr(int n, int index) {
+    indirectExprNodeShouldBeIndirectInstruction(this, result, n, index)
   }
 }
 
 private class IndirectArgumentOutExprNode extends ExprNodeBase, IndirectArgumentOutNode {
-  IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _) }
+  IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _, _) }
 
-  final override Expr getConvertedExpr() { exprNodeShouldBeIndirectOutNode(this, result) }
-
-  final override Expr getExpr() { result = this.getConvertedExpr() }
+  final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOutNode(this, result, n) }
 }
 
 /**
  * An expression, viewed as a node in a data flow graph.
  */
 class ExprNode extends Node instanceof ExprNodeBase {
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr getExpr(int n) { result = super.getExpr(n) }
+
   /**
    * Gets the non-conversion expression corresponding to this node, if any. If
    * this node strictly (in the sense of `getConvertedExpr`) corresponds to a
    * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
    * expression.
    */
-  Expr getExpr() { result = super.getExpr() }
+  final Expr getExpr() { result = this.getExpr(_) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr getConvertedExpr(int n) { result = super.getConvertedExpr(n) }
 
   /**
    * Gets the expression corresponding to this node, if any. The returned
    * expression may be a `Conversion`.
    */
-  Expr getConvertedExpr() { result = super.getConvertedExpr() }
+  final Expr getConvertedExpr() { result = this.getConvertedExpr(_) }
 }
 
 /**
@@ -1223,13 +1295,27 @@ class IndirectExprNode extends Node instanceof IndirectExprNodeBase {
    * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
    * expression.
    */
-  Expr getExpr(int indirectionIndex) { result = super.getExpr(indirectionIndex) }
+  final Expr getExpr(int indirectionIndex) { result = this.getExpr(_, indirectionIndex) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr getExpr(int n, int indirectionIndex) { result = super.getExpr(n, indirectionIndex) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr getConvertedExpr(int n, int indirectionIndex) {
+    result = super.getConvertedExpr(n, indirectionIndex)
+  }
 
   /**
    * Gets the expression corresponding to this node, if any. The returned
    * expression may be a `Conversion`.
    */
-  Expr getConvertedExpr(int indirectionIndex) { result = super.getConvertedExpr(indirectionIndex) }
+  Expr getConvertedExpr(int indirectionIndex) {
+    result = this.getConvertedExpr(_, indirectionIndex)
+  }
 }
 
 /**
@@ -1442,7 +1528,7 @@ OperandNode operandNode(Operand operand) { result.getOperand() = operand }
  * _out of_ an expression, like when an argument is passed by reference, use
  * `definitionByReferenceNodeFromArgument` instead.
  */
-ExprNode exprNode(Expr e) { result.getExpr() = e }
+ExprNode exprNode(Expr e) { result.getExpr(_) = e }
 
 /**
  * Gets the `Node` corresponding to the value of evaluating `e`. Here, `e` may
@@ -1450,7 +1536,7 @@ ExprNode exprNode(Expr e) { result.getExpr() = e }
  * argument is passed by reference, use
  * `definitionByReferenceNodeFromArgument` instead.
  */
-ExprNode convertedExprNode(Expr e) { result.getConvertedExpr() = e }
+ExprNode convertedExprNode(Expr e) { result.getConvertedExpr(_) = e }
 
 /**
  * Gets the `Node` corresponding to the value of `p` at function entry.

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -824,6 +824,9 @@ abstract class TranslatedElement extends TTranslatedElement {
   /** DEPRECATED: Alias for getAst */
   deprecated Locatable getAST() { result = this.getAst() }
 
+  /** Gets the location of this element. */
+  Location getLocation() { result = this.getAst().getLocation() }
+
   /**
    * Get the first instruction to be executed in the evaluation of this element.
    */

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -1956,9 +1956,7 @@ class TranslatedNonConstantAllocationSize extends TranslatedAllocationSize {
     result = this.getExtent().getResult()
   }
 
-  private TranslatedExpr getExtent() {
-    result = getTranslatedExpr(expr.getExtent().getFullyConverted())
-  }
+  TranslatedExpr getExtent() { result = getTranslatedExpr(expr.getExtent().getFullyConverted()) }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedGlobalVar.qll

@@ -22,8 +22,6 @@ class TranslatedStaticStorageDurationVarInit extends TranslatedRootElement,
 
   final override Declaration getFunction() { result = var }
 
-  final Location getLocation() { result = var.getLocation() }
-
   override Instruction getFirstInstruction() { result = this.getInstruction(EnterFunctionTag()) }
 
   override TranslatedElement getChild(int n) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll

@@ -10,6 +10,65 @@ predicate isInfeasibleInstructionSuccessor(Instruction instr, EdgeKind kind) {
   or
   instr.getSuccessor(kind) instanceof UnreachedInstruction and
   kind instanceof GotoEdge
+  or
+  isCallToNonReturningFunction(instr) and exists(instr.getSuccessor(kind))
+}
+
+/**
+ * Holds if all calls to `f` never return (e.g. they call `exit` or loop forever)
+ */
+private predicate isNonReturningFunction(IRFunction f) {
+  // If the function has an instruction with a missing successor then
+  // the analysis is probably going to be incorrect, so assume they exit.
+  not hasInstructionWithMissingSuccessor(f) and
+  (
+    // If all flows to the exit block are pass through an unreachable then f never returns.
+    any(UnreachedInstruction instr).getBlock().postDominates(f.getEntryBlock())
+    or
+    // If there is no flow to the exit block then f never returns.
+    not exists(IRBlock entry, IRBlock exit |
+      exit = f.getExitFunctionInstruction().getBlock() and
+      entry = f.getEntryBlock() and
+      exit = entry.getASuccessor*()
+    )
+    or
+    // If all flows to the exit block are pass through a call that never returns then f never returns.
+    exists(CallInstruction ci |
+      ci.getBlock().postDominates(f.getEntryBlock()) and
+      isCallToNonReturningFunction(ci)
+    )
+  )
+}
+
+/**
+ * Holds if `f` has an instruction with a missing successor.
+ * This matches `instructionWithoutSuccessor` from `IRConsistency`, but
+ * avoids generating the error strings.
+ */
+predicate hasInstructionWithMissingSuccessor(IRFunction f) {
+  exists(Instruction missingSucc |
+    missingSucc.getEnclosingIRFunction() = f and
+    not exists(missingSucc.getASuccessor()) and
+    not missingSucc instanceof ExitFunctionInstruction and
+    // Phi instructions aren't linked into the instruction-level flow graph.
+    not missingSucc instanceof PhiInstruction and
+    not missingSucc instanceof UnreachedInstruction
+  )
+}
+
+/**
+ * Holds if the call `ci` never returns.
+ */
+private predicate isCallToNonReturningFunction(CallInstruction ci) {
+  exists(IRFunction callee, Language::Function staticTarget |
+    staticTarget = ci.getStaticCallTarget() and
+    staticTarget = callee.getFunction() and
+    // We can't easily tell if the call is virtual or not
+    // if the callee is virtual. So assume that the call is virtual
+    // if the target is.
+    not staticTarget.isVirtual() and
+    isNonReturningFunction(callee)
+  )
 }
 
 pragma[noinline]

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlockInternal.qll

@@ -1,2 +1,3 @@
 import semmle.code.cpp.ir.implementation.raw.IR as IR
 import semmle.code.cpp.ir.implementation.raw.constant.ConstantAnalysis as ConstantAnalysis
+import semmle.code.cpp.ir.internal.IRCppLanguage as Language

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll

@@ -10,6 +10,65 @@ predicate isInfeasibleInstructionSuccessor(Instruction instr, EdgeKind kind) {
   or
   instr.getSuccessor(kind) instanceof UnreachedInstruction and
   kind instanceof GotoEdge
+  or
+  isCallToNonReturningFunction(instr) and exists(instr.getSuccessor(kind))
+}
+
+/**
+ * Holds if all calls to `f` never return (e.g. they call `exit` or loop forever)
+ */
+private predicate isNonReturningFunction(IRFunction f) {
+  // If the function has an instruction with a missing successor then
+  // the analysis is probably going to be incorrect, so assume they exit.
+  not hasInstructionWithMissingSuccessor(f) and
+  (
+    // If all flows to the exit block are pass through an unreachable then f never returns.
+    any(UnreachedInstruction instr).getBlock().postDominates(f.getEntryBlock())
+    or
+    // If there is no flow to the exit block then f never returns.
+    not exists(IRBlock entry, IRBlock exit |
+      exit = f.getExitFunctionInstruction().getBlock() and
+      entry = f.getEntryBlock() and
+      exit = entry.getASuccessor*()
+    )
+    or
+    // If all flows to the exit block are pass through a call that never returns then f never returns.
+    exists(CallInstruction ci |
+      ci.getBlock().postDominates(f.getEntryBlock()) and
+      isCallToNonReturningFunction(ci)
+    )
+  )
+}
+
+/**
+ * Holds if `f` has an instruction with a missing successor.
+ * This matches `instructionWithoutSuccessor` from `IRConsistency`, but
+ * avoids generating the error strings.
+ */
+predicate hasInstructionWithMissingSuccessor(IRFunction f) {
+  exists(Instruction missingSucc |
+    missingSucc.getEnclosingIRFunction() = f and
+    not exists(missingSucc.getASuccessor()) and
+    not missingSucc instanceof ExitFunctionInstruction and
+    // Phi instructions aren't linked into the instruction-level flow graph.
+    not missingSucc instanceof PhiInstruction and
+    not missingSucc instanceof UnreachedInstruction
+  )
+}
+
+/**
+ * Holds if the call `ci` never returns.
+ */
+private predicate isCallToNonReturningFunction(CallInstruction ci) {
+  exists(IRFunction callee, Language::Function staticTarget |
+    staticTarget = ci.getStaticCallTarget() and
+    staticTarget = callee.getFunction() and
+    // We can't easily tell if the call is virtual or not
+    // if the callee is virtual. So assume that the call is virtual
+    // if the target is.
+    not staticTarget.isVirtual() and
+    isNonReturningFunction(callee)
+  )
 }
 
 pragma[noinline]

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlockInternal.qll

@@ -1,2 +1,3 @@
 import semmle.code.cpp.ir.implementation.unaliased_ssa.IR as IR
 import semmle.code.cpp.ir.implementation.unaliased_ssa.constant.ConstantAnalysis as ConstantAnalysis
+import semmle.code.cpp.ir.internal.IRCppLanguage as Language

cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll

@@ -72,7 +72,7 @@ predicate hasSize(HeuristicAllocationExpr alloc, DataFlow::Node n, int state) {
     // Compute `delta` as the constant difference between `x` and `x + 1`.
     bounded1(any(Instruction instr | instr.getUnconvertedResultExpression() = size),
       any(LoadInstruction load | load.getUnconvertedResultExpression() = va), delta) and
-    n.asConvertedExpr() = va.getFullyConverted() and
+    n.asExpr() = va and
     state = delta
   )
 }
@@ -210,7 +210,7 @@ private module InterestingPointerAddInstruction {
     predicate isSource(DataFlow::Node source) {
       // The sources is the same as in the sources for the second
       // projection in the `AllocToInvalidPointerConfig` module.
-      hasSize(source.asConvertedExpr(), _, _)
+      hasSize(source.asExpr(), _, _)
     }
 
     int fieldFlowBranchLimit() { result = allocationToInvalidPointerFieldFlowBranchLimit() }
@@ -243,7 +243,7 @@ private module InterestingPointerAddInstruction {
    */
   predicate isInterestingSize(DataFlow::Node n) {
     exists(DataFlow::Node alloc |
-      hasSize(alloc.asConvertedExpr(), n, _) and
+      hasSize(alloc.asExpr(), n, _) and
       flow(alloc, _)
     )
   }
@@ -268,7 +268,7 @@ private module Config implements ProductFlow::StateConfigSig {
     // we use `state2` to remember that there was an offset (in this case an offset of `1`) added
     // to the size of the allocation. This state is then checked in `isSinkPair`.
     exists(unit) and
-    hasSize(allocSource.asConvertedExpr(), sizeSource, sizeAddend)
+    hasSize(allocSource.asExpr(), sizeSource, sizeAddend)
   }
 
   int fieldFlowBranchLimit1() { result = allocationToInvalidPointerFieldFlowBranchLimit() }

cpp/ql/src/Critical/FlowAfterFree.qll

@@ -98,8 +98,11 @@ module FlowFromFree<isSinkSig/2 isASink, isExcludedSig/2 isExcluded> {
  * is being freed by a deallocation expression `dealloc`.
  */
 predicate isFree(DataFlow::Node n, Expr e, DeallocationExpr dealloc) {
-  e = dealloc.getFreedExpr() and
-  e = n.asExpr() and
+  exists(Expr conv |
+    e = conv.getUnconverted() and
+    conv = dealloc.getFreedExpr().getFullyConverted() and
+    conv = n.asConvertedExpr()
+  ) and
   // Ignore realloc functions
   not exists(dealloc.(FunctionCall).getTarget().(AllocationFunction).getReallocPtrArg())
 }

cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll

@@ -296,7 +296,7 @@ deprecated class PossibleYearArithmeticOperationCheckConfiguration extends Taint
   }
 
   override predicate isSource(DataFlow::Node source) {
-    exists(Operation op | op = source.asConvertedExpr() |
+    exists(Operation op | op = source.asExpr() |
       op.getAChild*().getValue().toInt() = 365 and
       (
         not op.getParent() instanceof Expr or
@@ -321,7 +321,7 @@ deprecated class PossibleYearArithmeticOperationCheckConfiguration extends Taint
 
   override predicate isSink(DataFlow::Node sink) {
     exists(StructLikeClass dds, FieldAccess fa, AssignExpr aexpr |
-      aexpr.getRValue() = sink.asConvertedExpr()
+      aexpr.getRValue() = sink.asExpr()
     |
       (dds instanceof PackedTimeType or dds instanceof UnpackedTimeType) and
       fa.getQualifier().getUnderlyingType() = dds and
@@ -336,7 +336,7 @@ deprecated class PossibleYearArithmeticOperationCheckConfiguration extends Taint
  */
 private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    exists(Operation op | op = source.asConvertedExpr() |
+    exists(Operation op | op = source.asExpr() |
       op.getAChild*().getValue().toInt() = 365 and
       (
         not op.getParent() instanceof Expr or
@@ -361,7 +361,7 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C
 
   predicate isSink(DataFlow::Node sink) {
     exists(StructLikeClass dds, FieldAccess fa, AssignExpr aexpr |
-      aexpr.getRValue() = sink.asConvertedExpr()
+      aexpr.getRValue() = sink.asExpr()
     |
       (dds instanceof PackedTimeType or dds instanceof UnpackedTimeType) and
       fa.getQualifier().getUnderlyingType() = dds and

cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -30,7 +30,7 @@ Expr asSinkExpr(DataFlow::Node node) {
   result = node.asIndirectArgument()
   or
   // We want the conversion so we only get one node for the expression
-  result = node.asConvertedExpr()
+  result = node.asExpr()
 }
 
 module SqlTaintedConfig implements DataFlow::ConfigSig {

cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql

@@ -38,7 +38,7 @@ predicate hasSize(HeuristicAllocationExpr alloc, DataFlow::Node n, int state) {
     // Compute `delta` as the constant difference between `x` and `x + 1`.
     bounded(any(Instruction instr | instr.getUnconvertedResultExpression() = size),
       any(LoadInstruction load | load.getUnconvertedResultExpression() = va), delta) and
-    n.asConvertedExpr() = va.getFullyConverted() and
+    n.asExpr() = va and
     state = delta
   )
 }
@@ -213,7 +213,7 @@ module StringSizeConfig implements ProductFlow::StateConfigSig {
     // we use `state2` to remember that there was an offset (in this case an offset of `1`) added
     // to the size of the allocation. This state is then checked in `isSinkPair`.
     exists(state1) and
-    hasSize(bufSource.asConvertedExpr(), sizeSource, state2) and
+    hasSize(bufSource.asExpr(), sizeSource, state2) and
     validState(sizeSource, state2)
   }
 

cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql

@@ -26,7 +26,7 @@ import TaintedAllocationSize::PathGraph
  * taint sink.
  */
 predicate allocSink(HeuristicAllocationExpr alloc, DataFlow::Node sink) {
-  exists(Expr e | e = sink.asConvertedExpr() |
+  exists(Expr e | e = sink.asExpr() |
     e = alloc.getAChild() and
     e.getUnspecifiedType() instanceof IntegralType
   )

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

@@ -206,25 +206,22 @@ class Encrypted extends Expr {
  * operation `nsr`.
  */
 predicate isSinkSendRecv(DataFlow::Node sink, NetworkSendRecv nsr) {
-  [sink.asIndirectConvertedExpr(), sink.asConvertedExpr()] = nsr.getDataExpr().getFullyConverted()
+  [sink.asIndirectExpr(), sink.asExpr()] = nsr.getDataExpr()
 }
 
 /**
  * Holds if `sink` is a node that is encrypted by `enc`.
  */
-predicate isSinkEncrypt(DataFlow::Node sink, Encrypted enc) {
-  sink.asConvertedExpr() = enc.getFullyConverted()
-}
+predicate isSinkEncrypt(DataFlow::Node sink, Encrypted enc) { sink.asExpr() = enc }
 
 /**
  * Holds if `source` represents a use of a sensitive variable, or data returned by a
  * function returning sensitive data.
  */
 predicate isSourceImpl(DataFlow::Node source) {
-  exists(Expr e |
-    e = source.asConvertedExpr() and
-    e.getUnconverted().(VariableAccess).getTarget() instanceof SourceVariable and
-    not e.hasConversion()
+  exists(VariableAccess e |
+    e = source.asExpr() and
+    e.getTarget() instanceof SourceVariable
   )
   or
   source.asExpr().(FunctionCall).getTarget() instanceof SourceFunction

cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql

@@ -33,14 +33,6 @@ module ExposedSystemDataConfig implements DataFlow::ConfigSig {
 module ExposedSystemData = TaintTracking::Global<ExposedSystemDataConfig>;
 
 from ExposedSystemData::PathNode source, ExposedSystemData::PathNode sink
-where
-  ExposedSystemData::flowPath(source, sink) and
-  not exists(
-    DataFlow::Node alt // remove duplicate results on conversions
-  |
-    ExposedSystemData::flow(source.getNode(), alt) and
-    alt.asConvertedExpr() = sink.getNode().asIndirectExpr() and
-    alt != sink.getNode()
-  )
+where ExposedSystemData::flowPath(source, sink)
 select sink, source, sink, "This operation exposes system data from $@.", source,
   source.getNode().toString()

cpp/ql/src/Security/CWE/CWE-497/SystemData.qll

@@ -34,7 +34,7 @@ class EnvData extends SystemData {
         .regexpMatch(".*(user|host|admin|root|home|path|http|ssl|snmp|sock|port|proxy|pass|token|crypt|key).*")
   }
 
-  override DataFlow::Node getAnExpr() { result.asIndirectConvertedExpr() = this }
+  override DataFlow::Node getAnExpr() { result.asIndirectExpr() = this }
 
   override predicate isSensitive() {
     this.(EnvironmentRead)
@@ -50,7 +50,7 @@ class EnvData extends SystemData {
 class SqlClientInfo extends SystemData {
   SqlClientInfo() { this.(FunctionCall).getTarget().hasName("mysql_get_client_info") }
 
-  override DataFlow::Node getAnExpr() { result.asIndirectConvertedExpr() = this }
+  override DataFlow::Node getAnExpr() { result.asIndirectExpr() = this }
 
   override predicate isSensitive() { any() }
 }

cpp/ql/src/Security/CWE/CWE-611/Xerces.qll

@@ -70,7 +70,7 @@ class XercesDomParserLibrary extends XmlLibrary {
     // sink is the read of the qualifier of a call to `AbstractDOMParser.parse`.
     exists(Call call |
       call.getTarget().getClassAndName("parse") instanceof AbstractDomParserClass and
-      call.getQualifier() = node.asIndirectConvertedExpr()
+      call.getQualifier() = node.asIndirectExpr()
     ) and
     flowstate instanceof XercesFlowState and
     not encodeXercesFlowState(flowstate, 1, 1) // safe configuration
@@ -114,7 +114,7 @@ class CreateLSParserLibrary extends XmlLibrary {
     // sink is the read of the qualifier of a call to `DOMLSParserClass.parse`.
     exists(Call call |
       call.getTarget().getClassAndName("parse") instanceof DomLSParserClass and
-      call.getQualifier() = node.asIndirectConvertedExpr()
+      call.getQualifier() = node.asIndirectExpr()
     ) and
     flowstate instanceof XercesFlowState and
     not encodeXercesFlowState(flowstate, 1, 1) // safe configuration
@@ -155,7 +155,7 @@ class SaxParserLibrary extends XmlLibrary {
     // sink is the read of the qualifier of a call to `SAXParser.parse`.
     exists(Call call |
       call.getTarget().getClassAndName("parse") instanceof SaxParserClass and
-      call.getQualifier() = node.asIndirectConvertedExpr()
+      call.getQualifier() = node.asIndirectExpr()
     ) and
     flowstate instanceof XercesFlowState and
     not encodeXercesFlowState(flowstate, 1, 1) // safe configuration
@@ -192,7 +192,7 @@ class Sax2XmlReaderLibrary extends XmlLibrary {
     // sink is the read of the qualifier of a call to `SAX2XMLReader.parse`.
     exists(Call call |
       call.getTarget().getClassAndName("parse") instanceof Sax2XmlReader and
-      call.getQualifier() = node.asIndirectConvertedExpr()
+      call.getQualifier() = node.asIndirectExpr()
     ) and
     flowstate instanceof XercesFlowState and
     not encodeXercesFlowState(flowstate, 1, 1) // safe configuration

cpp/ql/src/change-notes/2023-09-06-deduplicated-results.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The number of duplicated dataflow paths reported by queries has been significantly reduced.

cpp/ql/src/change-notes/2023-09-08-unreachble-edges.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The queries `cpp/double-free` and `cpp/use-after-free` find fewer false positives
+  in cases where a non-returning function is called.

cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.qhelp

@@ -0,0 +1,68 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Using an object after its lifetime has ended results in undefined behavior.
+When an object's lifetime has ended it relinquishes ownership of its resources and the memory it occupied may be reused for other purposes.
+If the object is accessed after its lifetime has ended, the program may crash or behave in unexpected ways.
+</p>
+
+</overview>
+<recommendation>
+
+<p>
+Ensure that no object is accessed after its lifetime has ended.
+Use RAII ("Resource Acquisition Is Initialization") to manage the lifetime of objects, and avoid manual memory management, if possible.
+</p>
+
+</recommendation>
+<example>
+<p>
+The following two examples demonstrate common lifetime violations when working with the C++ standard library.
+</p>
+
+<p>
+The <code>bad_call_c_api</code> function contains a use of an expired lifetime.
+First, a temporary object of type <code>std::string</code> is constructed, and a pointer to its internal buffer is stored in a local variable.
+Once the <code>c_str()</code> call returns, the temporary object is destroyed, and the memory pointed to by <code>p</code> is freed.
+Thus, any attempt to dereference <code>p</code> inside <code>c_api</code> will result in a use-after-free vulnerability.
+
+The <code>good_call_c_api</code> function contains a fixed version of the first example.
+The variable <code>hello</code> is declared as a local variable, and the pointer to its internal buffer is stored in <code>p</code>.
+The lifetime of hello outlives the call to <code>c_api</code>, so the pointer stored in <code>p</code> remains valid throughout the call to <code>c_api</code>.
+</p>
+<sample src="UseAfterExpiredLifetime_c_api_call.cpp" />
+
+<p>
+The <code>bad_remove_even_numbers</code> function demonstrates a potential issue with iterator invalidation.
+Each C++ standard library container comes with a specification of which operations invalidates iterators pointing into the container.
+For example, calling <code>erase</code> on an object of type <code>std::vector&lt;T&gt;</code> invalidates all its iterators, and thus any attempt to dereference the iterator can result in a use-after-free vulnerability.
+
+The <code>good_remove_even_numbers</code> function contains a fixd version of the third example.
+The <code>erase</code> function returns an iterator to the element following the last element removed, and this return value is used to ensure that <code>it</code> remains valid after the call to <code>erase</code>.
+</p>
+<sample src="UseAfterExpiredLifetime_iterator_invalidation.cpp" />
+
+</example>
+<references>
+
+<li>CERT C Coding Standard:
+<a href="https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory">MEM30-C. Do not access freed memory</a>.</li>
+<li>
+OWASP:
+<a href="https://owasp.org/www-community/vulnerabilities/Using_freed_memory">Using freed memory</a>.
+</li>
+<li>
+<a href="https://github.com/isocpp/CppCoreGuidelines/blob/master/docs/Lifetime.pdf">Lifetime safety: Preventing common dangling</a>
+</li>
+<li>
+<a href="https://en.cppreference.com/w/cpp/container">Containers library</a>
+</li>
+<li>
+<a href="https://en.cppreference.com/w/cpp/language/raii">RAII</a>
+</li>
+
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql

@@ -0,0 +1,736 @@
+/**
+ * @id cpp/use-after-expired-lifetime
+ * @name Use of object after its lifetime has ended
+ * @description Accessing an object after its lifetime has ended can result in security vulnerabilities and undefined behavior.
+ * @kind problem
+ * @precision medium
+ * @problem.severity error
+ * @tags correctness
+ *       security
+ *       experimental
+ *       external/cwe/cwe-416
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.controlflow.Nullness
+
+class StarOperator extends Operator {
+  StarOperator() {
+    this.hasName("operator*") and
+    this.getNumberOfParameters() = 0
+  }
+}
+
+class IncrementOperator extends Operator {
+  IncrementOperator() {
+    this.hasName("operator++") and
+    this.getNumberOfParameters() = 0
+  }
+}
+
+class StructureDerefOperator extends Operator {
+  StructureDerefOperator() {
+    this.hasName("operator->") and
+    this.getNumberOfParameters() = 0
+  }
+}
+
+class SubscriptOperator extends Operator {
+  SubscriptOperator() {
+    this.hasName("operator[]") and
+    this.getNumberOfParameters() = 1
+  }
+}
+
+/**
+ * A type which is an `Indirection` type according to the Lifetime profile.
+ *
+ * An indirection type is either a `LifetimePointerType` or `LifetimeOwnerType`.
+ */
+abstract class LifetimeIndirectionType extends Type {
+  /**
+   * Gets the `DerefType` of this indirection type.
+   *
+   * This corresponds to the owned or pointed to type.
+   */
+  Type getDerefType() {
+    result = this.(PointerType).getBaseType()
+    or
+    result = this.(ReferenceType).getBaseType()
+    or
+    exists(MemberFunction mf | mf.getDeclaringType() = this |
+      result = mf.(StarOperator).getType().getUnspecifiedType().(ReferenceType).getBaseType()
+      or
+      result = mf.(SubscriptOperator).getType().getUnspecifiedType().(ReferenceType).getBaseType()
+      or
+      result =
+        mf.(StructureDerefOperator).getType().getUnspecifiedType().(PointerType).getBaseType()
+      or
+      mf.getName() = "begin" and
+      result = mf.getType().(LifetimePointerType).getDerefType()
+    )
+  }
+}
+
+/**
+ * A lifetime owner type.
+ *
+ * A type which owns another object. For example, `std::unique_ptr`. Includes
+ * `LifetimeSharedOwnerType`.
+ */
+class LifetimeOwnerType extends LifetimeIndirectionType {
+  LifetimeOwnerType() {
+    // Any shared owner types are also owner types
+    this instanceof LifetimeSharedOwnerType
+    or
+    // This is a container type, or a type with a star operator and..
+    (
+      this instanceof ContainerType
+      or
+      exists(StarOperator mf | mf.getDeclaringType() = this)
+    ) and
+    // .. has a "user" provided destructor
+    exists(Destructor d |
+      d.getDeclaringType() = this and
+      not d.isCompilerGenerated()
+    )
+    or
+    // Any specified version of an owner type is also an owner type
+    this.getUnspecifiedType() instanceof LifetimeOwnerType
+    or
+    // Has a field which is a lifetime owner type
+    this.(Class).getAField().getType() instanceof LifetimeOwnerType
+    or
+    // Derived from a public base class which is a owner type
+    exists(ClassDerivation cd |
+      cd = this.(Class).getADerivation() and
+      cd.getBaseClass() instanceof LifetimeOwnerType and
+      cd.getASpecifier().hasName("public")
+    )
+    or
+    // Lifetime profile treats the following types as owner types, even though they don't fully
+    // adhere to the requirements above
+    this.(Class)
+        .hasQualifiedName("std",
+          ["stack", "queue", "priority_queue", "optional", "variant", "any", "regex"])
+    or
+    // Explicit annotation on the type
+    this.getAnAttribute().getName().matches("gsl::Owner%")
+  }
+}
+
+/**
+ * A `ContainerType`, based on `[container.requirements]` with some adaptions to capture more real
+ * world containers.
+ */
+class ContainerType extends Class {
+  ContainerType() {
+    // We use a simpler set of heuristics than the `[container.requirements]`, requiring only
+    // `begin()`/`end()`/`size()` as the minimum API for something to be considered a "container"
+    // type
+    this.getAMemberFunction().getName() = "begin" and
+    this.getAMemberFunction().getName() = "end" and
+    this.getAMemberFunction().getName() = "size"
+    or
+    // This class is a `ContainerType` if it is constructed from a `ContainerType`. This is
+    // important, because templates may not have instantiated all the required member functions
+    exists(TemplateClass tc |
+      this.isConstructedFrom(tc) and
+      tc instanceof ContainerType
+    )
+  }
+}
+
+/**
+ * A lifetime "shared owner" type.
+ *
+ * A shared owner is type that "owns" another object, and shares that ownership with other owners.
+ * Examples include `std::shared_ptr` along with other reference counting types.
+ */
+class LifetimeSharedOwnerType extends Type {
+  LifetimeSharedOwnerType() {
+    /*
+     * Find all types which can be dereferenced (i.e. have unary * operator), and are therefore
+     * likely to be "owner"s or "pointer"s to other objects. We then consider these classes to be
+     * shared owners if:
+     *  - They can be copied (a unique "owner" type would not be copyable)
+     *  - They can destroyed
+     */
+
+    // unary * (i.e. can be dereferenced)
+    exists(StarOperator mf | mf.getDeclaringType() = this) and
+    // "User" provided destructor
+    exists(Destructor d |
+      d.getDeclaringType() = this and
+      not d.isCompilerGenerated()
+    ) and
+    // A copy constructor and copy assignment operator
+    exists(CopyConstructor cc | cc.getDeclaringType() = this and not cc.isDeleted()) and
+    exists(CopyAssignmentOperator cc | cc.getDeclaringType() = this and not cc.isDeleted())
+    or
+    // This class is a `SharedOwnerType` if it is constructed from a `SharedOwnerType`. This is
+    // important, because templates may not have instantiated all the required member functions
+    exists(TemplateClass tc |
+      this.(Class).isConstructedFrom(tc) and
+      tc instanceof LifetimeSharedOwnerType
+    )
+    or
+    // Any specified version of a shared owner type is also a shared owner type
+    this.getUnspecifiedType() instanceof LifetimeSharedOwnerType
+    or
+    // Has a field which is a lifetime shared owner type
+    this.(Class).getAField().getType() instanceof LifetimeSharedOwnerType
+    or
+    // Derived from a public base class which is a shared owner type
+    exists(ClassDerivation cd |
+      cd = this.(Class).getADerivation() and
+      cd.getBaseClass() instanceof LifetimeSharedOwnerType and
+      cd.getASpecifier().hasName("public")
+    )
+    or
+    // Lifetime profile treats the following types as shared owner types, even though they don't
+    // fully adhere to the requirements above
+    this.(Class).hasQualifiedName("std", "shared_future")
+    or
+    // Explicit annotation on the type
+    this.getAnAttribute().getName().matches("gsl::SharedOwner%")
+  }
+}
+
+/**
+ * An `IteratorType`, based on `[iterator.requirements]` with some adaptions to capture more real
+ * world iterators.
+ */
+class IteratorType extends Type {
+  IteratorType() {
+    // We consider anything with an increment and * operator to be sufficient to be an iterator type
+    exists(StarOperator mf |
+      mf.getDeclaringType() = this and mf.getType().getUnspecifiedType() instanceof ReferenceType
+    ) and
+    exists(IncrementOperator op |
+      op.getDeclaringType() = this and op.getType().(ReferenceType).getBaseType() = this
+    )
+    or
+    // Along with unspecified versions of the types above
+    this.getUnspecifiedType() instanceof IteratorType
+  }
+}
+
+/**
+ * A lifetime pointer type.
+ *
+ * A type which points to another object. For example, `std::unique_ptr`. Includes
+ * `LifetimeSharedOwnerType`.
+ */
+class LifetimePointerType extends LifetimeIndirectionType {
+  LifetimePointerType() {
+    this instanceof IteratorType
+    or
+    this instanceof PointerType
+    or
+    this instanceof ReferenceType
+    or
+    // A shared owner type is a pointer type, but an owner type is not.
+    this instanceof LifetimeSharedOwnerType and
+    not this instanceof LifetimeOwnerType
+    or
+    this.(Class).hasQualifiedName("std", "reference_wrapper")
+    or
+    exists(Class vectorBool, UserType reference |
+      vectorBool.hasQualifiedName("std", "vector") and
+      vectorBool.getATemplateArgument() instanceof BoolType and
+      reference.hasName("reference") and
+      reference.getDeclaringType() = vectorBool and
+      this = reference.getUnderlyingType()
+    )
+    or
+    // Any specified version of a pointer type is also an owner type
+    this.getUnspecifiedType() instanceof LifetimePointerType
+    or
+    // Has a field which is a lifetime pointer type
+    this.(Class).getAField().getType() instanceof LifetimePointerType
+    or
+    // Derived from a public base class which is a pointer type
+    exists(ClassDerivation cd |
+      cd = this.(Class).getADerivation() and
+      cd.getBaseClass() instanceof LifetimePointerType and
+      cd.getASpecifier().hasName("public")
+    )
+    or
+    // Explicit annotation on the type
+    this.getAnAttribute().getName().matches("gsl::Pointer%")
+  }
+}
+
+/** A full expression as defined in [intro.execution] of N3797. */
+class FullExpr extends Expr {
+  FullExpr() {
+    // A full-expression is not a subexpression
+    not exists(Expr p | this.getParent() = p)
+    or
+    // A sub-expression that is an unevaluated operand
+    this.isUnevaluated()
+  }
+}
+
+/** Gets the `FullExpression` scope of the `TemporaryObjectExpr`. */
+FullExpr getTemporaryObjectExprScope(TemporaryObjectExpr toe) {
+  result = toe.getUnconverted().getParent*()
+}
+
+/**
+ * See `LifetimeLocalVariable` and subclasses.
+ */
+private newtype TLifetimeLocalVariable =
+  TLocalScopeVariable(LocalScopeVariable lsv) { not lsv.isStatic() } or
+  TTemporaryObject(TemporaryObjectExpr toe)
+
+/*
+ * Note, the lifetime profile also supports locally initialized _aggregates_, which we could
+ * support with something like this:
+ * ```
+ * TAggregateField(TLocalScopeVariable base, Field f) {
+ *   exists(LocalScopeVariable lsv |
+ *     base = TLocalScopeVariable(lsv) and
+ *     lsv.getType() = f.getDeclaringType() and
+ *     lsv.getType() instanceof LifetimeAggregateType
+ *   )
+ * }
+ * ```
+ */
+
+/**
+ * A "LocalVariable" as defined by the lifetime profile.
+ *
+ * This includes newly introduced objects with a local scope.
+ */
+class LifetimeLocalVariable extends TLifetimeLocalVariable {
+  string toString() { none() } // specified in sub-classes
+
+  Type getType() { none() }
+}
+
+/**
+ * A parameter or `LocalVariable`, used as a `LifetimeLocalVariable`
+ */
+class LifetimeLocalScopeVariable extends TLocalScopeVariable, LifetimeLocalVariable {
+  LocalScopeVariable getVariable() { this = TLocalScopeVariable(result) }
+
+  override Type getType() { result = this.getVariable().getType() }
+
+  override string toString() { result = this.getVariable().toString() }
+}
+
+/**
+ * A temporary object used as a `LifetimeLocalVariable`.
+ */
+class LifetimeTemporaryObject extends TTemporaryObject, LifetimeLocalVariable {
+  TemporaryObjectExpr getTemporaryObjectExpr() { this = TTemporaryObject(result) }
+
+  override Type getType() { result = this.getTemporaryObjectExpr().getType() }
+
+  override string toString() { result = this.getTemporaryObjectExpr().toString() }
+}
+
+newtype TInvalidReason =
+  /** LifetimeLocalVariable is invalid because it hasn't been initialized. */
+  TUninitialized(DeclStmt ds, Variable v) { ds.getADeclaration() = v } or
+  /** LifetimeLocalVariable is invalid because it points to a variable which has gone out of scope. */
+  TVariableOutOfScope(LocalScopeVariable v, ControlFlowNode cfn) { goesOutOfScopeAt(v, cfn) } or
+  /** LifetimeLocalVariable is invalid because it points to a temporary object expression which has gone out of scope. */
+  TTemporaryOutOfScope(TemporaryObjectExpr toe) or
+  /** LifetimeLocalVariable is invalid because it points to data held by an owner which has since been invalidated. */
+  TOwnerModified(FunctionCall fc)
+
+/**
+ * A reason why a pointer may be invalid.
+ */
+class InvalidReason extends TInvalidReason {
+  /** Holds if this reason indicates the pointer is accessed before the lifetime of an object began. */
+  predicate isBeforeLifetime() { this instanceof TUninitialized }
+
+  /** Holds if this reason indicates the pointer is accessed after the lifetime of an object has finished. */
+  predicate isAfterLifetime() { not this.isBeforeLifetime() }
+
+  /** Gets a description of the reason why this pointer may be invalid. */
+  string getDescription() {
+    exists(DeclStmt ds, Variable v |
+      this = TUninitialized(ds, v) and
+      result = "variable " + v.getName() + " was never initialized"
+    )
+    or
+    exists(LocalScopeVariable v, ControlFlowNode cfn |
+      this = TVariableOutOfScope(v, cfn) and
+      result = "variable " + v.getName() + " went out of scope"
+    )
+    or
+    exists(TemporaryObjectExpr toe |
+      this = TTemporaryOutOfScope(toe) and
+      result = "temporary object went out of scope"
+    )
+    or
+    exists(FunctionCall fc |
+      this = TOwnerModified(fc) and
+      result = "owner type was modified"
+    )
+  }
+
+  string toString() { result = this.getDescription() }
+
+  /** Get an element that explains the reason for the invalid determination. */
+  private Element getExplanatoryElement() {
+    exists(DeclStmt ds |
+      this = TUninitialized(ds, _) and
+      result = ds
+    )
+    or
+    exists(ControlFlowNode cfn |
+      this = TVariableOutOfScope(_, cfn) and
+      result = cfn
+    )
+    or
+    exists(TemporaryObjectExpr toe |
+      this = TTemporaryOutOfScope(toe) and
+      result = getTemporaryObjectExprScope(toe)
+    )
+    or
+    exists(FunctionCall fc |
+      this = TOwnerModified(fc) and
+      result = fc
+    )
+  }
+
+  /**
+   * Provides a `message` for use in alert messages.
+   *
+   * The message will contain a `$@` placeholder, for which `explanation` and `explanationDesc` are
+   * the placeholder components which should be added as extra columns.
+   */
+  predicate hasMessage(string message, Element explanation, string explanationDesc) {
+    message = "because the " + this.getDescription() + " $@." and
+    explanation = this.getExplanatoryElement() and
+    explanationDesc = "here"
+  }
+}
+
+/**
+ * A reason why a pointer may be null.
+ */
+newtype TNullReason =
+  // Null because the `NullValue` was assigned
+  TNullAssignment(NullValue e)
+
+class NullReason extends TNullReason {
+  /** Gets a description of the reason why this pointer may be null. */
+  string getDescription() {
+    exists(NullValue nv |
+      this = TNullAssignment(nv) and
+      result = "null value was assigned"
+    )
+  }
+
+  string toString() { result = this.getDescription() }
+}
+
+/** See `PSetEntry` and subclasses. */
+newtype TPSetEntry =
+  /** Points to a lifetime local variable. */
+  PSetVar(LifetimeLocalVariable lv) or
+  /** Points to a lifetime local variable that represents an owner type. */
+  PSetOwner(LifetimeLocalVariable lv, int level) {
+    level = [0 .. 2] and lv.getType() instanceof LifetimeOwnerType
+  } or
+  /** Points to a global variable. */
+  PSetGlobal() or
+  /** A null pointer. */
+  PSetNull(NullReason nr) or
+  /** An invalid pointer, for the given reason. */
+  PSetInvalid(InvalidReason ir) or
+  /** An unknown pointer. */
+  PSetUnknown()
+
+/**
+ * An entry in the points-to set for a particular "LifetimeLocalVariable" at a particular
+ * point in the program.
+ */
+class PSetEntry extends TPSetEntry {
+  string toString() {
+    exists(LifetimeLocalVariable lv |
+      this = PSetVar(lv) and
+      result = "Var(" + lv.toString() + ")"
+    )
+    or
+    this = PSetGlobal() and result = "global"
+    or
+    exists(LifetimeLocalVariable lv, int level |
+      this = PSetOwner(lv, level) and
+      result = "Owner(" + lv.toString() + "," + level + ")"
+    )
+    or
+    exists(NullReason nr | this = PSetNull(nr) and result = "null because" + nr)
+    or
+    exists(InvalidReason ir | this = PSetInvalid(ir) and result = "invalid because " + ir)
+    or
+    this = PSetUnknown() and result = "unknown"
+  }
+}
+
+/**
+ * The "pmap" or "points-to map" for a "lifetime" local variable.
+ */
+predicate pointsToMap(ControlFlowNode cfn, LifetimeLocalVariable lv, PSetEntry ps) {
+  if isPSetReassigned(cfn, lv)
+  then ps = getAnAssignedPSetEntry(cfn, lv)
+  else
+    // Exclude unknown for now
+    exists(ControlFlowNode pred, PSetEntry prevPSet |
+      pred = cfn.getAPredecessor() and
+      pointsToMap(pred, lv, prevPSet) and
+      // Not PSetNull() and a non-null successor of a null check
+      not exists(AnalysedExpr ae |
+        ps = PSetNull(_) and
+        cfn = ae.getNonNullSuccessor(lv.(LifetimeLocalScopeVariable).getVariable())
+      ) and
+      // lv is not out of scope at this node
+      not goesOutOfScopeAt(lv.(LifetimeLocalScopeVariable).getVariable(), cfn)
+    |
+      // Propagate a PSetEntry from the predecessor node, so long as the
+      // PSetEntry is not invalidated at this node
+      ps = prevPSet and
+      not exists(getAnInvalidation(prevPSet, cfn))
+      or
+      // Replace prevPSet with an invalidation reason at this node
+      ps = getAnInvalidation(prevPSet, cfn)
+    )
+}
+
+private predicate isPSetReassigned(ControlFlowNode cfn, LifetimeLocalVariable lv) {
+  exists(DeclStmt ds |
+    cfn = ds and
+    ds.getADeclaration() = lv.(LifetimeLocalScopeVariable).getVariable() and
+    lv.getType() instanceof PointerType
+  )
+  or
+  exists(TemporaryObjectExpr toe |
+    toe = lv.(LifetimeTemporaryObject).getTemporaryObjectExpr() and
+    cfn = toe
+  )
+  or
+  // Assigned a value
+  cfn = lv.(LifetimeLocalScopeVariable).getVariable().getAnAssignedValue()
+  or
+  // If the address of a local var is passed to a function, then assume it initializes it
+  exists(Call fc, AddressOfExpr aoe |
+    cfn = aoe and
+    fc.getAnArgument() = aoe and
+    lv.(LifetimeLocalScopeVariable).getVariable() = aoe.getOperand().(VariableAccess).getTarget()
+  )
+}
+
+/** Is the `lv` assigned or reassigned at this ControlFlowNode `cfn`. */
+private PSetEntry getAnAssignedPSetEntry(ControlFlowNode cfn, LifetimeLocalVariable lv) {
+  exists(DeclStmt ds |
+    cfn = ds and
+    ds.getADeclaration() = lv.(LifetimeLocalScopeVariable).getVariable()
+  |
+    lv.getType() instanceof PointerType and
+    result = PSetInvalid(TUninitialized(ds, lv.(LifetimeLocalScopeVariable).getVariable()))
+  )
+  or
+  exists(TemporaryObjectExpr toe |
+    toe = lv.(LifetimeTemporaryObject).getTemporaryObjectExpr() and
+    cfn = toe and
+    result = PSetVar(lv)
+  )
+  or
+  // Assigned a value
+  exists(Expr assign |
+    assign = lv.(LifetimeLocalScopeVariable).getVariable().getAnAssignedValue() and
+    cfn = assign
+  |
+    if isKnownAssignmentType(assign)
+    then knownAssignmentType(assign, result)
+    else result = PSetUnknown()
+  )
+  or
+  // If the address of a local var is passed to a function, then assume it initializes it
+  exists(Call fc, AddressOfExpr aoe |
+    cfn = aoe and
+    fc.getAnArgument() = aoe and
+    lv.(LifetimeLocalScopeVariable).getVariable() = aoe.getOperand().(VariableAccess).getTarget() and
+    result = PSetUnknown()
+  )
+}
+
+predicate isKnownAssignmentType(Expr assign) {
+  assign = any(LocalScopeVariable lv).getAnAssignedValue() and
+  (
+    exists(Variable v | v = assign.(AddressOfExpr).getOperand().(VariableAccess).getTarget() |
+      v instanceof LocalScopeVariable
+      or
+      v instanceof GlobalVariable
+    )
+    or
+    // Assignment of a previous variable
+    exists(VariableAccess va |
+      va = assign and
+      va.getTarget().(LocalScopeVariable).getType() instanceof LifetimePointerType
+    )
+    or
+    assign instanceof NullValue
+    or
+    exists(FunctionCall fc |
+      assign = fc and
+      fc.getNumberOfArguments() = 0 and
+      fc.getType() instanceof LifetimePointerType
+    |
+      // A function call is a product of its inputs (just handle qualifiers at the moment)
+      exists(LifetimeLocalVariable lv |
+        lv = TTemporaryObject(fc.getQualifier().getConversion())
+        or
+        lv = TLocalScopeVariable(fc.getQualifier().(VariableAccess).getTarget())
+      |
+        lv.getType() instanceof LifetimePointerType
+        or
+        lv.getType() instanceof LifetimeOwnerType
+      )
+    )
+  )
+}
+
+/**
+ * An expression which is assigned to a `LocalScopeVariable`, which has a known PSet value i.e. not
+ * an "Unknown" PSet value.
+ */
+predicate knownAssignmentType(Expr assign, PSetEntry ps) {
+  assign = any(LocalScopeVariable lv).getAnAssignedValue() and
+  (
+    // The assigned value is `&v`
+    exists(Variable v | v = assign.(AddressOfExpr).getOperand().(VariableAccess).getTarget() |
+      v instanceof LocalScopeVariable and
+      (
+        // If the variable we are taking the address of is a reference type, then we are really
+        // taking the address of whatever the reference type "points-to". Use the `pointsToMap`
+        // to determine viable `LifetimeLocalScopeVariable`s this could point to.
+        if v.getType() instanceof ReferenceType
+        then
+          pointsToMap(assign.getAPredecessor(),
+            any(LifetimeLocalScopeVariable lv | lv.getVariable() = v), ps)
+        else
+          // This assignment points-to `v` itself.
+          ps = PSetVar(TLocalScopeVariable(v))
+      )
+      or
+      // If the variable we are taking the address of is a reference variable, then this points-to
+      // a global. If the variable we taking the address of is a reference type, we need to consider
+      // that it might point-to a global, even if it is a LocalScopeVariable (this case is required
+      // so that we still produce a result even if the pointsToMap is empty for `lv`).
+      (v instanceof GlobalVariable or v.getType() instanceof ReferenceType) and
+      ps = PSetGlobal()
+    )
+    or
+    // Assignment of a previous variable
+    exists(VariableAccess va |
+      va = assign and
+      va.getTarget().(LocalScopeVariable).getType() instanceof LifetimePointerType and
+      // PSet of that become PSet of this
+      pointsToMap(assign.getAPredecessor(),
+        any(LifetimeLocalScopeVariable lv | lv.getVariable() = va.getTarget()), ps)
+    )
+    or
+    // The `NullValue` class covers all types of null equivalent expressions. This case also handles
+    // default and value initialization, where an "implicit" null value expression is added by the
+    // extractor
+    assign instanceof NullValue and ps = PSetNull(TNullAssignment(assign))
+    or
+    exists(FunctionCall fc |
+      assign = fc and
+      // If the assignment is being converted via a ReferenceDereferenceExpr, then
+      // we are essentially copying the original object
+      not assign.getFullyConverted() instanceof ReferenceDereferenceExpr and
+      fc.getNumberOfArguments() = 0 and
+      fc.getType() instanceof LifetimePointerType
+    |
+      // A function call is a product of its inputs (just handle qualifiers at the moment)
+      exists(LifetimeLocalVariable lv |
+        lv = TTemporaryObject(fc.getQualifier().getConversion())
+        or
+        lv = TLocalScopeVariable(fc.getQualifier().(VariableAccess).getTarget())
+      |
+        ps = PSetVar(lv) and lv.getType() instanceof LifetimePointerType
+        or
+        ps = PSetOwner(lv, 0) and lv.getType() instanceof LifetimeOwnerType
+      )
+    )
+  )
+}
+
+/**
+ * Holds if `cfn` is a node that occur directly after the local scope variable `lv` has gone out of scope.
+ */
+predicate goesOutOfScopeAt(LocalScopeVariable lv, ControlFlowNode cfn) {
+  exists(BlockStmt scope |
+    scope = lv.getParentScope() and
+    scope.getAChild+() = cfn.getAPredecessor().getEnclosingStmt() and
+    not scope.getAChild+() = cfn.getEnclosingStmt()
+  )
+}
+
+PSetInvalid getAnInvalidation(PSetEntry ps, ControlFlowNode cfn) {
+  exists(LifetimeLocalScopeVariable lv | ps = PSetVar(lv) |
+    result = PSetInvalid(TVariableOutOfScope(lv.getVariable(), cfn))
+  )
+  or
+  exists(LifetimeLocalScopeVariable lv | ps = PSetOwner(lv, _) |
+    result = PSetInvalid(TVariableOutOfScope(lv.getVariable(), cfn))
+    or
+    exists(FunctionCall fc |
+      fc = cfn and
+      fc.getQualifier() = lv.getVariable().getAnAccess() and
+      not fc.getTarget() instanceof ConstMemberFunction and
+      // non-const versions of begin and end should nevertheless be considered const
+      not fc.getTarget().hasName(["begin", "end"]) and
+      result = PSetInvalid(TOwnerModified(fc))
+    )
+  )
+  or
+  // temporary objects end after the full expression
+  exists(LifetimeTemporaryObject lto |
+    ps = PSetVar(lto)
+    or
+    ps = PSetOwner(lto, _)
+  |
+    cfn = lto.getTemporaryObjectExpr().getUnconverted().getParent*().(FullExpr).getASuccessor() and
+    result = PSetInvalid(TTemporaryOutOfScope(lto.getTemporaryObjectExpr()))
+  )
+}
+
+/**
+ * An expression which is dereferenced and may be an "invalid" value.
+ */
+class InvalidDereference extends VariableAccess {
+  InvalidReason ir;
+
+  InvalidDereference() {
+    // The local points to map suggests this points to an invalid set
+    exists(LocalScopeVariable lv |
+      lv = this.getTarget() and
+      pointsToMap(this, TLocalScopeVariable(lv), PSetInvalid(ir))
+    )
+  }
+
+  /** Gets a reason why this dereference could point to an invalid value. */
+  InvalidReason getAnInvalidReason() { result = ir }
+}
+
+from
+  InvalidDereference e, Element explanation, string explanationDesc, InvalidReason ir,
+  string invalidMessage
+where
+  ir = e.getAnInvalidReason() and
+  ir.isAfterLifetime() and
+  ir.hasMessage(invalidMessage, explanation, explanationDesc)
+select e,
+  e.(VariableAccess).getTarget().getName() + " is dereferenced here but accesses invalid memory " +
+    invalidMessage, explanation, explanationDesc

cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime_c_api_call.cpp

@@ -0,0 +1,14 @@
+void c_api(const char*);
+
+void bad_call_c_api() {
+  // BAD: the memory returned by `c_str()` is freed when the temporary string is destroyed
+  const char* p = std::string("hello").c_str();
+  c_api(p);
+}
+
+void good_call_c_api() {
+  // GOOD: the "hello" string outlives the pointer returned by `c_str()`, so it's safe to pass it to `c_api()`
+  std::string hello("hello");
+  const char* p = hello.c_str();
+  c_api(p);
+}

cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime_iterator_invalidation.cpp

@@ -0,0 +1,19 @@
+void bad_remove_even_numbers(std::vector<int>& v) {
+    // BAD: the iterator is invalidated after the call to `erase`.
+  for(std::vector<int>::iterator it = v.begin(); it != v.end(); ++it) {
+    if(*it % 2 == 0) {
+      v.erase(it);
+    }
+  }
+}
+
+void good_remove_even_numbers(std::vector<int>& v) {
+  // GOOD: `erase` returns the iterator to the next element.
+  for(std::vector<int>::iterator it = v.begin(); it != v.end(); ) {
+    if(*it % 2 == 0) {
+      it = v.erase(it);
+    } else {
+      ++it;
+    }
+  }
+}

cpp/ql/test/examples/docs-examples/analyzing-data-flow-in-cpp/printf-format-not-hard-coded.expected

@@ -1,2 +1 @@
 | printf.cpp:5:5:5:10 | call to printf | Argument to printf isn't hard-coded. |
-| printf.cpp:6:5:6:10 | call to printf | Argument to printf isn't hard-coded. |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected

@@ -1,58 +1,28 @@
 edges
-| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... |
-| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... |
-| test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... |
-| test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 |
 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 |
 | test.cpp:37:24:37:27 | size | test.cpp:37:46:37:49 | size |
 | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:24:37:27 | size |
-| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... |
-| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... |
-| test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... |
 nodes
 | test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... |
-| test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... |
-| test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... |
-| test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... |
-| test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... |
 | test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... |
 | test.cpp:19:34:19:38 | ... * ... | semmle.label | ... * ... |
-| test.cpp:19:34:19:38 | ... * ... | semmle.label | ... * ... |
-| test.cpp:19:34:19:38 | ... * ... | semmle.label | ... * ... |
-| test.cpp:22:17:22:21 | ... * ... | semmle.label | ... * ... |
 | test.cpp:22:17:22:21 | ... * ... | semmle.label | ... * ... |
 | test.cpp:23:33:23:37 | size1 | semmle.label | size1 |
-| test.cpp:30:27:30:31 | ... * ... | semmle.label | ... * ... |
-| test.cpp:31:27:31:31 | ... * ... | semmle.label | ... * ... |
+| test.cpp:30:18:30:32 | ... * ... | semmle.label | ... * ... |
+| test.cpp:31:18:31:32 | ... * ... | semmle.label | ... * ... |
 | test.cpp:37:24:37:27 | size | semmle.label | size |
 | test.cpp:37:46:37:49 | size | semmle.label | size |
 | test.cpp:45:36:45:40 | ... * ... | semmle.label | ... * ... |
 | test.cpp:45:36:45:40 | ... * ... | semmle.label | ... * ... |
-| test.cpp:45:36:45:40 | ... * ... | semmle.label | ... * ... |
-| test.cpp:45:36:45:40 | ... * ... | semmle.label | ... * ... |
-| test.cpp:46:36:46:40 | ... * ... | semmle.label | ... * ... |
-| test.cpp:46:36:46:40 | ... * ... | semmle.label | ... * ... |
 | test.cpp:46:36:46:40 | ... * ... | semmle.label | ... * ... |
 subpaths
 #select
 | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication |
-| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication |
-| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication |
 | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication |
-| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication |
-| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication |
-| test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication |
-| test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication |
 | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication |
 | test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication |
-| test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication |
-| test.cpp:30:27:30:31 | ... * ... | test.cpp:30:27:30:31 | ... * ... | test.cpp:30:27:30:31 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:30:27:30:31 | ... * ... | multiplication |
-| test.cpp:31:27:31:31 | ... * ... | test.cpp:31:27:31:31 | ... * ... | test.cpp:31:27:31:31 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:31:27:31:31 | ... * ... | multiplication |
-| test.cpp:37:46:37:49 | size | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:46:37:49 | size | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication |
+| test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:30:18:30:32 | ... * ... | multiplication |
+| test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:31:18:31:32 | ... * ... | multiplication |
 | test.cpp:37:46:37:49 | size | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:46:37:49 | size | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication |
 | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication |
-| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication |
-| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication |
-| test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:46:36:46:40 | ... * ... | multiplication |
-| test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:46:36:46:40 | ... * ... | multiplication |
 | test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:46:36:46:40 | ... * ... | multiplication |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected

@@ -1,6 +1,5 @@
 edges
 | test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | func indirection |
-| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode |
 | test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp |
 | test.cpp:74:24:74:30 | medical | test.cpp:81:22:81:28 | medical |
 | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp |
@@ -8,23 +7,12 @@ edges
 | test.cpp:81:17:81:20 | call to func | test.cpp:82:24:82:28 | buff5 |
 | test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer |
 | test.cpp:81:22:81:28 | medical | test.cpp:81:17:81:20 | call to func |
-| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode |
-| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode |
 | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
-| test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
-| test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
-| test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
-| test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
-| test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
-| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
-| test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
 | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
 nodes
 | test.cpp:45:7:45:10 | func indirection | semmle.label | func indirection |
 | test.cpp:45:18:45:23 | buffer | semmle.label | buffer |
 | test.cpp:57:9:57:18 | theZipcode | semmle.label | theZipcode |
-| test.cpp:57:9:57:18 | theZipcode | semmle.label | theZipcode |
-| test.cpp:57:9:57:18 | theZipcode | semmle.label | theZipcode |
 | test.cpp:74:24:74:30 | medical | semmle.label | medical |
 | test.cpp:74:24:74:30 | medical | semmle.label | medical |
 | test.cpp:77:16:77:22 | medical | semmle.label | medical |
@@ -34,19 +22,12 @@ nodes
 | test.cpp:82:24:82:28 | buff5 | semmle.label | buff5 |
 | test.cpp:96:37:96:46 | theZipcode | semmle.label | theZipcode |
 | test.cpp:96:37:96:46 | theZipcode | semmle.label | theZipcode |
-| test.cpp:96:37:96:46 | theZipcode | semmle.label | theZipcode |
-| test.cpp:96:37:96:46 | theZipcode | semmle.label | theZipcode |
 | test.cpp:99:42:99:51 | theZipcode | semmle.label | theZipcode |
-| test.cpp:99:42:99:51 | theZipcode | semmle.label | theZipcode |
-| test.cpp:99:42:99:51 | theZipcode | semmle.label | theZipcode |
-| test.cpp:99:61:99:70 | theZipcode | semmle.label | theZipcode |
 | test.cpp:99:61:99:70 | theZipcode | semmle.label | theZipcode |
 subpaths
 | test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | func indirection | test.cpp:81:17:81:20 | call to func |
 #select
 | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. |
-| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. |
-| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. |
 | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. |
 | test.cpp:78:24:78:27 | temp | test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. |
 | test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. |
@@ -54,14 +35,6 @@ subpaths
 | test.cpp:82:24:82:28 | buff5 | test.cpp:77:16:77:22 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. |
 | test.cpp:82:24:82:28 | buff5 | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:81:22:81:28 | medical | this source of private data. |
 | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. |
-| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. |
-| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. |
 | test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. |
-| test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. |
-| test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. |
-| test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. |
-| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. |
-| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. |
 | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. |
 | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:61:99:70 | theZipcode | this source of private data. |
-| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:61:99:70 | theZipcode | this source of private data. |

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.expected

@@ -1,4 +1,4 @@
 WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:9,8-47)
 WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:20,49-74)
-failures
 testFailures
+failures

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/test_diff.cpp

@@ -97,9 +97,9 @@ int main(int argc, char *argv[]) {
 
     char*** p = &argv; // $ ast,ir-path
 
-    sink(*p[0]); // $ ast ir-sink=96:26 ir-sink=98:18
+    sink(*p[0]); // $ ast ir-sink=96:26 ir-sink=98:18 ir-sink=98:17
 
-    calls_sink_with_argv(*p[i]); // $ ir-path=96:26 ir-path=98:18 MISSING:ast
+    calls_sink_with_argv(*p[i]); // $ ir-path=96:26 ir-path=98:18 ir-path=98:17 MISSING:ast
 
     sink(*(argv + 1)); // $ ast ir-path ir-sink
 

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected

@@ -4,7 +4,6 @@ uniqueType
 uniqueNodeLocation
 missingLocation
 uniqueNodeToString
-missingToString
 parameterCallable
 localFlowIsLocal
 readStepIsLocal
@@ -139,3 +138,5 @@ uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
 identityLocalStep
+missingArgumentCall
+multipleArgumentCall

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -4,7 +4,6 @@ uniqueType
 uniqueNodeLocation
 missingLocation
 uniqueNodeToString
-missingToString
 parameterCallable
 localFlowIsLocal
 readStepIsLocal
@@ -32,3 +31,5 @@ uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
 identityLocalStep
+missingArgumentCall
+multipleArgumentCall

cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected

@@ -10,7 +10,6 @@ uniqueType
 uniqueNodeLocation
 missingLocation
 uniqueNodeToString
-missingToString
 parameterCallable
 localFlowIsLocal
 readStepIsLocal
@@ -192,3 +191,5 @@ uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
 identityLocalStep
+missingArgumentCall
+multipleArgumentCall

cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected

@@ -4,7 +4,6 @@ uniqueType
 uniqueNodeLocation
 missingLocation
 uniqueNodeToString
-missingToString
 parameterCallable
 localFlowIsLocal
 readStepIsLocal
@@ -53,3 +52,5 @@ uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
 identityLocalStep
+missingArgumentCall
+multipleArgumentCall

cpp/ql/test/library-tests/dataflow/fields/flow.expected

@@ -1,2 +1,2 @@
-failures
 testFailures
+failures

cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected

@@ -19,7 +19,6 @@ edges
 | A.cpp:48:20:48:20 | c | A.cpp:29:23:29:23 | c |
 | A.cpp:48:20:48:20 | c | A.cpp:48:12:48:18 | call to make indirection [c] |
 | A.cpp:49:10:49:10 | b indirection [c] | A.cpp:49:10:49:13 | c |
-| A.cpp:49:10:49:10 | b indirection [c] | A.cpp:49:13:49:13 | c |
 | A.cpp:55:5:55:5 | set output argument [c] | A.cpp:56:10:56:10 | b indirection [c] |
 | A.cpp:55:12:55:19 | new | A.cpp:27:17:27:17 | c |
 | A.cpp:55:12:55:19 | new | A.cpp:55:5:55:5 | set output argument [c] |
@@ -37,13 +36,11 @@ edges
 | A.cpp:64:21:64:28 | new | A.cpp:64:21:64:28 | new |
 | A.cpp:64:21:64:28 | new | A.cpp:85:26:85:26 | c |
 | A.cpp:66:10:66:11 | b2 indirection [c] | A.cpp:66:10:66:14 | c |
-| A.cpp:66:10:66:11 | b2 indirection [c] | A.cpp:66:14:66:14 | c |
 | A.cpp:73:10:73:19 | call to setOnBWrap indirection [c] | A.cpp:75:10:75:11 | b2 indirection [c] |
 | A.cpp:73:25:73:32 | new | A.cpp:73:10:73:19 | call to setOnBWrap indirection [c] |
 | A.cpp:73:25:73:32 | new | A.cpp:73:25:73:32 | new |
 | A.cpp:73:25:73:32 | new | A.cpp:78:27:78:27 | c |
 | A.cpp:75:10:75:11 | b2 indirection [c] | A.cpp:75:10:75:14 | c |
-| A.cpp:75:10:75:11 | b2 indirection [c] | A.cpp:75:14:75:14 | c |
 | A.cpp:78:27:78:27 | c | A.cpp:81:21:81:21 | c |
 | A.cpp:81:10:81:15 | call to setOnB indirection [c] | A.cpp:78:6:78:15 | setOnBWrap indirection [c] |
 | A.cpp:81:21:81:21 | c | A.cpp:81:10:81:15 | call to setOnB indirection [c] |
@@ -59,16 +56,13 @@ edges
 | A.cpp:103:14:103:14 | c indirection [a] | A.cpp:107:12:107:13 | c1 indirection [a] |
 | A.cpp:103:14:103:14 | c indirection [a] | A.cpp:120:12:120:13 | c1 indirection [a] |
 | A.cpp:107:12:107:13 | c1 indirection [a] | A.cpp:107:12:107:16 | a |
-| A.cpp:107:12:107:13 | c1 indirection [a] | A.cpp:107:16:107:16 | a |
 | A.cpp:120:12:120:13 | c1 indirection [a] | A.cpp:120:12:120:16 | a |
-| A.cpp:120:12:120:13 | c1 indirection [a] | A.cpp:120:16:120:16 | a |
 | A.cpp:126:5:126:5 | set output argument [c] | A.cpp:131:8:131:8 | f7 output argument [c] |
 | A.cpp:126:12:126:18 | new | A.cpp:27:17:27:17 | c |
 | A.cpp:126:12:126:18 | new | A.cpp:126:5:126:5 | set output argument [c] |
 | A.cpp:126:12:126:18 | new | A.cpp:126:12:126:18 | new |
 | A.cpp:131:8:131:8 | f7 output argument [c] | A.cpp:132:10:132:10 | b indirection [c] |
 | A.cpp:132:10:132:10 | b indirection [c] | A.cpp:132:10:132:13 | c |
-| A.cpp:132:10:132:10 | b indirection [c] | A.cpp:132:13:132:13 | c |
 | A.cpp:140:13:140:13 | b | A.cpp:143:7:143:31 | ... = ... |
 | A.cpp:142:7:142:20 | ... = ... | A.cpp:142:10:142:10 | b indirection [post update] [c] |
 | A.cpp:142:10:142:10 | b indirection [post update] [c] | A.cpp:143:7:143:31 | ... = ... indirection [c] |
@@ -87,13 +81,10 @@ edges
 | A.cpp:151:18:151:18 | b | A.cpp:140:13:140:13 | b |
 | A.cpp:151:18:151:18 | b | A.cpp:151:12:151:24 | call to D [b] |
 | A.cpp:152:10:152:10 | d indirection [b] | A.cpp:152:10:152:13 | b |
-| A.cpp:152:10:152:10 | d indirection [b] | A.cpp:152:13:152:13 | b |
 | A.cpp:153:10:153:10 | d indirection [b indirection, c] | A.cpp:153:13:153:13 | b indirection [c] |
 | A.cpp:153:13:153:13 | b indirection [c] | A.cpp:153:10:153:16 | c |
 | A.cpp:153:13:153:13 | b indirection [c] | A.cpp:153:13:153:13 | b indirection [c] |
-| A.cpp:153:13:153:13 | b indirection [c] | A.cpp:153:16:153:16 | c |
 | A.cpp:154:10:154:10 | b indirection [c] | A.cpp:154:10:154:13 | c |
-| A.cpp:154:10:154:10 | b indirection [c] | A.cpp:154:13:154:13 | c |
 | A.cpp:159:12:159:18 | new | A.cpp:160:29:160:29 | b |
 | A.cpp:160:18:160:60 | call to MyList [head] | A.cpp:161:38:161:39 | l1 indirection [head] |
 | A.cpp:160:29:160:29 | b | A.cpp:160:18:160:60 | call to MyList [head] |
@@ -110,13 +101,11 @@ edges
 | A.cpp:165:14:165:17 | next indirection [next indirection, head] | A.cpp:165:20:165:23 | next indirection [head] |
 | A.cpp:165:20:165:23 | next indirection [head] | A.cpp:165:10:165:29 | head |
 | A.cpp:165:20:165:23 | next indirection [head] | A.cpp:165:20:165:23 | next indirection [head] |
-| A.cpp:165:20:165:23 | next indirection [head] | A.cpp:165:26:165:29 | head |
 | A.cpp:167:44:167:44 | l indirection [next indirection, head] | A.cpp:167:47:167:50 | next indirection [head] |
 | A.cpp:167:44:167:44 | l indirection [next indirection, next indirection, head] | A.cpp:167:47:167:50 | next indirection [next indirection, head] |
 | A.cpp:167:47:167:50 | next indirection [head] | A.cpp:169:12:169:12 | l indirection [head] |
 | A.cpp:167:47:167:50 | next indirection [next indirection, head] | A.cpp:167:44:167:44 | l indirection [next indirection, head] |
 | A.cpp:169:12:169:12 | l indirection [head] | A.cpp:169:12:169:18 | head |
-| A.cpp:169:12:169:12 | l indirection [head] | A.cpp:169:15:169:18 | head |
 | A.cpp:181:15:181:21 | newHead | A.cpp:183:7:183:20 | ... = ... |
 | A.cpp:181:32:181:35 | next indirection [head] | A.cpp:184:7:184:23 | ... = ... indirection [head] |
 | A.cpp:181:32:181:35 | next indirection [next indirection, head] | A.cpp:184:7:184:23 | ... = ... indirection [next indirection, head] |
@@ -133,7 +122,6 @@ edges
 | B.cpp:9:10:9:11 | b2 indirection [box1 indirection, elem1] | B.cpp:9:14:9:17 | box1 indirection [elem1] |
 | B.cpp:9:14:9:17 | box1 indirection [elem1] | B.cpp:9:10:9:24 | elem1 |
 | B.cpp:9:14:9:17 | box1 indirection [elem1] | B.cpp:9:14:9:17 | box1 indirection [elem1] |
-| B.cpp:9:14:9:17 | box1 indirection [elem1] | B.cpp:9:20:9:24 | elem1 |
 | B.cpp:15:15:15:27 | new | B.cpp:16:37:16:37 | e |
 | B.cpp:16:16:16:38 | call to Box1 [elem2] | B.cpp:17:25:17:26 | b1 indirection [elem2] |
 | B.cpp:16:37:16:37 | e | B.cpp:16:16:16:38 | call to Box1 [elem2] |
@@ -144,7 +132,6 @@ edges
 | B.cpp:19:10:19:11 | b2 indirection [box1 indirection, elem2] | B.cpp:19:14:19:17 | box1 indirection [elem2] |
 | B.cpp:19:14:19:17 | box1 indirection [elem2] | B.cpp:19:10:19:24 | elem2 |
 | B.cpp:19:14:19:17 | box1 indirection [elem2] | B.cpp:19:14:19:17 | box1 indirection [elem2] |
-| B.cpp:19:14:19:17 | box1 indirection [elem2] | B.cpp:19:20:19:24 | elem2 |
 | B.cpp:33:16:33:17 | e1 | B.cpp:35:7:35:22 | ... = ... |
 | B.cpp:33:26:33:27 | e2 | B.cpp:36:7:36:22 | ... = ... |
 | B.cpp:35:7:35:22 | ... = ... | B.cpp:35:13:35:17 | this indirection [post update] [elem1] |
@@ -214,7 +201,6 @@ edges
 | D.cpp:64:10:64:17 | this indirection [boxfield indirection, box indirection, elem] | D.cpp:64:10:64:17 | boxfield indirection [box indirection, elem] |
 | D.cpp:64:20:64:22 | box indirection [elem] | D.cpp:64:10:64:28 | elem |
 | D.cpp:64:20:64:22 | box indirection [elem] | D.cpp:64:20:64:22 | box indirection [elem] |
-| D.cpp:64:20:64:22 | box indirection [elem] | D.cpp:64:25:64:28 | elem |
 | E.cpp:19:27:19:27 | p indirection [data, buffer indirection] | E.cpp:21:10:21:10 | p indirection [data, buffer indirection] |
 | E.cpp:21:10:21:10 | p indirection [data, buffer indirection] | E.cpp:21:13:21:16 | data indirection [buffer indirection] |
 | E.cpp:21:13:21:16 | data indirection [buffer indirection] | E.cpp:21:18:21:23 | buffer indirection |
@@ -621,7 +607,6 @@ edges
 | conflated.cpp:10:11:10:20 | call to user_input | conflated.cpp:10:3:10:22 | ... = ... |
 | conflated.cpp:11:9:11:10 | ra indirection [p indirection] | conflated.cpp:11:8:11:12 | * ... |
 | conflated.cpp:19:19:19:21 | argument_source output argument | conflated.cpp:20:8:20:10 | raw indirection |
-| conflated.cpp:19:19:19:21 | argument_source output argument | conflated.cpp:20:8:20:10 | raw indirection |
 | conflated.cpp:29:3:29:22 | ... = ... | conflated.cpp:29:7:29:7 | pa indirection [post update] [x] |
 | conflated.cpp:29:7:29:7 | pa indirection [post update] [x] | conflated.cpp:30:8:30:9 | pa indirection [x] |
 | conflated.cpp:29:11:29:20 | call to user_input | conflated.cpp:29:3:29:22 | ... = ... |
@@ -730,13 +715,11 @@ edges
 | realistic.cpp:53:25:53:33 | baz indirection [post update] [userInput, bufferLen] | realistic.cpp:53:20:53:22 | access to array indirection [post update] [baz indirection, userInput, bufferLen] |
 | realistic.cpp:53:35:53:43 | userInput indirection [post update] [bufferLen] | realistic.cpp:53:25:53:33 | baz indirection [post update] [userInput, bufferLen] |
 | realistic.cpp:53:47:53:66 | call to user_input | realistic.cpp:53:9:53:66 | ... = ... |
-| realistic.cpp:53:55:53:64 | call to user_input | realistic.cpp:53:9:53:66 | ... = ... |
 | realistic.cpp:61:21:61:23 | foo indirection [bar, baz indirection, userInput, bufferLen] | realistic.cpp:61:21:61:30 | access to array indirection [baz indirection, userInput, bufferLen] |
 | realistic.cpp:61:21:61:30 | access to array indirection [baz indirection, userInput, bufferLen] | realistic.cpp:61:32:61:34 | baz indirection [userInput, bufferLen] |
 | realistic.cpp:61:32:61:34 | baz indirection [userInput, bufferLen] | realistic.cpp:61:32:61:34 | baz indirection [userInput, bufferLen] |
 | realistic.cpp:61:32:61:34 | baz indirection [userInput, bufferLen] | realistic.cpp:61:37:61:45 | userInput indirection [bufferLen] |
 | realistic.cpp:61:37:61:45 | userInput indirection [bufferLen] | realistic.cpp:61:14:61:55 | bufferLen |
-| realistic.cpp:61:37:61:45 | userInput indirection [bufferLen] | realistic.cpp:61:47:61:55 | bufferLen |
 | simple.cpp:18:9:18:9 | this indirection [a_] | simple.cpp:18:22:18:23 | this indirection [a_] |
 | simple.cpp:18:22:18:23 | a_ | simple.cpp:18:9:18:9 | a indirection |
 | simple.cpp:18:22:18:23 | this indirection [a_] | simple.cpp:18:22:18:23 | a_ |
@@ -847,7 +830,6 @@ nodes
 | A.cpp:48:20:48:20 | c | semmle.label | c |
 | A.cpp:49:10:49:10 | b indirection [c] | semmle.label | b indirection [c] |
 | A.cpp:49:10:49:13 | c | semmle.label | c |
-| A.cpp:49:13:49:13 | c | semmle.label | c |
 | A.cpp:55:5:55:5 | set output argument [c] | semmle.label | set output argument [c] |
 | A.cpp:55:12:55:19 | new | semmle.label | new |
 | A.cpp:55:12:55:19 | new | semmle.label | new |
@@ -863,13 +845,11 @@ nodes
 | A.cpp:64:21:64:28 | new | semmle.label | new |
 | A.cpp:66:10:66:11 | b2 indirection [c] | semmle.label | b2 indirection [c] |
 | A.cpp:66:10:66:14 | c | semmle.label | c |
-| A.cpp:66:14:66:14 | c | semmle.label | c |
 | A.cpp:73:10:73:19 | call to setOnBWrap indirection [c] | semmle.label | call to setOnBWrap indirection [c] |
 | A.cpp:73:25:73:32 | new | semmle.label | new |
 | A.cpp:73:25:73:32 | new | semmle.label | new |
 | A.cpp:75:10:75:11 | b2 indirection [c] | semmle.label | b2 indirection [c] |
 | A.cpp:75:10:75:14 | c | semmle.label | c |
-| A.cpp:75:14:75:14 | c | semmle.label | c |
 | A.cpp:78:6:78:15 | setOnBWrap indirection [c] | semmle.label | setOnBWrap indirection [c] |
 | A.cpp:78:27:78:27 | c | semmle.label | c |
 | A.cpp:81:10:81:15 | call to setOnB indirection [c] | semmle.label | call to setOnB indirection [c] |
@@ -885,17 +865,14 @@ nodes
 | A.cpp:103:14:103:14 | c indirection [a] | semmle.label | c indirection [a] |
 | A.cpp:107:12:107:13 | c1 indirection [a] | semmle.label | c1 indirection [a] |
 | A.cpp:107:12:107:16 | a | semmle.label | a |
-| A.cpp:107:16:107:16 | a | semmle.label | a |
 | A.cpp:120:12:120:13 | c1 indirection [a] | semmle.label | c1 indirection [a] |
 | A.cpp:120:12:120:16 | a | semmle.label | a |
-| A.cpp:120:16:120:16 | a | semmle.label | a |
 | A.cpp:126:5:126:5 | set output argument [c] | semmle.label | set output argument [c] |
 | A.cpp:126:12:126:18 | new | semmle.label | new |
 | A.cpp:126:12:126:18 | new | semmle.label | new |
 | A.cpp:131:8:131:8 | f7 output argument [c] | semmle.label | f7 output argument [c] |
 | A.cpp:132:10:132:10 | b indirection [c] | semmle.label | b indirection [c] |
 | A.cpp:132:10:132:13 | c | semmle.label | c |
-| A.cpp:132:13:132:13 | c | semmle.label | c |
 | A.cpp:140:13:140:13 | b | semmle.label | b |
 | A.cpp:142:7:142:20 | ... = ... | semmle.label | ... = ... |
 | A.cpp:142:10:142:10 | b indirection [post update] [c] | semmle.label | b indirection [post update] [c] |
@@ -914,14 +891,11 @@ nodes
 | A.cpp:151:18:151:18 | b | semmle.label | b |
 | A.cpp:152:10:152:10 | d indirection [b] | semmle.label | d indirection [b] |
 | A.cpp:152:10:152:13 | b | semmle.label | b |
-| A.cpp:152:13:152:13 | b | semmle.label | b |
 | A.cpp:153:10:153:10 | d indirection [b indirection, c] | semmle.label | d indirection [b indirection, c] |
 | A.cpp:153:10:153:16 | c | semmle.label | c |
 | A.cpp:153:13:153:13 | b indirection [c] | semmle.label | b indirection [c] |
-| A.cpp:153:16:153:16 | c | semmle.label | c |
 | A.cpp:154:10:154:10 | b indirection [c] | semmle.label | b indirection [c] |
 | A.cpp:154:10:154:13 | c | semmle.label | c |
-| A.cpp:154:13:154:13 | c | semmle.label | c |
 | A.cpp:159:12:159:18 | new | semmle.label | new |
 | A.cpp:160:18:160:60 | call to MyList [head] | semmle.label | call to MyList [head] |
 | A.cpp:160:29:160:29 | b | semmle.label | b |
@@ -933,14 +907,12 @@ nodes
 | A.cpp:165:10:165:29 | head | semmle.label | head |
 | A.cpp:165:14:165:17 | next indirection [next indirection, head] | semmle.label | next indirection [next indirection, head] |
 | A.cpp:165:20:165:23 | next indirection [head] | semmle.label | next indirection [head] |
-| A.cpp:165:26:165:29 | head | semmle.label | head |
 | A.cpp:167:44:167:44 | l indirection [next indirection, head] | semmle.label | l indirection [next indirection, head] |
 | A.cpp:167:44:167:44 | l indirection [next indirection, next indirection, head] | semmle.label | l indirection [next indirection, next indirection, head] |
 | A.cpp:167:47:167:50 | next indirection [head] | semmle.label | next indirection [head] |
 | A.cpp:167:47:167:50 | next indirection [next indirection, head] | semmle.label | next indirection [next indirection, head] |
 | A.cpp:169:12:169:12 | l indirection [head] | semmle.label | l indirection [head] |
 | A.cpp:169:12:169:18 | head | semmle.label | head |
-| A.cpp:169:15:169:18 | head | semmle.label | head |
 | A.cpp:181:15:181:21 | newHead | semmle.label | newHead |
 | A.cpp:181:32:181:35 | next indirection [head] | semmle.label | next indirection [head] |
 | A.cpp:181:32:181:35 | next indirection [next indirection, head] | semmle.label | next indirection [next indirection, head] |
@@ -958,7 +930,6 @@ nodes
 | B.cpp:9:10:9:11 | b2 indirection [box1 indirection, elem1] | semmle.label | b2 indirection [box1 indirection, elem1] |
 | B.cpp:9:10:9:24 | elem1 | semmle.label | elem1 |
 | B.cpp:9:14:9:17 | box1 indirection [elem1] | semmle.label | box1 indirection [elem1] |
-| B.cpp:9:20:9:24 | elem1 | semmle.label | elem1 |
 | B.cpp:15:15:15:27 | new | semmle.label | new |
 | B.cpp:16:16:16:38 | call to Box1 [elem2] | semmle.label | call to Box1 [elem2] |
 | B.cpp:16:37:16:37 | e | semmle.label | e |
@@ -967,7 +938,6 @@ nodes
 | B.cpp:19:10:19:11 | b2 indirection [box1 indirection, elem2] | semmle.label | b2 indirection [box1 indirection, elem2] |
 | B.cpp:19:10:19:24 | elem2 | semmle.label | elem2 |
 | B.cpp:19:14:19:17 | box1 indirection [elem2] | semmle.label | box1 indirection [elem2] |
-| B.cpp:19:20:19:24 | elem2 | semmle.label | elem2 |
 | B.cpp:33:16:33:17 | e1 | semmle.label | e1 |
 | B.cpp:33:26:33:27 | e2 | semmle.label | e2 |
 | B.cpp:35:7:35:22 | ... = ... | semmle.label | ... = ... |
@@ -1042,7 +1012,6 @@ nodes
 | D.cpp:64:10:64:17 | this indirection [boxfield indirection, box indirection, elem] | semmle.label | this indirection [boxfield indirection, box indirection, elem] |
 | D.cpp:64:10:64:28 | elem | semmle.label | elem |
 | D.cpp:64:20:64:22 | box indirection [elem] | semmle.label | box indirection [elem] |
-| D.cpp:64:25:64:28 | elem | semmle.label | elem |
 | E.cpp:19:27:19:27 | p indirection [data, buffer indirection] | semmle.label | p indirection [data, buffer indirection] |
 | E.cpp:21:10:21:10 | p indirection [data, buffer indirection] | semmle.label | p indirection [data, buffer indirection] |
 | E.cpp:21:13:21:16 | data indirection [buffer indirection] | semmle.label | data indirection [buffer indirection] |
@@ -1439,7 +1408,6 @@ nodes
 | conflated.cpp:11:9:11:10 | ra indirection [p indirection] | semmle.label | ra indirection [p indirection] |
 | conflated.cpp:19:19:19:21 | argument_source output argument | semmle.label | argument_source output argument |
 | conflated.cpp:20:8:20:10 | raw indirection | semmle.label | raw indirection |
-| conflated.cpp:20:8:20:10 | raw indirection | semmle.label | raw indirection |
 | conflated.cpp:29:3:29:22 | ... = ... | semmle.label | ... = ... |
 | conflated.cpp:29:7:29:7 | pa indirection [post update] [x] | semmle.label | pa indirection [post update] [x] |
 | conflated.cpp:29:11:29:20 | call to user_input | semmle.label | call to user_input |
@@ -1550,13 +1518,11 @@ nodes
 | realistic.cpp:53:25:53:33 | baz indirection [post update] [userInput, bufferLen] | semmle.label | baz indirection [post update] [userInput, bufferLen] |
 | realistic.cpp:53:35:53:43 | userInput indirection [post update] [bufferLen] | semmle.label | userInput indirection [post update] [bufferLen] |
 | realistic.cpp:53:47:53:66 | call to user_input | semmle.label | call to user_input |
-| realistic.cpp:53:55:53:64 | call to user_input | semmle.label | call to user_input |
 | realistic.cpp:61:14:61:55 | bufferLen | semmle.label | bufferLen |
 | realistic.cpp:61:21:61:23 | foo indirection [bar, baz indirection, userInput, bufferLen] | semmle.label | foo indirection [bar, baz indirection, userInput, bufferLen] |
 | realistic.cpp:61:21:61:30 | access to array indirection [baz indirection, userInput, bufferLen] | semmle.label | access to array indirection [baz indirection, userInput, bufferLen] |
 | realistic.cpp:61:32:61:34 | baz indirection [userInput, bufferLen] | semmle.label | baz indirection [userInput, bufferLen] |
 | realistic.cpp:61:37:61:45 | userInput indirection [bufferLen] | semmle.label | userInput indirection [bufferLen] |
-| realistic.cpp:61:47:61:55 | bufferLen | semmle.label | bufferLen |
 | simple.cpp:18:9:18:9 | a indirection | semmle.label | a indirection |
 | simple.cpp:18:9:18:9 | this indirection [a_] | semmle.label | this indirection [a_] |
 | simple.cpp:18:22:18:23 | a_ | semmle.label | a_ |
@@ -1706,40 +1672,24 @@ subpaths
 | A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
 | A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
 | A.cpp:49:10:49:13 | c | A.cpp:47:12:47:18 | new | A.cpp:49:10:49:13 | c | c flows from $@ | A.cpp:47:12:47:18 | new | new |
-| A.cpp:49:13:49:13 | c | A.cpp:47:12:47:18 | new | A.cpp:49:13:49:13 | c | c flows from $@ | A.cpp:47:12:47:18 | new | new |
 | A.cpp:56:10:56:17 | call to get | A.cpp:55:12:55:19 | new | A.cpp:56:10:56:17 | call to get | call to get flows from $@ | A.cpp:55:12:55:19 | new | new |
 | A.cpp:56:10:56:17 | call to get | A.cpp:55:12:55:19 | new | A.cpp:56:10:56:17 | call to get | call to get flows from $@ | A.cpp:55:12:55:19 | new | new |
 | A.cpp:57:10:57:32 | call to get | A.cpp:57:17:57:23 | new | A.cpp:57:10:57:32 | call to get | call to get flows from $@ | A.cpp:57:17:57:23 | new | new |
 | A.cpp:66:10:66:14 | c | A.cpp:64:21:64:28 | new | A.cpp:66:10:66:14 | c | c flows from $@ | A.cpp:64:21:64:28 | new | new |
 | A.cpp:66:10:66:14 | c | A.cpp:64:21:64:28 | new | A.cpp:66:10:66:14 | c | c flows from $@ | A.cpp:64:21:64:28 | new | new |
-| A.cpp:66:14:66:14 | c | A.cpp:64:21:64:28 | new | A.cpp:66:14:66:14 | c | c flows from $@ | A.cpp:64:21:64:28 | new | new |
-| A.cpp:66:14:66:14 | c | A.cpp:64:21:64:28 | new | A.cpp:66:14:66:14 | c | c flows from $@ | A.cpp:64:21:64:28 | new | new |
 | A.cpp:75:10:75:14 | c | A.cpp:73:25:73:32 | new | A.cpp:75:10:75:14 | c | c flows from $@ | A.cpp:73:25:73:32 | new | new |
 | A.cpp:75:10:75:14 | c | A.cpp:73:25:73:32 | new | A.cpp:75:10:75:14 | c | c flows from $@ | A.cpp:73:25:73:32 | new | new |
-| A.cpp:75:14:75:14 | c | A.cpp:73:25:73:32 | new | A.cpp:75:14:75:14 | c | c flows from $@ | A.cpp:73:25:73:32 | new | new |
-| A.cpp:75:14:75:14 | c | A.cpp:73:25:73:32 | new | A.cpp:75:14:75:14 | c | c flows from $@ | A.cpp:73:25:73:32 | new | new |
 | A.cpp:107:12:107:16 | a | A.cpp:98:12:98:18 | new | A.cpp:107:12:107:16 | a | a flows from $@ | A.cpp:98:12:98:18 | new | new |
-| A.cpp:107:16:107:16 | a | A.cpp:98:12:98:18 | new | A.cpp:107:16:107:16 | a | a flows from $@ | A.cpp:98:12:98:18 | new | new |
 | A.cpp:120:12:120:16 | a | A.cpp:98:12:98:18 | new | A.cpp:120:12:120:16 | a | a flows from $@ | A.cpp:98:12:98:18 | new | new |
-| A.cpp:120:16:120:16 | a | A.cpp:98:12:98:18 | new | A.cpp:120:16:120:16 | a | a flows from $@ | A.cpp:98:12:98:18 | new | new |
 | A.cpp:132:10:132:13 | c | A.cpp:126:12:126:18 | new | A.cpp:132:10:132:13 | c | c flows from $@ | A.cpp:126:12:126:18 | new | new |
-| A.cpp:132:13:132:13 | c | A.cpp:126:12:126:18 | new | A.cpp:132:13:132:13 | c | c flows from $@ | A.cpp:126:12:126:18 | new | new |
 | A.cpp:152:10:152:13 | b | A.cpp:143:25:143:31 | new | A.cpp:152:10:152:13 | b | b flows from $@ | A.cpp:143:25:143:31 | new | new |
 | A.cpp:152:10:152:13 | b | A.cpp:150:12:150:18 | new | A.cpp:152:10:152:13 | b | b flows from $@ | A.cpp:150:12:150:18 | new | new |
-| A.cpp:152:13:152:13 | b | A.cpp:143:25:143:31 | new | A.cpp:152:13:152:13 | b | b flows from $@ | A.cpp:143:25:143:31 | new | new |
-| A.cpp:152:13:152:13 | b | A.cpp:150:12:150:18 | new | A.cpp:152:13:152:13 | b | b flows from $@ | A.cpp:150:12:150:18 | new | new |
 | A.cpp:153:10:153:16 | c | A.cpp:142:14:142:20 | new | A.cpp:153:10:153:16 | c | c flows from $@ | A.cpp:142:14:142:20 | new | new |
-| A.cpp:153:16:153:16 | c | A.cpp:142:14:142:20 | new | A.cpp:153:16:153:16 | c | c flows from $@ | A.cpp:142:14:142:20 | new | new |
 | A.cpp:154:10:154:13 | c | A.cpp:142:14:142:20 | new | A.cpp:154:10:154:13 | c | c flows from $@ | A.cpp:142:14:142:20 | new | new |
-| A.cpp:154:13:154:13 | c | A.cpp:142:14:142:20 | new | A.cpp:154:13:154:13 | c | c flows from $@ | A.cpp:142:14:142:20 | new | new |
 | A.cpp:165:10:165:29 | head | A.cpp:159:12:159:18 | new | A.cpp:165:10:165:29 | head | head flows from $@ | A.cpp:159:12:159:18 | new | new |
-| A.cpp:165:26:165:29 | head | A.cpp:159:12:159:18 | new | A.cpp:165:26:165:29 | head | head flows from $@ | A.cpp:159:12:159:18 | new | new |
 | A.cpp:169:12:169:18 | head | A.cpp:159:12:159:18 | new | A.cpp:169:12:169:18 | head | head flows from $@ | A.cpp:159:12:159:18 | new | new |
-| A.cpp:169:15:169:18 | head | A.cpp:159:12:159:18 | new | A.cpp:169:15:169:18 | head | head flows from $@ | A.cpp:159:12:159:18 | new | new |
 | B.cpp:9:10:9:24 | elem1 | B.cpp:6:15:6:24 | new | B.cpp:9:10:9:24 | elem1 | elem1 flows from $@ | B.cpp:6:15:6:24 | new | new |
-| B.cpp:9:20:9:24 | elem1 | B.cpp:6:15:6:24 | new | B.cpp:9:20:9:24 | elem1 | elem1 flows from $@ | B.cpp:6:15:6:24 | new | new |
 | B.cpp:19:10:19:24 | elem2 | B.cpp:15:15:15:27 | new | B.cpp:19:10:19:24 | elem2 | elem2 flows from $@ | B.cpp:15:15:15:27 | new | new |
-| B.cpp:19:20:19:24 | elem2 | B.cpp:15:15:15:27 | new | B.cpp:19:20:19:24 | elem2 | elem2 flows from $@ | B.cpp:15:15:15:27 | new | new |
 | C.cpp:29:10:29:11 | s1 | C.cpp:22:12:22:21 | new | C.cpp:29:10:29:11 | s1 | s1 flows from $@ | C.cpp:22:12:22:21 | new | new |
 | C.cpp:31:10:31:11 | s3 | C.cpp:24:16:24:25 | new | C.cpp:31:10:31:11 | s3 | s3 flows from $@ | C.cpp:24:16:24:25 | new | new |
 | D.cpp:22:10:22:33 | call to getElem | D.cpp:28:15:28:24 | new | D.cpp:22:10:22:33 | call to getElem | call to getElem flows from $@ | D.cpp:28:15:28:24 | new | new |
@@ -1747,7 +1697,6 @@ subpaths
 | D.cpp:22:10:22:33 | call to getElem | D.cpp:42:15:42:24 | new | D.cpp:22:10:22:33 | call to getElem | call to getElem flows from $@ | D.cpp:42:15:42:24 | new | new |
 | D.cpp:22:10:22:33 | call to getElem | D.cpp:49:15:49:24 | new | D.cpp:22:10:22:33 | call to getElem | call to getElem flows from $@ | D.cpp:49:15:49:24 | new | new |
 | D.cpp:64:10:64:28 | elem | D.cpp:56:15:56:24 | new | D.cpp:64:10:64:28 | elem | elem flows from $@ | D.cpp:56:15:56:24 | new | new |
-| D.cpp:64:25:64:28 | elem | D.cpp:56:15:56:24 | new | D.cpp:64:25:64:28 | elem | elem flows from $@ | D.cpp:56:15:56:24 | new | new |
 | E.cpp:21:18:21:23 | buffer indirection | E.cpp:30:21:30:33 | argument_source output argument | E.cpp:21:18:21:23 | buffer indirection | buffer indirection flows from $@ | E.cpp:30:21:30:33 | argument_source output argument | argument_source output argument |
 | E.cpp:31:10:31:12 | raw indirection | E.cpp:28:21:28:23 | argument_source output argument | E.cpp:31:10:31:12 | raw indirection | raw indirection flows from $@ | E.cpp:28:21:28:23 | argument_source output argument | argument_source output argument |
 | E.cpp:32:13:32:18 | buffer indirection | E.cpp:29:21:29:29 | argument_source output argument | E.cpp:32:13:32:18 | buffer indirection | buffer indirection flows from $@ | E.cpp:29:21:29:29 | argument_source output argument | argument_source output argument |
@@ -1811,7 +1760,6 @@ subpaths
 | complex.cpp:43:18:43:18 | call to b | complex.cpp:56:19:56:28 | call to user_input | complex.cpp:43:18:43:18 | call to b | call to b flows from $@ | complex.cpp:56:19:56:28 | call to user_input | call to user_input |
 | conflated.cpp:11:8:11:12 | * ... | conflated.cpp:10:11:10:20 | call to user_input | conflated.cpp:11:8:11:12 | * ... | * ... flows from $@ | conflated.cpp:10:11:10:20 | call to user_input | call to user_input |
 | conflated.cpp:20:8:20:10 | raw indirection | conflated.cpp:19:19:19:21 | argument_source output argument | conflated.cpp:20:8:20:10 | raw indirection | raw indirection flows from $@ | conflated.cpp:19:19:19:21 | argument_source output argument | argument_source output argument |
-| conflated.cpp:20:8:20:10 | raw indirection | conflated.cpp:19:19:19:21 | argument_source output argument | conflated.cpp:20:8:20:10 | raw indirection | raw indirection flows from $@ | conflated.cpp:19:19:19:21 | argument_source output argument | argument_source output argument |
 | conflated.cpp:30:12:30:12 | x | conflated.cpp:29:11:29:20 | call to user_input | conflated.cpp:30:12:30:12 | x | x flows from $@ | conflated.cpp:29:11:29:20 | call to user_input | call to user_input |
 | conflated.cpp:37:12:37:12 | x | conflated.cpp:36:11:36:20 | call to user_input | conflated.cpp:37:12:37:12 | x | x flows from $@ | conflated.cpp:36:11:36:20 | call to user_input | call to user_input |
 | conflated.cpp:55:18:55:18 | y | conflated.cpp:54:17:54:26 | call to user_input | conflated.cpp:55:18:55:18 | y | y flows from $@ | conflated.cpp:54:17:54:26 | call to user_input | call to user_input |
@@ -1827,9 +1775,6 @@ subpaths
 | qualifiers.cpp:43:23:43:23 | a | qualifiers.cpp:42:29:42:38 | call to user_input | qualifiers.cpp:43:23:43:23 | a | a flows from $@ | qualifiers.cpp:42:29:42:38 | call to user_input | call to user_input |
 | qualifiers.cpp:48:23:48:23 | a | qualifiers.cpp:47:31:47:40 | call to user_input | qualifiers.cpp:48:23:48:23 | a | a flows from $@ | qualifiers.cpp:47:31:47:40 | call to user_input | call to user_input |
 | realistic.cpp:61:14:61:55 | bufferLen | realistic.cpp:53:47:53:66 | call to user_input | realistic.cpp:61:14:61:55 | bufferLen | bufferLen flows from $@ | realistic.cpp:53:47:53:66 | call to user_input | call to user_input |
-| realistic.cpp:61:14:61:55 | bufferLen | realistic.cpp:53:55:53:64 | call to user_input | realistic.cpp:61:14:61:55 | bufferLen | bufferLen flows from $@ | realistic.cpp:53:55:53:64 | call to user_input | call to user_input |
-| realistic.cpp:61:47:61:55 | bufferLen | realistic.cpp:53:47:53:66 | call to user_input | realistic.cpp:61:47:61:55 | bufferLen | bufferLen flows from $@ | realistic.cpp:53:47:53:66 | call to user_input | call to user_input |
-| realistic.cpp:61:47:61:55 | bufferLen | realistic.cpp:53:55:53:64 | call to user_input | realistic.cpp:61:47:61:55 | bufferLen | bufferLen flows from $@ | realistic.cpp:53:55:53:64 | call to user_input | call to user_input |
 | simple.cpp:28:12:28:12 | call to a | simple.cpp:39:12:39:21 | call to user_input | simple.cpp:28:12:28:12 | call to a | call to a flows from $@ | simple.cpp:39:12:39:21 | call to user_input | call to user_input |
 | simple.cpp:28:12:28:12 | call to a | simple.cpp:41:12:41:21 | call to user_input | simple.cpp:28:12:28:12 | call to a | call to a flows from $@ | simple.cpp:41:12:41:21 | call to user_input | call to user_input |
 | simple.cpp:29:12:29:12 | call to b | simple.cpp:40:12:40:21 | call to user_input | simple.cpp:29:12:29:12 | call to b | call to b flows from $@ | simple.cpp:40:12:40:21 | call to user_input | call to user_input |

cpp/ql/test/library-tests/dataflow/fields/realistic.cpp

@@ -58,7 +58,7 @@ int main(int argc, char** argv) {
             return -1;
         }
         memcpy(dst, foo.bar[i].baz->userInput.buffer, foo.bar[i].baz->userInput.bufferLen);
-        sink((void*)foo.bar[i].baz->userInput.bufferLen); // $ ast ir=53:47 ir=53:55
+        sink((void*)foo.bar[i].baz->userInput.bufferLen); // $ ast ir
         // There is no flow to the following two `sink` calls because the
         // source is the _pointer_ returned by `user_input` rather than the
         // _data_ to which it points.

cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp

@@ -165,9 +165,9 @@ void test_map()
 	// array-like access
 	std::map<char *, char *> m10, m11, m12, m13;
 	sink(m10["abc"] = "def");
-	sink(m11["abc"] = source()); // $ ast,ir
+	sink(m11["abc"] = source()); // $ ast ir=168:7 ir=168:20
 	sink(m12.at("abc") = "def");
-	sink(m13.at("abc") = source()); // $ ast,ir
+	sink(m13.at("abc") = source()); // $ ast ir=170:7 ir=170:23
 	sink(m10["abc"]);
 	sink(m11["abc"]); // $ ast,ir
 	sink(m12["abc"]);
@@ -317,9 +317,9 @@ void test_unordered_map()
 	// array-like access
 	std::unordered_map<char *, char *> m10, m11, m12, m13;
 	sink(m10["abc"] = "def");
-	sink(m11["abc"] = source()); // $ ast,ir
+	sink(m11["abc"] = source()); // $ ast ir=320:7 ir=320:20
 	sink(m12.at("abc") = "def");
-	sink(m13.at("abc") = source()); // $ ast,ir
+	sink(m13.at("abc") = source()); // $ ast ir=322:7 ir=322:23
 	sink(m10["abc"]);
 	sink(m11["abc"]); // $ ast,ir
 	sink(m12["abc"]);

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -13,8 +13,8 @@ void arithAssignments(int source1, int clean1) {
   source1++;
   ++source1;
   source1 += 1;
-  sink(source1); // $ ast,ir
-  sink(++source1); // $ ast,ir
+  sink(source1); // $ ast ir=12:13 ir=12:22
+  sink(++source1); // $ ast ir=12:13 ir=12:22
 }
 
 // --- globals ---

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -15740,6 +15740,112 @@ ir.cpp:
 # 2072|             Value = [VariableAccess] 116
 # 2072|             ValueCategory = prvalue(load)
 # 2073|     getStmt(2): [ReturnStmt] return ...
+# 2075| [TopLevelFunction] void exit(int)
+# 2075|   <params>: 
+# 2075|     getParameter(0): [Parameter] code
+# 2075|         Type = [IntType] int
+# 2077| [TopLevelFunction] int NonExit()
+# 2077|   <params>: 
+# 2077|   getEntryPoint(): [BlockStmt] { ... }
+# 2078|     getStmt(0): [DeclStmt] declaration
+# 2078|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of x
+# 2078|           Type = [IntType] int
+# 2078|         getVariable().getInitializer(): [Initializer] initializer for x
+# 2078|           getExpr(): [FunctionCall] call to Add
+# 2078|               Type = [IntType] int
+# 2078|               ValueCategory = prvalue
+# 2078|             getArgument(0): [Literal] 3
+# 2078|                 Type = [IntType] int
+# 2078|                 Value = [Literal] 3
+# 2078|                 ValueCategory = prvalue
+# 2078|             getArgument(1): [Literal] 4
+# 2078|                 Type = [IntType] int
+# 2078|                 Value = [Literal] 4
+# 2078|                 ValueCategory = prvalue
+# 2079|     getStmt(1): [IfStmt] if (...) ... 
+# 2079|       getCondition(): [EQExpr] ... == ...
+# 2079|           Type = [BoolType] bool
+# 2079|           ValueCategory = prvalue
+# 2079|         getLeftOperand(): [VariableAccess] x
+# 2079|             Type = [IntType] int
+# 2079|             ValueCategory = prvalue(load)
+# 2079|         getRightOperand(): [Literal] 7
+# 2079|             Type = [IntType] int
+# 2079|             Value = [Literal] 7
+# 2079|             ValueCategory = prvalue
+# 2080|       getThen(): [ExprStmt] ExprStmt
+# 2080|         getExpr(): [FunctionCall] call to exit
+# 2080|             Type = [VoidType] void
+# 2080|             ValueCategory = prvalue
+# 2080|           getArgument(0): [Literal] 3
+# 2080|               Type = [IntType] int
+# 2080|               Value = [Literal] 3
+# 2080|               ValueCategory = prvalue
+# 2081|     getStmt(2): [ExprStmt] ExprStmt
+# 2081|       getExpr(): [FunctionCall] call to VoidFunc
+# 2081|           Type = [VoidType] void
+# 2081|           ValueCategory = prvalue
+# 2082|     getStmt(3): [ReturnStmt] return ...
+# 2082|       getExpr(): [VariableAccess] x
+# 2082|           Type = [IntType] int
+# 2082|           ValueCategory = prvalue(load)
+# 2085| [TopLevelFunction] void CallsNonExit()
+# 2085|   <params>: 
+# 2085|   getEntryPoint(): [BlockStmt] { ... }
+# 2086|     getStmt(0): [ExprStmt] ExprStmt
+# 2086|       getExpr(): [FunctionCall] call to VoidFunc
+# 2086|           Type = [VoidType] void
+# 2086|           ValueCategory = prvalue
+# 2087|     getStmt(1): [ExprStmt] ExprStmt
+# 2087|       getExpr(): [FunctionCall] call to exit
+# 2087|           Type = [VoidType] void
+# 2087|           ValueCategory = prvalue
+# 2087|         getArgument(0): [Literal] 3
+# 2087|             Type = [IntType] int
+# 2087|             Value = [Literal] 3
+# 2087|             ValueCategory = prvalue
+# 2088|     getStmt(2): [ReturnStmt] return ...
+# 2090| [TopLevelFunction] int TransNonExit()
+# 2090|   <params>: 
+# 2090|   getEntryPoint(): [BlockStmt] { ... }
+# 2091|     getStmt(0): [DeclStmt] declaration
+# 2091|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of x
+# 2091|           Type = [IntType] int
+# 2091|         getVariable().getInitializer(): [Initializer] initializer for x
+# 2091|           getExpr(): [FunctionCall] call to Add
+# 2091|               Type = [IntType] int
+# 2091|               ValueCategory = prvalue
+# 2091|             getArgument(0): [Literal] 3
+# 2091|                 Type = [IntType] int
+# 2091|                 Value = [Literal] 3
+# 2091|                 ValueCategory = prvalue
+# 2091|             getArgument(1): [Literal] 4
+# 2091|                 Type = [IntType] int
+# 2091|                 Value = [Literal] 4
+# 2091|                 ValueCategory = prvalue
+# 2092|     getStmt(1): [IfStmt] if (...) ... 
+# 2092|       getCondition(): [EQExpr] ... == ...
+# 2092|           Type = [BoolType] bool
+# 2092|           ValueCategory = prvalue
+# 2092|         getLeftOperand(): [VariableAccess] x
+# 2092|             Type = [IntType] int
+# 2092|             ValueCategory = prvalue(load)
+# 2092|         getRightOperand(): [Literal] 7
+# 2092|             Type = [IntType] int
+# 2092|             Value = [Literal] 7
+# 2092|             ValueCategory = prvalue
+# 2093|       getThen(): [ExprStmt] ExprStmt
+# 2093|         getExpr(): [FunctionCall] call to CallsNonExit
+# 2093|             Type = [VoidType] void
+# 2093|             ValueCategory = prvalue
+# 2094|     getStmt(2): [ExprStmt] ExprStmt
+# 2094|       getExpr(): [FunctionCall] call to VoidFunc
+# 2094|           Type = [VoidType] void
+# 2094|           ValueCategory = prvalue
+# 2095|     getStmt(3): [ReturnStmt] return ...
+# 2095|       getExpr(): [VariableAccess] x
+# 2095|           Type = [IntType] int
+# 2095|           ValueCategory = prvalue(load)
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
 #    4|   <params>: 

cpp/ql/test/library-tests/ir/ir/aliased_ir.ql

@@ -0,0 +1,11 @@
+/**
+ * @kind graph
+ */
+
+private import cpp
+private import semmle.code.cpp.ir.implementation.aliased_ssa.PrintIR
+private import PrintConfig
+
+private class PrintConfig extends PrintIRConfiguration {
+  override predicate shouldPrintDeclaration(Declaration decl) { shouldDumpDeclaration(decl) }
+}

cpp/ql/test/library-tests/ir/ir/ir.cpp

@@ -2072,4 +2072,27 @@ void test_constant_folding() {
   test_constant_folding_use(x);
 }
 
+void exit(int code);
+
+int NonExit() {
+    int x = Add(3,4);
+    if (x == 7)
+        exit(3);
+    VoidFunc();
+    return x;
+}
+
+void CallsNonExit() {
+    VoidFunc();
+    exit(3);
+}
+
+int TransNonExit() {
+    int x = Add(3,4);
+    if (x == 7)
+        CallsNonExit();
+    VoidFunc();
+    return x;
+}
+
 // semmle-extractor-options: -std=c++17 --clang

cpp/ql/test/library-tests/ir/ir/operand_locations.expected

@@ -9827,6 +9827,75 @@
 | ir.cpp:2072:3:2072:27 | ChiTotal | total:m2070_4 |
 | ir.cpp:2072:3:2072:27 | SideEffect | ~m2070_4 |
 | ir.cpp:2072:29:2072:29 | Arg(0) | 0:r2072_2 |
+| ir.cpp:2077:5:2077:11 | Address | &:r2077_6 |
+| ir.cpp:2077:5:2077:11 | ChiPartial | partial:m2077_3 |
+| ir.cpp:2077:5:2077:11 | ChiTotal | total:m2077_2 |
+| ir.cpp:2077:5:2077:11 | Load | m2082_4 |
+| ir.cpp:2077:5:2077:11 | SideEffect | ~m2081_4 |
+| ir.cpp:2078:9:2078:9 | Address | &:r2078_1 |
+| ir.cpp:2078:13:2078:15 | CallTarget | func:r2078_2 |
+| ir.cpp:2078:13:2078:15 | ChiPartial | partial:m2078_6 |
+| ir.cpp:2078:13:2078:15 | ChiTotal | total:m2077_4 |
+| ir.cpp:2078:13:2078:15 | SideEffect | ~m2077_4 |
+| ir.cpp:2078:13:2078:15 | StoreValue | r2078_5 |
+| ir.cpp:2078:17:2078:17 | Arg(0) | 0:r2078_3 |
+| ir.cpp:2078:19:2078:19 | Arg(1) | 1:r2078_4 |
+| ir.cpp:2079:9:2079:9 | Address | &:r2079_1 |
+| ir.cpp:2079:9:2079:9 | Left | r2079_2 |
+| ir.cpp:2079:9:2079:9 | Load | m2078_8 |
+| ir.cpp:2079:9:2079:14 | Condition | r2079_4 |
+| ir.cpp:2079:14:2079:14 | Right | r2079_3 |
+| ir.cpp:2080:9:2080:12 | CallTarget | func:r2080_1 |
+| ir.cpp:2080:9:2080:12 | ChiPartial | partial:m2080_4 |
+| ir.cpp:2080:9:2080:12 | ChiTotal | total:m2078_7 |
+| ir.cpp:2080:9:2080:12 | SideEffect | ~m2078_7 |
+| ir.cpp:2080:14:2080:14 | Arg(0) | 0:r2080_2 |
+| ir.cpp:2081:5:2081:12 | CallTarget | func:r2081_1 |
+| ir.cpp:2081:5:2081:12 | ChiPartial | partial:m2081_3 |
+| ir.cpp:2081:5:2081:12 | ChiTotal | total:m2078_7 |
+| ir.cpp:2081:5:2081:12 | SideEffect | ~m2078_7 |
+| ir.cpp:2082:5:2082:13 | Address | &:r2082_1 |
+| ir.cpp:2082:12:2082:12 | Address | &:r2082_2 |
+| ir.cpp:2082:12:2082:12 | Load | m2078_8 |
+| ir.cpp:2082:12:2082:12 | StoreValue | r2082_3 |
+| ir.cpp:2085:6:2085:17 | ChiPartial | partial:m2085_3 |
+| ir.cpp:2085:6:2085:17 | ChiTotal | total:m2085_2 |
+| ir.cpp:2086:5:2086:12 | CallTarget | func:r2086_1 |
+| ir.cpp:2086:5:2086:12 | ChiPartial | partial:m2086_3 |
+| ir.cpp:2086:5:2086:12 | ChiTotal | total:m2085_4 |
+| ir.cpp:2086:5:2086:12 | SideEffect | ~m2085_4 |
+| ir.cpp:2087:5:2087:8 | CallTarget | func:r2087_1 |
+| ir.cpp:2087:5:2087:8 | ChiPartial | partial:m2087_4 |
+| ir.cpp:2087:5:2087:8 | ChiTotal | total:m2086_4 |
+| ir.cpp:2087:5:2087:8 | SideEffect | ~m2086_4 |
+| ir.cpp:2087:10:2087:10 | Arg(0) | 0:r2087_2 |
+| ir.cpp:2090:5:2090:16 | Address | &:r2090_6 |
+| ir.cpp:2090:5:2090:16 | ChiPartial | partial:m2090_3 |
+| ir.cpp:2090:5:2090:16 | ChiTotal | total:m2090_2 |
+| ir.cpp:2090:5:2090:16 | Load | m2095_4 |
+| ir.cpp:2090:5:2090:16 | SideEffect | ~m2094_4 |
+| ir.cpp:2091:9:2091:9 | Address | &:r2091_1 |
+| ir.cpp:2091:13:2091:15 | CallTarget | func:r2091_2 |
+| ir.cpp:2091:13:2091:15 | ChiPartial | partial:m2091_6 |
+| ir.cpp:2091:13:2091:15 | ChiTotal | total:m2090_4 |
+| ir.cpp:2091:13:2091:15 | SideEffect | ~m2090_4 |
+| ir.cpp:2091:13:2091:15 | StoreValue | r2091_5 |
+| ir.cpp:2091:17:2091:17 | Arg(0) | 0:r2091_3 |
+| ir.cpp:2091:19:2091:19 | Arg(1) | 1:r2091_4 |
+| ir.cpp:2092:9:2092:9 | Address | &:r2092_1 |
+| ir.cpp:2092:9:2092:9 | Left | r2092_2 |
+| ir.cpp:2092:9:2092:9 | Load | m2091_8 |
+| ir.cpp:2092:9:2092:14 | Condition | r2092_4 |
+| ir.cpp:2092:14:2092:14 | Right | r2092_3 |
+| ir.cpp:2093:9:2093:20 | CallTarget | func:r2093_1 |
+| ir.cpp:2094:5:2094:12 | CallTarget | func:r2094_1 |
+| ir.cpp:2094:5:2094:12 | ChiPartial | partial:m2094_3 |
+| ir.cpp:2094:5:2094:12 | ChiTotal | total:m2091_7 |
+| ir.cpp:2094:5:2094:12 | SideEffect | ~m2091_7 |
+| ir.cpp:2095:5:2095:13 | Address | &:r2095_1 |
+| ir.cpp:2095:12:2095:12 | Address | &:r2095_2 |
+| ir.cpp:2095:12:2095:12 | Load | m2091_8 |
+| ir.cpp:2095:12:2095:12 | StoreValue | r2095_3 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -11330,6 +11330,105 @@ ir.cpp:
 # 2070|     v2070_5(void)           = AliasedUse                                 : ~m?
 # 2070|     v2070_6(void)           = ExitFunction                               : 
 
+# 2077| int NonExit()
+# 2077|   Block 0
+# 2077|     v2077_1(void)           = EnterFunction        : 
+# 2077|     mu2077_2(unknown)       = AliasedDefinition    : 
+# 2077|     mu2077_3(unknown)       = InitializeNonLocal   : 
+# 2078|     r2078_1(glval<int>)     = VariableAddress[x]   : 
+# 2078|     r2078_2(glval<unknown>) = FunctionAddress[Add] : 
+# 2078|     r2078_3(int)            = Constant[3]          : 
+# 2078|     r2078_4(int)            = Constant[4]          : 
+# 2078|     r2078_5(int)            = Call[Add]            : func:r2078_2, 0:r2078_3, 1:r2078_4
+# 2078|     mu2078_6(unknown)       = ^CallSideEffect      : ~m?
+# 2078|     mu2078_7(int)           = Store[x]             : &:r2078_1, r2078_5
+# 2079|     r2079_1(glval<int>)     = VariableAddress[x]   : 
+# 2079|     r2079_2(int)            = Load[x]              : &:r2079_1, ~m?
+# 2079|     r2079_3(int)            = Constant[7]          : 
+# 2079|     r2079_4(bool)           = CompareEQ            : r2079_2, r2079_3
+# 2079|     v2079_5(void)           = ConditionalBranch    : r2079_4
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+# 2080|   Block 1
+# 2080|     r2080_1(glval<unknown>) = FunctionAddress[exit] : 
+# 2080|     r2080_2(int)            = Constant[3]           : 
+# 2080|     v2080_3(void)           = Call[exit]            : func:r2080_1, 0:r2080_2
+# 2080|     mu2080_4(unknown)       = ^CallSideEffect       : ~m?
+# 2077|     v2077_4(void)           = Unreached             : 
+
+# 2081|   Block 2
+# 2081|     r2081_1(glval<unknown>) = FunctionAddress[VoidFunc] : 
+# 2081|     v2081_2(void)           = Call[VoidFunc]            : func:r2081_1
+# 2081|     mu2081_3(unknown)       = ^CallSideEffect           : ~m?
+# 2082|     r2082_1(glval<int>)     = VariableAddress[#return]  : 
+# 2082|     r2082_2(glval<int>)     = VariableAddress[x]        : 
+# 2082|     r2082_3(int)            = Load[x]                   : &:r2082_2, ~m?
+# 2082|     mu2082_4(int)           = Store[#return]            : &:r2082_1, r2082_3
+# 2077|     r2077_5(glval<int>)     = VariableAddress[#return]  : 
+# 2077|     v2077_6(void)           = ReturnValue               : &:r2077_5, ~m?
+# 2077|     v2077_7(void)           = AliasedUse                : ~m?
+# 2077|     v2077_8(void)           = ExitFunction              : 
+
+# 2085| void CallsNonExit()
+# 2085|   Block 0
+# 2085|     v2085_1(void)           = EnterFunction             : 
+# 2085|     mu2085_2(unknown)       = AliasedDefinition         : 
+# 2085|     mu2085_3(unknown)       = InitializeNonLocal        : 
+# 2086|     r2086_1(glval<unknown>) = FunctionAddress[VoidFunc] : 
+# 2086|     v2086_2(void)           = Call[VoidFunc]            : func:r2086_1
+# 2086|     mu2086_3(unknown)       = ^CallSideEffect           : ~m?
+# 2087|     r2087_1(glval<unknown>) = FunctionAddress[exit]     : 
+# 2087|     r2087_2(int)            = Constant[3]               : 
+# 2087|     v2087_3(void)           = Call[exit]                : func:r2087_1, 0:r2087_2
+# 2087|     mu2087_4(unknown)       = ^CallSideEffect           : ~m?
+# 2085|     v2085_4(void)           = Unreached                 : 
+
+# 2088|   Block 1
+# 2088|     v2088_1(void) = NoOp         : 
+# 2085|     v2085_5(void) = ReturnVoid   : 
+# 2085|     v2085_6(void) = AliasedUse   : ~m?
+# 2085|     v2085_7(void) = ExitFunction : 
+
+# 2090| int TransNonExit()
+# 2090|   Block 0
+# 2090|     v2090_1(void)           = EnterFunction        : 
+# 2090|     mu2090_2(unknown)       = AliasedDefinition    : 
+# 2090|     mu2090_3(unknown)       = InitializeNonLocal   : 
+# 2091|     r2091_1(glval<int>)     = VariableAddress[x]   : 
+# 2091|     r2091_2(glval<unknown>) = FunctionAddress[Add] : 
+# 2091|     r2091_3(int)            = Constant[3]          : 
+# 2091|     r2091_4(int)            = Constant[4]          : 
+# 2091|     r2091_5(int)            = Call[Add]            : func:r2091_2, 0:r2091_3, 1:r2091_4
+# 2091|     mu2091_6(unknown)       = ^CallSideEffect      : ~m?
+# 2091|     mu2091_7(int)           = Store[x]             : &:r2091_1, r2091_5
+# 2092|     r2092_1(glval<int>)     = VariableAddress[x]   : 
+# 2092|     r2092_2(int)            = Load[x]              : &:r2092_1, ~m?
+# 2092|     r2092_3(int)            = Constant[7]          : 
+# 2092|     r2092_4(bool)           = CompareEQ            : r2092_2, r2092_3
+# 2092|     v2092_5(void)           = ConditionalBranch    : r2092_4
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+# 2093|   Block 1
+# 2093|     r2093_1(glval<unknown>) = FunctionAddress[CallsNonExit] : 
+# 2093|     v2093_2(void)           = Call[CallsNonExit]            : func:r2093_1
+# 2093|     mu2093_3(unknown)       = ^CallSideEffect               : ~m?
+#-----|   Goto -> Block 2
+
+# 2094|   Block 2
+# 2094|     r2094_1(glval<unknown>) = FunctionAddress[VoidFunc] : 
+# 2094|     v2094_2(void)           = Call[VoidFunc]            : func:r2094_1
+# 2094|     mu2094_3(unknown)       = ^CallSideEffect           : ~m?
+# 2095|     r2095_1(glval<int>)     = VariableAddress[#return]  : 
+# 2095|     r2095_2(glval<int>)     = VariableAddress[x]        : 
+# 2095|     r2095_3(int)            = Load[x]                   : &:r2095_2, ~m?
+# 2095|     mu2095_4(int)           = Store[#return]            : &:r2095_1, r2095_3
+# 2090|     r2090_4(glval<int>)     = VariableAddress[#return]  : 
+# 2090|     v2090_5(void)           = ReturnValue               : &:r2090_4, ~m?
+# 2090|     v2090_6(void)           = AliasedUse                : ~m?
+# 2090|     v2090_7(void)           = ExitFunction              : 
+
 perf-regression.cpp:
 #    6| void Big::Big()
 #    6|   Block 0

cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected

@@ -16,7 +16,6 @@ uniqueNodeLocation
 missingLocation
 | Nodes without location: 2 |
 uniqueNodeToString
-missingToString
 parameterCallable
 localFlowIsLocal
 readStepIsLocal
@@ -98,3 +97,5 @@ uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
 identityLocalStep
+missingArgumentCall
+multipleArgumentCall

cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected

@@ -5,8 +5,6 @@ uniqueNodeLocation
 missingLocation
 uniqueNodeToString
 | cpp11.cpp:50:15:50:16 | (no string representation) | Node should have one toString but has 0. |
-missingToString
-| Nodes without toString: 1 |
 parameterCallable
 localFlowIsLocal
 readStepIsLocal
@@ -54,3 +52,5 @@ uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
 identityLocalStep
+missingArgumentCall
+multipleArgumentCall

cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected

@@ -1,58 +1,30 @@
 edges
 | test_free.cpp:11:10:11:10 | a | test_free.cpp:14:10:14:10 | a |
-| test_free.cpp:11:10:11:10 | a | test_free.cpp:14:10:14:10 | a |
-| test_free.cpp:11:10:11:10 | a | test_free.cpp:14:10:14:10 | a |
-| test_free.cpp:11:10:11:10 | a | test_free.cpp:14:10:14:10 | a |
 | test_free.cpp:30:10:30:10 | a | test_free.cpp:31:27:31:27 | a |
 | test_free.cpp:35:10:35:10 | a | test_free.cpp:37:27:37:27 | a |
 | test_free.cpp:42:27:42:27 | a | test_free.cpp:46:10:46:10 | a |
-| test_free.cpp:42:27:42:27 | a | test_free.cpp:46:10:46:10 | a |
-| test_free.cpp:42:27:42:27 | a | test_free.cpp:46:10:46:10 | a |
-| test_free.cpp:42:27:42:27 | a | test_free.cpp:46:10:46:10 | a |
-| test_free.cpp:44:27:44:27 | a | test_free.cpp:46:10:46:10 | a |
-| test_free.cpp:44:27:44:27 | a | test_free.cpp:46:10:46:10 | a |
-| test_free.cpp:44:27:44:27 | a | test_free.cpp:46:10:46:10 | a |
 | test_free.cpp:44:27:44:27 | a | test_free.cpp:46:10:46:10 | a |
 | test_free.cpp:50:27:50:27 | a | test_free.cpp:51:10:51:10 | a |
 | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a |
-| test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a |
-| test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a |
-| test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a |
 | test_free.cpp:83:12:83:12 | a | test_free.cpp:85:12:85:12 | a |
 | test_free.cpp:101:10:101:10 | a | test_free.cpp:103:10:103:10 | a |
 | test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | * ... |
 | test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a |
-| test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a |
-| test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a |
-| test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a |
 | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a |
-| test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a |
-| test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a |
-| test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a |
-| test_free.cpp:252:7:252:7 | p | test_free.cpp:255:10:255:10 | p |
-| test_free.cpp:260:9:260:9 | p | test_free.cpp:263:12:263:12 | p |
 nodes
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
-| test_free.cpp:11:10:11:10 | a | semmle.label | a |
-| test_free.cpp:14:10:14:10 | a | semmle.label | a |
 | test_free.cpp:14:10:14:10 | a | semmle.label | a |
 | test_free.cpp:30:10:30:10 | a | semmle.label | a |
 | test_free.cpp:31:27:31:27 | a | semmle.label | a |
 | test_free.cpp:35:10:35:10 | a | semmle.label | a |
 | test_free.cpp:37:27:37:27 | a | semmle.label | a |
 | test_free.cpp:42:27:42:27 | a | semmle.label | a |
-| test_free.cpp:42:27:42:27 | a | semmle.label | a |
 | test_free.cpp:44:27:44:27 | a | semmle.label | a |
-| test_free.cpp:44:27:44:27 | a | semmle.label | a |
-| test_free.cpp:46:10:46:10 | a | semmle.label | a |
-| test_free.cpp:46:10:46:10 | a | semmle.label | a |
 | test_free.cpp:46:10:46:10 | a | semmle.label | a |
 | test_free.cpp:46:10:46:10 | a | semmle.label | a |
 | test_free.cpp:50:27:50:27 | a | semmle.label | a |
 | test_free.cpp:51:10:51:10 | a | semmle.label | a |
 | test_free.cpp:69:10:69:10 | a | semmle.label | a |
-| test_free.cpp:69:10:69:10 | a | semmle.label | a |
-| test_free.cpp:72:14:72:14 | a | semmle.label | a |
 | test_free.cpp:72:14:72:14 | a | semmle.label | a |
 | test_free.cpp:83:12:83:12 | a | semmle.label | a |
 | test_free.cpp:85:12:85:12 | a | semmle.label | a |
@@ -61,48 +33,20 @@ nodes
 | test_free.cpp:128:10:128:11 | * ... | semmle.label | * ... |
 | test_free.cpp:129:10:129:11 | * ... | semmle.label | * ... |
 | test_free.cpp:152:27:152:27 | a | semmle.label | a |
-| test_free.cpp:152:27:152:27 | a | semmle.label | a |
-| test_free.cpp:154:10:154:10 | a | semmle.label | a |
 | test_free.cpp:154:10:154:10 | a | semmle.label | a |
 | test_free.cpp:207:10:207:10 | a | semmle.label | a |
-| test_free.cpp:207:10:207:10 | a | semmle.label | a |
 | test_free.cpp:209:10:209:10 | a | semmle.label | a |
-| test_free.cpp:209:10:209:10 | a | semmle.label | a |
-| test_free.cpp:252:7:252:7 | p | semmle.label | p |
-| test_free.cpp:255:10:255:10 | p | semmle.label | p |
-| test_free.cpp:260:9:260:9 | p | semmle.label | p |
-| test_free.cpp:263:12:263:12 | p | semmle.label | p |
 subpaths
 #select
 | test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:14:10:14:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
-| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:14:10:14:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
-| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:14:10:14:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
-| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:14:10:14:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
 | test_free.cpp:31:27:31:27 | a | test_free.cpp:30:10:30:10 | a | test_free.cpp:31:27:31:27 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:30:5:30:8 | call to free | call to free |
 | test_free.cpp:37:27:37:27 | a | test_free.cpp:35:10:35:10 | a | test_free.cpp:37:27:37:27 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:35:5:35:8 | call to free | call to free |
 | test_free.cpp:46:10:46:10 | a | test_free.cpp:42:27:42:27 | a | test_free.cpp:46:10:46:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free |
-| test_free.cpp:46:10:46:10 | a | test_free.cpp:42:27:42:27 | a | test_free.cpp:46:10:46:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free |
-| test_free.cpp:46:10:46:10 | a | test_free.cpp:42:27:42:27 | a | test_free.cpp:46:10:46:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free |
-| test_free.cpp:46:10:46:10 | a | test_free.cpp:42:27:42:27 | a | test_free.cpp:46:10:46:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free |
-| test_free.cpp:46:10:46:10 | a | test_free.cpp:44:27:44:27 | a | test_free.cpp:46:10:46:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free |
-| test_free.cpp:46:10:46:10 | a | test_free.cpp:44:27:44:27 | a | test_free.cpp:46:10:46:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free |
-| test_free.cpp:46:10:46:10 | a | test_free.cpp:44:27:44:27 | a | test_free.cpp:46:10:46:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free |
 | test_free.cpp:46:10:46:10 | a | test_free.cpp:44:27:44:27 | a | test_free.cpp:46:10:46:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free |
 | test_free.cpp:51:10:51:10 | a | test_free.cpp:50:27:50:27 | a | test_free.cpp:51:10:51:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:50:22:50:25 | call to free | call to free |
 | test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
-| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
-| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
-| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
 | test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | a | test_free.cpp:85:12:85:12 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:83:5:83:13 | delete | delete |
 | test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | a | test_free.cpp:103:10:103:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free |
 | test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
 | test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
-| test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
-| test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
-| test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
 | test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |
-| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |
-| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |
-| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |
-| test_free.cpp:255:10:255:10 | p | test_free.cpp:252:7:252:7 | p | test_free.cpp:255:10:255:10 | p | Memory pointed to by 'p' may already have been freed by $@. | test_free.cpp:252:2:252:5 | call to free | call to free |
-| test_free.cpp:263:12:263:12 | p | test_free.cpp:260:9:260:9 | p | test_free.cpp:263:12:263:12 | p | Memory pointed to by 'p' may already have been freed by $@. | test_free.cpp:260:2:260:9 | delete | delete |

cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected

@@ -1,107 +1,55 @@
 edges
 | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a |
-| test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a |
-| test_free.cpp:11:10:11:10 | a | test_free.cpp:13:6:13:6 | a |
-| test_free.cpp:11:10:11:10 | a | test_free.cpp:13:6:13:6 | a |
-| test_free.cpp:42:27:42:27 | a | test_free.cpp:45:5:45:5 | a |
+| test_free.cpp:11:10:11:10 | a | test_free.cpp:13:5:13:6 | * ... |
 | test_free.cpp:42:27:42:27 | a | test_free.cpp:45:5:45:5 | a |
 | test_free.cpp:44:27:44:27 | a | test_free.cpp:45:5:45:5 | a |
-| test_free.cpp:44:27:44:27 | a | test_free.cpp:45:5:45:5 | a |
-| test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a |
 | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a |
 | test_free.cpp:83:12:83:12 | a | test_free.cpp:84:5:84:5 | a |
 | test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a |
-| test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a |
 | test_free.cpp:95:10:95:10 | a | test_free.cpp:96:9:96:9 | a |
 | test_free.cpp:101:10:101:10 | a | test_free.cpp:102:23:102:23 | a |
 | test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a |
-| test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a |
-| test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
-| test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
-| test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
 | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
 | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
-| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
-| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
-| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
 | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
-| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
-| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
-| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
-| test_free.cpp:252:7:252:7 | p | test_free.cpp:254:6:254:6 | p |
-| test_free.cpp:260:9:260:9 | p | test_free.cpp:262:6:262:6 | p |
 nodes
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
-| test_free.cpp:11:10:11:10 | a | semmle.label | a |
 | test_free.cpp:12:5:12:5 | a | semmle.label | a |
-| test_free.cpp:13:6:13:6 | a | semmle.label | a |
+| test_free.cpp:13:5:13:6 | * ... | semmle.label | * ... |
 | test_free.cpp:42:27:42:27 | a | semmle.label | a |
-| test_free.cpp:42:27:42:27 | a | semmle.label | a |
-| test_free.cpp:44:27:44:27 | a | semmle.label | a |
 | test_free.cpp:44:27:44:27 | a | semmle.label | a |
 | test_free.cpp:45:5:45:5 | a | semmle.label | a |
 | test_free.cpp:45:5:45:5 | a | semmle.label | a |
 | test_free.cpp:69:10:69:10 | a | semmle.label | a |
-| test_free.cpp:69:10:69:10 | a | semmle.label | a |
 | test_free.cpp:71:9:71:9 | a | semmle.label | a |
 | test_free.cpp:83:12:83:12 | a | semmle.label | a |
 | test_free.cpp:84:5:84:5 | a | semmle.label | a |
 | test_free.cpp:90:10:90:10 | a | semmle.label | a |
-| test_free.cpp:90:10:90:10 | a | semmle.label | a |
 | test_free.cpp:91:5:91:5 | a | semmle.label | a |
 | test_free.cpp:95:10:95:10 | a | semmle.label | a |
 | test_free.cpp:96:9:96:9 | a | semmle.label | a |
 | test_free.cpp:101:10:101:10 | a | semmle.label | a |
 | test_free.cpp:102:23:102:23 | a | semmle.label | a |
 | test_free.cpp:152:27:152:27 | a | semmle.label | a |
-| test_free.cpp:152:27:152:27 | a | semmle.label | a |
 | test_free.cpp:153:5:153:5 | a | semmle.label | a |
 | test_free.cpp:233:14:233:15 | * ... | semmle.label | * ... |
-| test_free.cpp:233:14:233:15 | * ... | semmle.label | * ... |
-| test_free.cpp:236:9:236:10 | * ... | semmle.label | * ... |
 | test_free.cpp:236:9:236:10 | * ... | semmle.label | * ... |
 | test_free.cpp:239:14:239:15 | * ... | semmle.label | * ... |
-| test_free.cpp:239:14:239:15 | * ... | semmle.label | * ... |
-| test_free.cpp:241:9:241:10 | * ... | semmle.label | * ... |
 | test_free.cpp:241:9:241:10 | * ... | semmle.label | * ... |
 | test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
-| test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
 | test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
-| test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
-| test_free.cpp:252:7:252:7 | p | semmle.label | p |
-| test_free.cpp:254:6:254:6 | p | semmle.label | p |
-| test_free.cpp:260:9:260:9 | p | semmle.label | p |
-| test_free.cpp:262:6:262:6 | p | semmle.label | p |
 subpaths
 #select
 | test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
-| test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
-| test_free.cpp:13:6:13:6 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:13:6:13:6 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
-| test_free.cpp:13:6:13:6 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:13:6:13:6 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
-| test_free.cpp:45:5:45:5 | a | test_free.cpp:42:27:42:27 | a | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free |
+| test_free.cpp:13:5:13:6 | * ... | test_free.cpp:11:10:11:10 | a | test_free.cpp:13:5:13:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
 | test_free.cpp:45:5:45:5 | a | test_free.cpp:42:27:42:27 | a | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free |
 | test_free.cpp:45:5:45:5 | a | test_free.cpp:44:27:44:27 | a | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free |
-| test_free.cpp:45:5:45:5 | a | test_free.cpp:44:27:44:27 | a | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free |
-| test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
 | test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
 | test_free.cpp:84:5:84:5 | a | test_free.cpp:83:12:83:12 | a | test_free.cpp:84:5:84:5 | a | Memory may have been previously freed by $@. | test_free.cpp:83:5:83:13 | delete | delete |
 | test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free |
-| test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free |
 | test_free.cpp:96:9:96:9 | a | test_free.cpp:95:10:95:10 | a | test_free.cpp:96:9:96:9 | a | Memory may have been previously freed by $@. | test_free.cpp:95:5:95:8 | call to free | call to free |
 | test_free.cpp:102:23:102:23 | a | test_free.cpp:101:10:101:10 | a | test_free.cpp:102:23:102:23 | a | Memory may have been previously freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free |
 | test_free.cpp:153:5:153:5 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a | Memory may have been previously freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
-| test_free.cpp:153:5:153:5 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a | Memory may have been previously freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
-| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
-| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
-| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
 | test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
 | test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
-| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
-| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
-| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
 | test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
-| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
-| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
-| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
-| test_free.cpp:254:6:254:6 | p | test_free.cpp:252:7:252:7 | p | test_free.cpp:254:6:254:6 | p | Memory may have been previously freed by $@. | test_free.cpp:252:2:252:5 | call to free | call to free |
-| test_free.cpp:262:6:262:6 | p | test_free.cpp:260:9:260:9 | p | test_free.cpp:262:6:262:6 | p | Memory may have been previously freed by $@. | test_free.cpp:260:2:260:9 | delete | delete |

cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp

@@ -251,14 +251,14 @@ void test_deref(char **a) {
 void test_ref(char *&p) {
 	free(p);
 	p = (char *)malloc(sizeof(char)*10);
-	use(p);  // GOOD [FALSE POSITIVE]
-    free(p); // GOOD [FALSE POSITIVE]
+	use(p);  // GOOD
+    free(p); // GOOD
 }
 
 
 void test_ref_delete(int *&p) {
 	delete p;
 	p = new int;
-	use(p);  // GOOD [FALSE POSITIVE]
-    delete p;  // GOOD [FALSE POSITIVE]
+	use(p);  // GOOD
+    delete p;  // GOOD
 }

cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected

@@ -3,65 +3,23 @@ edges
 | test.cpp:30:34:30:34 | b | test.cpp:31:2:31:2 | b |
 | test.cpp:34:31:34:31 | b | test.cpp:35:2:35:2 | b |
 | test.cpp:57:19:57:19 | d | test.cpp:26:29:26:29 | b |
-| test.cpp:57:19:57:19 | d | test.cpp:57:19:57:19 | d |
-| test.cpp:57:19:57:19 | d | test.cpp:57:19:57:19 | d |
 | test.cpp:57:19:57:19 | d | test.cpp:58:25:58:25 | d |
-| test.cpp:57:19:57:19 | d | test.cpp:58:25:58:25 | d |
-| test.cpp:57:19:57:19 | d | test.cpp:58:25:58:25 | d |
-| test.cpp:57:19:57:19 | d | test.cpp:59:21:59:21 | d |
-| test.cpp:57:19:57:19 | d | test.cpp:59:21:59:21 | d |
 | test.cpp:57:19:57:19 | d | test.cpp:59:21:59:21 | d |
 | test.cpp:58:25:58:25 | d | test.cpp:30:34:30:34 | b |
-| test.cpp:58:25:58:25 | d | test.cpp:58:25:58:25 | d |
-| test.cpp:58:25:58:25 | d | test.cpp:58:25:58:25 | d |
-| test.cpp:58:25:58:25 | d | test.cpp:59:21:59:21 | d |
-| test.cpp:58:25:58:25 | d | test.cpp:59:21:59:21 | d |
 | test.cpp:58:25:58:25 | d | test.cpp:59:21:59:21 | d |
 | test.cpp:59:21:59:21 | d | test.cpp:34:31:34:31 | b |
-| test.cpp:59:21:59:21 | d | test.cpp:59:21:59:21 | d |
-| test.cpp:59:21:59:21 | d | test.cpp:59:21:59:21 | d |
 | test.cpp:74:19:74:21 | dss | test.cpp:26:29:26:29 | b |
-| test.cpp:74:19:74:21 | dss | test.cpp:74:19:74:21 | dss |
-| test.cpp:74:19:74:21 | dss | test.cpp:74:19:74:21 | dss |
 | test.cpp:74:19:74:21 | dss | test.cpp:75:25:75:27 | dss |
-| test.cpp:74:19:74:21 | dss | test.cpp:75:25:75:27 | dss |
-| test.cpp:74:19:74:21 | dss | test.cpp:75:25:75:27 | dss |
-| test.cpp:74:19:74:21 | dss | test.cpp:76:21:76:23 | dss |
-| test.cpp:74:19:74:21 | dss | test.cpp:76:21:76:23 | dss |
 | test.cpp:74:19:74:21 | dss | test.cpp:76:21:76:23 | dss |
 | test.cpp:75:25:75:27 | dss | test.cpp:30:34:30:34 | b |
-| test.cpp:75:25:75:27 | dss | test.cpp:75:25:75:27 | dss |
-| test.cpp:75:25:75:27 | dss | test.cpp:75:25:75:27 | dss |
-| test.cpp:75:25:75:27 | dss | test.cpp:76:21:76:23 | dss |
-| test.cpp:75:25:75:27 | dss | test.cpp:76:21:76:23 | dss |
 | test.cpp:75:25:75:27 | dss | test.cpp:76:21:76:23 | dss |
 | test.cpp:76:21:76:23 | dss | test.cpp:34:31:34:31 | b |
-| test.cpp:76:21:76:23 | dss | test.cpp:76:21:76:23 | dss |
-| test.cpp:76:21:76:23 | dss | test.cpp:76:21:76:23 | dss |
 | test.cpp:86:19:86:20 | d2 | test.cpp:26:29:26:29 | b |
-| test.cpp:86:19:86:20 | d2 | test.cpp:86:19:86:20 | d2 |
-| test.cpp:86:19:86:20 | d2 | test.cpp:86:19:86:20 | d2 |
-| test.cpp:86:19:86:20 | d2 | test.cpp:86:19:86:20 | d2 |
 | test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 |
-| test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 |
-| test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 |
-| test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 |
-| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 |
-| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 |
-| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 |
 | test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 |
 | test.cpp:87:25:87:26 | d2 | test.cpp:30:34:30:34 | b |
-| test.cpp:87:25:87:26 | d2 | test.cpp:87:25:87:26 | d2 |
-| test.cpp:87:25:87:26 | d2 | test.cpp:87:25:87:26 | d2 |
-| test.cpp:87:25:87:26 | d2 | test.cpp:87:25:87:26 | d2 |
-| test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 |
-| test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 |
-| test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 |
 | test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 |
 | test.cpp:88:21:88:22 | d2 | test.cpp:34:31:34:31 | b |
-| test.cpp:88:21:88:22 | d2 | test.cpp:88:21:88:22 | d2 |
-| test.cpp:88:21:88:22 | d2 | test.cpp:88:21:88:22 | d2 |
-| test.cpp:88:21:88:22 | d2 | test.cpp:88:21:88:22 | d2 |
 nodes
 | test.cpp:26:29:26:29 | b | semmle.label | b |
 | test.cpp:27:2:27:2 | b | semmle.label | b |
@@ -70,94 +28,31 @@ nodes
 | test.cpp:34:31:34:31 | b | semmle.label | b |
 | test.cpp:35:2:35:2 | b | semmle.label | b |
 | test.cpp:57:19:57:19 | d | semmle.label | d |
-| test.cpp:57:19:57:19 | d | semmle.label | d |
-| test.cpp:57:19:57:19 | d | semmle.label | d |
-| test.cpp:58:25:58:25 | d | semmle.label | d |
-| test.cpp:58:25:58:25 | d | semmle.label | d |
 | test.cpp:58:25:58:25 | d | semmle.label | d |
 | test.cpp:59:21:59:21 | d | semmle.label | d |
-| test.cpp:59:21:59:21 | d | semmle.label | d |
-| test.cpp:59:21:59:21 | d | semmle.label | d |
-| test.cpp:74:19:74:21 | dss | semmle.label | dss |
-| test.cpp:74:19:74:21 | dss | semmle.label | dss |
 | test.cpp:74:19:74:21 | dss | semmle.label | dss |
 | test.cpp:75:25:75:27 | dss | semmle.label | dss |
-| test.cpp:75:25:75:27 | dss | semmle.label | dss |
-| test.cpp:75:25:75:27 | dss | semmle.label | dss |
-| test.cpp:76:21:76:23 | dss | semmle.label | dss |
-| test.cpp:76:21:76:23 | dss | semmle.label | dss |
 | test.cpp:76:21:76:23 | dss | semmle.label | dss |
 | test.cpp:86:19:86:20 | d2 | semmle.label | d2 |
-| test.cpp:86:19:86:20 | d2 | semmle.label | d2 |
-| test.cpp:86:19:86:20 | d2 | semmle.label | d2 |
-| test.cpp:86:19:86:20 | d2 | semmle.label | d2 |
 | test.cpp:87:25:87:26 | d2 | semmle.label | d2 |
-| test.cpp:87:25:87:26 | d2 | semmle.label | d2 |
-| test.cpp:87:25:87:26 | d2 | semmle.label | d2 |
-| test.cpp:87:25:87:26 | d2 | semmle.label | d2 |
-| test.cpp:88:21:88:22 | d2 | semmle.label | d2 |
-| test.cpp:88:21:88:22 | d2 | semmle.label | d2 |
-| test.cpp:88:21:88:22 | d2 | semmle.label | d2 |
 | test.cpp:88:21:88:22 | d2 | semmle.label | d2 |
 subpaths
 #select
 | test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
-| test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
-| test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
-| test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
-| test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
 | test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
 | test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:57:19:57:19 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:57:19:57:19 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
 | test.cpp:31:2:31:2 | b | test.cpp:57:19:57:19 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
 | test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
 | test.cpp:31:2:31:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
 | test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast |
 | test.cpp:31:2:31:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
 | test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
 | test.cpp:35:2:35:2 | b | test.cpp:57:19:57:19 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:57:19:57:19 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:57:19:57:19 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:58:25:58:25 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:58:25:58:25 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast |
 | test.cpp:35:2:35:2 | b | test.cpp:58:25:58:25 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast |
 | test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
 | test.cpp:35:2:35:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
 | test.cpp:35:2:35:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast |
 | test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast |
 | test.cpp:35:2:35:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
 | test.cpp:35:2:35:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
 | test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast |

cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/NtohlArrayNoBound.expected

@@ -1,17 +1,8 @@
-| test.cpp:12:25:12:29 | call to ntohl | Unchecked use of data from network function $@. | test.cpp:12:25:12:29 | call to ntohl | call to ntohl |
-| test.cpp:12:25:12:34 | call to ntohl | Unchecked use of data from network function $@. | test.cpp:12:25:12:29 | call to ntohl | call to ntohl |
 | test.cpp:12:25:12:34 | call to ntohl | Unchecked use of data from network function $@. | test.cpp:12:25:12:34 | call to ntohl | call to ntohl |
-| test.cpp:21:26:21:29 | len2 | Unchecked use of data from network function $@. | test.cpp:10:16:10:20 | call to ntohl | call to ntohl |
 | test.cpp:21:26:21:29 | len2 | Unchecked use of data from network function $@. | test.cpp:10:16:10:25 | call to ntohl | call to ntohl |
-| test.cpp:31:26:31:29 | len2 | Unchecked use of data from network function $@. | test.cpp:10:16:10:20 | call to ntohl | call to ntohl |
 | test.cpp:31:26:31:29 | len2 | Unchecked use of data from network function $@. | test.cpp:10:16:10:25 | call to ntohl | call to ntohl |
-| test.cpp:61:26:61:29 | len2 | Unchecked use of data from network function $@. | test.cpp:10:16:10:20 | call to ntohl | call to ntohl |
 | test.cpp:61:26:61:29 | len2 | Unchecked use of data from network function $@. | test.cpp:10:16:10:25 | call to ntohl | call to ntohl |
-| test.cpp:64:9:64:12 | len2 | Unchecked use of data from network function $@. | test.cpp:10:16:10:20 | call to ntohl | call to ntohl |
 | test.cpp:64:9:64:12 | len2 | Unchecked use of data from network function $@. | test.cpp:10:16:10:25 | call to ntohl | call to ntohl |
-| test.cpp:73:10:73:13 | lens | Unchecked use of data from network function $@. | test.cpp:10:16:10:20 | call to ntohl | call to ntohl |
 | test.cpp:73:10:73:13 | lens | Unchecked use of data from network function $@. | test.cpp:10:16:10:25 | call to ntohl | call to ntohl |
-| test.cpp:86:10:86:13 | len3 | Unchecked use of data from network function $@. | test.cpp:85:10:85:14 | call to ntohl | call to ntohl |
 | test.cpp:86:10:86:13 | len3 | Unchecked use of data from network function $@. | test.cpp:85:10:85:19 | call to ntohl | call to ntohl |
-| test.cpp:94:9:94:11 | len | Unchecked use of data from network function $@. | test.cpp:99:8:99:12 | call to ntohl | call to ntohl |
 | test.cpp:94:9:94:11 | len | Unchecked use of data from network function $@. | test.cpp:99:8:99:17 | call to ntohl | call to ntohl |

cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected

@@ -1,7 +1,6 @@
 edges
 | search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
 | search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
-| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
 | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
 | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
 | search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query |
@@ -15,7 +14,6 @@ nodes
 | search.c:14:24:14:28 | query | semmle.label | query |
 | search.c:17:8:17:12 | query | semmle.label | query |
 | search.c:17:8:17:12 | query | semmle.label | query |
-| search.c:17:8:17:12 | query | semmle.label | query |
 | search.c:22:24:22:28 | query | semmle.label | query |
 | search.c:23:39:23:43 | query | semmle.label | query |
 | search.c:23:39:23:43 | query | semmle.label | query |

cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected

@@ -1,8 +1,6 @@
 edges
 | test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
 | test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data |
 | test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data |
 | test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data |
 | test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data |
@@ -17,7 +15,6 @@ nodes
 | test.cpp:37:73:37:76 | data indirection | semmle.label | data indirection |
 | test.cpp:43:32:43:35 | data | semmle.label | data |
 | test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:43:32:43:35 | data | semmle.label | data |
 | test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
 | test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
 | test.cpp:73:24:73:27 | data | semmle.label | data |

cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected

@@ -15,18 +15,12 @@ edges
 | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
 | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
 | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
 | test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
 | test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
 | test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
 | test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
 | test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
 | test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
 | test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
 | test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
 | test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
@@ -35,12 +29,9 @@ edges
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 |
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 |
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 |
 | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
@@ -80,12 +71,9 @@ nodes
 | test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
 | test.cpp:63:10:63:13 | data | semmle.label | data |
 | test.cpp:63:10:63:13 | data | semmle.label | data |
-| test.cpp:63:10:63:13 | data | semmle.label | data |
 | test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
 | test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
 | test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
-| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
-| test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
 | test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
 | test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
 | test.cpp:76:12:76:17 | buffer | semmle.label | buffer |

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected

@@ -46,19 +46,25 @@ edges
 | test.cpp:203:17:203:19 | str indirection [string] | test.cpp:203:22:203:27 | string |
 | test.cpp:207:17:207:19 | str indirection [string] | test.cpp:207:22:207:27 | string |
 | test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p |
+| test.cpp:220:27:220:54 | call to malloc | test.cpp:222:15:222:20 | buffer |
 | test.cpp:220:43:220:48 | call to malloc | test.cpp:222:15:222:20 | buffer |
 | test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p |
+| test.cpp:228:27:228:54 | call to malloc | test.cpp:232:10:232:15 | buffer |
 | test.cpp:228:43:228:48 | call to malloc | test.cpp:232:10:232:15 | buffer |
 | test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:26 | ... = ... |
 | test.cpp:236:5:236:26 | ... = ... | test.cpp:236:12:236:17 | p_str indirection [post update] [string] |
+| test.cpp:241:20:241:38 | call to malloc | test.cpp:242:22:242:27 | buffer |
 | test.cpp:241:27:241:32 | call to malloc | test.cpp:242:22:242:27 | buffer |
 | test.cpp:242:16:242:19 | set_string output argument [string] | test.cpp:243:12:243:14 | str indirection [string] |
 | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer |
 | test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] |
 | test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:12:243:21 | string |
-| test.cpp:249:20:249:27 | call to my_alloc | test.cpp:250:12:250:12 | p |
+| test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p |
+| test.cpp:256:9:256:25 | call to malloc | test.cpp:257:12:257:12 | p |
 | test.cpp:256:17:256:22 | call to malloc | test.cpp:257:12:257:12 | p |
+| test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p |
 | test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p |
+| test.cpp:264:13:264:30 | call to malloc | test.cpp:266:12:266:12 | p |
 | test.cpp:264:20:264:25 | call to malloc | test.cpp:266:12:266:12 | p |
 nodes
 | test.cpp:16:11:16:21 | mk_string_t indirection [string] | semmle.label | mk_string_t indirection [string] |
@@ -109,23 +115,29 @@ nodes
 | test.cpp:207:22:207:27 | string | semmle.label | string |
 | test.cpp:214:24:214:24 | p | semmle.label | p |
 | test.cpp:216:10:216:10 | p | semmle.label | p |
+| test.cpp:220:27:220:54 | call to malloc | semmle.label | call to malloc |
 | test.cpp:220:43:220:48 | call to malloc | semmle.label | call to malloc |
 | test.cpp:222:15:222:20 | buffer | semmle.label | buffer |
+| test.cpp:228:27:228:54 | call to malloc | semmle.label | call to malloc |
 | test.cpp:228:43:228:48 | call to malloc | semmle.label | call to malloc |
 | test.cpp:232:10:232:15 | buffer | semmle.label | buffer |
 | test.cpp:235:40:235:45 | buffer | semmle.label | buffer |
 | test.cpp:236:5:236:26 | ... = ... | semmle.label | ... = ... |
 | test.cpp:236:12:236:17 | p_str indirection [post update] [string] | semmle.label | p_str indirection [post update] [string] |
+| test.cpp:241:20:241:38 | call to malloc | semmle.label | call to malloc |
 | test.cpp:241:27:241:32 | call to malloc | semmle.label | call to malloc |
 | test.cpp:242:16:242:19 | set_string output argument [string] | semmle.label | set_string output argument [string] |
 | test.cpp:242:22:242:27 | buffer | semmle.label | buffer |
 | test.cpp:243:12:243:14 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:243:12:243:21 | string | semmle.label | string |
-| test.cpp:249:20:249:27 | call to my_alloc | semmle.label | call to my_alloc |
+| test.cpp:249:14:249:33 | call to my_alloc | semmle.label | call to my_alloc |
 | test.cpp:250:12:250:12 | p | semmle.label | p |
+| test.cpp:256:9:256:25 | call to malloc | semmle.label | call to malloc |
 | test.cpp:256:17:256:22 | call to malloc | semmle.label | call to malloc |
 | test.cpp:257:12:257:12 | p | semmle.label | p |
+| test.cpp:262:15:262:30 | call to malloc | semmle.label | call to malloc |
 | test.cpp:262:22:262:27 | call to malloc | semmle.label | call to malloc |
+| test.cpp:264:13:264:30 | call to malloc | semmle.label | call to malloc |
 | test.cpp:264:20:264:25 | call to malloc | semmle.label | call to malloc |
 | test.cpp:266:12:266:12 | p | semmle.label | p |
 subpaths
@@ -146,6 +158,8 @@ subpaths
 | test.cpp:199:9:199:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:199:22:199:27 | string | This write may overflow $@ by 2 elements. | test.cpp:199:22:199:27 | string | string |
 | test.cpp:203:9:203:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:203:22:203:27 | string | This write may overflow $@ by 2 elements. | test.cpp:203:22:203:27 | string | string |
 | test.cpp:207:9:207:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:207:22:207:27 | string | This write may overflow $@ by 3 elements. | test.cpp:207:22:207:27 | string | string |
+| test.cpp:243:5:243:10 | call to memset | test.cpp:241:20:241:38 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string |
 | test.cpp:243:5:243:10 | call to memset | test.cpp:241:27:241:32 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string |
-| test.cpp:250:5:250:10 | call to memset | test.cpp:249:20:249:27 | call to my_alloc | test.cpp:250:12:250:12 | p | This write may overflow $@ by 1 element. | test.cpp:250:12:250:12 | p | p |
+| test.cpp:250:5:250:10 | call to memset | test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | This write may overflow $@ by 1 element. | test.cpp:250:12:250:12 | p | p |
+| test.cpp:266:5:266:10 | call to memset | test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p |
 | test.cpp:266:5:266:10 | call to memset | test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected

@@ -19,9 +19,6 @@
 | tests.cpp:310:2:310:7 | call to memset | This 'memset' operation accesses 21 bytes but the $@ is only 20 bytes. | tests.cpp:301:10:301:14 | myVar | destination buffer |
 | tests.cpp:312:2:312:7 | call to memset | This 'memset' operation accesses 17 bytes but the $@ is only 16 bytes. | tests.cpp:298:7:298:12 | buffer | destination buffer |
 | tests.cpp:314:2:314:7 | call to memset | This 'memset' operation accesses 8 bytes but the $@ is only 4 bytes. | tests.cpp:299:6:299:10 | field | destination buffer |
-| tests.cpp:327:3:327:8 | call to memset | This 'memset' operation accesses 21 bytes but the $@ is only 20 bytes. | tests.cpp:301:10:301:14 | myVar | destination buffer |
-| tests.cpp:329:3:329:8 | call to memset | This 'memset' operation accesses 21 bytes but the $@ is only 20 bytes. | tests.cpp:301:10:301:14 | myVar | destination buffer |
-| tests.cpp:336:3:336:8 | call to memset | This 'memset' operation accesses 21 bytes but the $@ is only 20 bytes. | tests.cpp:301:10:301:14 | myVar | destination buffer |
 | tests.cpp:346:2:346:14 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:342:7:342:15 | charArray | array |
 | tests.cpp:349:2:349:14 | access to array | This array indexing operation accesses byte offset 10 but the $@ is only 10 bytes. | tests.cpp:342:7:342:15 | charArray | array |
 | tests.cpp:350:17:350:29 | access to array | This array indexing operation accesses byte offset 10 but the $@ is only 10 bytes. | tests.cpp:342:7:342:15 | charArray | array |
@@ -52,9 +49,6 @@
 | tests.cpp:577:7:577:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
 | tests_restrict.c:12:2:12:7 | call to memcpy | This 'memcpy' operation accesses 2 bytes but the $@ is only 1 byte. | tests_restrict.c:7:6:7:13 | smallbuf | source buffer |
 | unions.cpp:26:2:26:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:21:10:21:11 | mu | destination buffer |
-| unions.cpp:27:2:27:7 | call to memset | This 'memset' operation accesses 100 bytes but the $@ is only 10 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |
-| unions.cpp:29:2:29:7 | call to memset | This 'memset' operation accesses 100 bytes but the $@ is only 10 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |
-| unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 10 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |
 | unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |
 | unions.cpp:34:2:34:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:16:7:16:11 | large | destination buffer |
 | var_size_struct.cpp:71:3:71:8 | call to memset | This 'memset' operation accesses 1025 bytes but the $@ is only 1024 bytes. | var_size_struct.cpp:63:8:63:11 | data | destination buffer |

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.expected

@@ -1,6 +1,4 @@
-| tests2.cpp:59:3:59:10 | call to snprintf | This 'call to snprintf' operation is limited to 13 bytes but the destination is only 0 bytes. |
 | tests2.cpp:59:3:59:10 | call to snprintf | This 'call to snprintf' operation is limited to 13 bytes but the destination is only 2 bytes. |
-| tests2.cpp:63:3:63:10 | call to snprintf | This 'call to snprintf' operation is limited to 13 bytes but the destination is only 0 bytes. |
 | tests2.cpp:63:3:63:10 | call to snprintf | This 'call to snprintf' operation is limited to 13 bytes but the destination is only 3 bytes. |
 | tests.c:43:3:43:10 | call to snprintf | This 'call to snprintf' operation is limited to 111 bytes but the destination is only 110 bytes. |
 | tests.c:46:3:46:10 | call to snprintf | This 'call to snprintf' operation is limited to 111 bytes but the destination is only 110 bytes. |

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected

@@ -3,8 +3,6 @@ edges
 | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
 | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
 | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
-| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
-| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
@@ -13,30 +11,24 @@ edges
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
-| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
-| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
 subpaths
 nodes
 | tests.c:28:22:28:25 | argv | semmle.label | argv |
 | tests.c:28:22:28:25 | argv | semmle.label | argv |
 | tests.c:28:22:28:28 | access to array | semmle.label | access to array |
 | tests.c:28:22:28:28 | access to array | semmle.label | access to array |
-| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
 | tests.c:29:28:29:31 | argv | semmle.label | argv |
 | tests.c:29:28:29:31 | argv | semmle.label | argv |
 | tests.c:29:28:29:34 | access to array | semmle.label | access to array |
 | tests.c:29:28:29:34 | access to array | semmle.label | access to array |
 | tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
 | tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
-| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
-| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
 | tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
 | tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
 | tests.c:34:10:34:13 | argv | semmle.label | argv |
 | tests.c:34:10:34:13 | argv | semmle.label | argv |
 | tests.c:34:10:34:16 | access to array | semmle.label | access to array |
 | tests.c:34:10:34:16 | access to array | semmle.label | access to array |
-| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
 #select
 | tests.c:28:3:28:9 | call to sprintf | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
 | tests.c:29:3:29:9 | call to sprintf | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.expected

@@ -17,6 +17,5 @@
 | tests.c:186:3:186:9 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 2 bytes. |
 | tests.c:189:3:189:9 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
 | unions.c:26:2:26:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 16 bytes. |
-| unions.c:27:2:27:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 15 bytes. |
 | unions.c:27:2:27:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 16 bytes. |
 | var_size_struct.cpp:22:3:22:8 | call to strcpy | This 'call to strcpy' operation requires 10 bytes but the destination is only 9 bytes. |

cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected

@@ -5,12 +5,8 @@ edges
 | char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data |
 | char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | char_console_fprintf_01_bad.c:49:21:49:24 | data |
 | char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | char_console_fprintf_01_bad.c:49:21:49:24 | data |
-| char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | char_console_fprintf_01_bad.c:49:21:49:24 | data |
 | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | data |
 | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | data |
-| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | data |
-| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data |
-| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data |
 | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data |
 | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data |
 | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data |
@@ -25,12 +21,10 @@ nodes
 | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | semmle.label | fgets output argument |
 | char_console_fprintf_01_bad.c:49:21:49:24 | data | semmle.label | data |
 | char_console_fprintf_01_bad.c:49:21:49:24 | data | semmle.label | data |
-| char_console_fprintf_01_bad.c:49:21:49:24 | data | semmle.label | data |
 | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | semmle.label | call to getenv |
 | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | semmle.label | call to getenv |
 | char_environment_fprintf_01_bad.c:36:21:36:24 | data | semmle.label | data |
 | char_environment_fprintf_01_bad.c:36:21:36:24 | data | semmle.label | data |
-| char_environment_fprintf_01_bad.c:36:21:36:24 | data | semmle.label | data |
 #select
 | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format). | char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | recv |
 | char_console_fprintf_01_bad.c:49:21:49:24 | data | char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | char_console_fprintf_01_bad.c:49:21:49:24 | data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | fgets |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected

@@ -3,8 +3,6 @@ edges
 | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
 | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
 | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
-| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
-| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
 | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
 | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
 | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
@@ -13,8 +11,6 @@ edges
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
-| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
-| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
@@ -23,8 +19,6 @@ edges
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
-| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
-| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
@@ -33,8 +27,6 @@ edges
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
-| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
-| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
@@ -43,8 +35,6 @@ edges
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
-| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
-| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
@@ -61,8 +51,6 @@ edges
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
-| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
-| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
@@ -95,8 +83,6 @@ edges
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
-| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
-| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
@@ -105,8 +91,6 @@ edges
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:139:9:139:26 | ... ? ... : ... |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:139:9:139:26 | ... ? ... : ... |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:139:9:139:26 | ... ? ... : ... |
-| argvLocal.c:126:10:126:13 | argv | argvLocal.c:139:9:139:26 | ... ? ... : ... |
-| argvLocal.c:126:10:126:13 | argv | argvLocal.c:139:9:139:26 | ... ? ... : ... |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:140:15:140:32 | ... ? ... : ... |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:140:15:140:32 | ... ? ... : ... |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:140:15:140:32 | ... ? ... : ... |
@@ -115,33 +99,24 @@ edges
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
-| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
-| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 |
-| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 |
-| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 |
-| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
-| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
-| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
-| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
 subpaths
 nodes
 | argvLocal.c:95:9:95:12 | argv | semmle.label | argv |
 | argvLocal.c:95:9:95:12 | argv | semmle.label | argv |
 | argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
 | argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
-| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
 | argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
 | argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
 | argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
@@ -150,19 +125,16 @@ nodes
 | argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
 | argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
 | argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
-| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
 | argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
 | argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
 | argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
 | argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
 | argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
 | argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
-| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
 | argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
 | argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
 | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
 | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
-| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
 | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
 | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
 | argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
@@ -173,7 +145,6 @@ nodes
 | argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 |
 | argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
 | argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
-| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
 | argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
 | argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
 | argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
@@ -184,7 +155,6 @@ nodes
 | argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 |
 | argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
 | argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
-| argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
 | argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
 | argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
 | argvLocal.c:135:9:135:10 | i4 | semmle.label | i4 |
@@ -197,30 +167,24 @@ nodes
 | argvLocal.c:136:17:136:18 | i4 | semmle.label | i4 |
 | argvLocal.c:139:9:139:26 | ... ? ... : ... | semmle.label | ... ? ... : ... |
 | argvLocal.c:139:9:139:26 | ... ? ... : ... | semmle.label | ... ? ... : ... |
-| argvLocal.c:139:9:139:26 | ... ? ... : ... | semmle.label | ... ? ... : ... |
 | argvLocal.c:140:15:140:32 | ... ? ... : ... | semmle.label | ... ? ... : ... |
 | argvLocal.c:140:15:140:32 | ... ? ... : ... | semmle.label | ... ? ... : ... |
 | argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
 | argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
-| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
 | argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
 | argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
 | argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
 | argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
 | argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
 | argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
-| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
 | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
 | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
 | argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
 | argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
 | argvLocal.c:169:9:169:20 | i10 | semmle.label | i10 |
-| argvLocal.c:169:9:169:20 | i10 | semmle.label | i10 |
-| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
 | argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
 | argvLocal.c:170:15:170:26 | i10 | semmle.label | i10 |
 | argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
-| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
 #select
 | argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:95:9:95:12 | argv | argv |
 | argvLocal.c:96:15:96:21 | access to array | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:96:15:96:18 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected

@@ -21,8 +21,6 @@ edges
 | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
 | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
 | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
-| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
-| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
 | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 |
 | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 |
 | funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 |
@@ -33,19 +31,12 @@ edges
 | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
 | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
 | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
-| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
-| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
-| funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... |
-| funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... |
 | funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... |
 | funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... |
 | funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... |
 | funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... |
 | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | * ... |
 | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | * ... |
-| funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | * ... |
-| funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... |
-| funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... |
 | funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... |
 | funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... |
 | funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... |
@@ -66,7 +57,6 @@ nodes
 | funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
 | funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
 | funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
-| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
 | funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument |
 | funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 |
 | funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 |
@@ -76,18 +66,15 @@ nodes
 | funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
 | funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
 | funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
-| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
 | funcsLocal.c:46:7:46:9 | * ... | semmle.label | * ... |
 | funcsLocal.c:46:7:46:9 | * ... | semmle.label | * ... |
 | funcsLocal.c:46:7:46:9 | gets output argument | semmle.label | gets output argument |
 | funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... |
 | funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... |
-| funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... |
 | funcsLocal.c:52:8:52:11 | call to gets | semmle.label | call to gets |
 | funcsLocal.c:52:8:52:11 | call to gets | semmle.label | call to gets |
 | funcsLocal.c:53:9:53:11 | * ... | semmle.label | * ... |
 | funcsLocal.c:53:9:53:11 | * ... | semmle.label | * ... |
-| funcsLocal.c:53:9:53:11 | * ... | semmle.label | * ... |
 | funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 |
 | funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 |
 #select

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected

@@ -1,18 +1,15 @@
 edges
 | globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
 | globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
-| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
 | globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
 | globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
 | globalVars.c:8:7:8:10 | copy | globalVars.c:35:11:35:14 | copy |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
-| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
-| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
 | globalVars.c:11:22:11:25 | argv | globalVars.c:8:7:8:10 | copy |
 | globalVars.c:15:21:15:23 | val | globalVars.c:9:7:9:11 | copy2 |
 | globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
@@ -28,18 +25,15 @@ nodes
 | globalVars.c:24:11:24:14 | argv | semmle.label | argv |
 | globalVars.c:27:9:27:12 | copy | semmle.label | copy |
 | globalVars.c:27:9:27:12 | copy | semmle.label | copy |
-| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
 | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
 | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
 | globalVars.c:35:11:35:14 | copy | semmle.label | copy |
 | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
-| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
 | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
-| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
 #select
 | globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
 | globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:24:11:24:14 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected

@@ -1,7 +1,6 @@
 edges
 | globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
 | globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
-| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
 | globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
 | globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
 | globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
@@ -9,14 +8,12 @@ edges
 | globalVars.c:8:7:8:10 | copy | globalVars.c:35:11:35:14 | copy |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
-| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:44:15:44:19 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
-| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
 | globalVars.c:11:22:11:25 | argv | globalVars.c:8:7:8:10 | copy |
 | globalVars.c:11:22:11:25 | argv | globalVars.c:12:2:12:15 | ... = ... |
 | globalVars.c:12:2:12:15 | ... = ... | globalVars.c:8:7:8:10 | copy |
@@ -37,8 +34,6 @@ edges
 | globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
-| globalVars.c:41:15:41:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
-| globalVars.c:44:15:44:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
 | globalVars.c:44:15:44:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
 | globalVars.c:44:15:44:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
 subpaths
@@ -53,7 +48,6 @@ nodes
 | globalVars.c:24:11:24:14 | argv | semmle.label | argv |
 | globalVars.c:27:9:27:12 | copy | semmle.label | copy |
 | globalVars.c:27:9:27:12 | copy | semmle.label | copy |
-| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
 | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
 | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
 | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
@@ -61,14 +55,12 @@ nodes
 | globalVars.c:35:11:35:14 | copy | semmle.label | copy |
 | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
-| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
 | globalVars.c:44:15:44:19 | copy2 | semmle.label | copy2 |
 | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
 | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
-| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
 #select
 | globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
 | globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:24:11:24:14 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected

@@ -3,10 +3,6 @@ edges
 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
-| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
-| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
-| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
-| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
@@ -15,10 +11,6 @@ edges
 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
-| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
-| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
-| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
-| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
@@ -27,10 +19,6 @@ edges
 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
-| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
-| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
-| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
-| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
@@ -39,10 +27,6 @@ edges
 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
-| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
-| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
-| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
-| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
@@ -51,16 +35,10 @@ edges
 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
-| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
-| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
-| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
-| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
-| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
-| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
@@ -71,57 +49,46 @@ nodes
 | ifs.c:61:8:61:11 | argv | semmle.label | argv |
 | ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
 | ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
-| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
 | ifs.c:68:8:68:11 | argv | semmle.label | argv |
 | ifs.c:68:8:68:11 | argv | semmle.label | argv |
 | ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
 | ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
-| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
 | ifs.c:74:8:74:11 | argv | semmle.label | argv |
 | ifs.c:74:8:74:11 | argv | semmle.label | argv |
 | ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
 | ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
-| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
 | ifs.c:80:8:80:11 | argv | semmle.label | argv |
 | ifs.c:80:8:80:11 | argv | semmle.label | argv |
 | ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
 | ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
-| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
 | ifs.c:86:8:86:11 | argv | semmle.label | argv |
 | ifs.c:86:8:86:11 | argv | semmle.label | argv |
 | ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
 | ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
-| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
 | ifs.c:92:8:92:11 | argv | semmle.label | argv |
 | ifs.c:92:8:92:11 | argv | semmle.label | argv |
 | ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
 | ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
-| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
 | ifs.c:98:8:98:11 | argv | semmle.label | argv |
 | ifs.c:98:8:98:11 | argv | semmle.label | argv |
 | ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
 | ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
-| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
 | ifs.c:105:8:105:11 | argv | semmle.label | argv |
 | ifs.c:105:8:105:11 | argv | semmle.label | argv |
 | ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
 | ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
-| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
 | ifs.c:111:8:111:11 | argv | semmle.label | argv |
 | ifs.c:111:8:111:11 | argv | semmle.label | argv |
 | ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
 | ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
-| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
 | ifs.c:117:8:117:11 | argv | semmle.label | argv |
 | ifs.c:117:8:117:11 | argv | semmle.label | argv |
 | ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
 | ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
-| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
 | ifs.c:123:8:123:11 | argv | semmle.label | argv |
 | ifs.c:123:8:123:11 | argv | semmle.label | argv |
 | ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
 | ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
-| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
 #select
 | ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:61:8:61:11 | argv | argv |
 | ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:68:8:68:11 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected

@@ -5,18 +5,6 @@ edges
 | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
 | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
 | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
-| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
-| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
-| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
-| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
-| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
-| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
-| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
-| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
-| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
-| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
-| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
-| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
 | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
 | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
 | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
@@ -30,12 +18,6 @@ nodes
 | examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
 | examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
 | examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
-| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
-| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
-| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
-| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
-| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
-| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
 | examples.cpp:25:31:25:34 | data | semmle.label | data |
 | examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
 | examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
@@ -43,12 +25,6 @@ nodes
 | examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
 | examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
 | examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
-| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
-| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
-| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
-| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
-| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
-| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
 | examples.cpp:38:9:38:12 | data | semmle.label | data |
 subpaths
 #select
@@ -58,18 +34,6 @@ subpaths
 | examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
 | examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
 | examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
 | examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
 | examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
 | examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected

@@ -9,7 +9,6 @@ edges
 | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r |
 | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r |
 | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r |
-| test.c:155:22:155:25 | call to rand | test.c:157:9:157:9 | r |
 | test.c:155:22:155:27 | call to rand | test.c:157:9:157:9 | r |
 | test.cpp:6:5:6:12 | get_rand indirection | test.cpp:24:11:24:18 | call to get_rand |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:6:5:6:12 | get_rand indirection |
@@ -25,7 +24,6 @@ edges
 | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y |
 | test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b |
 | test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | y |
-| test.cpp:169:11:169:14 | call to rand | test.cpp:171:16:171:16 | y |
 | test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x |
 | test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x |
 | test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x |
@@ -52,7 +50,6 @@ nodes
 | test.c:133:5:133:5 | r | semmle.label | r |
 | test.c:137:13:137:16 | call to rand | semmle.label | call to rand |
 | test.c:139:10:139:10 | r | semmle.label | r |
-| test.c:155:22:155:25 | call to rand | semmle.label | call to rand |
 | test.c:155:22:155:27 | call to rand | semmle.label | call to rand |
 | test.c:157:9:157:9 | r | semmle.label | r |
 | test.cpp:6:5:6:12 | get_rand indirection | semmle.label | get_rand indirection |
@@ -77,7 +74,6 @@ nodes
 | test.cpp:154:10:154:10 | b | semmle.label | b |
 | test.cpp:169:11:169:14 | call to rand | semmle.label | call to rand |
 | test.cpp:171:11:171:16 | y | semmle.label | y |
-| test.cpp:171:16:171:16 | y | semmle.label | y |
 | test.cpp:189:10:189:13 | call to rand | semmle.label | call to rand |
 | test.cpp:190:10:190:13 | call to rand | semmle.label | call to rand |
 | test.cpp:196:7:196:7 | x | semmle.label | x |
@@ -100,7 +96,6 @@ subpaths
 | test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:125:13:125:16 | call to rand | uncontrolled value |
 | test.c:133:5:133:5 | r | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:131:13:131:16 | call to rand | uncontrolled value |
 | test.c:139:10:139:10 | r | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:137:13:137:16 | call to rand | uncontrolled value |
-| test.c:157:9:157:9 | r | test.c:155:22:155:25 | call to rand | test.c:157:9:157:9 | r | This arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value |
 | test.c:157:9:157:9 | r | test.c:155:22:155:27 | call to rand | test.c:157:9:157:9 | r | This arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value |
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value |
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value |
@@ -110,7 +105,6 @@ subpaths
 | test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value |
 | test.cpp:154:10:154:10 | b | test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:151:10:151:13 | call to rand | uncontrolled value |
 | test.cpp:171:11:171:16 | y | test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value |
-| test.cpp:171:16:171:16 | y | test.cpp:169:11:169:14 | call to rand | test.cpp:171:16:171:16 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value |
 | test.cpp:196:7:196:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
 | test.cpp:198:7:198:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
 | test.cpp:199:7:199:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected

@@ -3,7 +3,7 @@ edges
 | test.cpp:39:27:39:30 | argv indirection | test.cpp:44:38:44:63 | ... * ... |
 | test.cpp:39:27:39:30 | argv indirection | test.cpp:46:38:46:63 | ... + ... |
 | test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size |
-| test.cpp:39:27:39:30 | argv indirection | test.cpp:50:26:50:29 | size |
+| test.cpp:39:27:39:30 | argv indirection | test.cpp:50:17:50:30 | size |
 | test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... |
 | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... |
 | test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:128:24:128:41 | ... * ... |
@@ -40,7 +40,7 @@ nodes
 | test.cpp:44:38:44:63 | ... * ... | semmle.label | ... * ... |
 | test.cpp:46:38:46:63 | ... + ... | semmle.label | ... + ... |
 | test.cpp:49:32:49:35 | size | semmle.label | size |
-| test.cpp:50:26:50:29 | size | semmle.label | size |
+| test.cpp:50:17:50:30 | size | semmle.label | size |
 | test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... |
 | test.cpp:124:18:124:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:124:18:124:31 | call to getenv indirection | semmle.label | call to getenv indirection |
@@ -82,7 +82,7 @@ subpaths
 | test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
-| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | argv indirection | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
+| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | argv indirection | test.cpp:50:17:50:30 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:23 | call to getenv | user input (an environment variable) |
 | test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:31 | call to getenv indirection | user input (an environment variable) |

cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.expected

@@ -45,21 +45,21 @@ edges
 | test.cpp:53:5:53:23 | ... = ... | test.cpp:51:33:51:35 | end |
 | test.cpp:53:12:53:23 | ... + ... | test.cpp:53:5:53:23 | ... = ... |
 | test.cpp:60:34:60:37 | mk_array output argument | test.cpp:67:9:67:14 | ... = ... |
-| test.cpp:194:23:194:28 | call to malloc | test.cpp:195:17:195:23 | ... + ... |
-| test.cpp:194:23:194:28 | call to malloc | test.cpp:195:17:195:23 | ... + ... |
-| test.cpp:194:23:194:28 | call to malloc | test.cpp:201:5:201:19 | ... = ... |
+| test.cpp:194:15:194:33 | call to malloc | test.cpp:195:17:195:23 | ... + ... |
+| test.cpp:194:15:194:33 | call to malloc | test.cpp:195:17:195:23 | ... + ... |
+| test.cpp:194:15:194:33 | call to malloc | test.cpp:201:5:201:19 | ... = ... |
 | test.cpp:195:17:195:23 | ... + ... | test.cpp:195:17:195:23 | ... + ... |
 | test.cpp:195:17:195:23 | ... + ... | test.cpp:201:5:201:19 | ... = ... |
 | test.cpp:195:17:195:23 | ... + ... | test.cpp:201:5:201:19 | ... = ... |
-| test.cpp:205:23:205:28 | call to malloc | test.cpp:206:17:206:23 | ... + ... |
-| test.cpp:205:23:205:28 | call to malloc | test.cpp:206:17:206:23 | ... + ... |
-| test.cpp:205:23:205:28 | call to malloc | test.cpp:213:5:213:13 | ... = ... |
+| test.cpp:205:15:205:33 | call to malloc | test.cpp:206:17:206:23 | ... + ... |
+| test.cpp:205:15:205:33 | call to malloc | test.cpp:206:17:206:23 | ... + ... |
+| test.cpp:205:15:205:33 | call to malloc | test.cpp:213:5:213:13 | ... = ... |
 | test.cpp:206:17:206:23 | ... + ... | test.cpp:206:17:206:23 | ... + ... |
 | test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... |
 | test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... |
 | test.cpp:231:18:231:30 | new[] | test.cpp:232:3:232:20 | ... = ... |
 | test.cpp:238:20:238:32 | new[] | test.cpp:239:5:239:22 | ... = ... |
-| test.cpp:248:24:248:30 | call to realloc | test.cpp:254:9:254:16 | ... = ... |
+| test.cpp:248:13:248:36 | call to realloc | test.cpp:254:9:254:16 | ... = ... |
 | test.cpp:260:13:260:24 | new[] | test.cpp:261:14:261:21 | ... + ... |
 | test.cpp:260:13:260:24 | new[] | test.cpp:261:14:261:21 | ... + ... |
 | test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | * ... |
@@ -81,28 +81,28 @@ edges
 | test.cpp:355:14:355:27 | new[] | test.cpp:356:15:356:23 | ... + ... |
 | test.cpp:355:14:355:27 | new[] | test.cpp:357:24:357:30 | ... + ... |
 | test.cpp:355:14:355:27 | new[] | test.cpp:357:24:357:30 | ... + ... |
-| test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | * ... |
-| test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | * ... |
+| test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | end_plus_one indirection |
+| test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | ... + ... indirection |
 | test.cpp:356:15:356:23 | ... + ... | test.cpp:356:15:356:23 | ... + ... |
-| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... |
-| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... |
-| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... |
-| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | end_plus_one indirection |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | end_plus_one indirection |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | ... + ... indirection |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | ... + ... indirection |
 | test.cpp:357:24:357:30 | ... + ... | test.cpp:357:24:357:30 | ... + ... |
-| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | * ... |
-| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | * ... |
-| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | * ... |
-| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | end_plus_one indirection |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | end_plus_one indirection |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | ... + ... indirection |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | ... + ... indirection |
 | test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:23 | ... + ... |
 | test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:23 | ... + ... |
 | test.cpp:377:14:377:27 | new[] | test.cpp:381:5:381:9 | ... ++ |
 | test.cpp:377:14:377:27 | new[] | test.cpp:381:5:381:9 | ... ++ |
-| test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | * ... |
+| test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | end indirection |
 | test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... |
-| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... |
-| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | end indirection |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | end indirection |
 | test.cpp:381:5:381:9 | ... ++ | test.cpp:381:5:381:9 | ... ++ |
-| test.cpp:381:5:381:9 | ... ++ | test.cpp:384:13:384:16 | * ... |
+| test.cpp:381:5:381:9 | ... ++ | test.cpp:384:13:384:16 | end indirection |
 | test.cpp:410:14:410:27 | new[] | test.cpp:411:15:411:23 | & ... |
 | test.cpp:410:14:410:27 | new[] | test.cpp:411:15:411:23 | & ... |
 | test.cpp:410:14:410:27 | new[] | test.cpp:413:5:413:8 | ... ++ |
@@ -164,7 +164,7 @@ edges
 | test.cpp:695:13:695:26 | new[] | test.cpp:698:5:698:10 | ... += ... |
 | test.cpp:695:13:695:26 | new[] | test.cpp:698:5:698:10 | ... += ... |
 | test.cpp:698:5:698:10 | ... += ... | test.cpp:698:5:698:10 | ... += ... |
-| test.cpp:698:5:698:10 | ... += ... | test.cpp:701:15:701:16 | * ... |
+| test.cpp:698:5:698:10 | ... += ... | test.cpp:701:15:701:16 | p indirection |
 | test.cpp:705:18:705:18 | q | test.cpp:705:18:705:18 | q |
 | test.cpp:705:18:705:18 | q | test.cpp:706:12:706:13 | * ... |
 | test.cpp:705:18:705:18 | q | test.cpp:706:12:706:13 | * ... |
@@ -220,11 +220,11 @@ nodes
 | test.cpp:53:12:53:23 | ... + ... | semmle.label | ... + ... |
 | test.cpp:60:34:60:37 | mk_array output argument | semmle.label | mk_array output argument |
 | test.cpp:67:9:67:14 | ... = ... | semmle.label | ... = ... |
-| test.cpp:194:23:194:28 | call to malloc | semmle.label | call to malloc |
+| test.cpp:194:15:194:33 | call to malloc | semmle.label | call to malloc |
 | test.cpp:195:17:195:23 | ... + ... | semmle.label | ... + ... |
 | test.cpp:195:17:195:23 | ... + ... | semmle.label | ... + ... |
 | test.cpp:201:5:201:19 | ... = ... | semmle.label | ... = ... |
-| test.cpp:205:23:205:28 | call to malloc | semmle.label | call to malloc |
+| test.cpp:205:15:205:33 | call to malloc | semmle.label | call to malloc |
 | test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... |
 | test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... |
 | test.cpp:213:5:213:13 | ... = ... | semmle.label | ... = ... |
@@ -232,7 +232,7 @@ nodes
 | test.cpp:232:3:232:20 | ... = ... | semmle.label | ... = ... |
 | test.cpp:238:20:238:32 | new[] | semmle.label | new[] |
 | test.cpp:239:5:239:22 | ... = ... | semmle.label | ... = ... |
-| test.cpp:248:24:248:30 | call to realloc | semmle.label | call to realloc |
+| test.cpp:248:13:248:36 | call to realloc | semmle.label | call to realloc |
 | test.cpp:254:9:254:16 | ... = ... | semmle.label | ... = ... |
 | test.cpp:260:13:260:24 | new[] | semmle.label | new[] |
 | test.cpp:261:14:261:21 | ... + ... | semmle.label | ... + ... |
@@ -248,14 +248,14 @@ nodes
 | test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... |
 | test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
 | test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
-| test.cpp:358:14:358:26 | * ... | semmle.label | * ... |
-| test.cpp:359:14:359:32 | * ... | semmle.label | * ... |
+| test.cpp:358:14:358:26 | end_plus_one indirection | semmle.label | end_plus_one indirection |
+| test.cpp:359:14:359:32 | ... + ... indirection | semmle.label | ... + ... indirection |
 | test.cpp:377:14:377:27 | new[] | semmle.label | new[] |
 | test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
 | test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
 | test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
 | test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
-| test.cpp:384:13:384:16 | * ... | semmle.label | * ... |
+| test.cpp:384:13:384:16 | end indirection | semmle.label | end indirection |
 | test.cpp:410:14:410:27 | new[] | semmle.label | new[] |
 | test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
 | test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
@@ -295,7 +295,7 @@ nodes
 | test.cpp:695:13:695:26 | new[] | semmle.label | new[] |
 | test.cpp:698:5:698:10 | ... += ... | semmle.label | ... += ... |
 | test.cpp:698:5:698:10 | ... += ... | semmle.label | ... += ... |
-| test.cpp:701:15:701:16 | * ... | semmle.label | * ... |
+| test.cpp:701:15:701:16 | p indirection | semmle.label | p indirection |
 | test.cpp:705:18:705:18 | q | semmle.label | q |
 | test.cpp:705:18:705:18 | q | semmle.label | q |
 | test.cpp:706:12:706:13 | * ... | semmle.label | * ... |
@@ -333,16 +333,16 @@ subpaths
 | test.cpp:42:14:42:15 | * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:42:14:42:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
 | test.cpp:44:14:44:21 | * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
 | test.cpp:67:9:67:14 | ... = ... | test.cpp:52:19:52:24 | call to malloc | test.cpp:67:9:67:14 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:52:19:52:24 | call to malloc | call to malloc | test.cpp:53:20:53:23 | size | size |
-| test.cpp:201:5:201:19 | ... = ... | test.cpp:194:23:194:28 | call to malloc | test.cpp:201:5:201:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:194:23:194:28 | call to malloc | call to malloc | test.cpp:195:21:195:23 | len | len |
-| test.cpp:213:5:213:13 | ... = ... | test.cpp:205:23:205:28 | call to malloc | test.cpp:213:5:213:13 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:205:23:205:28 | call to malloc | call to malloc | test.cpp:206:21:206:23 | len | len |
+| test.cpp:201:5:201:19 | ... = ... | test.cpp:194:15:194:33 | call to malloc | test.cpp:201:5:201:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:194:15:194:33 | call to malloc | call to malloc | test.cpp:195:21:195:23 | len | len |
+| test.cpp:213:5:213:13 | ... = ... | test.cpp:205:15:205:33 | call to malloc | test.cpp:213:5:213:13 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:205:15:205:33 | call to malloc | call to malloc | test.cpp:206:21:206:23 | len | len |
 | test.cpp:232:3:232:20 | ... = ... | test.cpp:231:18:231:30 | new[] | test.cpp:232:3:232:20 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:231:18:231:30 | new[] | new[] | test.cpp:232:11:232:15 | index | index |
 | test.cpp:239:5:239:22 | ... = ... | test.cpp:238:20:238:32 | new[] | test.cpp:239:5:239:22 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:238:20:238:32 | new[] | new[] | test.cpp:239:13:239:17 | index | index |
-| test.cpp:254:9:254:16 | ... = ... | test.cpp:248:24:248:30 | call to realloc | test.cpp:254:9:254:16 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:248:24:248:30 | call to realloc | call to realloc | test.cpp:254:11:254:11 | i | i |
+| test.cpp:254:9:254:16 | ... = ... | test.cpp:248:13:248:36 | call to realloc | test.cpp:254:9:254:16 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:248:13:248:36 | call to realloc | call to realloc | test.cpp:254:11:254:11 | i | i |
 | test.cpp:264:13:264:14 | * ... | test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:260:13:260:24 | new[] | new[] | test.cpp:261:19:261:21 | len | len |
 | test.cpp:274:5:274:10 | ... = ... | test.cpp:270:13:270:24 | new[] | test.cpp:274:5:274:10 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:270:13:270:24 | new[] | new[] | test.cpp:271:19:271:21 | len | len |
-| test.cpp:358:14:358:26 | * ... | test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
-| test.cpp:359:14:359:32 | * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
-| test.cpp:384:13:384:16 | * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |
+| test.cpp:358:14:358:26 | end_plus_one indirection | test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | end_plus_one indirection | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
+| test.cpp:359:14:359:32 | ... + ... indirection | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | ... + ... indirection | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
+| test.cpp:384:13:384:16 | end indirection | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | end indirection | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |
 | test.cpp:415:7:415:15 | ... = ... | test.cpp:410:14:410:27 | new[] | test.cpp:415:7:415:15 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:410:14:410:27 | new[] | new[] | test.cpp:411:19:411:22 | size | size |
 | test.cpp:426:7:426:15 | ... = ... | test.cpp:421:14:421:27 | new[] | test.cpp:426:7:426:15 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:421:14:421:27 | new[] | new[] | test.cpp:422:19:422:22 | size | size |
 | test.cpp:438:7:438:15 | ... = ... | test.cpp:432:14:432:27 | new[] | test.cpp:438:7:438:15 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:432:14:432:27 | new[] | new[] | test.cpp:433:19:433:22 | size | size |
@@ -351,7 +351,7 @@ subpaths
 | test.cpp:548:5:548:19 | ... = ... | test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:543:14:543:27 | new[] | new[] | test.cpp:548:8:548:14 | src_pos | src_pos |
 | test.cpp:559:5:559:19 | ... = ... | test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:554:14:554:27 | new[] | new[] | test.cpp:559:8:559:14 | src_pos | src_pos |
 | test.cpp:647:5:647:19 | ... = ... | test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:642:14:642:31 | new[] | new[] | test.cpp:647:8:647:14 | src_pos | src_pos |
-| test.cpp:701:15:701:16 | * ... | test.cpp:695:13:695:26 | new[] | test.cpp:701:15:701:16 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:695:13:695:26 | new[] | new[] | test.cpp:696:19:696:22 | size | size |
+| test.cpp:701:15:701:16 | p indirection | test.cpp:695:13:695:26 | new[] | test.cpp:701:15:701:16 | p indirection | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:695:13:695:26 | new[] | new[] | test.cpp:696:19:696:22 | size | size |
 | test.cpp:706:12:706:13 | * ... | test.cpp:711:13:711:26 | new[] | test.cpp:706:12:706:13 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:711:13:711:26 | new[] | new[] | test.cpp:712:19:712:22 | size | size |
 | test.cpp:733:5:733:12 | ... = ... | test.cpp:730:12:730:28 | new[] | test.cpp:733:5:733:12 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:730:12:730:28 | new[] | new[] | test.cpp:732:21:732:25 | ... + ... | ... + ... |
 | test.cpp:767:16:767:29 | access to array | test.cpp:754:18:754:31 | new[] | test.cpp:767:16:767:29 | access to array | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:754:18:754:31 | new[] | new[] | test.cpp:767:22:767:28 | ... + ... | ... + ... |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected

@@ -2,20 +2,8 @@ edges
 | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 |
 | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | buf indirection |
 | test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | buf indirection |
-| test2.cpp:72:17:72:24 | password | test2.cpp:73:30:73:32 | buf indirection |
-| test2.cpp:72:17:72:24 | password | test2.cpp:76:30:76:32 | buf indirection |
 | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | buffer indirection |
-| test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword |
-| test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword |
-| test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword |
 | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword |
-| test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword |
-| test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword |
-| test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword |
-| test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword |
-| test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword |
-| test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword |
-| test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword |
 | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword |
 nodes
 | test2.cpp:43:36:43:43 | password | semmle.label | password |
@@ -28,22 +16,14 @@ nodes
 | test2.cpp:62:18:62:25 | password | semmle.label | password |
 | test2.cpp:65:31:65:34 | cpy1 | semmle.label | cpy1 |
 | test2.cpp:72:15:72:24 | password | semmle.label | password |
-| test2.cpp:72:17:72:24 | password | semmle.label | password |
 | test2.cpp:73:30:73:32 | buf indirection | semmle.label | buf indirection |
 | test2.cpp:76:30:76:32 | buf indirection | semmle.label | buf indirection |
 | test2.cpp:98:45:98:52 | password | semmle.label | password |
 | test2.cpp:99:27:99:32 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:45:9:45:19 | thePassword | semmle.label | thePassword |
-| test.cpp:45:9:45:19 | thePassword | semmle.label | thePassword |
-| test.cpp:45:9:45:19 | thePassword | semmle.label | thePassword |
-| test.cpp:70:38:70:48 | thePassword | semmle.label | thePassword |
-| test.cpp:70:38:70:48 | thePassword | semmle.label | thePassword |
 | test.cpp:70:38:70:48 | thePassword | semmle.label | thePassword |
 | test.cpp:70:38:70:48 | thePassword | semmle.label | thePassword |
 | test.cpp:73:43:73:53 | thePassword | semmle.label | thePassword |
-| test.cpp:73:43:73:53 | thePassword | semmle.label | thePassword |
-| test.cpp:73:43:73:53 | thePassword | semmle.label | thePassword |
-| test.cpp:73:63:73:73 | thePassword | semmle.label | thePassword |
 | test.cpp:73:63:73:73 | thePassword | semmle.label | thePassword |
 subpaths
 #select
@@ -56,22 +36,10 @@ subpaths
 | test2.cpp:57:2:57:8 | call to fprintf | test2.cpp:57:39:57:49 | call to getPassword | test2.cpp:57:39:57:49 | call to getPassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:57:39:57:49 | call to getPassword | this source. |
 | test2.cpp:65:3:65:9 | call to fprintf | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:62:18:62:25 | password | this source. |
 | test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | buf indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
-| test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:17:72:24 | password | test2.cpp:73:30:73:32 | buf indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
 | test2.cpp:76:3:76:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | buf indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
-| test2.cpp:76:3:76:9 | call to fprintf | test2.cpp:72:17:72:24 | password | test2.cpp:76:30:76:32 | buf indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
 | test2.cpp:99:3:99:9 | call to fprintf | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | buffer indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:98:45:98:52 | password | this source. |
 | test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. |
-| test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. |
-| test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. |
-| test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. |
-| test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. |
 | test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. |
 | test.cpp:73:37:73:41 | call to write | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. |
-| test.cpp:73:37:73:41 | call to write | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. |
-| test.cpp:73:37:73:41 | call to write | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. |
-| test.cpp:73:37:73:41 | call to write | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. |
-| test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. |
-| test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. |
 | test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. |
 | test.cpp:73:37:73:41 | call to write | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:63:73:73 | thePassword | this source. |
-| test.cpp:73:37:73:41 | call to write | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:63:73:73 | thePassword | this source. |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected

@@ -25,7 +25,6 @@ edges
 | test3.cpp:322:16:322:24 | password2 | test3.cpp:325:11:325:14 | data |
 | test3.cpp:324:11:324:14 | data | test3.cpp:293:20:293:23 | data |
 | test3.cpp:325:11:325:14 | data | test3.cpp:298:20:298:23 | data |
-| test3.cpp:400:16:400:23 | password | test3.cpp:400:15:400:23 | & ... |
 | test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | buffer indirection |
 | test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | buffer indirection |
 | test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | buffer indirection |
@@ -90,7 +89,6 @@ nodes
 | test3.cpp:368:15:368:22 | password | semmle.label | password |
 | test3.cpp:388:15:388:22 | password | semmle.label | password |
 | test3.cpp:400:15:400:23 | & ... | semmle.label | & ... |
-| test3.cpp:400:16:400:23 | password | semmle.label | password |
 | test3.cpp:414:15:414:24 | password | semmle.label | password |
 | test3.cpp:420:15:420:24 | password | semmle.label | password |
 | test3.cpp:431:8:431:15 | password | semmle.label | password |

cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected

@@ -2,57 +2,36 @@ edges
 | test.cpp:11:26:11:28 | url indirection | test.cpp:15:30:15:32 | url indirection |
 | test.cpp:24:13:24:17 | url_g indirection | test.cpp:38:11:38:15 | url_g indirection |
 | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:24:13:24:17 | url_g indirection |
-| test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:24:13:24:17 | url_g indirection |
 | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:11:26:11:28 | url indirection |
-| test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:28:10:28:29 | http://example.com indirection |
 | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:39:11:39:15 | url_l indirection |
-| test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:39:11:39:15 | url_l indirection |
-| test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:40:11:40:17 | access to array indirection |
 | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:40:11:40:17 | access to array indirection |
 | test.cpp:38:11:38:15 | url_g indirection | test.cpp:11:26:11:28 | url indirection |
 | test.cpp:39:11:39:15 | url_l indirection | test.cpp:11:26:11:28 | url indirection |
 | test.cpp:40:11:40:17 | access to array indirection | test.cpp:11:26:11:28 | url indirection |
 | test.cpp:46:18:46:26 | http:// indirection | test.cpp:49:11:49:16 | buffer indirection |
-| test.cpp:46:18:46:26 | http:// indirection | test.cpp:49:11:49:16 | buffer indirection |
 | test.cpp:49:11:49:16 | buffer indirection | test.cpp:11:26:11:28 | url indirection |
 | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr indirection |
-| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr indirection |
-| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr indirection |
 | test.cpp:121:11:121:13 | ptr indirection | test.cpp:11:26:11:28 | url indirection |
 nodes
 | test.cpp:11:26:11:28 | url indirection | semmle.label | url indirection |
 | test.cpp:15:30:15:32 | url indirection | semmle.label | url indirection |
 | test.cpp:24:13:24:17 | url_g indirection | semmle.label | url_g indirection |
 | test.cpp:24:21:24:40 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:24:21:24:40 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:28:10:28:29 | http://example.com indirection | semmle.label | http://example.com indirection |
 | test.cpp:28:10:28:29 | http://example.com indirection | semmle.label | http://example.com indirection |
 | test.cpp:35:23:35:42 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:35:23:35:42 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:36:26:36:45 | http://example.com indirection | semmle.label | http://example.com indirection |
 | test.cpp:36:26:36:45 | http://example.com indirection | semmle.label | http://example.com indirection |
 | test.cpp:38:11:38:15 | url_g indirection | semmle.label | url_g indirection |
 | test.cpp:39:11:39:15 | url_l indirection | semmle.label | url_l indirection |
 | test.cpp:40:11:40:17 | access to array indirection | semmle.label | access to array indirection |
 | test.cpp:46:18:46:26 | http:// indirection | semmle.label | http:// indirection |
-| test.cpp:46:18:46:26 | http:// indirection | semmle.label | http:// indirection |
 | test.cpp:49:11:49:16 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection |
 | test.cpp:121:11:121:13 | ptr indirection | semmle.label | ptr indirection |
 subpaths
 #select
 | test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |

cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree.expected

@@ -1,60 +1,35 @@
 edges
 | test.cpp:39:7:39:10 | data | test.cpp:41:6:41:9 | data |
-| test.cpp:39:7:39:10 | data | test.cpp:41:6:41:9 | data |
-| test.cpp:75:7:75:10 | data | test.cpp:79:7:79:10 | data |
 | test.cpp:75:7:75:10 | data | test.cpp:79:7:79:10 | data |
 | test.cpp:106:7:106:10 | data | test.cpp:108:6:108:9 | data |
-| test.cpp:106:7:106:10 | data | test.cpp:108:6:108:9 | data |
-| test.cpp:116:7:116:10 | data | test.cpp:119:6:119:9 | data |
 | test.cpp:116:7:116:10 | data | test.cpp:119:6:119:9 | data |
 | test.cpp:127:7:127:10 | data | test.cpp:130:6:130:9 | data |
-| test.cpp:127:7:127:10 | data | test.cpp:130:6:130:9 | data |
-| test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data |
-| test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data |
 | test.cpp:164:9:164:9 | c | test.cpp:165:2:165:2 | c |
 | test.cpp:164:9:164:9 | c | test.cpp:166:3:166:4 | * ... |
-| test.cpp:164:9:164:9 | c | test.cpp:166:4:166:4 | c |
-| test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data |
 | test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data |
 | test.cpp:192:7:192:10 | data | test.cpp:197:6:197:9 | data |
-| test.cpp:192:7:192:10 | data | test.cpp:197:6:197:9 | data |
 | test.cpp:203:7:203:10 | data | test.cpp:209:6:209:9 | data |
-| test.cpp:203:7:203:10 | data | test.cpp:209:6:209:9 | data |
-| test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data |
 | test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data |
 | test.cpp:216:9:216:9 | x | test.cpp:217:6:217:6 | x |
 nodes
 | test.cpp:39:7:39:10 | data | semmle.label | data |
-| test.cpp:39:7:39:10 | data | semmle.label | data |
 | test.cpp:41:6:41:9 | data | semmle.label | data |
 | test.cpp:75:7:75:10 | data | semmle.label | data |
-| test.cpp:75:7:75:10 | data | semmle.label | data |
 | test.cpp:79:7:79:10 | data | semmle.label | data |
 | test.cpp:106:7:106:10 | data | semmle.label | data |
-| test.cpp:106:7:106:10 | data | semmle.label | data |
 | test.cpp:108:6:108:9 | data | semmle.label | data |
 | test.cpp:116:7:116:10 | data | semmle.label | data |
-| test.cpp:116:7:116:10 | data | semmle.label | data |
 | test.cpp:119:6:119:9 | data | semmle.label | data |
 | test.cpp:127:7:127:10 | data | semmle.label | data |
-| test.cpp:127:7:127:10 | data | semmle.label | data |
 | test.cpp:130:6:130:9 | data | semmle.label | data |
-| test.cpp:138:7:138:10 | data | semmle.label | data |
-| test.cpp:138:7:138:10 | data | semmle.label | data |
-| test.cpp:141:6:141:9 | data | semmle.label | data |
 | test.cpp:164:9:164:9 | c | semmle.label | c |
 | test.cpp:165:2:165:2 | c | semmle.label | c |
 | test.cpp:166:3:166:4 | * ... | semmle.label | * ... |
-| test.cpp:166:4:166:4 | c | semmle.label | c |
-| test.cpp:181:7:181:10 | data | semmle.label | data |
 | test.cpp:181:7:181:10 | data | semmle.label | data |
 | test.cpp:186:6:186:9 | data | semmle.label | data |
 | test.cpp:192:7:192:10 | data | semmle.label | data |
-| test.cpp:192:7:192:10 | data | semmle.label | data |
 | test.cpp:197:6:197:9 | data | semmle.label | data |
 | test.cpp:203:7:203:10 | data | semmle.label | data |
-| test.cpp:203:7:203:10 | data | semmle.label | data |
-| test.cpp:207:8:207:11 | data | semmle.label | data |
 | test.cpp:207:8:207:11 | data | semmle.label | data |
 | test.cpp:209:6:209:9 | data | semmle.label | data |
 | test.cpp:209:6:209:9 | data | semmle.label | data |
@@ -63,26 +38,14 @@ nodes
 subpaths
 #select
 | test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | data | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free |
-| test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | data | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free |
-| test.cpp:79:7:79:10 | data | test.cpp:75:7:75:10 | data | test.cpp:79:7:79:10 | data | Memory may have been previously freed by $@. | test.cpp:75:2:75:5 | call to free | call to free |
 | test.cpp:79:7:79:10 | data | test.cpp:75:7:75:10 | data | test.cpp:79:7:79:10 | data | Memory may have been previously freed by $@. | test.cpp:75:2:75:5 | call to free | call to free |
 | test.cpp:108:6:108:9 | data | test.cpp:106:7:106:10 | data | test.cpp:108:6:108:9 | data | Memory may have been previously freed by $@. | test.cpp:106:2:106:5 | call to free | call to free |
-| test.cpp:108:6:108:9 | data | test.cpp:106:7:106:10 | data | test.cpp:108:6:108:9 | data | Memory may have been previously freed by $@. | test.cpp:106:2:106:5 | call to free | call to free |
-| test.cpp:119:6:119:9 | data | test.cpp:116:7:116:10 | data | test.cpp:119:6:119:9 | data | Memory may have been previously freed by $@. | test.cpp:116:2:116:5 | call to free | call to free |
 | test.cpp:119:6:119:9 | data | test.cpp:116:7:116:10 | data | test.cpp:119:6:119:9 | data | Memory may have been previously freed by $@. | test.cpp:116:2:116:5 | call to free | call to free |
 | test.cpp:130:6:130:9 | data | test.cpp:127:7:127:10 | data | test.cpp:130:6:130:9 | data | Memory may have been previously freed by $@. | test.cpp:127:2:127:5 | call to free | call to free |
-| test.cpp:130:6:130:9 | data | test.cpp:127:7:127:10 | data | test.cpp:130:6:130:9 | data | Memory may have been previously freed by $@. | test.cpp:127:2:127:5 | call to free | call to free |
-| test.cpp:141:6:141:9 | data | test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data | Memory may have been previously freed by $@. | test.cpp:138:2:138:5 | call to free | call to free |
-| test.cpp:141:6:141:9 | data | test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data | Memory may have been previously freed by $@. | test.cpp:138:2:138:5 | call to free | call to free |
 | test.cpp:165:2:165:2 | c | test.cpp:164:9:164:9 | c | test.cpp:165:2:165:2 | c | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete |
 | test.cpp:166:3:166:4 | * ... | test.cpp:164:9:164:9 | c | test.cpp:166:3:166:4 | * ... | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete |
-| test.cpp:166:4:166:4 | c | test.cpp:164:9:164:9 | c | test.cpp:166:4:166:4 | c | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete |
-| test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. | test.cpp:181:2:181:5 | call to free | call to free |
 | test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. | test.cpp:181:2:181:5 | call to free | call to free |
 | test.cpp:197:6:197:9 | data | test.cpp:192:7:192:10 | data | test.cpp:197:6:197:9 | data | Memory may have been previously freed by $@. | test.cpp:192:2:192:5 | call to free | call to free |
-| test.cpp:197:6:197:9 | data | test.cpp:192:7:192:10 | data | test.cpp:197:6:197:9 | data | Memory may have been previously freed by $@. | test.cpp:192:2:192:5 | call to free | call to free |
 | test.cpp:209:6:209:9 | data | test.cpp:203:7:203:10 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:203:2:203:5 | call to free | call to free |
-| test.cpp:209:6:209:9 | data | test.cpp:203:7:203:10 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:203:2:203:5 | call to free | call to free |
-| test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free |
 | test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free |
 | test.cpp:217:6:217:6 | x | test.cpp:216:9:216:9 | x | test.cpp:217:6:217:6 | x | Memory may have been previously freed by $@. | test.cpp:216:2:216:9 | delete | delete |

cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/test.cpp

@@ -138,7 +138,7 @@ void test9()
 	free(data);
 	noReturnWrapper();
 	use_if_nonzero(data); // GOOD
-	use(data); // GOOD [FALSE POSITIVE]
+	use(data); // GOOD
 }
 
 void test10()

cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected

@@ -1,14 +1,8 @@
 edges
 | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection |
-| tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection |
-| tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection |
 nodes
 | tests.c:57:21:57:28 | password indirection | semmle.label | password indirection |
-| tests.c:57:21:57:28 | password indirection | semmle.label | password indirection |
-| tests.c:57:21:57:28 | password indirection | semmle.label | password indirection |
 | tests.c:70:70:70:77 | password indirection | semmle.label | password indirection |
 subpaths
 #select
 | tests.c:70:70:70:77 | password indirection | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password indirection | password indirection |
-| tests.c:70:70:70:77 | password indirection | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password indirection | password indirection |
-| tests.c:70:70:70:77 | password indirection | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password indirection | password indirection |

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected

@@ -1,10 +1,6 @@
 edges
 | tests2.cpp:50:13:50:19 | global1 indirection | tests2.cpp:82:14:82:20 | global1 indirection |
 | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | tests2.cpp:50:13:50:19 | global1 indirection |
-| tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:26 | call to getenv indirection |
-| tests2.cpp:64:13:64:18 | call to getenv indirection | tests2.cpp:64:13:64:26 | call to getenv indirection |
-| tests2.cpp:65:13:65:18 | call to getenv indirection | tests2.cpp:65:13:65:30 | call to getenv indirection |
-| tests2.cpp:66:13:66:18 | call to getenv indirection | tests2.cpp:66:13:66:34 | call to getenv indirection |
 | tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | tests2.cpp:81:14:81:19 | buffer indirection |
 | tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection |
 | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection |
@@ -13,34 +9,18 @@ edges
 | tests2.cpp:109:12:109:17 | call to getenv indirection | tests2.cpp:109:3:109:36 | ... = ... indirection |
 | tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] | tests2.cpp:111:14:111:19 | ptr indirection |
 | tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] | tests2.cpp:111:17:111:19 | ptr indirection |
-| tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] | tests2.cpp:111:17:111:19 | ptr indirection |
 | tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:111:14:111:19 | ptr indirection |
-| tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:111:17:111:19 | ptr indirection |
-| tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:111:17:111:19 | ptr indirection |
-| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection |
 | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection |
 | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection |
-| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection |
-| tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection |
-| tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection |
-| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection |
 | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection |
 nodes
 | tests2.cpp:50:13:50:19 | global1 indirection | semmle.label | global1 indirection |
 | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | semmle.label | call to mysql_get_client_info indirection |
-| tests2.cpp:63:13:63:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:63:13:63:18 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests2.cpp:63:13:63:26 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:64:13:64:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:64:13:64:18 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests2.cpp:64:13:64:26 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:65:13:65:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:65:13:65:18 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests2.cpp:65:13:65:30 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:66:13:66:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:66:13:66:18 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests2.cpp:66:13:66:34 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | semmle.label | call to mysql_get_client_info indirection |
 | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | semmle.label | call to mysql_get_client_info indirection |
@@ -56,44 +36,28 @@ nodes
 | tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] | semmle.label | c1 indirection [ptr indirection] |
 | tests2.cpp:111:14:111:19 | ptr indirection | semmle.label | ptr indirection |
 | tests2.cpp:111:17:111:19 | ptr indirection | semmle.label | ptr indirection |
-| tests2.cpp:111:17:111:19 | ptr indirection | semmle.label | ptr indirection |
 | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests_sockets.cpp:39:19:39:22 | path indirection | semmle.label | path indirection |
-| tests_sockets.cpp:39:19:39:22 | path indirection | semmle.label | path indirection |
-| tests_sockets.cpp:43:20:43:23 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:43:20:43:23 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests_sockets.cpp:76:19:76:22 | path indirection | semmle.label | path indirection |
-| tests_sockets.cpp:76:19:76:22 | path indirection | semmle.label | path indirection |
-| tests_sockets.cpp:80:20:80:23 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | semmle.label | path indirection |
 | tests_sysconf.cpp:36:21:36:27 | confstr output argument | semmle.label | confstr output argument |
 | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
-| tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
 subpaths
 #select
-| tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:18 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:63:13:63:26 | call to getenv indirection | tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:26 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:64:13:64:18 | call to getenv indirection | tests2.cpp:64:13:64:18 | call to getenv indirection | tests2.cpp:64:13:64:18 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:64:13:64:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:64:13:64:26 | call to getenv indirection | tests2.cpp:64:13:64:18 | call to getenv indirection | tests2.cpp:64:13:64:26 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:64:13:64:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:65:13:65:18 | call to getenv indirection | tests2.cpp:65:13:65:18 | call to getenv indirection | tests2.cpp:65:13:65:18 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:65:13:65:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:65:13:65:30 | call to getenv indirection | tests2.cpp:65:13:65:18 | call to getenv indirection | tests2.cpp:65:13:65:30 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:65:13:65:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:66:13:66:18 | call to getenv indirection | tests2.cpp:66:13:66:18 | call to getenv indirection | tests2.cpp:66:13:66:18 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:66:13:66:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:66:13:66:34 | call to getenv indirection | tests2.cpp:66:13:66:18 | call to getenv indirection | tests2.cpp:66:13:66:34 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:66:13:66:18 | call to getenv indirection | call to getenv indirection |
+| tests2.cpp:63:13:63:26 | call to getenv indirection | tests2.cpp:63:13:63:26 | call to getenv indirection | tests2.cpp:63:13:63:26 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:63:13:63:26 | call to getenv indirection | call to getenv indirection |
+| tests2.cpp:64:13:64:26 | call to getenv indirection | tests2.cpp:64:13:64:26 | call to getenv indirection | tests2.cpp:64:13:64:26 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:64:13:64:26 | call to getenv indirection | call to getenv indirection |
+| tests2.cpp:65:13:65:30 | call to getenv indirection | tests2.cpp:65:13:65:30 | call to getenv indirection | tests2.cpp:65:13:65:30 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:65:13:65:30 | call to getenv indirection | call to getenv indirection |
+| tests2.cpp:66:13:66:34 | call to getenv indirection | tests2.cpp:66:13:66:34 | call to getenv indirection | tests2.cpp:66:13:66:34 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:66:13:66:34 | call to getenv indirection | call to getenv indirection |
 | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
 | tests2.cpp:81:14:81:19 | buffer indirection | tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | tests2.cpp:81:14:81:19 | buffer indirection | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
 | tests2.cpp:82:14:82:20 | global1 indirection | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | tests2.cpp:82:14:82:20 | global1 indirection | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
 | tests2.cpp:93:14:93:17 | str1 indirection | tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | str1 indirection | str1 indirection |
 | tests2.cpp:102:14:102:15 | pw indirection | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | call to getpwuid indirection | call to getpwuid indirection |
 | tests2.cpp:111:14:111:19 | ptr indirection | tests2.cpp:109:12:109:17 | call to getenv indirection | tests2.cpp:111:14:111:19 | ptr indirection | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:109:12:109:17 | call to getenv indirection | tests2.cpp:111:17:111:19 | ptr indirection | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | call to getenv indirection | call to getenv indirection |
-| tests_sockets.cpp:39:19:39:22 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:39:19:39:22 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:43:20:43:23 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
-| tests_sockets.cpp:43:20:43:23 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
-| tests_sockets.cpp:76:19:76:22 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:76:19:76:22 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
-| tests_sockets.cpp:80:20:80:23 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
-| tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
 | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected

@@ -1,47 +1,23 @@
 edges
-| tests.cpp:48:15:48:20 | call to getenv indirection | tests.cpp:48:15:48:36 | call to getenv indirection |
-| tests.cpp:49:15:49:20 | call to getenv indirection | tests.cpp:49:15:49:36 | call to getenv indirection |
-| tests.cpp:50:15:50:20 | call to getenv indirection | tests.cpp:50:15:50:36 | call to getenv indirection |
-| tests.cpp:57:18:57:23 | call to getenv indirection | tests.cpp:57:18:57:39 | call to getenv indirection |
-| tests.cpp:58:41:58:46 | call to getenv indirection | tests.cpp:58:41:58:62 | call to getenv indirection |
-| tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:64 | call to getenv indirection |
 | tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:71:27:71:38 | global_token indirection |
 | tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:73:27:73:31 | maybe indirection |
 | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:62:7:62:18 | global_token indirection |
 | tests.cpp:86:29:86:31 | msg indirection | tests.cpp:88:15:88:17 | msg indirection |
-| tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection |
-| tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection |
 | tests.cpp:97:13:97:34 | call to getenv indirection | tests.cpp:86:29:86:31 | msg indirection |
 | tests.cpp:107:30:107:32 | msg indirection | tests.cpp:111:15:111:17 | tmp indirection |
 | tests.cpp:114:30:114:32 | msg indirection | tests.cpp:119:7:119:12 | buffer indirection |
 | tests.cpp:122:30:122:32 | msg indirection | tests.cpp:124:15:124:17 | msg indirection |
-| tests.cpp:131:14:131:19 | call to getenv indirection | tests.cpp:131:14:131:35 | call to getenv indirection |
 | tests.cpp:131:14:131:35 | call to getenv indirection | tests.cpp:107:30:107:32 | msg indirection |
-| tests.cpp:132:14:132:19 | call to getenv indirection | tests.cpp:132:14:132:35 | call to getenv indirection |
 | tests.cpp:132:14:132:35 | call to getenv indirection | tests.cpp:114:30:114:32 | msg indirection |
-| tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:35 | call to getenv indirection |
-| tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:35 | call to getenv indirection |
 | tests.cpp:133:14:133:35 | call to getenv indirection | tests.cpp:122:30:122:32 | msg indirection |
 | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection |
 | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection |
 nodes
-| tests.cpp:48:15:48:20 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:48:15:48:20 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:48:15:48:36 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:49:15:49:20 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:49:15:49:20 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:49:15:49:36 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:50:15:50:20 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:50:15:50:20 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:50:15:50:36 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:57:18:57:23 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:57:18:57:23 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:57:18:57:39 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:58:41:58:46 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:58:41:58:46 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:58:41:58:62 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:59:43:59:48 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:59:43:59:48 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:59:43:59:64 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:62:7:62:18 | global_token indirection | semmle.label | global_token indirection |
 | tests.cpp:62:22:62:27 | call to getenv indirection | semmle.label | call to getenv indirection |
@@ -49,8 +25,6 @@ nodes
 | tests.cpp:73:27:73:31 | maybe indirection | semmle.label | maybe indirection |
 | tests.cpp:86:29:86:31 | msg indirection | semmle.label | msg indirection |
 | tests.cpp:88:15:88:17 | msg indirection | semmle.label | msg indirection |
-| tests.cpp:97:13:97:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:97:13:97:18 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:97:13:97:34 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:97:13:97:34 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:107:30:107:32 | msg indirection | semmle.label | msg indirection |
@@ -59,12 +33,8 @@ nodes
 | tests.cpp:119:7:119:12 | buffer indirection | semmle.label | buffer indirection |
 | tests.cpp:122:30:122:32 | msg indirection | semmle.label | msg indirection |
 | tests.cpp:124:15:124:17 | msg indirection | semmle.label | msg indirection |
-| tests.cpp:131:14:131:19 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:131:14:131:35 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:132:14:132:19 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:132:14:132:35 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:133:14:133:19 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:133:14:133:19 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:133:14:133:35 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:133:14:133:35 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | semmle.label | call to getpwnam indirection |
@@ -72,27 +42,19 @@ nodes
 | tests_passwd.cpp:19:26:19:28 | pwd indirection | semmle.label | pwd indirection |
 subpaths
 #select
-| tests.cpp:48:15:48:20 | call to getenv indirection | tests.cpp:48:15:48:20 | call to getenv indirection | tests.cpp:48:15:48:20 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:20 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:48:15:48:36 | call to getenv indirection | tests.cpp:48:15:48:20 | call to getenv indirection | tests.cpp:48:15:48:36 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:20 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:49:15:49:20 | call to getenv indirection | tests.cpp:49:15:49:20 | call to getenv indirection | tests.cpp:49:15:49:20 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:20 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:49:15:49:36 | call to getenv indirection | tests.cpp:49:15:49:20 | call to getenv indirection | tests.cpp:49:15:49:36 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:20 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:50:15:50:20 | call to getenv indirection | tests.cpp:50:15:50:20 | call to getenv indirection | tests.cpp:50:15:50:20 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:20 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:50:15:50:36 | call to getenv indirection | tests.cpp:50:15:50:20 | call to getenv indirection | tests.cpp:50:15:50:36 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:20 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:57:18:57:23 | call to getenv indirection | tests.cpp:57:18:57:23 | call to getenv indirection | tests.cpp:57:18:57:23 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:23 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:57:18:57:39 | call to getenv indirection | tests.cpp:57:18:57:23 | call to getenv indirection | tests.cpp:57:18:57:39 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:23 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:58:41:58:46 | call to getenv indirection | tests.cpp:58:41:58:46 | call to getenv indirection | tests.cpp:58:41:58:46 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:46 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:58:41:58:62 | call to getenv indirection | tests.cpp:58:41:58:46 | call to getenv indirection | tests.cpp:58:41:58:62 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:46 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:48 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:48 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:59:43:59:64 | call to getenv indirection | tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:64 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:48 | call to getenv indirection | call to getenv indirection |
+| tests.cpp:48:15:48:36 | call to getenv indirection | tests.cpp:48:15:48:36 | call to getenv indirection | tests.cpp:48:15:48:36 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:36 | call to getenv indirection | call to getenv indirection |
+| tests.cpp:49:15:49:36 | call to getenv indirection | tests.cpp:49:15:49:36 | call to getenv indirection | tests.cpp:49:15:49:36 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:36 | call to getenv indirection | call to getenv indirection |
+| tests.cpp:50:15:50:36 | call to getenv indirection | tests.cpp:50:15:50:36 | call to getenv indirection | tests.cpp:50:15:50:36 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:36 | call to getenv indirection | call to getenv indirection |
+| tests.cpp:57:18:57:39 | call to getenv indirection | tests.cpp:57:18:57:39 | call to getenv indirection | tests.cpp:57:18:57:39 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:39 | call to getenv indirection | call to getenv indirection |
+| tests.cpp:58:41:58:62 | call to getenv indirection | tests.cpp:58:41:58:62 | call to getenv indirection | tests.cpp:58:41:58:62 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:62 | call to getenv indirection | call to getenv indirection |
+| tests.cpp:59:43:59:64 | call to getenv indirection | tests.cpp:59:43:59:64 | call to getenv indirection | tests.cpp:59:43:59:64 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:64 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:71:27:71:38 | global_token indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:71:27:71:38 | global_token indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:73:27:73:31 | maybe indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:73:27:73:31 | maybe indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:88:15:88:17 | msg indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:88:15:88:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:18 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:97:13:97:34 | call to getenv indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:111:15:111:17 | tmp indirection | tests.cpp:131:14:131:19 | call to getenv indirection | tests.cpp:111:15:111:17 | tmp indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:19 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:119:7:119:12 | buffer indirection | tests.cpp:132:14:132:19 | call to getenv indirection | tests.cpp:119:7:119:12 | buffer indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:132:14:132:19 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:124:15:124:17 | msg indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:124:15:124:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:19 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:133:14:133:35 | call to getenv indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:35 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
+| tests.cpp:88:15:88:17 | msg indirection | tests.cpp:97:13:97:34 | call to getenv indirection | tests.cpp:88:15:88:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | call to getenv indirection | call to getenv indirection |
+| tests.cpp:97:13:97:34 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | call to getenv indirection | call to getenv indirection |
+| tests.cpp:111:15:111:17 | tmp indirection | tests.cpp:131:14:131:35 | call to getenv indirection | tests.cpp:111:15:111:17 | tmp indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:35 | call to getenv indirection | call to getenv indirection |
+| tests.cpp:119:7:119:12 | buffer indirection | tests.cpp:132:14:132:35 | call to getenv indirection | tests.cpp:119:7:119:12 | buffer indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:132:14:132:35 | call to getenv indirection | call to getenv indirection |
+| tests.cpp:124:15:124:17 | msg indirection | tests.cpp:133:14:133:35 | call to getenv indirection | tests.cpp:124:15:124:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | call to getenv indirection | call to getenv indirection |
+| tests.cpp:133:14:133:35 | call to getenv indirection | tests.cpp:133:14:133:35 | call to getenv indirection | tests.cpp:133:14:133:35 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | call to getenv indirection | call to getenv indirection |
 | tests_passwd.cpp:18:29:18:31 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |
 | tests_passwd.cpp:19:26:19:28 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |

cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected

@@ -22,20 +22,32 @@ edges
 | tests5.cpp:88:2:88:2 | p indirection | tests5.cpp:89:2:89:2 | p indirection |
 | tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | p indirection |
 | tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | p indirection |
-| tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:35:23:35:43 | new indirection |
-| tests.cpp:35:23:35:43 | new indirection | tests.cpp:37:2:37:2 | p indirection |
+| tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:37:2:37:2 | (AbstractDOMParser *)... indirection |
+| tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:37:2:37:2 | p indirection |
+| tests.cpp:37:2:37:2 | (AbstractDOMParser *)... indirection | tests.cpp:37:2:37:2 | p indirection |
 | tests.cpp:37:2:37:2 | p indirection | tests.cpp:37:2:37:2 | p indirection |
+| tests.cpp:37:2:37:2 | p indirection | tests.cpp:38:2:38:2 | (AbstractDOMParser *)... indirection |
 | tests.cpp:37:2:37:2 | p indirection | tests.cpp:38:2:38:2 | p indirection |
+| tests.cpp:38:2:38:2 | (AbstractDOMParser *)... indirection | tests.cpp:38:2:38:2 | p indirection |
+| tests.cpp:38:2:38:2 | p indirection | tests.cpp:38:2:38:2 | p indirection |
 | tests.cpp:38:2:38:2 | p indirection | tests.cpp:39:2:39:2 | p indirection |
-| tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:51:23:51:43 | new indirection |
-| tests.cpp:51:23:51:43 | new indirection | tests.cpp:53:2:53:2 | p indirection |
-| tests.cpp:53:2:53:2 | p indirection | tests.cpp:54:2:54:2 | p indirection |
-| tests.cpp:54:2:54:2 | p indirection | tests.cpp:55:2:55:2 | p indirection |
+| tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:53:2:53:2 | (AbstractDOMParser *)... indirection |
+| tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:53:2:53:2 | p indirection |
+| tests.cpp:53:2:53:2 | (AbstractDOMParser *)... indirection | tests.cpp:53:2:53:2 | p indirection |
+| tests.cpp:53:2:53:2 | p indirection | tests.cpp:53:2:53:2 | p indirection |
+| tests.cpp:53:2:53:2 | p indirection | tests.cpp:55:2:55:2 | (AbstractDOMParser *)... indirection |
+| tests.cpp:53:2:53:2 | p indirection | tests.cpp:55:2:55:2 | p indirection |
+| tests.cpp:55:2:55:2 | (AbstractDOMParser *)... indirection | tests.cpp:55:2:55:2 | p indirection |
+| tests.cpp:55:2:55:2 | p indirection | tests.cpp:55:2:55:2 | p indirection |
 | tests.cpp:55:2:55:2 | p indirection | tests.cpp:56:2:56:2 | p indirection |
-| tests.cpp:55:2:55:2 | p indirection | tests.cpp:56:2:56:2 | p indirection |
-| tests.cpp:56:2:56:2 | p indirection | tests.cpp:57:2:57:2 | p indirection |
-| tests.cpp:57:2:57:2 | p indirection | tests.cpp:58:2:58:2 | p indirection |
-| tests.cpp:58:2:58:2 | p indirection | tests.cpp:59:2:59:2 | p indirection |
+| tests.cpp:55:2:55:2 | p indirection | tests.cpp:57:2:57:2 | (AbstractDOMParser *)... indirection |
+| tests.cpp:55:2:55:2 | p indirection | tests.cpp:57:2:57:2 | p indirection |
+| tests.cpp:57:2:57:2 | (AbstractDOMParser *)... indirection | tests.cpp:57:2:57:2 | p indirection |
+| tests.cpp:57:2:57:2 | p indirection | tests.cpp:57:2:57:2 | p indirection |
+| tests.cpp:57:2:57:2 | p indirection | tests.cpp:59:2:59:2 | (AbstractDOMParser *)... indirection |
+| tests.cpp:57:2:57:2 | p indirection | tests.cpp:59:2:59:2 | p indirection |
+| tests.cpp:59:2:59:2 | (AbstractDOMParser *)... indirection | tests.cpp:59:2:59:2 | p indirection |
+| tests.cpp:59:2:59:2 | p indirection | tests.cpp:59:2:59:2 | p indirection |
 | tests.cpp:59:2:59:2 | p indirection | tests.cpp:60:2:60:2 | p indirection |
 | tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | p indirection |
 | tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | p indirection |
@@ -92,20 +104,26 @@ nodes
 | tests.cpp:28:23:28:43 | call to XercesDOMParser | semmle.label | call to XercesDOMParser |
 | tests.cpp:31:2:31:2 | p indirection | semmle.label | p indirection |
 | tests.cpp:35:23:35:43 | call to XercesDOMParser | semmle.label | call to XercesDOMParser |
-| tests.cpp:35:23:35:43 | new indirection | semmle.label | new indirection |
+| tests.cpp:37:2:37:2 | (AbstractDOMParser *)... indirection | semmle.label | (AbstractDOMParser *)... indirection |
 | tests.cpp:37:2:37:2 | p indirection | semmle.label | p indirection |
 | tests.cpp:37:2:37:2 | p indirection | semmle.label | p indirection |
+| tests.cpp:38:2:38:2 | (AbstractDOMParser *)... indirection | semmle.label | (AbstractDOMParser *)... indirection |
+| tests.cpp:38:2:38:2 | p indirection | semmle.label | p indirection |
 | tests.cpp:38:2:38:2 | p indirection | semmle.label | p indirection |
 | tests.cpp:39:2:39:2 | p indirection | semmle.label | p indirection |
 | tests.cpp:51:23:51:43 | call to XercesDOMParser | semmle.label | call to XercesDOMParser |
-| tests.cpp:51:23:51:43 | new indirection | semmle.label | new indirection |
+| tests.cpp:53:2:53:2 | (AbstractDOMParser *)... indirection | semmle.label | (AbstractDOMParser *)... indirection |
 | tests.cpp:53:2:53:2 | p indirection | semmle.label | p indirection |
-| tests.cpp:54:2:54:2 | p indirection | semmle.label | p indirection |
+| tests.cpp:53:2:53:2 | p indirection | semmle.label | p indirection |
+| tests.cpp:55:2:55:2 | (AbstractDOMParser *)... indirection | semmle.label | (AbstractDOMParser *)... indirection |
+| tests.cpp:55:2:55:2 | p indirection | semmle.label | p indirection |
 | tests.cpp:55:2:55:2 | p indirection | semmle.label | p indirection |
 | tests.cpp:56:2:56:2 | p indirection | semmle.label | p indirection |
-| tests.cpp:56:2:56:2 | p indirection | semmle.label | p indirection |
+| tests.cpp:57:2:57:2 | (AbstractDOMParser *)... indirection | semmle.label | (AbstractDOMParser *)... indirection |
 | tests.cpp:57:2:57:2 | p indirection | semmle.label | p indirection |
-| tests.cpp:58:2:58:2 | p indirection | semmle.label | p indirection |
+| tests.cpp:57:2:57:2 | p indirection | semmle.label | p indirection |
+| tests.cpp:59:2:59:2 | (AbstractDOMParser *)... indirection | semmle.label | (AbstractDOMParser *)... indirection |
+| tests.cpp:59:2:59:2 | p indirection | semmle.label | p indirection |
 | tests.cpp:59:2:59:2 | p indirection | semmle.label | p indirection |
 | tests.cpp:60:2:60:2 | p indirection | semmle.label | p indirection |
 | tests.cpp:66:23:66:43 | call to XercesDOMParser | semmle.label | call to XercesDOMParser |

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs

@@ -103,8 +103,9 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                     progressMonitor.MissingNuGet();
                 }
 
-                Restore(solutions);
-                Restore(allProjects);
+                var restoredProjects = RestoreSolutions(solutions);
+                var projects = allProjects.Except(restoredProjects);
+                RestoreProjects(projects);
                 DownloadMissingPackages(allFiles);
             }
 
@@ -351,14 +352,48 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 
         }
 
-        private bool Restore(string target, string? pathToNugetConfig = null) =>
-            dotnet.RestoreToDirectory(target, packageDirectory.DirInfo.FullName, pathToNugetConfig);
+        private bool RestoreProject(string project, out string stdout, string? pathToNugetConfig = null) =>
+            dotnet.RestoreProjectToDirectory(project, packageDirectory.DirInfo.FullName, out stdout, pathToNugetConfig);
 
-        private void Restore(IEnumerable<string> targets, string? pathToNugetConfig = null)
+        private bool RestoreSolution(string solution, out IEnumerable<string> projects) =>
+            dotnet.RestoreSolutionToDirectory(solution, packageDirectory.DirInfo.FullName, out projects);
+
+        /// <summary>
+        /// Executes `dotnet restore` on all solution files in solutions.
+        /// As opposed to RestoreProjects this is not run in parallel using PLINQ
+        /// as `dotnet restore` on a solution already uses multiple threads for restoring
+        /// the projects (this can be disabled with the `--disable-parallel` flag).
+        /// Returns a list of projects that are up to date with respect to restore.
+        /// </summary>
+        /// <param name="solutions">A list of paths to solution files.</param>
+        private IEnumerable<string> RestoreSolutions(IEnumerable<string> solutions) =>
+            solutions.SelectMany(solution =>
+                {
+                    RestoreSolution(solution, out var restoredProjects);
+                    return restoredProjects;
+                });
+
+        /// <summary>
+        /// Executes `dotnet restore` on all projects in projects.
+        /// This is done in parallel for performance reasons.
+        /// To ensure that output is not interleaved, the output of each
+        /// restore is collected and printed.
+        /// </summary>
+        /// <param name="projects">A list of paths to project files.</param>
+        private void RestoreProjects(IEnumerable<string> projects)
         {
-            foreach (var target in targets)
+            var stdoutLines = projects
+                .AsParallel()
+                .WithDegreeOfParallelism(options.Threads)
+                .Select(project =>
+                    {
+                        RestoreProject(project, out var stdout);
+                        return stdout;
+                    })
+                .ToList();
+            foreach (var line in stdoutLines)
             {
-                Restore(target, pathToNugetConfig);
+                Console.WriteLine(line);
             }
         }
 
@@ -401,10 +436,10 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                     continue;
                 }
 
-                success = Restore(tempDir.DirInfo.FullName, nugetConfig);
+                success = RestoreProject(tempDir.DirInfo.FullName, out var stdout, nugetConfig);
+                Console.WriteLine(stdout);
 
                 // TODO: the restore might fail, we could retry with a prerelease (*-* instead of *) version of the package.
-
                 if (!success)
                 {
                     progressMonitor.FailedToRestoreNugetPackage(package);

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs

@@ -2,6 +2,8 @@
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.IO;
+using System.Linq;
+using System.Text.RegularExpressions;
 using Semmle.Util;
 
 namespace Semmle.Extraction.CSharp.DependencyFetching
@@ -9,7 +11,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
     /// <summary>
     /// Utilities to run the "dotnet" command.
     /// </summary>
-    internal class DotNet : IDotNet
+    internal partial class DotNet : IDotNet
     {
         private readonly ProgressMonitor progressMonitor;
         private readonly string dotnet;
@@ -31,17 +33,22 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
         }
 
-        private ProcessStartInfo MakeDotnetStartInfo(string args, bool redirectStandardOutput) =>
-            new ProcessStartInfo(dotnet, args)
+        private ProcessStartInfo MakeDotnetStartInfo(string args, bool redirectStandardOutput)
+        {
+            var startInfo = new ProcessStartInfo(dotnet, args)
             {
                 UseShellExecute = false,
                 RedirectStandardOutput = redirectStandardOutput
             };
+            // Set the .NET CLI language to English to avoid localized output.
+            startInfo.EnvironmentVariables["DOTNET_CLI_UI_LANGUAGE"] = "en";
+            return startInfo;
+        }
 
         private bool RunCommand(string args)
         {
             progressMonitor.RunningProcess($"{dotnet} {args}");
-            using var proc = Process.Start(this.MakeDotnetStartInfo(args, redirectStandardOutput: false));
+            using var proc = Process.Start(MakeDotnetStartInfo(args, redirectStandardOutput: false));
             proc?.WaitForExit();
             var exitCode = proc?.ExitCode ?? -1;
             if (exitCode != 0)
@@ -52,12 +59,50 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             return true;
         }
 
-        public bool RestoreToDirectory(string projectOrSolutionFile, string packageDirectory, string? pathToNugetConfig = null)
+        private bool RunCommand(string args, out IList<string> output)
         {
-            var args = $"restore --no-dependencies \"{projectOrSolutionFile}\" --packages \"{packageDirectory}\" /p:DisableImplicitNuGetFallbackFolder=true";
+            progressMonitor.RunningProcess($"{dotnet} {args}");
+            var pi = MakeDotnetStartInfo(args, redirectStandardOutput: true);
+            var exitCode = pi.ReadOutput(out output);
+            if (exitCode != 0)
+            {
+                progressMonitor.CommandFailed(dotnet, args, exitCode);
+                return false;
+            }
+            return true;
+        }
+
+        private static string GetRestoreArgs(string projectOrSolutionFile, string packageDirectory) =>
+            $"restore --no-dependencies \"{projectOrSolutionFile}\" --packages \"{packageDirectory}\" /p:DisableImplicitNuGetFallbackFolder=true";
+
+        public bool RestoreProjectToDirectory(string projectFile, string packageDirectory, out string stdout, string? pathToNugetConfig = null)
+        {
+            var args = GetRestoreArgs(projectFile, packageDirectory);
             if (pathToNugetConfig != null)
+            {
                 args += $" --configfile \"{pathToNugetConfig}\"";
-            return RunCommand(args);
+            }
+            var success = RunCommand(args, out var output);
+            stdout = string.Join("\n", output);
+            return success;
+        }
+
+        public bool RestoreSolutionToDirectory(string solutionFile, string packageDirectory, out IEnumerable<string> projects)
+        {
+            var args = GetRestoreArgs(solutionFile, packageDirectory);
+            args += " --verbosity normal";
+            if (RunCommand(args, out var output))
+            {
+                var regex = RestoreProjectRegex();
+                projects = output
+                    .Select(line => regex.Match(line))
+                    .Where(match => match.Success)
+                    .Select(match => match.Groups[1].Value);
+                return true;
+            }
+
+            projects = Array.Empty<string>();
+            return false;
         }
 
         public bool New(string folder)
@@ -78,16 +123,12 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 
         private IList<string> GetListed(string args, string artifact)
         {
-            progressMonitor.RunningProcess($"{dotnet} {args}");
-            var pi = this.MakeDotnetStartInfo(args, redirectStandardOutput: true);
-            var exitCode = pi.ReadOutput(out var artifacts);
-            if (exitCode != 0)
+            if (RunCommand(args, out var artifacts))
             {
-                progressMonitor.CommandFailed(dotnet, args, exitCode);
-                return new List<string>();
+                progressMonitor.LogInfo($"Found {artifact}s: {string.Join("\n", artifacts)}");
+                return artifacts;
             }
-            progressMonitor.LogInfo($"Found {artifact}s: {string.Join("\n", artifacts)}");
-            return artifacts;
+            return new List<string>();
         }
 
         public bool Exec(string execArgs)
@@ -95,5 +136,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             var args = $"exec {execArgs}";
             return RunCommand(args);
         }
+
+        [GeneratedRegex("Restored\\s+(.+\\.csproj)", RegexOptions.Compiled)]
+        private static partial Regex RestoreProjectRegex();
     }
 }

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNet.cs

@@ -4,7 +4,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 {
     internal interface IDotNet
     {
-        bool RestoreToDirectory(string project, string directory, string? pathToNugetConfig = null);
+        bool RestoreProjectToDirectory(string project, string directory, out string stdout, string? pathToNugetConfig = null);
+        bool RestoreSolutionToDirectory(string solutionFile, string packageDirectory, out IEnumerable<string> projects);
         bool New(string folder);
         bool AddPackage(string folder, string package);
         IList<string> GetListedRuntimes();

csharp/extractor/Semmle.Extraction.Tests/FileContent.cs

@@ -1,6 +1,5 @@
 using Xunit;
 using System.Collections.Generic;
-using System.Linq;
 using Semmle.Util.Logging;
 using Semmle.Extraction.CSharp.DependencyFetching;
 

csharp/extractor/Semmle.Extraction.Tests/Runtime.cs

@@ -1,4 +1,5 @@
 using Xunit;
+using System;
 using System.Collections.Generic;
 using Semmle.Extraction.CSharp.DependencyFetching;
 
@@ -18,7 +19,17 @@ namespace Semmle.Extraction.Tests
 
         public bool New(string folder) => true;
 
-        public bool RestoreToDirectory(string project, string directory, string? pathToNugetConfig = null) => true;
+        public bool RestoreProjectToDirectory(string project, string directory, out string stdout, string? pathToNugetConfig = null)
+        {
+            stdout = "";
+            return true;
+        }
+
+        public bool RestoreSolutionToDirectory(string solution, string directory, out IEnumerable<string> projects)
+        {
+            projects = Array.Empty<string>();
+            return true;
+        }
 
         public IList<string> GetListedRuntimes() => runtimes;
 

csharp/ql/consistency-queries/DataFlowConsistency.ql

@@ -72,11 +72,44 @@ private module Input implements InputSig<CsharpDataFlow> {
   }
 
   predicate reverseReadExclude(Node n) { n.asExpr() = any(AwaitExpr ae).getExpr() }
+
+  predicate missingArgumentCallExclude(ArgumentNode arg) {
+    // TODO: Remove once object initializers are modeled properly
+    arg.(Private::PostUpdateNodes::ObjectInitializerNode).getInitializer() instanceof
+      ObjectInitializer
+    or
+    // TODO: Remove once underlying issue is fixed
+    exists(QualifiableExpr qe |
+      qe.isConditional() and
+      qe.getQualifier() = arg.asExpr()
+    )
+  }
+
+  predicate multipleArgumentCallExclude(ArgumentNode arg, DataFlowCall call) {
+    isArgumentNode(arg, call, _) and
+    (
+      // TODO: Remove once object initializers are modeled properly
+      arg =
+        any(Private::PostUpdateNodes::ObjectInitializerNode init |
+          init.argumentOf(call, _) and
+          init.getInitializer().getNumberOfChildren() > 1
+        )
+      or
+      exists(ControlFlow::Nodes::ElementNode cfn, ControlFlow::Nodes::Split split |
+        exists(arg.asExprAtNode(cfn))
+      |
+        split = cfn.getASplit() and
+        not split = call.getControlFlowNode().getASplit()
+        or
+        split = call.getControlFlowNode().getASplit() and
+        not split = cfn.getASplit()
+      )
+      or
+      call instanceof TransitiveCapturedDataFlowCall
+      or
+      call.(NonDelegateDataFlowCall).getDispatchCall().isReflection()
+    )
+  }
 }
 
 import MakeConsistency<CsharpDataFlow, CsharpTaintTracking, Input>
-
-query predicate multipleToString(DataFlow::Node n, string s) {
-  s = strictconcat(n.toString(), ",") and
-  strictcount(n.toString()) > 1
-}

csharp/ql/integration-tests/all-platforms/dotnet_run/test.py

@@ -53,3 +53,8 @@ check_diagnostics(test_db="test7-db")
 s = run_codeql_database_create_stdout(['dotnet clean', 'rm -rf test7-db', 'dotnet build', 'dotnet run --no-build hello world'], "test8-db")
 check_build_out("hello, world", s)
 check_diagnostics(test_db="test8-db")
+
+# two arguments, no '--' (first argument quoted)
+s = run_codeql_database_create_stdout(['dotnet clean', 'rm -rf test8-db', 'dotnet run "hello world part1" part2'], "test9-db")
+check_build_out("hello world part1, part2", s)
+check_diagnostics(test_db="test9-db")

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -415,6 +415,9 @@ class CilDataFlowCall extends DataFlowCall, TCilCall {
 
   CilDataFlowCall() { this = TCilCall(call) }
 
+  /** Gets the underlying CIL call. */
+  CIL::Call getCilCall() { result = call }
+
   override DataFlowCallable getARuntimeTarget() {
     // There is no dispatch library for CIL, so do not consider overrides for now
     result.getUnderlyingCallable() = getCallableForDataFlow(call.getTarget())

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -1181,7 +1181,7 @@ private module ArgumentNodes {
     ExplicitArgumentNode() {
       this.asExpr() instanceof Argument
       or
-      this.asExpr() = any(CIL::Call call).getAnArgument()
+      this.asExpr() = any(CilDataFlowCall cc).getCilCall().getAnArgument()
     }
 
     override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
@@ -2032,7 +2032,7 @@ abstract class PostUpdateNode extends Node {
   abstract Node getPreUpdateNode();
 }
 
-private module PostUpdateNodes {
+module PostUpdateNodes {
   class ObjectCreationNode extends PostUpdateNode, ExprNode, TExprNode {
     private ObjectCreation oc;
 

csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll

@@ -50,6 +50,9 @@ class DispatchCall extends Internal::TDispatchCall {
   RuntimeCallable getADynamicTargetInCallContext(DispatchCall ctx) {
     result = Internal::getADynamicTargetInCallContext(this, ctx)
   }
+
+  /** Holds if this call uses reflection. */
+  predicate isReflection() { this instanceof Internal::TDispatchReflectionCall }
 }
 
 /** Internal implementation details. */

csharp/tools/tracing-config.lua

@@ -64,7 +64,7 @@ function RegisterExtractorPack(id)
 
                 -- for `dotnet test`, we should not append `-p:UseSharedCompilation=false` to the command line
                 -- if an `exe` or `dll` is passed as an argument as the call is forwarded to vstest.
-                if testMatch and (arg:match('%.exe$') or arg:match('%.dll'))  then
+                if testMatch and (arg:match('%.exe$') or arg:match('%.dll')) then
                     match = false
                     break
                 end
@@ -110,7 +110,7 @@ function RegisterExtractorPack(id)
                     invocation = {
                         path = AbsolutifyExtractorPath(id, compilerPath),
                         arguments = {
-                            commandLineString = table.concat(argv, " ")
+                            commandLineString = ArgvToCommandLineString(argv)
                         }
                     }
                 }
@@ -174,7 +174,7 @@ function RegisterExtractorPack(id)
                     seenCompilerCall = true
                 end
                 if seenCompilerCall then
-                    table.insert(extractorArgs, '"' .. arg .. '"')
+                    table.insert(extractorArgs, arg)
                 end
             end
 
@@ -184,7 +184,7 @@ function RegisterExtractorPack(id)
                     invocation = {
                         path = AbsolutifyExtractorPath(id, extractor),
                         arguments = {
-                            commandLineString = table.concat(extractorArgs, " ")
+                            commandLineString = ArgvToCommandLineString(extractorArgs)
                         }
                     }
                 }

docs/codeql/ql-language-reference/annotations.rst

@@ -435,9 +435,11 @@ For more information, see ":ref:`Binding <binding>`."
 
 **Available for**: |characteristic predicates|, |member predicates|, |non-member predicates|
 
-The ``pragma[assume_small_delta]`` annotation changes the compilation of the annotated recursive predicate.
-If the compiler normally generates the join orders ``order_<1>``, ``order_<2>``, ``order_<3>``, and ``standard_order``,
-applying this annotation makes ``standard_order`` the same as ``order_<3>`` and removes the (now redundant) ``order_<3>`` join order.
+.. pull-quote:: Important
+
+   This annotation is deprecated.
+
+The ``pragma[assume_small_delta]`` annotation has no effect and can be safely removed.
 
 .. _language:
 

docs/codeql/reusables/supported-versions-compilers.rst

@@ -20,7 +20,7 @@
    Java,"Java 7 to 20 [4]_","javac (OpenJDK and Oracle JDK),
 
    Eclipse compiler for Java (ECJ) [5]_",``.java``
-   Kotlin [6]_,"Kotlin 1.5.0 to 1.9.10","kotlinc",``.kt``
+   Kotlin [6]_,"Kotlin 1.5.0 to 1.9.20","kotlinc",``.kt``
    JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [7]_"
    Python [8]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11",Not applicable,``.py``
    Ruby [9]_,"up to 3.2",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"

go/codeql-tools/configure-baseline.cmd

@@ -1,6 +1,6 @@
 @echo off
 if exist vendor\modules.txt (
-  type %CODEQL_EXTRACTOR_GO_ROOT%\tools\baseline-config-vendor.json
+  type "%CODEQL_EXTRACTOR_GO_ROOT%\tools\baseline-config-vendor.json"
 ) else (
-  type %CODEQL_EXTRACTOR_GO_ROOT%\tools\baseline-config-empty.json
+  type "%CODEQL_EXTRACTOR_GO_ROOT%\tools\baseline-config-empty.json"
 )

go/codeql-tools/configure-baseline.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 if [ -f vendor/modules.txt ]; then
-  cat $CODEQL_EXTRACTOR_GO_ROOT/tools/baseline-config-vendor.json
+  cat "$CODEQL_EXTRACTOR_GO_ROOT/tools/baseline-config-vendor.json"
 else
-  cat $CODEQL_EXTRACTOR_GO_ROOT/tools/baseline-config-empty.json
+  cat "$CODEQL_EXTRACTOR_GO_ROOT/tools/baseline-config-empty.json"
 fi

go/extractor/diagnostics/diagnostics.go

@@ -482,3 +482,14 @@ func EmitGoModVersionSupportedLowerEqualGoEnv(msg string) {
 		noLocation,
 	)
 }
+
+func EmitNewerSystemGoRequired(requiredVersion string) {
+	emitDiagnostic(
+		"go/autobuilder/newer-system-go-version-required",
+		"The Go version installed on the system is too old to support this project",
+		"At least Go version `"+requiredVersion+"` is required to build this project, but the version installed on the system is older. [Install a newer version](https://github.com/actions/setup-go#basic).",
+		severityError,
+		fullVisibility,
+		noLocation,
+	)
+}

go/extractor/extractor.go

@@ -91,6 +91,10 @@ func ExtractWithFlags(buildFlags []string, patterns []string) error {
 	}
 	pkgs, err := packages.Load(cfg, patterns...)
 	if err != nil {
+		// the toolchain directive is only supported in Go 1.21 and above
+		if strings.Contains(err.Error(), "unknown directive: toolchain") {
+			diagnostics.EmitNewerSystemGoRequired("1.21.0")
+		}
 		return err
 	}
 	log.Println("Done running packages.Load.")

java/kotlin-extractor/kotlin_plugin_versions.py

@@ -24,7 +24,7 @@ def version_string_to_tuple(version):
 # Version number used by CI.
 ci_version = '1.9.0'
 
-many_versions = [ '1.4.32', '1.5.0', '1.5.10', '1.5.20', '1.5.30', '1.6.0', '1.6.20', '1.7.0', '1.7.20', '1.8.0', '1.9.0-Beta' ]
+many_versions = [ '1.4.32', '1.5.0', '1.5.10', '1.5.20', '1.5.30', '1.6.0', '1.6.20', '1.7.0', '1.7.20', '1.8.0', '1.9.0-Beta', '1.9.20-Beta' ]
 
 many_versions_tuples = [version_string_to_tuple(v) for v in many_versions]
 

java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt

@@ -4858,9 +4858,16 @@ open class KotlinFileExtractor(
                 logger.errorElement("Cannot find class for kPropertyType. ${kPropertyType.classFqName?.asString()}", propertyReferenceExpr)
                 return
             }
-            val parameterTypes = kPropertyType.arguments.map { it as? IrType }.requireNoNullsOrNull()
+            val parameterTypes: List<IrType>? = kPropertyType.arguments.map {
+                if (it is IrType) {
+                    it
+                } else {
+                    logger.errorElement("Unexpected: Non-IrType (${it.javaClass}) property reference parameter.", propertyReferenceExpr)
+                    null
+                }
+            }.requireNoNullsOrNull()
             if (parameterTypes == null) {
-                logger.errorElement("Unexpected: Non-IrType parameter.", propertyReferenceExpr)
+                logger.errorElement("Unexpected: One or more non-IrType property reference parameters.", propertyReferenceExpr)
                 return
             }
 
@@ -5041,9 +5048,16 @@ open class KotlinFileExtractor(
                 return
             }
 
-            val parameterTypes = type.arguments.map { it as? IrType }.requireNoNullsOrNull()
+            val parameterTypes: List<IrType>? = type.arguments.map {
+                if (it is IrType) {
+                    it
+                } else {
+                    logger.errorElement("Unexpected: Non-IrType (${it.javaClass}) function reference parameter.", functionReferenceExpr)
+                    null
+                }
+            }.requireNoNullsOrNull()
             if (parameterTypes == null) {
-                logger.errorElement("Unexpected: Non-IrType parameter.", functionReferenceExpr)
+                logger.errorElement("Unexpected: One or more non-IrType function reference parameters.", functionReferenceExpr)
                 return
             }
 

java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt

@@ -1,11 +1,7 @@
 package com.github.codeql
 
 import com.github.codeql.utils.*
-import com.github.codeql.utils.versions.codeQlWithHasQuestionMark
-import com.github.codeql.utils.versions.getFileClassFqName
-import com.github.codeql.utils.versions.getKotlinType
-import com.github.codeql.utils.versions.isRawType
-import com.github.codeql.utils.versions.packageFqName
+import com.github.codeql.utils.versions.*
 import com.semmle.extractor.java.OdasaOutput
 import org.jetbrains.kotlin.backend.common.extensions.IrPluginContext
 import org.jetbrains.kotlin.backend.common.ir.*

java/kotlin-extractor/src/main/kotlin/PrimitiveTypeInfo.kt

@@ -8,7 +8,7 @@ import org.jetbrains.kotlin.ir.types.IrSimpleType
 import org.jetbrains.kotlin.ir.types.classOrNull
 import org.jetbrains.kotlin.name.FqName
 import com.github.codeql.utils.*
-import com.github.codeql.utils.versions.packageFqName
+import com.github.codeql.utils.versions.*
 
 class PrimitiveTypeMapping(val logger: Logger, val pluginContext: IrPluginContext) {
     fun getPrimitiveInfo(s: IrSimpleType) =