Merge remote-tracking branch 'upstream/main' into SimpleRangeAnalysis-mul-constant

2020-08-20 08:20:31 +02:00 · 2020-08-20 08:20:31 +02:00 · b1c0e6f626
--- a/change-notes/1.26/analysis-cpp.md
+++ b/change-notes/1.26/analysis-cpp.md
@ -19,6 +19,6 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.

 ## Changes to libraries

-* The models library now models more taint flows through `std::string`.
+* The models library now models many more taint flows through `std::string`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
  `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@ -8,10 +8,13 @@ class StdBasicString extends TemplateClass {
 }

 /**
- * The standard function `std::string.c_str`.
+ * The `std::string` functions `c_str` and  `data`.
 */
 class StdStringCStr extends TaintFunction {
-  StdStringCStr() { this.hasQualifiedName("std", "basic_string", "c_str") }
+  StdStringCStr() {
+    this.hasQualifiedName("std", "basic_string", "c_str") or
+    this.hasQualifiedName("std", "basic_string", "data")
+  }

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from string itself (qualifier) to return value
@ -40,12 +43,16 @@ class StdStringPlus extends TaintFunction {
 }

 /**
- * The `std::string` functions `operator+=` and `append`.
+ * The `std::string` functions `operator+=`, `append`, `insert` and
+ * `replace`. All of these functions combine the existing string
+ * with a new string (or character) from one of the arguments.
 */
 class StdStringAppend extends TaintFunction {
  StdStringAppend() {
    this.hasQualifiedName("std", "basic_string", "operator+=") or
-    this.hasQualifiedName("std", "basic_string", "append")
+    this.hasQualifiedName("std", "basic_string", "append") or
+    this.hasQualifiedName("std", "basic_string", "insert") or
+    this.hasQualifiedName("std", "basic_string", "replace")
  }

  /**
@ -58,6 +65,35 @@ class StdStringAppend extends TaintFunction {
    getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
  }

+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from string and parameter to string (qualifier) and return value
+    (
+      input.isQualifierObject() or
+      input.isParameterDeref(getAStringParameter())
+    ) and
+    (
+      output.isQualifierObject() or
+      output.isReturnValueDeref()
+    )
+  }
+}
+
+/**
+ * The standard function `std::string.assign`.
+ */
+class StdStringAssign extends TaintFunction {
+  StdStringAssign() { this.hasQualifiedName("std", "basic_string", "assign") }
+
+  /**
+   * Gets the index of a parameter to this function that is a string (or
+   * character).
+   */
+  int getAStringParameter() {
+    getParameter(result).getType() instanceof PointerType or
+    getParameter(result).getType() instanceof ReferenceType or
+    getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
+  }
+
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from parameter to string itself (qualifier) and return value
    input.isParameterDeref(getAStringParameter()) and
@ -67,3 +103,45 @@ class StdStringAppend extends TaintFunction {
    )
  }
 }
+
+/**
+ * The standard function `std::string.copy`.
+ */
+class StdStringCopy extends TaintFunction {
+  StdStringCopy() { this.hasQualifiedName("std", "basic_string", "copy") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // copy(dest, num, pos)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+  }
+}
+
+/**
+ * The standard function `std::string.substr`.
+ */
+class StdStringSubstr extends TaintFunction {
+  StdStringSubstr() { this.hasQualifiedName("std", "basic_string", "substr") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // substr(pos, num)
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * The standard function `std::string.swap`.
+ */
+class StdStringSwap extends TaintFunction {
+  StdStringSwap() { this.hasQualifiedName("std", "basic_string", "swap") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // str1.swap(str2)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@ -457,6 +457,7 @@
 | string.cpp:160:8:160:9 | s3 | string.cpp:161:3:161:4 | s6 |  |
 | string.cpp:160:8:160:9 | s3 | string.cpp:162:8:162:9 | s6 |  |
 | string.cpp:161:3:161:4 | ref arg s6 | string.cpp:162:8:162:9 | s6 |  |
+| string.cpp:161:3:161:4 | s6 | string.cpp:161:6:161:6 | call to operator+= | TAINT |
 | string.cpp:161:9:161:10 | s4 | string.cpp:161:3:161:4 | ref arg s6 | TAINT |
 | string.cpp:161:9:161:10 | s4 | string.cpp:161:6:161:6 | call to operator+= | TAINT |
 | string.cpp:164:8:164:9 | s3 | string.cpp:164:3:164:9 | ... = ... |  |
@ -465,15 +466,18 @@
 | string.cpp:164:8:164:9 | s3 | string.cpp:167:8:167:9 | s7 |  |
 | string.cpp:165:3:165:4 | ref arg s7 | string.cpp:166:3:166:4 | s7 |  |
 | string.cpp:165:3:165:4 | ref arg s7 | string.cpp:167:8:167:9 | s7 |  |
+| string.cpp:165:3:165:4 | s7 | string.cpp:165:6:165:6 | call to operator+= | TAINT |
 | string.cpp:165:9:165:14 | call to source | string.cpp:165:3:165:4 | ref arg s7 | TAINT |
 | string.cpp:165:9:165:14 | call to source | string.cpp:165:6:165:6 | call to operator+= | TAINT |
 | string.cpp:166:3:166:4 | ref arg s7 | string.cpp:167:8:167:9 | s7 |  |
+| string.cpp:166:3:166:4 | s7 | string.cpp:166:6:166:6 | call to operator+= | TAINT |
 | string.cpp:166:9:166:11 |   | string.cpp:166:3:166:4 | ref arg s7 | TAINT |
 | string.cpp:166:9:166:11 |   | string.cpp:166:6:166:6 | call to operator+= | TAINT |
 | string.cpp:169:8:169:9 | s3 | string.cpp:169:3:169:9 | ... = ... |  |
 | string.cpp:169:8:169:9 | s3 | string.cpp:170:3:170:4 | s8 |  |
 | string.cpp:169:8:169:9 | s3 | string.cpp:171:8:171:9 | s8 |  |
 | string.cpp:170:3:170:4 | ref arg s8 | string.cpp:171:8:171:9 | s8 |  |
+| string.cpp:170:3:170:4 | s8 | string.cpp:170:6:170:11 | call to append | TAINT |
 | string.cpp:170:13:170:14 | s4 | string.cpp:170:3:170:4 | ref arg s8 | TAINT |
 | string.cpp:170:13:170:14 | s4 | string.cpp:170:6:170:11 | call to append | TAINT |
 | string.cpp:173:8:173:9 | s3 | string.cpp:173:3:173:9 | ... = ... |  |
@ -482,9 +486,11 @@
 | string.cpp:173:8:173:9 | s3 | string.cpp:176:8:176:9 | s9 |  |
 | string.cpp:174:3:174:4 | ref arg s9 | string.cpp:175:3:175:4 | s9 |  |
 | string.cpp:174:3:174:4 | ref arg s9 | string.cpp:176:8:176:9 | s9 |  |
+| string.cpp:174:3:174:4 | s9 | string.cpp:174:6:174:11 | call to append | TAINT |
 | string.cpp:174:13:174:18 | call to source | string.cpp:174:3:174:4 | ref arg s9 | TAINT |
 | string.cpp:174:13:174:18 | call to source | string.cpp:174:6:174:11 | call to append | TAINT |
 | string.cpp:175:3:175:4 | ref arg s9 | string.cpp:176:8:176:9 | s9 |  |
+| string.cpp:175:3:175:4 | s9 | string.cpp:175:6:175:11 | call to append | TAINT |
 | string.cpp:175:13:175:15 |   | string.cpp:175:3:175:4 | ref arg s9 | TAINT |
 | string.cpp:175:13:175:15 |   | string.cpp:175:6:175:11 | call to append | TAINT |
 | string.cpp:180:19:180:23 | abc | string.cpp:180:19:180:24 | call to basic_string | TAINT |
@ -492,8 +498,185 @@
 | string.cpp:180:19:180:24 | call to basic_string | string.cpp:184:8:184:10 | s10 |  |
 | string.cpp:181:12:181:26 | call to source | string.cpp:183:17:183:17 | c |  |
 | string.cpp:183:3:183:5 | ref arg s10 | string.cpp:184:8:184:10 | s10 |  |
+| string.cpp:183:3:183:5 | s10 | string.cpp:183:7:183:12 | call to append | TAINT |
 | string.cpp:183:17:183:17 | c | string.cpp:183:3:183:5 | ref arg s10 | TAINT |
 | string.cpp:183:17:183:17 | c | string.cpp:183:7:183:12 | call to append | TAINT |
+| string.cpp:189:17:189:23 | hello | string.cpp:189:17:189:24 | call to basic_string | TAINT |
+| string.cpp:189:17:189:24 | call to basic_string | string.cpp:195:17:195:18 | s1 |  |
+| string.cpp:189:17:189:24 | call to basic_string | string.cpp:204:17:204:18 | s1 |  |
+| string.cpp:190:17:190:22 | call to source | string.cpp:190:17:190:25 | call to basic_string | TAINT |
+| string.cpp:190:17:190:25 | call to basic_string | string.cpp:198:17:198:18 | s2 |  |
+| string.cpp:191:11:191:25 | call to source | string.cpp:201:21:201:21 | c |  |
+| string.cpp:192:14:192:15 | call to basic_string | string.cpp:195:7:195:8 | s3 |  |
+| string.cpp:192:14:192:15 | call to basic_string | string.cpp:196:7:196:8 | s3 |  |
+| string.cpp:192:18:192:19 | call to basic_string | string.cpp:198:7:198:8 | s4 |  |
+| string.cpp:192:18:192:19 | call to basic_string | string.cpp:199:7:199:8 | s4 |  |
+| string.cpp:192:22:192:23 | call to basic_string | string.cpp:201:7:201:8 | s5 |  |
+| string.cpp:192:22:192:23 | call to basic_string | string.cpp:202:7:202:8 | s5 |  |
+| string.cpp:193:17:193:22 | call to source | string.cpp:193:17:193:25 | call to basic_string | TAINT |
+| string.cpp:193:17:193:25 | call to basic_string | string.cpp:204:7:204:8 | s6 |  |
+| string.cpp:193:17:193:25 | call to basic_string | string.cpp:205:7:205:8 | s6 |  |
+| string.cpp:195:7:195:8 | ref arg s3 | string.cpp:196:7:196:8 | s3 |  |
+| string.cpp:195:17:195:18 | s1 | string.cpp:195:7:195:8 | ref arg s3 | TAINT |
+| string.cpp:195:17:195:18 | s1 | string.cpp:195:10:195:15 | call to assign | TAINT |
+| string.cpp:198:7:198:8 | ref arg s4 | string.cpp:199:7:199:8 | s4 |  |
+| string.cpp:198:17:198:18 | s2 | string.cpp:198:7:198:8 | ref arg s4 | TAINT |
+| string.cpp:198:17:198:18 | s2 | string.cpp:198:10:198:15 | call to assign | TAINT |
+| string.cpp:201:7:201:8 | ref arg s5 | string.cpp:202:7:202:8 | s5 |  |
+| string.cpp:201:21:201:21 | c | string.cpp:201:7:201:8 | ref arg s5 | TAINT |
+| string.cpp:201:21:201:21 | c | string.cpp:201:10:201:15 | call to assign | TAINT |
+| string.cpp:204:7:204:8 | ref arg s6 | string.cpp:205:7:205:8 | s6 |  |
+| string.cpp:204:17:204:18 | s1 | string.cpp:204:7:204:8 | ref arg s6 | TAINT |
+| string.cpp:204:17:204:18 | s1 | string.cpp:204:10:204:15 | call to assign | TAINT |
+| string.cpp:209:17:209:23 | hello | string.cpp:209:17:209:24 | call to basic_string | TAINT |
+| string.cpp:209:17:209:24 | call to basic_string | string.cpp:214:7:214:8 | s1 |  |
+| string.cpp:209:17:209:24 | call to basic_string | string.cpp:215:20:215:21 | s1 |  |
+| string.cpp:209:17:209:24 | call to basic_string | string.cpp:219:20:219:21 | s1 |  |
+| string.cpp:209:17:209:24 | call to basic_string | string.cpp:222:7:222:8 | s1 |  |
+| string.cpp:209:17:209:24 | call to basic_string | string.cpp:226:7:226:8 | s1 |  |
+| string.cpp:210:17:210:22 | call to source | string.cpp:210:17:210:25 | call to basic_string | TAINT |
+| string.cpp:210:17:210:25 | call to basic_string | string.cpp:218:7:218:8 | s2 |  |
+| string.cpp:210:17:210:25 | call to basic_string | string.cpp:223:20:223:21 | s2 |  |
+| string.cpp:211:11:211:25 | call to source | string.cpp:227:24:227:24 | c |  |
+| string.cpp:214:7:214:8 | s1 | string.cpp:214:2:214:8 | ... = ... |  |
+| string.cpp:214:7:214:8 | s1 | string.cpp:215:7:215:8 | s3 |  |
+| string.cpp:214:7:214:8 | s1 | string.cpp:216:7:216:8 | s3 |  |
+| string.cpp:215:7:215:8 | ref arg s3 | string.cpp:216:7:216:8 | s3 |  |
+| string.cpp:215:7:215:8 | s3 | string.cpp:215:10:215:15 | call to insert | TAINT |
+| string.cpp:215:20:215:21 | s1 | string.cpp:215:7:215:8 | ref arg s3 | TAINT |
+| string.cpp:215:20:215:21 | s1 | string.cpp:215:10:215:15 | call to insert | TAINT |
+| string.cpp:218:7:218:8 | s2 | string.cpp:218:2:218:8 | ... = ... |  |
+| string.cpp:218:7:218:8 | s2 | string.cpp:219:7:219:8 | s4 |  |
+| string.cpp:218:7:218:8 | s2 | string.cpp:220:7:220:8 | s4 |  |
+| string.cpp:219:7:219:8 | ref arg s4 | string.cpp:220:7:220:8 | s4 |  |
+| string.cpp:219:7:219:8 | s4 | string.cpp:219:10:219:15 | call to insert | TAINT |
+| string.cpp:219:20:219:21 | s1 | string.cpp:219:7:219:8 | ref arg s4 | TAINT |
+| string.cpp:219:20:219:21 | s1 | string.cpp:219:10:219:15 | call to insert | TAINT |
+| string.cpp:222:7:222:8 | s1 | string.cpp:222:2:222:8 | ... = ... |  |
+| string.cpp:222:7:222:8 | s1 | string.cpp:223:7:223:8 | s5 |  |
+| string.cpp:222:7:222:8 | s1 | string.cpp:224:7:224:8 | s5 |  |
+| string.cpp:223:7:223:8 | ref arg s5 | string.cpp:224:7:224:8 | s5 |  |
+| string.cpp:223:7:223:8 | s5 | string.cpp:223:10:223:15 | call to insert | TAINT |
+| string.cpp:223:20:223:21 | s2 | string.cpp:223:7:223:8 | ref arg s5 | TAINT |
+| string.cpp:223:20:223:21 | s2 | string.cpp:223:10:223:15 | call to insert | TAINT |
+| string.cpp:226:7:226:8 | s1 | string.cpp:226:2:226:8 | ... = ... |  |
+| string.cpp:226:7:226:8 | s1 | string.cpp:227:7:227:8 | s6 |  |
+| string.cpp:226:7:226:8 | s1 | string.cpp:228:7:228:8 | s6 |  |
+| string.cpp:227:7:227:8 | ref arg s6 | string.cpp:228:7:228:8 | s6 |  |
+| string.cpp:227:7:227:8 | s6 | string.cpp:227:10:227:15 | call to insert | TAINT |
+| string.cpp:227:24:227:24 | c | string.cpp:227:7:227:8 | ref arg s6 | TAINT |
+| string.cpp:227:24:227:24 | c | string.cpp:227:10:227:15 | call to insert | TAINT |
+| string.cpp:232:17:232:23 | hello | string.cpp:232:17:232:24 | call to basic_string | TAINT |
+| string.cpp:232:17:232:24 | call to basic_string | string.cpp:237:7:237:8 | s1 |  |
+| string.cpp:232:17:232:24 | call to basic_string | string.cpp:238:24:238:25 | s1 |  |
+| string.cpp:232:17:232:24 | call to basic_string | string.cpp:242:24:242:25 | s1 |  |
+| string.cpp:232:17:232:24 | call to basic_string | string.cpp:245:7:245:8 | s1 |  |
+| string.cpp:232:17:232:24 | call to basic_string | string.cpp:249:7:249:8 | s1 |  |
+| string.cpp:233:17:233:22 | call to source | string.cpp:233:17:233:25 | call to basic_string | TAINT |
+| string.cpp:233:17:233:25 | call to basic_string | string.cpp:241:7:241:8 | s2 |  |
+| string.cpp:233:17:233:25 | call to basic_string | string.cpp:246:24:246:25 | s2 |  |
+| string.cpp:234:11:234:25 | call to source | string.cpp:250:28:250:28 | c |  |
+| string.cpp:237:7:237:8 | s1 | string.cpp:237:2:237:8 | ... = ... |  |
+| string.cpp:237:7:237:8 | s1 | string.cpp:238:7:238:8 | s3 |  |
+| string.cpp:237:7:237:8 | s1 | string.cpp:239:7:239:8 | s3 |  |
+| string.cpp:238:7:238:8 | ref arg s3 | string.cpp:239:7:239:8 | s3 |  |
+| string.cpp:238:7:238:8 | s3 | string.cpp:238:10:238:16 | call to replace | TAINT |
+| string.cpp:238:24:238:25 | s1 | string.cpp:238:7:238:8 | ref arg s3 | TAINT |
+| string.cpp:238:24:238:25 | s1 | string.cpp:238:10:238:16 | call to replace | TAINT |
+| string.cpp:241:7:241:8 | s2 | string.cpp:241:2:241:8 | ... = ... |  |
+| string.cpp:241:7:241:8 | s2 | string.cpp:242:7:242:8 | s4 |  |
+| string.cpp:241:7:241:8 | s2 | string.cpp:243:7:243:8 | s4 |  |
+| string.cpp:242:7:242:8 | ref arg s4 | string.cpp:243:7:243:8 | s4 |  |
+| string.cpp:242:7:242:8 | s4 | string.cpp:242:10:242:16 | call to replace | TAINT |
+| string.cpp:242:24:242:25 | s1 | string.cpp:242:7:242:8 | ref arg s4 | TAINT |
+| string.cpp:242:24:242:25 | s1 | string.cpp:242:10:242:16 | call to replace | TAINT |
+| string.cpp:245:7:245:8 | s1 | string.cpp:245:2:245:8 | ... = ... |  |
+| string.cpp:245:7:245:8 | s1 | string.cpp:246:7:246:8 | s5 |  |
+| string.cpp:245:7:245:8 | s1 | string.cpp:247:7:247:8 | s5 |  |
+| string.cpp:246:7:246:8 | ref arg s5 | string.cpp:247:7:247:8 | s5 |  |
+| string.cpp:246:7:246:8 | s5 | string.cpp:246:10:246:16 | call to replace | TAINT |
+| string.cpp:246:24:246:25 | s2 | string.cpp:246:7:246:8 | ref arg s5 | TAINT |
+| string.cpp:246:24:246:25 | s2 | string.cpp:246:10:246:16 | call to replace | TAINT |
+| string.cpp:249:7:249:8 | s1 | string.cpp:249:2:249:8 | ... = ... |  |
+| string.cpp:249:7:249:8 | s1 | string.cpp:250:7:250:8 | s6 |  |
+| string.cpp:249:7:249:8 | s1 | string.cpp:251:7:251:8 | s6 |  |
+| string.cpp:250:7:250:8 | ref arg s6 | string.cpp:251:7:251:8 | s6 |  |
+| string.cpp:250:7:250:8 | s6 | string.cpp:250:10:250:16 | call to replace | TAINT |
+| string.cpp:250:28:250:28 | c | string.cpp:250:7:250:8 | ref arg s6 | TAINT |
+| string.cpp:250:28:250:28 | c | string.cpp:250:10:250:16 | call to replace | TAINT |
+| string.cpp:255:17:255:20 | {...} | string.cpp:260:10:260:11 | b1 |  |
+| string.cpp:255:17:255:20 | {...} | string.cpp:261:7:261:8 | b1 |  |
+| string.cpp:255:19:255:19 | 0 | string.cpp:255:17:255:20 | {...} | TAINT |
+| string.cpp:256:17:256:20 | {...} | string.cpp:263:10:263:11 | b2 |  |
+| string.cpp:256:17:256:20 | {...} | string.cpp:264:7:264:8 | b2 |  |
+| string.cpp:256:19:256:19 | 0 | string.cpp:256:17:256:20 | {...} | TAINT |
+| string.cpp:257:17:257:23 | hello | string.cpp:257:17:257:24 | call to basic_string | TAINT |
+| string.cpp:257:17:257:24 | call to basic_string | string.cpp:260:2:260:3 | s1 |  |
+| string.cpp:257:17:257:24 | call to basic_string | string.cpp:260:14:260:15 | s1 |  |
+| string.cpp:257:17:257:24 | call to basic_string | string.cpp:263:14:263:15 | s1 |  |
+| string.cpp:258:17:258:22 | call to source | string.cpp:258:17:258:25 | call to basic_string | TAINT |
+| string.cpp:258:17:258:25 | call to basic_string | string.cpp:263:2:263:3 | s2 |  |
+| string.cpp:260:2:260:3 | s1 | string.cpp:260:10:260:11 | ref arg b1 | TAINT |
+| string.cpp:260:10:260:11 | ref arg b1 | string.cpp:261:7:261:8 | b1 |  |
+| string.cpp:263:2:263:3 | s2 | string.cpp:263:10:263:11 | ref arg b2 | TAINT |
+| string.cpp:263:10:263:11 | ref arg b2 | string.cpp:264:7:264:8 | b2 |  |
+| string.cpp:268:17:268:23 | hello | string.cpp:268:17:268:24 | call to basic_string | TAINT |
+| string.cpp:268:17:268:24 | call to basic_string | string.cpp:273:7:273:8 | s1 |  |
+| string.cpp:268:17:268:24 | call to basic_string | string.cpp:278:2:278:3 | s1 |  |
+| string.cpp:268:17:268:24 | call to basic_string | string.cpp:281:7:281:8 | s1 |  |
+| string.cpp:269:17:269:22 | call to source | string.cpp:269:17:269:25 | call to basic_string | TAINT |
+| string.cpp:269:17:269:25 | call to basic_string | string.cpp:274:7:274:8 | s2 |  |
+| string.cpp:269:17:269:25 | call to basic_string | string.cpp:278:10:278:11 | s2 |  |
+| string.cpp:269:17:269:25 | call to basic_string | string.cpp:282:7:282:8 | s2 |  |
+| string.cpp:270:17:270:23 | world | string.cpp:270:17:270:24 | call to basic_string | TAINT |
+| string.cpp:270:17:270:24 | call to basic_string | string.cpp:275:7:275:8 | s3 |  |
+| string.cpp:270:17:270:24 | call to basic_string | string.cpp:279:10:279:11 | s3 |  |
+| string.cpp:270:17:270:24 | call to basic_string | string.cpp:283:7:283:8 | s3 |  |
+| string.cpp:271:17:271:22 | call to source | string.cpp:271:17:271:25 | call to basic_string | TAINT |
+| string.cpp:271:17:271:25 | call to basic_string | string.cpp:276:7:276:8 | s4 |  |
+| string.cpp:271:17:271:25 | call to basic_string | string.cpp:279:2:279:3 | s4 |  |
+| string.cpp:271:17:271:25 | call to basic_string | string.cpp:284:7:284:8 | s4 |  |
+| string.cpp:278:2:278:3 | ref arg s1 | string.cpp:281:7:281:8 | s1 |  |
+| string.cpp:278:2:278:3 | s1 | string.cpp:278:10:278:11 | ref arg s2 | TAINT |
+| string.cpp:278:10:278:11 | ref arg s2 | string.cpp:282:7:282:8 | s2 |  |
+| string.cpp:278:10:278:11 | s2 | string.cpp:278:2:278:3 | ref arg s1 | TAINT |
+| string.cpp:279:2:279:3 | ref arg s4 | string.cpp:284:7:284:8 | s4 |  |
+| string.cpp:279:2:279:3 | s4 | string.cpp:279:10:279:11 | ref arg s3 | TAINT |
+| string.cpp:279:10:279:11 | ref arg s3 | string.cpp:283:7:283:8 | s3 |  |
+| string.cpp:279:10:279:11 | s3 | string.cpp:279:2:279:3 | ref arg s4 | TAINT |
+| string.cpp:288:17:288:22 | call to source | string.cpp:288:17:288:25 | call to basic_string | TAINT |
+| string.cpp:288:17:288:25 | call to basic_string | string.cpp:292:7:292:8 | s1 |  |
+| string.cpp:288:17:288:25 | call to basic_string | string.cpp:296:2:296:3 | s1 |  |
+| string.cpp:288:17:288:25 | call to basic_string | string.cpp:300:7:300:8 | s1 |  |
+| string.cpp:289:17:289:22 | call to source | string.cpp:289:17:289:25 | call to basic_string | TAINT |
+| string.cpp:289:17:289:25 | call to basic_string | string.cpp:293:7:293:8 | s2 |  |
+| string.cpp:290:17:290:22 | call to source | string.cpp:290:17:290:25 | call to basic_string | TAINT |
+| string.cpp:290:17:290:25 | call to basic_string | string.cpp:294:7:294:8 | s3 |  |
+| string.cpp:290:17:290:25 | call to basic_string | string.cpp:298:7:298:8 | s3 |  |
+| string.cpp:296:2:296:3 | ref arg s1 | string.cpp:300:7:300:8 | s1 |  |
+| string.cpp:297:7:297:8 |  | string.cpp:297:7:297:8 | call to basic_string | TAINT |
+| string.cpp:297:7:297:8 | call to basic_string | string.cpp:297:2:297:8 | ... = ... |  |
+| string.cpp:297:7:297:8 | call to basic_string | string.cpp:301:7:301:8 | s2 |  |
+| string.cpp:298:7:298:8 | s3 | string.cpp:298:2:298:8 | ... = ... |  |
+| string.cpp:298:7:298:8 | s3 | string.cpp:302:7:302:8 | s3 |  |
+| string.cpp:307:16:307:20 | 123 | string.cpp:307:16:307:21 | call to basic_string | TAINT |
+| string.cpp:307:16:307:21 | call to basic_string | string.cpp:310:7:310:7 | a |  |
+| string.cpp:307:16:307:21 | call to basic_string | string.cpp:312:7:312:7 | a |  |
+| string.cpp:308:16:308:21 | call to source | string.cpp:308:16:308:24 | call to basic_string | TAINT |
+| string.cpp:308:16:308:24 | call to basic_string | string.cpp:311:7:311:7 | b |  |
+| string.cpp:308:16:308:24 | call to basic_string | string.cpp:313:7:313:7 | b |  |
+| string.cpp:310:7:310:7 | a | string.cpp:310:9:310:12 | call to data | TAINT |
+| string.cpp:310:7:310:7 | ref arg a | string.cpp:312:7:312:7 | a |  |
+| string.cpp:311:7:311:7 | b | string.cpp:311:9:311:12 | call to data | TAINT |
+| string.cpp:311:7:311:7 | ref arg b | string.cpp:313:7:313:7 | b |  |
+| string.cpp:318:16:318:20 | 123 | string.cpp:318:16:318:21 | call to basic_string | TAINT |
+| string.cpp:318:16:318:21 | call to basic_string | string.cpp:321:7:321:7 | a |  |
+| string.cpp:318:16:318:21 | call to basic_string | string.cpp:321:19:321:19 | a |  |
+| string.cpp:319:16:319:21 | call to source | string.cpp:319:16:319:24 | call to basic_string | TAINT |
+| string.cpp:319:16:319:24 | call to basic_string | string.cpp:322:7:322:7 | b |  |
+| string.cpp:319:16:319:24 | call to basic_string | string.cpp:322:19:322:19 | b |  |
+| string.cpp:321:7:321:7 | a | string.cpp:321:9:321:14 | call to substr | TAINT |
+| string.cpp:322:7:322:7 | b | string.cpp:322:9:322:14 | call to substr | TAINT |
 | stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:16:2:16:4 | ss1 |  |
 | stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:22:7:22:9 | ss1 |  |
 | stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:27:7:27:9 | ss1 |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
@ -39,11 +39,14 @@ namespace std
 	class basic_string {
 	public:
 		typedef typename Allocator::size_type size_type;
+		static const size_type npos = -1;

 		explicit basic_string(const Allocator& a = Allocator());
 		basic_string(const charT* s, const Allocator& a = Allocator());

 		const charT* c_str() const;
+		charT* data() noexcept;
+		size_t length() const;

 		typedef std::iterator<random_access_iterator_tag, charT> iterator;
 		typedef std::iterator<random_access_iterator_tag, const charT> const_iterator;
@ -60,6 +63,16 @@ namespace std
 		basic_string& append(const basic_string& str);
 		basic_string& append(const charT* s);
 		basic_string& append(size_type n, charT c);
+		basic_string& assign(const basic_string& str);
+		basic_string& assign(size_type n, charT c);
+		basic_string& insert(size_type pos, const basic_string& str);
+		basic_string& insert(size_type pos, size_type n, charT c);
+		basic_string& replace(size_type pos1, size_type n1, const basic_string& str);
+		basic_string& replace(size_type pos1, size_type n1, size_type n2, charT c);
+		size_type copy(charT* s, size_type n, size_type pos = 0) const;
+		void clear() noexcept;
+		basic_string substr(size_type pos = 0, size_type n = npos) const;
+		void swap(basic_string& s) noexcept/*(allocator_traits<Allocator>::propagate_on_container_swap::value || allocator_traits<Allocator>::is_always_equal::value)*/;
 	};

 	template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const basic_string<charT, traits, Allocator>& rhs);
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
@ -184,3 +184,140 @@ void test_string_append() {
 		sink(s10); // tainted
 	}
 }
+
+void test_string_assign() {
+	std::string s1("hello");
+	std::string s2(source());
+	char c = ns_char::source();
+	std::string s3, s4, s5;
+	std::string s6(source());
+
+	sink(s3.assign(s1));
+	sink(s3);
+
+	sink(s4.assign(s2)); // tainted
+	sink(s4); // tainted
+
+	sink(s5.assign(10, c)); // tainted
+	sink(s5); // tainted
+
+	sink(s6.assign(s1));
+	sink(s6); // [FALSE POSITIVE]
+}
+
+void test_string_insert() {
+	std::string s1("hello");
+	std::string s2(source());
+	char c = ns_char::source();
+	std::string s3, s4, s5, s6;
+
+	s3 = s1;
+	sink(s3.insert(0, s1));
+	sink(s3);
+
+	s4 = s2;
+	sink(s4.insert(0, s1)); // tainted
+	sink(s4); // tainted
+
+	s5 = s1;
+	sink(s5.insert(0, s2)); // tainted
+	sink(s5); // tainted
+
+	s6 = s1;
+	sink(s6.insert(0, 10, c)); // tainted
+	sink(s6); // tainted
+}
+
+void test_string_replace() {
+	std::string s1("hello");
+	std::string s2(source());
+	char c = ns_char::source();
+	std::string s3, s4, s5, s6;
+
+	s3 = s1;
+	sink(s3.replace(1, 2, s1));
+	sink(s3);
+
+	s4 = s2;
+	sink(s4.replace(1, 2, s1)); // tainted
+	sink(s4); // tainted
+
+	s5 = s1;
+	sink(s5.replace(1, 2, s2)); // tainted
+	sink(s5); // tainted
+
+	s6 = s1;
+	sink(s6.replace(1, 2, 10, c)); // tainted
+	sink(s6); // tainted
+}
+
+void test_string_copy() {
+	char b1[1024] = {0};
+	char b2[1024] = {0};
+	std::string s1("hello");
+	std::string s2(source());
+
+	s1.copy(b1, s1.length(), 0);
+	sink(b1);
+
+	s2.copy(b2, s1.length(), 0);
+	sink(b2); // tainted
+}
+
+void test_string_swap() {
+	std::string s1("hello");
+	std::string s2(source());
+	std::string s3("world");
+	std::string s4(source());
+
+	sink(s1);
+	sink(s2); // tainted
+	sink(s3);
+	sink(s4); // tainted
+
+	s1.swap(s2);
+	s4.swap(s3);
+
+	sink(s1); // tainted
+	sink(s2); // [FALSE POSITIVE]
+	sink(s3); // tainted
+	sink(s4); // [FALSE POSITIVE]
+}
+
+void test_string_clear() {
+	std::string s1(source());
+	std::string s2(source());
+	std::string s3(source());
+
+	sink(s1); // tainted
+	sink(s2); // tainted
+	sink(s3); // tainted
+
+	s1.clear();
+	s2 = "";
+	s3 = s3;
+
+	sink(s1); // [FALSE POSITIVE]
+	sink(s2);
+	sink(s3); // tainted
+}
+
+void test_string_data()
+{
+	std::string a("123");
+	std::string b(source());
+
+	sink(a.data());
+	sink(b.data()); // tainted
+	sink(a.length());
+	sink(b.length());
+}
+
+void test_string_substr()
+{
+	std::string a("123");
+	std::string b(source());
+
+	sink(a.substr(0, a.length()));
+	sink(b.substr(0, b.length())); // tainted
+}
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@ -60,6 +60,37 @@
 | string.cpp:171:8:171:9 | s8 | string.cpp:154:18:154:23 | call to source |
 | string.cpp:176:8:176:9 | s9 | string.cpp:174:13:174:18 | call to source |
 | string.cpp:184:8:184:10 | s10 | string.cpp:181:12:181:26 | call to source |
+| string.cpp:198:10:198:15 | call to assign | string.cpp:190:17:190:22 | call to source |
+| string.cpp:199:7:199:8 | s4 | string.cpp:190:17:190:22 | call to source |
+| string.cpp:201:10:201:15 | call to assign | string.cpp:191:11:191:25 | call to source |
+| string.cpp:202:7:202:8 | s5 | string.cpp:191:11:191:25 | call to source |
+| string.cpp:205:7:205:8 | s6 | string.cpp:193:17:193:22 | call to source |
+| string.cpp:219:10:219:15 | call to insert | string.cpp:210:17:210:22 | call to source |
+| string.cpp:220:7:220:8 | s4 | string.cpp:210:17:210:22 | call to source |
+| string.cpp:223:10:223:15 | call to insert | string.cpp:210:17:210:22 | call to source |
+| string.cpp:224:7:224:8 | s5 | string.cpp:210:17:210:22 | call to source |
+| string.cpp:227:10:227:15 | call to insert | string.cpp:211:11:211:25 | call to source |
+| string.cpp:228:7:228:8 | s6 | string.cpp:211:11:211:25 | call to source |
+| string.cpp:242:10:242:16 | call to replace | string.cpp:233:17:233:22 | call to source |
+| string.cpp:243:7:243:8 | s4 | string.cpp:233:17:233:22 | call to source |
+| string.cpp:246:10:246:16 | call to replace | string.cpp:233:17:233:22 | call to source |
+| string.cpp:247:7:247:8 | s5 | string.cpp:233:17:233:22 | call to source |
+| string.cpp:250:10:250:16 | call to replace | string.cpp:234:11:234:25 | call to source |
+| string.cpp:251:7:251:8 | s6 | string.cpp:234:11:234:25 | call to source |
+| string.cpp:264:7:264:8 | b2 | string.cpp:258:17:258:22 | call to source |
+| string.cpp:274:7:274:8 | s2 | string.cpp:269:17:269:22 | call to source |
+| string.cpp:276:7:276:8 | s4 | string.cpp:271:17:271:22 | call to source |
+| string.cpp:281:7:281:8 | s1 | string.cpp:269:17:269:22 | call to source |
+| string.cpp:282:7:282:8 | s2 | string.cpp:269:17:269:22 | call to source |
+| string.cpp:283:7:283:8 | s3 | string.cpp:271:17:271:22 | call to source |
+| string.cpp:284:7:284:8 | s4 | string.cpp:271:17:271:22 | call to source |
+| string.cpp:292:7:292:8 | s1 | string.cpp:288:17:288:22 | call to source |
+| string.cpp:293:7:293:8 | s2 | string.cpp:289:17:289:22 | call to source |
+| string.cpp:294:7:294:8 | s3 | string.cpp:290:17:290:22 | call to source |
+| string.cpp:300:7:300:8 | s1 | string.cpp:288:17:288:22 | call to source |
+| string.cpp:302:7:302:8 | s3 | string.cpp:290:17:290:22 | call to source |
+| string.cpp:311:9:311:12 | call to data | string.cpp:308:16:308:21 | call to source |
+| string.cpp:322:9:322:14 | call to substr | string.cpp:319:16:319:21 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@ -57,6 +57,37 @@
 | string.cpp:171:8:171:9 | string.cpp:154:18:154:23 | AST only |
 | string.cpp:176:8:176:9 | string.cpp:174:13:174:18 | AST only |
 | string.cpp:184:8:184:10 | string.cpp:181:12:181:26 | AST only |
+| string.cpp:198:10:198:15 | string.cpp:190:17:190:22 | AST only |
+| string.cpp:199:7:199:8 | string.cpp:190:17:190:22 | AST only |
+| string.cpp:201:10:201:15 | string.cpp:191:11:191:25 | AST only |
+| string.cpp:202:7:202:8 | string.cpp:191:11:191:25 | AST only |
+| string.cpp:205:7:205:8 | string.cpp:193:17:193:22 | AST only |
+| string.cpp:219:10:219:15 | string.cpp:210:17:210:22 | AST only |
+| string.cpp:220:7:220:8 | string.cpp:210:17:210:22 | AST only |
+| string.cpp:223:10:223:15 | string.cpp:210:17:210:22 | AST only |
+| string.cpp:224:7:224:8 | string.cpp:210:17:210:22 | AST only |
+| string.cpp:227:10:227:15 | string.cpp:211:11:211:25 | AST only |
+| string.cpp:228:7:228:8 | string.cpp:211:11:211:25 | AST only |
+| string.cpp:242:10:242:16 | string.cpp:233:17:233:22 | AST only |
+| string.cpp:243:7:243:8 | string.cpp:233:17:233:22 | AST only |
+| string.cpp:246:10:246:16 | string.cpp:233:17:233:22 | AST only |
+| string.cpp:247:7:247:8 | string.cpp:233:17:233:22 | AST only |
+| string.cpp:250:10:250:16 | string.cpp:234:11:234:25 | AST only |
+| string.cpp:251:7:251:8 | string.cpp:234:11:234:25 | AST only |
+| string.cpp:264:7:264:8 | string.cpp:258:17:258:22 | AST only |
+| string.cpp:274:7:274:8 | string.cpp:269:17:269:22 | AST only |
+| string.cpp:276:7:276:8 | string.cpp:271:17:271:22 | AST only |
+| string.cpp:281:7:281:8 | string.cpp:269:17:269:22 | AST only |
+| string.cpp:282:7:282:8 | string.cpp:269:17:269:22 | AST only |
+| string.cpp:283:7:283:8 | string.cpp:271:17:271:22 | AST only |
+| string.cpp:284:7:284:8 | string.cpp:271:17:271:22 | AST only |
+| string.cpp:292:7:292:8 | string.cpp:288:17:288:22 | AST only |
+| string.cpp:293:7:293:8 | string.cpp:289:17:289:22 | AST only |
+| string.cpp:294:7:294:8 | string.cpp:290:17:290:22 | AST only |
+| string.cpp:300:7:300:8 | string.cpp:288:17:288:22 | AST only |
+| string.cpp:302:7:302:8 | string.cpp:290:17:290:22 | AST only |
+| string.cpp:311:9:311:12 | string.cpp:308:16:308:21 | AST only |
+| string.cpp:322:9:322:14 | string.cpp:319:16:319:21 | AST only |
 | structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |
 | structlikeclass.cpp:36:8:36:9 | structlikeclass.cpp:30:24:30:29 | AST only |
 | structlikeclass.cpp:37:8:37:9 | structlikeclass.cpp:29:22:29:27 | AST only |
--- a/cpp/ql/test/library-tests/ir/ssa/ssa.cpp
+++ b/cpp/ql/test/library-tests/ir/ssa/ssa.cpp
@ -291,7 +291,7 @@ struct A {
 Point *NewAliasing(int x) {
  Point* p = new Point;
  Point* q = new Point;
-  int j = new A(new A(x))->i;
+  int j = (new A(new A(x)))->i;
  A* a = new A;
  return p;
 }
@ -310,4 +310,4 @@ class ThisAliasTest {
  void setX(int arg) {
    this->x = arg;
  }
-};
+};
--- a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected
+++ b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected
@ -98,7 +98,7 @@
 | test.c:150:25:150:26 | x3 | -2147483648 |
 | test.c:150:30:150:31 | c0 | -128 |
 | test.c:150:35:150:36 | s0 | 0 |
-| test.c:154:11:154:11 | x | -9223372036854776000 |
+| test.c:154:11:154:11 | x | -9223372036854775808 |
 | test.c:154:20:154:20 | x | 1 |
 | test.c:154:30:154:30 | x | 1 |
 | test.c:154:35:154:35 | x | 1 |
@ -492,7 +492,7 @@
 | test.c:478:3:478:4 | xy | 0 |
 | test.c:478:8:478:8 | x | 274177 |
 | test.c:478:12:478:12 | y | 67280421310721 |
-| test.c:479:10:479:11 | xy | 18446744073709552000 |
+| test.c:479:10:479:11 | xy | 18446744073709551616 |
 | test.c:483:7:483:8 | ui | 0 |
 | test.c:484:43:484:44 | ui | 10 |
 | test.c:484:48:484:49 | ui | 10 |
--- a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c
+++ b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c
@ -476,13 +476,13 @@ unsigned long mult_overflow() {
  x = 274177UL;
  y = 67280421310721UL;
  xy = x * y;
-  return xy; // BUG: lower bound should be <= 18446744073709551617UL
+  return xy; // BUG: upper bound should be >= 18446744073709551617UL
 }

 unsigned long mult_lower_bound(unsigned int ui, unsigned long ul) {
  if (ui >= 10) {
    unsigned long result = (unsigned long)ui * ui;
-    return result; // BUG: upper bound should be >= 18446744065119617025 (possibly a pretty-printing bug)
+    return result; // BUG: upper bound should be >= 18446744065119617025
  }
  if (ul >= 10) {
    unsigned long result = ul * ul;
--- a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected
+++ b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected
@ -73,10 +73,10 @@
 | test.c:105:5:105:5 | c | 127 |
 | test.c:106:9:106:9 | c | 127 |
 | test.c:109:9:109:9 | c | 127 |
-| test.c:119:10:119:10 | n | 18446744073709552000 |
-| test.c:124:11:124:15 | Start | 18446744073709552000 |
-| test.c:127:6:127:10 | Start | 18446744073709552000 |
-| test.c:127:15:127:20 | Length | 18446744073709552000 |
+| test.c:119:10:119:10 | n | 18446744073709551616 |
+| test.c:124:11:124:15 | Start | 18446744073709551616 |
+| test.c:127:6:127:10 | Start | 18446744073709551616 |
+| test.c:127:15:127:20 | Length | 18446744073709551616 |
 | test.c:135:22:135:22 | c | 127 |
 | test.c:137:20:137:20 | x | 0 |
 | test.c:138:11:138:11 | i | 2147483647 |
@ -98,9 +98,9 @@
 | test.c:150:25:150:26 | x3 | 2147483647 |
 | test.c:150:30:150:31 | c0 | 127 |
 | test.c:150:35:150:36 | s0 | 65535 |
-| test.c:154:11:154:11 | x | 9223372036854776000 |
-| test.c:154:20:154:20 | x | 9223372036854776000 |
-| test.c:154:30:154:30 | x | 9223372036854776000 |
+| test.c:154:11:154:11 | x | 9223372036854775808 |
+| test.c:154:20:154:20 | x | 9223372036854775808 |
+| test.c:154:30:154:30 | x | 9223372036854775808 |
 | test.c:154:35:154:35 | x | 2147483647 |
 | test.c:161:12:161:12 | a | 2147483647 |
 | test.c:161:17:161:17 | a | 2147483647 |
@ -481,26 +481,26 @@
 | test.c:461:5:461:9 | total | 506 |
 | test.c:461:14:461:14 | r | 253 |
 | test.c:464:10:464:14 | total | 759 |
-| test.c:469:3:469:3 | x | 18446744073709552000 |
-| test.c:469:7:469:7 | y | 18446744073709552000 |
-| test.c:470:3:470:4 | xy | 18446744073709552000 |
+| test.c:469:3:469:3 | x | 18446744073709551616 |
+| test.c:469:7:469:7 | y | 18446744073709551616 |
+| test.c:470:3:470:4 | xy | 18446744073709551616 |
 | test.c:470:8:470:8 | x | 1000000003 |
 | test.c:470:12:470:12 | y | 1000000003 |
 | test.c:471:10:471:11 | xy | 1000000006000000000 |
-| test.c:476:3:476:3 | x | 18446744073709552000 |
-| test.c:477:3:477:3 | y | 18446744073709552000 |
-| test.c:478:3:478:4 | xy | 18446744073709552000 |
+| test.c:476:3:476:3 | x | 18446744073709551616 |
+| test.c:477:3:477:3 | y | 18446744073709551616 |
+| test.c:478:3:478:4 | xy | 18446744073709551616 |
 | test.c:478:8:478:8 | x | 274177 |
 | test.c:478:12:478:12 | y | 67280421310721 |
-| test.c:479:10:479:11 | xy | 18446744073709552000 |
+| test.c:479:10:479:11 | xy | 18446744073709551616 |
 | test.c:483:7:483:8 | ui | 4294967295 |
 | test.c:484:43:484:44 | ui | 4294967295 |
 | test.c:484:48:484:49 | ui | 4294967295 |
-| test.c:485:12:485:17 | result | 18446744065119617000 |
-| test.c:487:7:487:8 | ul | 18446744073709552000 |
-| test.c:488:28:488:29 | ul | 18446744073709552000 |
-| test.c:488:33:488:34 | ul | 18446744073709552000 |
-| test.c:489:12:489:17 | result | 18446744073709552000 |
+| test.c:485:12:485:17 | result | 18446744065119617024 |
+| test.c:487:7:487:8 | ul | 18446744073709551616 |
+| test.c:488:28:488:29 | ul | 18446744073709551616 |
+| test.c:488:33:488:34 | ul | 18446744073709551616 |
+| test.c:489:12:489:17 | result | 18446744073709551616 |
 | test.c:495:7:495:8 | ui | 4294967295 |
 | test.c:495:19:495:20 | ui | 10 |
 | test.c:496:5:496:6 | ui | 10 |
--- a/Bugs/Arithmetic/PointlessComparison/PointlessComparison.expected
+++ b/Bugs/Arithmetic/PointlessComparison/PointlessComparison.expected
@ -43,8 +43,8 @@
 | PointlessComparison.c:383:6:383:17 | ... >= ... | Comparison is always false because ... & ... <= 2. |
 | PointlessComparison.c:388:10:388:21 | ... > ... | Comparison is always false because ... * ... <= 408. |
 | PointlessComparison.c:391:12:391:20 | ... < ... | Comparison is always false because ... * ... >= 6. |
-| PointlessComparison.c:414:7:414:16 | ... == ... | Comparison is always false because ... * ... >= 18446744073709552000. |
-| PointlessComparison.cpp:36:6:36:33 | ... >= ... | Comparison is always false because ... >> ... <= 9223372036854776000. |
+| PointlessComparison.c:414:7:414:16 | ... == ... | Comparison is always false because ... * ... >= 18446744073709551616. |
+| PointlessComparison.cpp:36:6:36:33 | ... >= ... | Comparison is always false because ... >> ... <= 9223372036854775808. |
 | PointlessComparison.cpp:41:6:41:29 | ... >= ... | Comparison is always false because ... >> ... <= 140737488355327.5. |
 | PointlessComparison.cpp:42:6:42:29 | ... >= ... | Comparison is always false because ... >> ... <= 140737488355327.5. |
 | PointlessComparison.cpp:43:6:43:29 | ... >= ... | Comparison is always true because ... >> ... >= 140737488355327.5. |
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@ -2354,7 +2354,7 @@ private predicate viableConstantBooleanParamArg(
  )
 }

-int accessPathLimit() { result = 3 }
+int accessPathLimit() { result = 5 }

 /**
 * Holds if `n` does not require a `PostUpdateNode` as it either cannot be
--- a/docs/ql-libraries/dataflow/dataflow.md
+++ b/docs/ql-libraries/dataflow/dataflow.md
@ -98,6 +98,10 @@ Recommendations:
  also work, but the upside of `use-use` steps is that sources defined in terms
  of variable reads just work out of the box. It also makes certain
  barrier-implementations simpler.
+* A predicate `DataFlowCallable Node::getEnclosingCallable()` is required, and in
+  order to ensure appropriate join-orders, it is important that the QL compiler knows
+  that this predicate is functional. It can therefore be necessary to enclose the body
+  of this predicate in a `unique` aggregate.

 The shared library does not use `localFlowStep` nor `localFlow` but users of
 `DataFlow.qll` may expect the existence of `DataFlow::localFlowStep` and
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@ -78,15 +78,19 @@ class Node extends TNode {
    result = this.(ImplicitPostUpdateNode).getPreUpdateNode().getType()
  }

-  /** Gets the callable in which this node occurs. */
-  Callable getEnclosingCallable() {
+  private Callable getEnclosingCallableImpl() {
    result = this.asExpr().getEnclosingCallable() or
    result = this.asParameter().getCallable() or
    result = this.(ImplicitVarargsArray).getCall().getEnclosingCallable() or
    result = this.(InstanceParameterNode).getCallable() or
    result = this.(ImplicitInstanceAccess).getInstanceAccess().getEnclosingCallable() or
    result = this.(MallocNode).getClassInstanceExpr().getEnclosingCallable() or
-    result = this.(ImplicitPostUpdateNode).getPreUpdateNode().getEnclosingCallable()
+    result = this.(ImplicitPostUpdateNode).getPreUpdateNode().getEnclosingCallableImpl()
+  }
+
+  /** Gets the callable in which this node occurs. */
+  Callable getEnclosingCallable() {
+    result = unique(DataFlowCallable c | c = this.getEnclosingCallableImpl() | c)
  }

  private Type getImprovedTypeBound() {
--- a/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java
@ -669,7 +669,9 @@ public class ASTExtractor {
    public Label visit(Program nd, Context c) {
      contextManager.enterContainer(toplevelLabel);

-      isStrict = hasUseStrict(nd.getBody());
+      boolean prevIsStrict = isStrict;
+
+      isStrict = isStrict || hasUseStrict(nd.getBody());

      // Add platform-specific globals.
      scopeManager.addVariables(platform.getPredefinedGlobals());
@ -715,6 +717,8 @@ public class ASTExtractor {

      emitNodeSymbol(nd, toplevelLabel);

+      isStrict = prevIsStrict;
+
      return toplevelLabel;
    }

--- a/javascript/extractor/src/com/semmle/js/extractor/Main.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/Main.java
@ -43,7 +43,7 @@ public class Main {
   * A version identifier that should be updated every time the extractor changes in such a way that
   * it may produce different tuples for the same file under the same {@link ExtractorConfig}.
   */
-  public static final String EXTRACTOR_VERSION = "2020-04-01";
+  public static final String EXTRACTOR_VERSION = "2020-08-18";

  public static final Pattern NEWLINE = Pattern.compile("\n");

--- a/javascript/extractor/tests/ts/output/trap/decorators.ts.trap
+++ b/javascript/extractor/tests/ts/output/trap/decorators.ts.trap
@ -311,10 +311,10 @@ scopenodes(#20001,#20112)
 scopenesting(#20112,#20000)
 isModule(#20001)
 isES2015Module(#20001)
-#20113=@"var;{fun};{#20112}"
-variables(#20113,"fun",#20112)
-#20114=@"var;{Class};{#20112}"
-variables(#20114,"Class",#20112)
+#20113=@"var;{Class};{#20112}"
+variables(#20113,"Class",#20112)
+#20114=@"var;{fun};{#20112}"
+variables(#20114,"fun",#20112)
 #20115=@"var;{Class2};{#20112}"
 variables(#20115,"Class2",#20112)
 #20116=@"local_type_name;{Class};{#20112}"
@ -347,7 +347,7 @@ hasLocation(#20123,#20037)
 enclosingStmt(#20123,#20118)
 exprContainers(#20123,#20001)
 literals("Class","Class",#20123)
-decl(#20123,#20114)
+decl(#20123,#20113)
 typedecl(#20123,#20116)
 #20124=*
 scopes(#20124,10)
@ -499,7 +499,7 @@ exprs(#20161,78,#20159,-1,"fun")
 hasLocation(#20161,#20086)
 exprContainers(#20161,#20159)
 literals("fun","fun",#20161)
-decl(#20161,#20113)
+decl(#20161,#20114)
 #20162=*
 scopes(#20162,1)
 scopenodes(#20159,#20162)
--- a/javascript/extractor/tests/ts/output/trap/export.ts.trap
+++ b/javascript/extractor/tests/ts/output/trap/export.ts.trap
@ -155,12 +155,12 @@ scopenodes(#20001,#20055)
 scopenesting(#20055,#20000)
 isModule(#20001)
 isES2015Module(#20001)
-#20056=@"var;{f};{#20055}"
-variables(#20056,"f",#20055)
-#20057=@"var;{foo};{#20055}"
-variables(#20057,"foo",#20055)
-#20058=@"var;{C};{#20055}"
-variables(#20058,"C",#20055)
+#20056=@"var;{foo};{#20055}"
+variables(#20056,"foo",#20055)
+#20057=@"var;{C};{#20055}"
+variables(#20057,"C",#20055)
+#20058=@"var;{f};{#20055}"
+variables(#20058,"f",#20055)
 #20059=@"local_type_name;{C};{#20055}"
 local_type_names(#20059,"C",#20055)
 #20060=*
@ -186,7 +186,7 @@ hasLocation(#20065,#20017)
 enclosingStmt(#20065,#20061)
 exprContainers(#20065,#20001)
 literals("foo","foo",#20065)
-decl(#20065,#20057)
+decl(#20065,#20056)
 #20066=*
 exprs(#20066,3,#20063,1,"42")
 hasLocation(#20066,#20021)
@ -209,7 +209,7 @@ hasLocation(#20070,#20029)
 enclosingStmt(#20070,#20068)
 exprContainers(#20070,#20001)
 literals("C","C",#20070)
-decl(#20070,#20058)
+decl(#20070,#20057)
 typedecl(#20070,#20059)
 #20071=*
 scopes(#20071,10)
@ -260,7 +260,7 @@ exprs(#20083,78,#20081,-1,"f")
 hasLocation(#20083,#20041)
 exprContainers(#20083,#20081)
 literals("f","f",#20083)
-decl(#20083,#20056)
+decl(#20083,#20058)
 #20084=*
 scopes(#20084,1)
 scopenodes(#20081,#20084)
--- a/javascript/ql/test/library-tests/CallGraphs/FullTest/non-strict.js
+++ b/javascript/ql/test/library-tests/CallGraphs/FullTest/non-strict.js
@ -0,0 +1,8 @@
+(function () {
+  if (true) {
+    function foo() {
+      return 3;
+    }
+  }
+  return foo(); // this resolves to `foo` above, because we have function-scope in non-strict mode.
+})();
--- a/javascript/ql/test/library-tests/CallGraphs/FullTest/strict.js
+++ b/javascript/ql/test/library-tests/CallGraphs/FullTest/strict.js
@ -0,0 +1,10 @@
+(function () {
+  if (true) {
+    function foo() {
+      return 3;
+    }
+  }
+  return foo(); // `foo` is not defined, because we are in strict-mode.
+})();
+
+export default 3; // strict-mode implied because ES2015 module.
--- a/javascript/ql/test/library-tests/CallGraphs/FullTest/strict2.js
+++ b/javascript/ql/test/library-tests/CallGraphs/FullTest/strict2.js
@ -0,0 +1,12 @@
+"use strict";
+(function () {
+  "use strict";
+  if (true) {
+    function foo() {
+      return 3;
+    }
+  }
+  return foo(); // `foo` is not defined, because we are in strict-mode.
+})();
+
+export default 3; // strict-mode implied because ES2015 module.
--- a/javascript/ql/test/library-tests/CallGraphs/FullTest/tests.expected
+++ b/javascript/ql/test/library-tests/CallGraphs/FullTest/tests.expected
@ -90,6 +90,11 @@ test_getAFunctionValue
 | m.js:3:1:3:16 | module.exports.f | m.js:1:13:1:25 | function() {} |
 | n.js:2:1:2:3 | m.f | m.js:1:13:1:25 | function() {} |
 | n.js:5:1:5:4 | m2.f | m2.js:2:6:2:18 | function() {} |
+| non-strict.js:1:1:8:2 | (functi ... ode.\\n}) | non-strict.js:1:2:8:1 | functio ... mode.\\n} |
+| non-strict.js:1:2:8:1 | functio ... mode.\\n} | non-strict.js:1:2:8:1 | functio ... mode.\\n} |
+| non-strict.js:3:5:5:5 | functio ... ;\\n    } | non-strict.js:3:5:5:5 | functio ... ;\\n    } |
+| non-strict.js:3:14:3:16 | foo | non-strict.js:3:5:5:5 | functio ... ;\\n    } |
+| non-strict.js:7:10:7:12 | foo | non-strict.js:3:5:5:5 | functio ... ;\\n    } |
 | protoclass.js:3:1:5:1 | functio ... it();\\n} | protoclass.js:3:1:5:1 | functio ... it();\\n} |
 | protoclass.js:3:10:3:10 | F | protoclass.js:3:1:5:1 | functio ... it();\\n} |
 | protoclass.js:4:3:4:11 | this.init | protoclass.js:7:20:11:1 | functio ...  m();\\n} |
@ -110,6 +115,12 @@ test_getAFunctionValue
 | reflection.js:7:1:7:3 | add | reflection.js:1:1:3:1 | functio ...  x+y;\\n} |
 | reflection.js:8:1:8:3 | add | reflection.js:1:1:3:1 | functio ...  x+y;\\n} |
 | reflection.js:8:1:8:9 | add.apply | reflection.js:5:15:5:39 | functio ... n 56; } |
+| strict2.js:2:1:10:2 | (functi ... ode.\\n}) | strict2.js:2:2:10:1 | functio ... mode.\\n} |
+| strict2.js:2:2:10:1 | functio ... mode.\\n} | strict2.js:2:2:10:1 | functio ... mode.\\n} |
+| strict2.js:5:5:7:5 | functio ... ;\\n    } | strict2.js:5:5:7:5 | functio ... ;\\n    } |
+| strict.js:1:1:8:2 | (functi ... ode.\\n}) | strict.js:1:2:8:1 | functio ... mode.\\n} |
+| strict.js:1:2:8:1 | functio ... mode.\\n} | strict.js:1:2:8:1 | functio ... mode.\\n} |
+| strict.js:3:5:5:5 | functio ... ;\\n    } | strict.js:3:5:5:5 | functio ... ;\\n    } |
 | tst3.js:1:1:1:22 | functio ... fn() {} | tst3.js:1:1:1:22 | functio ... fn() {} |
 | tst3.js:2:1:2:23 | functio ... n2() {} | tst3.js:2:1:2:23 | functio ... n2() {} |
 | tst.js:1:1:1:15 | function f() {} | tst.js:1:1:1:15 | function f() {} |
@ -225,6 +236,8 @@ test_getNumArgument
 | n.js:2:1:2:5 | m.f() | 0 |
 | n.js:4:10:4:24 | require('./m2') | 1 |
 | n.js:5:1:5:6 | m2.f() | 0 |
+| non-strict.js:1:1:8:4 | (functi ... e.\\n})() | 0 |
+| non-strict.js:7:10:7:14 | foo() | 0 |
 | protoclass.js:4:3:4:13 | this.init() | 0 |
 | protoclass.js:8:3:8:15 | this.method() | 0 |
 | protoclass.js:9:11:9:32 | this.me ... d(this) | 1 |
@ -233,6 +246,10 @@ test_getNumArgument
 | reflection.js:7:1:7:22 | add.cal ... 23, 19) | 3 |
 | reflection.js:7:1:7:22 | reflective call | 2 |
 | reflection.js:8:1:8:25 | add.app ... 3, 19]) | 2 |
+| strict2.js:2:1:10:4 | (functi ... e.\\n})() | 0 |
+| strict2.js:9:10:9:14 | foo() | 0 |
+| strict.js:1:1:8:4 | (functi ... e.\\n})() | 0 |
+| strict.js:7:10:7:14 | foo() | 0 |
 | tst.js:6:1:6:3 | f() | 0 |
 | tst.js:7:1:7:3 | g() | 0 |
 | tst.js:8:1:8:3 | h() | 0 |
@ -321,6 +338,8 @@ test_getCalleeNode
 | n.js:2:1:2:5 | m.f() | n.js:2:1:2:3 | m.f |
 | n.js:4:10:4:24 | require('./m2') | n.js:4:10:4:16 | require |
 | n.js:5:1:5:6 | m2.f() | n.js:5:1:5:4 | m2.f |
+| non-strict.js:1:1:8:4 | (functi ... e.\\n})() | non-strict.js:1:1:8:2 | (functi ... ode.\\n}) |
+| non-strict.js:7:10:7:14 | foo() | non-strict.js:7:10:7:12 | foo |
 | protoclass.js:4:3:4:13 | this.init() | protoclass.js:4:3:4:11 | this.init |
 | protoclass.js:8:3:8:15 | this.method() | protoclass.js:8:3:8:13 | this.method |
 | protoclass.js:9:11:9:32 | this.me ... d(this) | protoclass.js:9:11:9:26 | this.method.bind |
@ -330,6 +349,10 @@ test_getCalleeNode
 | reflection.js:7:1:7:22 | reflective call | reflection.js:7:1:7:3 | add |
 | reflection.js:8:1:8:25 | add.app ... 3, 19]) | reflection.js:8:1:8:9 | add.apply |
 | reflection.js:8:1:8:25 | reflective call | reflection.js:8:1:8:3 | add |
+| strict2.js:2:1:10:4 | (functi ... e.\\n})() | strict2.js:2:1:10:2 | (functi ... ode.\\n}) |
+| strict2.js:9:10:9:14 | foo() | strict2.js:9:10:9:12 | foo |
+| strict.js:1:1:8:4 | (functi ... e.\\n})() | strict.js:1:1:8:2 | (functi ... ode.\\n}) |
+| strict.js:7:10:7:14 | foo() | strict.js:7:10:7:12 | foo |
 | tst.js:6:1:6:3 | f() | tst.js:6:1:6:1 | f |
 | tst.js:7:1:7:3 | g() | tst.js:7:1:7:1 | g |
 | tst.js:8:1:8:3 | h() | tst.js:8:1:8:1 | h |
@ -408,11 +431,15 @@ test_getACallee
 | m.js:3:1:3:18 | module.exports.f() | m.js:1:13:1:25 | function() {} |
 | n.js:2:1:2:5 | m.f() | m.js:1:13:1:25 | function() {} |
 | n.js:5:1:5:6 | m2.f() | m2.js:2:6:2:18 | function() {} |
+| non-strict.js:1:1:8:4 | (functi ... e.\\n})() | non-strict.js:1:2:8:1 | functio ... mode.\\n} |
+| non-strict.js:7:10:7:14 | foo() | non-strict.js:3:5:5:5 | functio ... ;\\n    } |
 | protoclass.js:4:3:4:13 | this.init() | protoclass.js:7:20:11:1 | functio ...  m();\\n} |
 | protoclass.js:8:3:8:15 | this.method() | protoclass.js:13:22:13:34 | function() {} |
 | reflection.js:7:1:7:22 | reflective call | reflection.js:1:1:3:1 | functio ...  x+y;\\n} |
 | reflection.js:8:1:8:25 | add.app ... 3, 19]) | reflection.js:5:15:5:39 | functio ... n 56; } |
 | reflection.js:8:1:8:25 | reflective call | reflection.js:1:1:3:1 | functio ...  x+y;\\n} |
+| strict2.js:2:1:10:4 | (functi ... e.\\n})() | strict2.js:2:2:10:1 | functio ... mode.\\n} |
+| strict.js:1:1:8:4 | (functi ... e.\\n})() | strict.js:1:2:8:1 | functio ... mode.\\n} |
 | tst.js:6:1:6:3 | f() | tst.js:1:1:1:15 | function f() {} |
 | tst.js:7:1:7:3 | g() | tst.js:2:9:2:21 | function() {} |
 | tst.js:8:1:8:3 | h() | tst.js:3:5:3:17 | function() {} |
@ -463,6 +490,7 @@ test_getCalleeName
 | n.js:2:1:2:5 | m.f() | f |
 | n.js:4:10:4:24 | require('./m2') | require |
 | n.js:5:1:5:6 | m2.f() | f |
+| non-strict.js:7:10:7:14 | foo() | foo |
 | protoclass.js:4:3:4:13 | this.init() | init |
 | protoclass.js:8:3:8:15 | this.method() | method |
 | protoclass.js:9:11:9:32 | this.me ... d(this) | bind |
@ -470,6 +498,8 @@ test_getCalleeName
 | reflection.js:4:5:4:12 | sneaky() | sneaky |
 | reflection.js:7:1:7:22 | add.cal ... 23, 19) | call |
 | reflection.js:8:1:8:25 | add.app ... 3, 19]) | apply |
+| strict2.js:9:10:9:14 | foo() | foo |
+| strict.js:7:10:7:14 | foo() | foo |
 | tst.js:6:1:6:3 | f() | f |
 | tst.js:7:1:7:3 | g() | g |
 | tst.js:8:1:8:3 | h() | h |