From 2235c19593986e096f45eba2369b98d09bf906c3 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 26 Aug 2020 13:14:27 +0100 Subject: [PATCH 01/13] C++: Add test cases for 'assign' and extra cases for 'data'. --- .../dataflow/taint-tests/localTaint.expected | 127 ++++++++++++++++++ .../library-tests/dataflow/taint-tests/stl.h | 2 + .../dataflow/taint-tests/string.cpp | 9 ++ .../dataflow/taint-tests/taint.expected | 2 + .../dataflow/taint-tests/test_diff.expected | 2 + .../dataflow/taint-tests/vector.cpp | 55 +++++++- 6 files changed, 194 insertions(+), 3 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index df455e9bdaa5..2f5179c15edf 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
@@ -717,6 +717,19 @@ | string.cpp:337:9:337:9 | a | string.cpp:337:10:337:10 | call to operator[] | TAINT | | string.cpp:337:9:337:9 | ref arg a | string.cpp:339:7:339:7 | a | | | string.cpp:337:10:337:10 | call to operator[] | string.cpp:337:2:337:12 | ... = ... | | +| string.cpp:346:18:346:22 | 123 | string.cpp:346:18:346:23 | call to basic_string | TAINT | +| string.cpp:346:18:346:23 | call to basic_string | string.cpp:348:2:348:4 | str | | +| string.cpp:346:18:346:23 | call to basic_string | string.cpp:349:7:349:9 | str | | +| string.cpp:346:18:346:23 | call to basic_string | string.cpp:350:7:350:9 | str | | +| string.cpp:348:2:348:4 | ref arg str | string.cpp:349:7:349:9 | str | | +| string.cpp:348:2:348:4 | ref arg str | string.cpp:350:7:350:9 | str | | +| string.cpp:348:2:348:4 | str | string.cpp:348:6:348:9 | call to data | TAINT | +| string.cpp:348:2:348:14 | access to array [post update] | string.cpp:348:6:348:9 | call to data [inner post update] | | +| string.cpp:348:2:348:34 | ... = ... | string.cpp:348:2:348:14 | access to array [post update] | | +| string.cpp:348:6:348:9 | call to data | string.cpp:348:2:348:14 | access to array | TAINT | +| string.cpp:348:13:348:13 | 1 | string.cpp:348:2:348:14 | access to array | TAINT | +| string.cpp:348:18:348:32 | call to source | string.cpp:348:2:348:34 | ... = ... | | +| string.cpp:350:7:350:9 | str | string.cpp:350:11:350:14 | call to data | TAINT | | stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:16:2:16:4 | ss1 | | | stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:22:7:22:9 | ss1 | | | stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:27:7:27:9 | ss1 | | 
@@ -2209,3 +2222,117 @@ | vector.cpp:212:8:212:9 | ref arg ff | vector.cpp:213:2:213:2 | ff | | | vector.cpp:212:10:212:10 | call to operator[] [post update] | vector.cpp:212:8:212:9 | ref arg ff | TAINT | | vector.cpp:212:14:212:15 | vs | vector.cpp:212:16:212:16 | call to operator[] | TAINT | +| vector.cpp:219:19:219:20 | call to vector | vector.cpp:221:2:221:3 | v1 | | +| vector.cpp:219:19:219:20 | call to vector | vector.cpp:225:7:225:8 | v1 | | +| vector.cpp:219:19:219:20 | call to vector | vector.cpp:233:13:233:14 | v1 | | +| vector.cpp:219:19:219:20 | call to vector | vector.cpp:233:25:233:26 | v1 | | +| vector.cpp:219:19:219:20 | call to vector | vector.cpp:247:1:247:1 | v1 | | +| vector.cpp:219:23:219:24 | call to vector | vector.cpp:222:2:222:3 | v2 | | +| vector.cpp:219:23:219:24 | call to vector | vector.cpp:226:7:226:8 | v2 | | +| vector.cpp:219:23:219:24 | call to vector | vector.cpp:247:1:247:1 | v2 | | +| vector.cpp:219:27:219:28 | call to vector | vector.cpp:223:2:223:3 | v3 | | +| vector.cpp:219:27:219:28 | call to vector | vector.cpp:227:7:227:8 | v3 | | +| vector.cpp:219:27:219:28 | call to vector | vector.cpp:234:13:234:14 | v3 | | +| vector.cpp:219:27:219:28 | call to vector | vector.cpp:234:25:234:26 | v3 | | +| vector.cpp:219:27:219:28 | call to vector | vector.cpp:235:8:235:9 | v3 | | +| vector.cpp:219:27:219:28 | call to vector | vector.cpp:247:1:247:1 | v3 | | +| vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:225:7:225:8 | v1 | | +| vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:233:13:233:14 | v1 | | +| vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:233:25:233:26 | v1 | | +| vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:247:1:247:1 | v1 | | +| vector.cpp:222:2:222:3 | ref arg v2 | vector.cpp:226:7:226:8 | v2 | | +| vector.cpp:222:2:222:3 | ref arg v2 | vector.cpp:247:1:247:1 | v2 | | +| vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:227:7:227:8 | v3 | | +| vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:234:13:234:14 | v3 | | 
+| vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:234:25:234:26 | v3 | | +| vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:235:8:235:9 | v3 | | +| vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:247:1:247:1 | v3 | | +| vector.cpp:223:15:223:20 | call to source | vector.cpp:223:2:223:3 | ref arg v3 | TAINT | +| vector.cpp:225:7:225:8 | ref arg v1 | vector.cpp:233:13:233:14 | v1 | | +| vector.cpp:225:7:225:8 | ref arg v1 | vector.cpp:233:25:233:26 | v1 | | +| vector.cpp:225:7:225:8 | ref arg v1 | vector.cpp:247:1:247:1 | v1 | | +| vector.cpp:226:7:226:8 | ref arg v2 | vector.cpp:247:1:247:1 | v2 | | +| vector.cpp:227:7:227:8 | ref arg v3 | vector.cpp:234:13:234:14 | v3 | | +| vector.cpp:227:7:227:8 | ref arg v3 | vector.cpp:234:25:234:26 | v3 | | +| vector.cpp:227:7:227:8 | ref arg v3 | vector.cpp:235:8:235:9 | v3 | | +| vector.cpp:227:7:227:8 | ref arg v3 | vector.cpp:247:1:247:1 | v3 | | +| vector.cpp:230:20:230:21 | call to vector | vector.cpp:233:3:233:4 | v4 | | +| vector.cpp:230:20:230:21 | call to vector | vector.cpp:241:8:241:9 | v4 | | +| vector.cpp:230:20:230:21 | call to vector | vector.cpp:246:2:246:2 | v4 | | +| vector.cpp:230:24:230:25 | call to vector | vector.cpp:234:3:234:4 | v5 | | +| vector.cpp:230:24:230:25 | call to vector | vector.cpp:242:8:242:9 | v5 | | +| vector.cpp:230:24:230:25 | call to vector | vector.cpp:246:2:246:2 | v5 | | +| vector.cpp:230:28:230:29 | call to vector | vector.cpp:239:3:239:4 | v6 | | +| vector.cpp:230:28:230:29 | call to vector | vector.cpp:245:8:245:9 | v6 | | +| vector.cpp:230:28:230:29 | call to vector | vector.cpp:246:2:246:2 | v6 | | +| vector.cpp:233:3:233:4 | ref arg v4 | vector.cpp:241:8:241:9 | v4 | | +| vector.cpp:233:3:233:4 | ref arg v4 | vector.cpp:246:2:246:2 | v4 | | +| vector.cpp:233:13:233:14 | ref arg v1 | vector.cpp:233:25:233:26 | v1 | | +| vector.cpp:233:13:233:14 | ref arg v1 | vector.cpp:247:1:247:1 | v1 | | +| vector.cpp:233:25:233:26 | ref arg v1 | vector.cpp:247:1:247:1 | v1 | | +| 
vector.cpp:234:3:234:4 | ref arg v5 | vector.cpp:242:8:242:9 | v5 | | +| vector.cpp:234:3:234:4 | ref arg v5 | vector.cpp:246:2:246:2 | v5 | | +| vector.cpp:234:13:234:14 | ref arg v3 | vector.cpp:234:25:234:26 | v3 | | +| vector.cpp:234:13:234:14 | ref arg v3 | vector.cpp:235:8:235:9 | v3 | | +| vector.cpp:234:13:234:14 | ref arg v3 | vector.cpp:247:1:247:1 | v3 | | +| vector.cpp:234:25:234:26 | ref arg v3 | vector.cpp:235:8:235:9 | v3 | | +| vector.cpp:234:25:234:26 | ref arg v3 | vector.cpp:247:1:247:1 | v3 | | +| vector.cpp:235:8:235:9 | ref arg v3 | vector.cpp:247:1:247:1 | v3 | | +| vector.cpp:235:11:235:15 | call to begin | vector.cpp:235:3:235:17 | ... = ... | | +| vector.cpp:235:11:235:15 | call to begin | vector.cpp:236:3:236:4 | i1 | | +| vector.cpp:235:11:235:15 | call to begin | vector.cpp:237:8:237:9 | i1 | | +| vector.cpp:235:11:235:15 | call to begin | vector.cpp:239:13:239:14 | i1 | | +| vector.cpp:235:11:235:15 | call to begin | vector.cpp:243:8:243:9 | i1 | | +| vector.cpp:236:3:236:4 | ref arg i1 | vector.cpp:237:8:237:9 | i1 | | +| vector.cpp:236:3:236:4 | ref arg i1 | vector.cpp:239:13:239:14 | i1 | | +| vector.cpp:236:3:236:4 | ref arg i1 | vector.cpp:243:8:243:9 | i1 | | +| vector.cpp:237:8:237:9 | i1 | vector.cpp:237:3:237:9 | ... = ... 
| | +| vector.cpp:237:8:237:9 | i1 | vector.cpp:238:3:238:4 | i2 | | +| vector.cpp:237:8:237:9 | i1 | vector.cpp:239:17:239:18 | i2 | | +| vector.cpp:237:8:237:9 | i1 | vector.cpp:244:8:244:9 | i2 | | +| vector.cpp:238:3:238:4 | ref arg i2 | vector.cpp:239:17:239:18 | i2 | | +| vector.cpp:238:3:238:4 | ref arg i2 | vector.cpp:244:8:244:9 | i2 | | +| vector.cpp:239:3:239:4 | ref arg v6 | vector.cpp:245:8:245:9 | v6 | | +| vector.cpp:239:3:239:4 | ref arg v6 | vector.cpp:246:2:246:2 | v6 | | +| vector.cpp:241:8:241:9 | ref arg v4 | vector.cpp:246:2:246:2 | v4 | | +| vector.cpp:242:8:242:9 | ref arg v5 | vector.cpp:246:2:246:2 | v5 | | +| vector.cpp:245:8:245:9 | ref arg v6 | vector.cpp:246:2:246:2 | v6 | | +| vector.cpp:252:19:252:20 | call to vector | vector.cpp:254:2:254:3 | v1 | | +| vector.cpp:252:19:252:20 | call to vector | vector.cpp:255:7:255:8 | v1 | | +| vector.cpp:252:19:252:20 | call to vector | vector.cpp:256:7:256:8 | v1 | | +| vector.cpp:252:19:252:20 | call to vector | vector.cpp:257:7:257:8 | v1 | | +| vector.cpp:252:19:252:20 | call to vector | vector.cpp:263:1:263:1 | v1 | | +| vector.cpp:252:23:252:24 | call to vector | vector.cpp:259:4:259:5 | v2 | | +| vector.cpp:252:23:252:24 | call to vector | vector.cpp:260:7:260:8 | v2 | | +| vector.cpp:252:23:252:24 | call to vector | vector.cpp:261:7:261:8 | v2 | | +| vector.cpp:252:23:252:24 | call to vector | vector.cpp:262:7:262:8 | v2 | | +| vector.cpp:252:23:252:24 | call to vector | vector.cpp:263:1:263:1 | v2 | | +| vector.cpp:254:2:254:3 | ref arg v1 | vector.cpp:255:7:255:8 | v1 | | +| vector.cpp:254:2:254:3 | ref arg v1 | vector.cpp:256:7:256:8 | v1 | | +| vector.cpp:254:2:254:3 | ref arg v1 | vector.cpp:257:7:257:8 | v1 | | +| vector.cpp:254:2:254:3 | ref arg v1 | vector.cpp:263:1:263:1 | v1 | | +| vector.cpp:254:15:254:20 | call to source | vector.cpp:254:2:254:3 | ref arg v1 | TAINT | +| vector.cpp:255:7:255:8 | ref arg v1 | vector.cpp:256:7:256:8 | v1 | | +| vector.cpp:255:7:255:8 | ref arg 
v1 | vector.cpp:257:7:257:8 | v1 | | +| vector.cpp:255:7:255:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 | | +| vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:257:7:257:8 | v1 | | +| vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 | | +| vector.cpp:257:7:257:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 | | +| vector.cpp:257:10:257:13 | call to data | vector.cpp:257:7:257:18 | access to array | TAINT | +| vector.cpp:257:17:257:17 | 2 | vector.cpp:257:7:257:18 | access to array | TAINT | +| vector.cpp:259:2:259:13 | * ... [post update] | vector.cpp:259:7:259:10 | call to data [inner post update] | | +| vector.cpp:259:2:259:32 | ... = ... | vector.cpp:259:2:259:13 | * ... [post update] | | +| vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:260:7:260:8 | v2 | | +| vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:261:7:261:8 | v2 | | +| vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:262:7:262:8 | v2 | | +| vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | +| vector.cpp:259:7:259:10 | call to data | vector.cpp:259:2:259:13 | * ... | TAINT | +| vector.cpp:259:17:259:30 | call to source | vector.cpp:259:2:259:32 | ... = ... | | +| vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:261:7:261:8 | v2 | | +| vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:262:7:262:8 | v2 | | +| vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | +| vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:262:7:262:8 | v2 | | +| vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | +| vector.cpp:262:7:262:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | +| vector.cpp:262:10:262:13 | call to data | vector.cpp:262:7:262:18 | access to array | TAINT | +| vector.cpp:262:17:262:17 | 2 | vector.cpp:262:7:262:18 | access to array | TAINT | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h index 46ac50fca8a3..77df0e91f99e 100644 
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h @@ -142,6 +142,8 @@ namespace std { vector& operator=(const vector& x); vector& operator=(vector&& x) noexcept/*(allocator_traits::propagate_on_container_move_assignment::value || allocator_traits::is_always_equal::value)*/; + template void assign(InputIterator first, InputIterator last); + void assign(size_type n, const T& u); iterator begin() noexcept; const_iterator begin() const noexcept; diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp index 8485479ad60f..b36d6f366914 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp @@ -340,3 +340,12 @@ void test_string_at() sink(b); // tainted sink(c); // tainted } + +void test_string_data_more() +{ + std::string str("123"); + + str.data()[1] = ns_char::source(); + sink(str); // tainted [NOT DETECTED] + sink(str.data()); // tainted [NOT DETECTED] +} diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected index 86201c0be98e..f96997714eca 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected @@ -237,3 +237,5 @@ | vector.cpp:171:13:171:13 | call to operator[] | vector.cpp:170:14:170:19 | call to source | | vector.cpp:180:13:180:13 | call to operator[] | vector.cpp:179:14:179:19 | call to source | | vector.cpp:201:13:201:13 | call to operator[] | vector.cpp:200:14:200:19 | call to source | +| vector.cpp:227:7:227:8 | v3 | vector.cpp:223:15:223:20 | call to source | +| vector.cpp:255:7:255:8 | v1 | vector.cpp:254:15:254:20 | call to source | 
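Review bot: The write `str.data()[1] = ns_char::source();` in `test_string_data_more` only type-checks if the `basic_string` stub declares the non-const `CharT* data()` overload that C++17 added; the diffstat shows stl.h gaining only the two `vector::assign` declarations, so either the stub already has it or the extractor is tolerating an ill-formed assignment through `const char*`, which I cannot tell from here. It is worth confirming, because a write through a pointer to const is not the write-through-`data()` case the function is named for. A comment on that line would make the dependency explicit: `// requires the C++17 non-const data() overload in stl.h`.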
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected index 33da9c346946..f61eeb6adf12 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected @@ -173,3 +173,5 @@ | vector.cpp:171:13:171:13 | vector.cpp:170:14:170:19 | AST only | | vector.cpp:180:13:180:13 | vector.cpp:179:14:179:19 | AST only | | vector.cpp:201:13:201:13 | vector.cpp:200:14:200:19 | AST only | +| vector.cpp:227:7:227:8 | vector.cpp:223:15:223:20 | AST only | +| vector.cpp:255:7:255:8 | vector.cpp:254:15:254:20 | AST only | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp index e6b0a9059671..e271839aadd9 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp @@ -5,9 +5,9 @@ using namespace std; int source(); -namespace ns_char +namespace ns_int { - char source(); + int source(); } void sink(int); @@ -87,7 +87,7 @@ void test_element_taint(int x) { { const std::vector &v8c = v8; std::vector::const_iterator it = v8c.begin(); - v8.insert(it, 10, ns_char::source()); + v8.insert(it, 10, ns_int::source()); } sink(v8); // tainted [NOT DETECTED] sink(v8.front()); // tainted [NOT DETECTED] 
@@ -212,3 +212,52 @@ void test_nested_vectors() sink(ff[0].vs[0]); // tainted [NOT DETECTED] } } + +void sink(std::vector::iterator &); + +void test_vector_assign() { + std::vector v1, v2, v3; + + v1.assign(100, 0); + v2.assign(100, ns_int::source()); + v3.push_back(source()); + + sink(v1); + sink(v2); // tainted [NOT DETECTED] + sink(v3); // tainted + + { + std::vector v4, v5, v6; + std::vector::iterator i1, i2; + + v4.assign(v1.begin(), v1.end()); + v5.assign(v3.begin(), v3.end()); + i1 = v3.begin(); + i1++; + i2 = i1; + i2++; + v6.assign(i1, i2); + + sink(v4); + sink(v5); // tainted [NOT DETECTED] + sink(i1); // tainted [NOT DETECTED] + sink(i2); // tainted [NOT DETECTED] + sink(v6); // tainted [NOT DETECTED] + } +} + +void sink(int *); + +void test_data_more() { + std::vector v1, v2; + + v1.push_back(source()); + sink(v1); // tainted + sink(v1.data()); // tainted [NOT DETECTED] + sink(v1.data()[2]); // tainted [NOT DETECTED] + + *(v2.data()) = ns_int::source(); + sink(v2); // tainted [NOT DETECTED] + sink(v2.data()); // tainted [NOT DETECTED] + sink(v2.data()[2]); // tainted [NOT DETECTED] +} From 6ae96baaf6940e7f02697febf505ffe3e5552a75 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 26 Aug 2020 14:48:10 +0100 Subject: [PATCH 02/13] C++: Model std::vector::data. --- .../cpp/models/implementations/StdContainer.qll | 13 +++++++++++++ .../dataflow/taint-tests/localTaint.expected | 7 +++++++ .../dataflow/taint-tests/taint.expected | 2 ++ .../dataflow/taint-tests/test_diff.expected | 2 ++ .../library-tests/dataflow/taint-tests/vector.cpp | 4 ++-- 5 files changed, 26 insertions(+), 2 deletions(-) diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll index 5325f411a0c8..23669894b2e5 100644 --- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll 
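Review bot: Several of the new fixture statements are out of range for the containers they touch: `sink(v1.data()[2])` after a single `push_back`, `*(v2.data()) = ns_int::source()` on an empty `v2`, and the `i1++`/`i2++` walk past the one element of `v3` in `test_vector_assign`. That is harmless if, as I assume for this taint-test directory, the files are only extracted and never executed, but a reader checking the expectations may take them for bugs. A one-line comment at the top of each new function, `// (indices are arbitrary: this test is extracted, not run)`, would settle it; the same pattern already exists at line 74 (`v6.data()[2]`) in `test_element_taint`.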
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll @@ -33,6 +33,19 @@ class StdSequenceContainerConstructor extends Constructor, TaintFunction { } } +/** + * The standard container function `data`. + */ +class StdSequenceContainerData extends TaintFunction { + StdSequenceContainerData() { this.hasQualifiedName("std", ["array", "vector"], "data") } + + override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { + // flow from container itself (qualifier) to return value + input.isQualifierObject() and + output.isReturnValueDeref() + } +} + /** * The standard container functions `push_back` and `push_front`. */ diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 2f5179c15edf..94499bf7df33 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected @@ -1864,6 +1864,7 @@ | vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:75:7:75:8 | v6 | | | vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:76:7:76:8 | v6 | | | vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:101:1:101:1 | v6 | | +| vector.cpp:74:2:74:3 | v6 | vector.cpp:74:5:74:8 | call to data | TAINT | | vector.cpp:74:2:74:13 | access to array [post update] | vector.cpp:74:5:74:8 | call to data [inner post update] | | | vector.cpp:74:2:74:24 | ... = ... | vector.cpp:74:2:74:13 | access to array [post update] | | | vector.cpp:74:5:74:8 | call to data | vector.cpp:74:2:74:13 | access to array | TAINT | 
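Review bot: The QLDoc on `StdSequenceContainerData` is broader than its characteristic predicate: the comment says "The standard container function `data`" while `hasQualifiedName("std", ["array", "vector"], "data")` matches only `std::array` and `std::vector`, and `std::basic_string::data` is not covered by this class. Naming the scope in the doc saves the next reader a trip to the predicate, e.g. "The standard container function `data` (modeled for `std::array` and `std::vector`)." It would also help to say in the `hasTaintFlow` comment that `isReturnValueDeref` taints the buffer the returned pointer addresses rather than the pointer value itself, since that distinction is easy to get wrong for pointer-returning members.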
@@ -1872,6 +1873,7 @@ | vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:76:7:76:8 | v6 | | | vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:101:1:101:1 | v6 | | | vector.cpp:76:7:76:8 | ref arg v6 | vector.cpp:101:1:101:1 | v6 | | +| vector.cpp:76:7:76:8 | v6 | vector.cpp:76:10:76:13 | call to data | TAINT | | vector.cpp:76:10:76:13 | call to data | vector.cpp:76:7:76:18 | access to array | TAINT | | vector.cpp:76:17:76:17 | 2 | vector.cpp:76:7:76:18 | access to array | TAINT | | vector.cpp:79:33:79:34 | v7 | vector.cpp:80:41:80:43 | v7c | | @@ -2317,7 +2319,9 @@ | vector.cpp:255:7:255:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 | | | vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:257:7:257:8 | v1 | | | vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 | | +| vector.cpp:256:7:256:8 | v1 | vector.cpp:256:10:256:13 | call to data | TAINT | | vector.cpp:257:7:257:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 | | +| vector.cpp:257:7:257:8 | v1 | vector.cpp:257:10:257:13 | call to data | TAINT | | vector.cpp:257:10:257:13 | call to data | vector.cpp:257:7:257:18 | access to array | TAINT | | vector.cpp:257:17:257:17 | 2 | vector.cpp:257:7:257:18 | access to array | TAINT | | vector.cpp:259:2:259:13 | * ... [post update] | vector.cpp:259:7:259:10 | call to data [inner post update] | | @@ -2326,6 +2330,7 @@ | vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:261:7:261:8 | v2 | | | vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:262:7:262:8 | v2 | | | vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | +| vector.cpp:259:4:259:5 | v2 | vector.cpp:259:7:259:10 | call to data | TAINT | | vector.cpp:259:7:259:10 | call to data | vector.cpp:259:2:259:13 | * ... | TAINT | | vector.cpp:259:17:259:30 | call to source | vector.cpp:259:2:259:32 | ... = ... | | | vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:261:7:261:8 | v2 | | 
@@ -2333,6 +2338,8 @@ | vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | | vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:262:7:262:8 | v2 | | | vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | +| vector.cpp:261:7:261:8 | v2 | vector.cpp:261:10:261:13 | call to data | TAINT | | vector.cpp:262:7:262:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | +| vector.cpp:262:7:262:8 | v2 | vector.cpp:262:10:262:13 | call to data | TAINT | | vector.cpp:262:10:262:13 | call to data | vector.cpp:262:7:262:18 | access to array | TAINT | | vector.cpp:262:17:262:17 | 2 | vector.cpp:262:7:262:18 | access to array | TAINT | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected index f96997714eca..6d25dd432808 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected @@ -239,3 +239,5 @@ | vector.cpp:201:13:201:13 | call to operator[] | vector.cpp:200:14:200:19 | call to source | | vector.cpp:227:7:227:8 | v3 | vector.cpp:223:15:223:20 | call to source | | vector.cpp:255:7:255:8 | v1 | vector.cpp:254:15:254:20 | call to source | +| vector.cpp:256:10:256:13 | call to data | vector.cpp:254:15:254:20 | call to source | +| vector.cpp:257:7:257:18 | access to array | vector.cpp:254:15:254:20 | call to source | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected index f61eeb6adf12..3f7ad1936720 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected 
@@ -175,3 +175,5 @@ | vector.cpp:201:13:201:13 | vector.cpp:200:14:200:19 | AST only | | vector.cpp:227:7:227:8 | vector.cpp:223:15:223:20 | AST only | | vector.cpp:255:7:255:8 | vector.cpp:254:15:254:20 | AST only | +| vector.cpp:256:10:256:13 | vector.cpp:254:15:254:20 | AST only | +| vector.cpp:257:7:257:18 | vector.cpp:254:15:254:20 | AST only | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp index e271839aadd9..990d360f60d7 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp @@ -253,8 +253,8 @@ void test_data_more() { v1.push_back(source()); sink(v1); // tainted - sink(v1.data()); // tainted [NOT DETECTED] - sink(v1.data()[2]); // tainted [NOT DETECTED] + sink(v1.data()); // tainted + sink(v1.data()[2]); // tainted *(v2.data()) = ns_int::source(); sink(v2); // tainted [NOT DETECTED] From fbff44ea45ee2910cd7cc3637e8ecf0515bcbb8a Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 26 Aug 2020 15:37:11 +0100 Subject: [PATCH 03/13] C++: Add reverse taint as well. --- .../code/cpp/models/implementations/StdContainer.qll | 5 +++++ .../dataflow/taint-tests/localTaint.expected | 4 ++++ .../library-tests/dataflow/taint-tests/taint.expected | 5 +++++ .../dataflow/taint-tests/test_diff.expected | 5 +++++ .../test/library-tests/dataflow/taint-tests/vector.cpp | 10 +++++----- 5 files changed, 24 insertions(+), 5 deletions(-) diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll index 23669894b2e5..b5ce32c3a4f9 100644 --- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll +++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll 
@@ -43,6 +43,11 @@ class StdSequenceContainerData extends TaintFunction { // flow from container itself (qualifier) to return value input.isQualifierObject() and output.isReturnValueDeref() + or + // reverse flow from returned reference to the qualifier (for writes to + // `data`) + input.isReturnValueDeref() and + output.isQualifierObject() } } diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 94499bf7df33..184eb126f2c6 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected @@ -1868,6 +1868,7 @@ | vector.cpp:74:2:74:13 | access to array [post update] | vector.cpp:74:5:74:8 | call to data [inner post update] | | | vector.cpp:74:2:74:24 | ... = ... | vector.cpp:74:2:74:13 | access to array [post update] | | | vector.cpp:74:5:74:8 | call to data | vector.cpp:74:2:74:13 | access to array | TAINT | +| vector.cpp:74:5:74:8 | call to data [inner post update] | vector.cpp:74:2:74:3 | ref arg v6 | TAINT | | vector.cpp:74:12:74:12 | 2 | vector.cpp:74:2:74:13 | access to array | TAINT | | vector.cpp:74:17:74:22 | call to source | vector.cpp:74:2:74:24 | ... = ... | | | vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:76:7:76:8 | v6 | | @@ -2320,6 +2321,7 @@ | vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:257:7:257:8 | v1 | | | vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 | | | vector.cpp:256:7:256:8 | v1 | vector.cpp:256:10:256:13 | call to data | TAINT | +| vector.cpp:256:10:256:13 | ref arg call to data | vector.cpp:256:7:256:8 | ref arg v1 | TAINT | | vector.cpp:257:7:257:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 | | | vector.cpp:257:7:257:8 | v1 | vector.cpp:257:10:257:13 | call to data | TAINT | | vector.cpp:257:10:257:13 | call to data | vector.cpp:257:7:257:18 | access to array | TAINT | 
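Review bot: The new comment speaks of a "returned reference", but `data` returns a pointer; what `input.isReturnValueDeref()` captures is the buffer that pointer addresses, and the comment should say so to match the predicate: `// reverse flow from the buffer behind the returned pointer to the qualifier (for writes through data())`. The same wording is reused verbatim in `StdStringData` in StdString.qll later in this series, so both copies want the same adjustment. Note that this models any write through the pointer as tainting the whole container, the usual coarse-grained taint approximation, which is what turns the `v6.data()[2] = source(); sink(v6)` expectation in vector.cpp from "NOT DETECTED" to detected.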
@@ -2332,6 +2334,7 @@ | vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | | vector.cpp:259:4:259:5 | v2 | vector.cpp:259:7:259:10 | call to data | TAINT | | vector.cpp:259:7:259:10 | call to data | vector.cpp:259:2:259:13 | * ... | TAINT | +| vector.cpp:259:7:259:10 | call to data [inner post update] | vector.cpp:259:4:259:5 | ref arg v2 | TAINT | | vector.cpp:259:17:259:30 | call to source | vector.cpp:259:2:259:32 | ... = ... | | | vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:261:7:261:8 | v2 | | | vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:262:7:262:8 | v2 | | @@ -2339,6 +2342,7 @@ | vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:262:7:262:8 | v2 | | | vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | | vector.cpp:261:7:261:8 | v2 | vector.cpp:261:10:261:13 | call to data | TAINT | +| vector.cpp:261:10:261:13 | ref arg call to data | vector.cpp:261:7:261:8 | ref arg v2 | TAINT | | vector.cpp:262:7:262:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | | vector.cpp:262:7:262:8 | v2 | vector.cpp:262:10:262:13 | call to data | TAINT | | vector.cpp:262:10:262:13 | call to data | vector.cpp:262:7:262:18 | access to array | TAINT | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected index 6d25dd432808..4f1ad1659806 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected 
@@ -218,6 +218,8 @@ | vector.cpp:70:7:70:8 | v5 | vector.cpp:69:15:69:20 | call to source | | vector.cpp:71:10:71:14 | call to front | vector.cpp:69:15:69:20 | call to source | | vector.cpp:72:10:72:13 | call to back | vector.cpp:69:15:69:20 | call to source | +| vector.cpp:75:7:75:8 | v6 | vector.cpp:74:17:74:22 | call to source | +| vector.cpp:76:7:76:18 | access to array | vector.cpp:74:17:74:22 | call to source | | vector.cpp:97:7:97:8 | v9 | vector.cpp:96:13:96:18 | call to source | | vector.cpp:98:10:98:11 | call to at | vector.cpp:96:13:96:18 | call to source | | vector.cpp:99:10:99:11 | call to at | vector.cpp:96:13:96:18 | call to source | @@ -241,3 +243,6 @@ | vector.cpp:255:7:255:8 | v1 | vector.cpp:254:15:254:20 | call to source | | vector.cpp:256:10:256:13 | call to data | vector.cpp:254:15:254:20 | call to source | | vector.cpp:257:7:257:18 | access to array | vector.cpp:254:15:254:20 | call to source | +| vector.cpp:260:7:260:8 | v2 | vector.cpp:259:17:259:30 | call to source | +| vector.cpp:261:10:261:13 | call to data | vector.cpp:259:17:259:30 | call to source | +| vector.cpp:262:7:262:18 | access to array | vector.cpp:259:17:259:30 | call to source | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected index 3f7ad1936720..a612bbfabd80 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected 
@@ -153,6 +153,8 @@ | vector.cpp:70:7:70:8 | vector.cpp:69:15:69:20 | AST only | | vector.cpp:71:10:71:14 | vector.cpp:69:15:69:20 | AST only | | vector.cpp:72:10:72:13 | vector.cpp:69:15:69:20 | AST only | +| vector.cpp:75:7:75:8 | vector.cpp:74:17:74:22 | AST only | +| vector.cpp:76:7:76:18 | vector.cpp:74:17:74:22 | AST only | | vector.cpp:97:7:97:8 | vector.cpp:96:13:96:18 | AST only | | vector.cpp:98:10:98:11 | vector.cpp:96:13:96:18 | AST only | | vector.cpp:99:10:99:11 | vector.cpp:96:13:96:18 | AST only | @@ -177,3 +179,6 @@ | vector.cpp:255:7:255:8 | vector.cpp:254:15:254:20 | AST only | | vector.cpp:256:10:256:13 | vector.cpp:254:15:254:20 | AST only | | vector.cpp:257:7:257:18 | vector.cpp:254:15:254:20 | AST only | +| vector.cpp:260:7:260:8 | vector.cpp:259:17:259:30 | AST only | +| vector.cpp:261:10:261:13 | vector.cpp:259:17:259:30 | AST only | +| vector.cpp:262:7:262:18 | vector.cpp:259:17:259:30 | AST only | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp index 990d360f60d7..b1b65062294f 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp @@ -72,8 +72,8 @@ void test_element_taint(int x) { sink(v5.back()); // tainted v6.data()[2] = source(); - sink(v6); // tainted [NOT DETECTED] - sink(v6.data()[2]); // tainted [NOT DETECTED] + sink(v6); // tainted + sink(v6.data()[2]); // tainted { const std::vector &v7c = v7; // (workaround because our iterators don't convert to const_iterator) @@ -257,7 +257,7 @@ void test_data_more() { sink(v1.data()[2]); // tainted *(v2.data()) = ns_int::source(); - sink(v2); // tainted [NOT DETECTED] - sink(v2.data()); // tainted [NOT DETECTED] - sink(v2.data()[2]); // tainted [NOT DETECTED] + sink(v2); // tainted + sink(v2.data()); // tainted + sink(v2.data()[2]); // tainted } From fbac4ce44f5313bd3341837a048f2d36d7524b64 Mon Sep 17 00:00:00 2001 
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 26 Aug 2020 18:10:15 +0100 Subject: [PATCH 04/13] C++: Split StdStringCStr and allow reverse flow on data. --- .../cpp/models/implementations/StdString.qll | 22 +++++++++++++++++-- .../dataflow/taint-tests/localTaint.expected | 1 + .../dataflow/taint-tests/string.cpp | 4 ++-- .../dataflow/taint-tests/taint.expected | 2 ++ .../dataflow/taint-tests/test_diff.expected | 2 ++ 5 files changed, 27 insertions(+), 4 deletions(-) diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll index 5261285cf3c7..880b7db981ba 100644 --- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll +++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll @@ -8,10 +8,10 @@ class StdBasicString extends TemplateClass { } /** - * The `std::string` functions `c_str` and `data`. + * The `std::string` function `c_str`. */ class StdStringCStr extends TaintFunction { - StdStringCStr() { this.hasQualifiedName("std", "basic_string", ["c_str", "data"]) } + StdStringCStr() { this.hasQualifiedName("std", "basic_string", "c_str") } override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { // flow from string itself (qualifier) to return value @@ -20,6 +20,24 @@ class StdStringCStr extends TaintFunction { } } +/** + * The `std::string` function `data`. + */ +class StdStringData extends TaintFunction { + StdStringData() { this.hasQualifiedName("std", "basic_string", "data") } + + override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { + // flow from string itself (qualifier) to return value + input.isQualifierObject() and + output.isReturnValue() + or + // reverse flow from returned reference to the qualifier (for writes to + // `data`) + input.isReturnValueDeref() and + output.isQualifierObject() + } +} + /** * The `std::string` function `operator+`. */ 
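Review bot: `StdStringCStr` is left with forward flow only while `StdStringData` gains the reverse edge, and nothing in the code says why; since `c_str()` returns a pointer to const, a write through it is ill-formed and reverse flow would be meaningless, which is exactly the why-comment the split needs. I would add inside `StdStringCStr::hasTaintFlow`: `// no reverse flow: c_str() returns a pointer to const, so callers cannot write through it`. Without it the asymmetry between two otherwise near-identical classes reads like an omission rather than a decision.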
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 184eb126f2c6..d3382de9ea3e 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected @@ -727,6 +727,7 @@ | string.cpp:348:2:348:14 | access to array [post update] | string.cpp:348:6:348:9 | call to data [inner post update] | | | string.cpp:348:2:348:34 | ... = ... | string.cpp:348:2:348:14 | access to array [post update] | | | string.cpp:348:6:348:9 | call to data | string.cpp:348:2:348:14 | access to array | TAINT | +| string.cpp:348:6:348:9 | call to data [inner post update] | string.cpp:348:2:348:4 | ref arg str | TAINT | | string.cpp:348:13:348:13 | 1 | string.cpp:348:2:348:14 | access to array | TAINT | | string.cpp:348:18:348:32 | call to source | string.cpp:348:2:348:34 | ... = ... | | | string.cpp:350:7:350:9 | str | string.cpp:350:11:350:14 | call to data | TAINT | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp index b36d6f366914..118a4bcd1a92 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp @@ -346,6 +346,6 @@ void test_string_data_more() std::string str("123"); str.data()[1] = ns_char::source(); - sink(str); // tainted [NOT DETECTED] - sink(str.data()); // tainted [NOT DETECTED] + sink(str); // tainted + sink(str.data()); // tainted } diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected index 4f1ad1659806..60f25289d070 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected 
@@ -94,6 +94,8 @@
 | string.cpp:339:7:339:7 | a | string.cpp:335:9:335:23 | call to source |
 | string.cpp:340:7:340:7 | b | string.cpp:336:12:336:26 | call to source |
 | string.cpp:341:7:341:7 | c | string.cpp:335:9:335:23 | call to source |
+| string.cpp:349:7:349:9 | str | string.cpp:348:18:348:32 | call to source |
+| string.cpp:350:11:350:14 | call to data | string.cpp:348:18:348:32 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
index a612bbfabd80..b39d64ea90eb 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -91,6 +91,8 @@
 | string.cpp:339:7:339:7 | string.cpp:335:9:335:23 | AST only |
 | string.cpp:340:7:340:7 | string.cpp:336:12:336:26 | AST only |
 | string.cpp:341:7:341:7 | string.cpp:335:9:335:23 | AST only |
+| string.cpp:349:7:349:9 | string.cpp:348:18:348:32 | AST only |
+| string.cpp:350:11:350:14 | string.cpp:348:18:348:32 | AST only |
 | structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |
 | structlikeclass.cpp:36:8:36:9 | structlikeclass.cpp:30:24:30:29 | AST only |
 | structlikeclass.cpp:37:8:37:9 | structlikeclass.cpp:29:22:29:27 | AST only |
From 0952fb9777da98702093b6c915f418ea58bb92e7 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 26 Aug 2020 18:32:46 +0100
Subject: [PATCH 05/13] C++: Minor correction in one of the string models.

---
 .../src/semmle/code/cpp/models/implementations/StdString.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
index 880b7db981ba..7ed73e59a211 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -16,7 +16,7 @@ class StdStringCStr extends TaintFunction {
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 // flow from string itself (qualifier) to return value
 input.isQualifierObject() and
- output.isReturnValue()
+ output.isReturnValueDeref()
 }
 }
 
@@ -29,7 +29,7 @@ class StdStringData extends TaintFunction {
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 // flow from string itself (qualifier) to return value
 input.isQualifierObject() and
- output.isReturnValue()
+ output.isReturnValueDeref()
 or
 // reverse flow from returned reference to the qualifier (for writes to
 // `data`)
From 111da4c35203f170f20e60c5f8030c7f79fc08f8 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 26 Aug 2020 18:42:24 +0100
Subject: [PATCH 06/13] C++: Add a model of std::vector::assign.

---
 .../models/implementations/StdContainer.qll | 26 +++++++++++++++++++
 .../dataflow/taint-tests/localTaint.expected | 4 +++
 .../dataflow/taint-tests/taint.expected | 1 +
 .../dataflow/taint-tests/test_diff.expected | 1 +
 .../dataflow/taint-tests/vector.cpp | 2 +-
 5 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
index b5ce32c3a4f9..bee2ab4974c9 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
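Review bot: The comment `// flow from string itself (qualifier) to return value` kept above both changed lines now describes the edge this patch removes; with `output.isReturnValueDeref()` the taint lands on the characters the returned pointer points to, not on the pointer value. Suggest `// flow from the string itself (qualifier) to the buffer the returned pointer points to` in both `StdStringCStr` and `StdStringData`, and a commit message more specific than "minor correction" (for instance that `sink(str.c_str())` reads through the pointer, so the dereference is where the taint has to be). The class headers of both hunks lie outside the hunks, and the second hunk ends before `StdStringData.hasTaintFlow` closes.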
@@ -88,6 +88,32 @@ class StdSequenceContainerFrontBack extends TaintFunction {
 }
 }
 
+/**
+ * The standard container function `assign`.
+ */
+class StdSequenceContainerAssign extends TaintFunction {
+ StdSequenceContainerAssign() {
+ this.hasQualifiedName("std", ["vector", "deque", "list", "forward_list"], "assign")
+ }
+
+ /**
+ * Gets the index of a parameter to this function that is a reference to the
+ * value type of the container.
+ */
+ int getAValueTypeParameterIndex() {
+ getParameter(result).getUnspecifiedType() = getDeclaringType().getTemplateArgument(0) // i.e. the `T` of this `std::vector`
+ or
+ getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+ getDeclaringType().getTemplateArgument(0)
+ }
+
+ override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+ // flow from parameter to string itself (qualifier) and return value
+ input.isParameterDeref(getAValueTypeParameterIndex()) and
+ output.isQualifierObject()
+ }
+}
+
 /**
 * The standard container `swap` functions.
 */
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index d3382de9ea3e..ee5b8deddcbb 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
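Review bot: The comment `// flow from parameter to string itself (qualifier) and return value` in `hasTaintFlow` does not match this model: the qualifier is a sequence container, not a string, and no return-value output is declared (container `assign` returns `void`), so it should read `// flow from a value-type parameter to the container itself (qualifier)`. `getAValueTypeParameterIndex` only matches parameters of type `T` or `T&`, so the iterator-range `assign(first, last)` and `assign(std::initializer_list<T>)` overloads get no flow from their arguments; if that is intentional for now, a `// TODO: iterator-range and initializer_list overloads are not modelled` on the class QLDoc would keep the gap visible (its QLDoc also says "is a reference to the value type" although the first disjunct matches by-value parameters too). The expectations added in this same patch show the count argument `100` flowing into `v1` (`vector.cpp:221:12:221:14 | 100 | ... | ref arg v1 | TAINT`), which suggests the `size_type count` parameter is being matched by the unspecified-type comparison in this test's `stl.h`; whether a tainted element count should taint the contents is a judgement call, but it deserves a comment either way.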
@@ -2244,8 +2244,12 @@ | vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:233:13:233:14 | v1 | | | vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:233:25:233:26 | v1 | | | vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:247:1:247:1 | v1 | | +| vector.cpp:221:12:221:14 | 100 | vector.cpp:221:2:221:3 | ref arg v1 | TAINT | +| vector.cpp:221:17:221:17 | 0 | vector.cpp:221:2:221:3 | ref arg v1 | TAINT | | vector.cpp:222:2:222:3 | ref arg v2 | vector.cpp:226:7:226:8 | v2 | | | vector.cpp:222:2:222:3 | ref arg v2 | vector.cpp:247:1:247:1 | v2 | | +| vector.cpp:222:12:222:14 | 100 | vector.cpp:222:2:222:3 | ref arg v2 | TAINT | +| vector.cpp:222:17:222:30 | call to source | vector.cpp:222:2:222:3 | ref arg v2 | TAINT | | vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:227:7:227:8 | v3 | | | vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:234:13:234:14 | v3 | | | vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:234:25:234:26 | v3 | | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected index 60f25289d070..daaadcfe6f14 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected @@ -241,6 +241,7 @@ | vector.cpp:171:13:171:13 | call to operator[] | vector.cpp:170:14:170:19 | call to source | | vector.cpp:180:13:180:13 | call to operator[] | vector.cpp:179:14:179:19 | call to source | | vector.cpp:201:13:201:13 | call to operator[] | vector.cpp:200:14:200:19 | call to source | +| vector.cpp:226:7:226:8 | v2 | vector.cpp:222:17:222:30 | call to source | | vector.cpp:227:7:227:8 | v3 | vector.cpp:223:15:223:20 | call to source | | vector.cpp:255:7:255:8 | v1 | vector.cpp:254:15:254:20 | call to source | | vector.cpp:256:10:256:13 | call to data | vector.cpp:254:15:254:20 | call to source | 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
index b39d64ea90eb..eb5167415cbc 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -177,6 +177,7 @@
 | vector.cpp:171:13:171:13 | vector.cpp:170:14:170:19 | AST only |
 | vector.cpp:180:13:180:13 | vector.cpp:179:14:179:19 | AST only |
 | vector.cpp:201:13:201:13 | vector.cpp:200:14:200:19 | AST only |
+| vector.cpp:226:7:226:8 | vector.cpp:222:17:222:30 | AST only |
 | vector.cpp:227:7:227:8 | vector.cpp:223:15:223:20 | AST only |
 | vector.cpp:255:7:255:8 | vector.cpp:254:15:254:20 | AST only |
 | vector.cpp:256:10:256:13 | vector.cpp:254:15:254:20 | AST only |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
index b1b65062294f..4f2c3168269a 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -223,7 +223,7 @@ void test_vector_assign() {
 v3.push_back(source());
 
 sink(v1);
-sink(v2); // tainted [NOT DETECTED]
+sink(v2); // tainted
 sink(v3); // tainted
 
 {
From a5a3078b58a4429c81fdf7480487baf0e1fd394b Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 27 Aug 2020 11:52:07 +0100
Subject: [PATCH 07/13] C++: Add a test case using a typedef int.

---
 .../dataflow/taint-tests/localTaint.expected | 268 ++++++++++--------
 .../dataflow/taint-tests/taint.expected | 18 +-
 .../dataflow/taint-tests/test_diff.expected | 18 +-
 .../dataflow/taint-tests/vector.cpp | 21 ++
 4 files changed, 183 insertions(+), 142 deletions(-)

diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index ee5b8deddcbb..70e7ce3952c9 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected @@ -316,6 +316,7 @@ | stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT | | stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT | | stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT | +| stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT | | stl.h:137:53:137:63 | 0 | stl.h:137:46:137:64 | (no string representation) | TAINT | | string.cpp:24:12:24:17 | call to source | string.cpp:28:7:28:7 | a | | | string.cpp:25:16:25:20 | 123 | string.cpp:25:16:25:21 | call to basic_string | TAINT | 
@@ -2226,129 +2227,144 @@ | vector.cpp:212:8:212:9 | ref arg ff | vector.cpp:213:2:213:2 | ff | | | vector.cpp:212:10:212:10 | call to operator[] [post update] | vector.cpp:212:8:212:9 | ref arg ff | TAINT | | vector.cpp:212:14:212:15 | vs | vector.cpp:212:16:212:16 | call to operator[] | TAINT | -| vector.cpp:219:19:219:20 | call to vector | vector.cpp:221:2:221:3 | v1 | | -| vector.cpp:219:19:219:20 | call to vector | vector.cpp:225:7:225:8 | v1 | | -| vector.cpp:219:19:219:20 | call to vector | vector.cpp:233:13:233:14 | v1 | | -| vector.cpp:219:19:219:20 | call to vector | vector.cpp:233:25:233:26 | v1 | | -| vector.cpp:219:19:219:20 | call to vector | vector.cpp:247:1:247:1 | v1 | | -| vector.cpp:219:23:219:24 | call to vector | vector.cpp:222:2:222:3 | v2 | | -| vector.cpp:219:23:219:24 | call to vector | vector.cpp:226:7:226:8 | v2 | | -| vector.cpp:219:23:219:24 | call to vector | vector.cpp:247:1:247:1 | v2 | | -| vector.cpp:219:27:219:28 | call to vector | vector.cpp:223:2:223:3 | v3 | | -| vector.cpp:219:27:219:28 | call to vector | vector.cpp:227:7:227:8 | v3 | | -| vector.cpp:219:27:219:28 | call to vector | vector.cpp:234:13:234:14 | v3 | | -| vector.cpp:219:27:219:28 | call to vector | vector.cpp:234:25:234:26 | v3 | | -| vector.cpp:219:27:219:28 | call to vector | vector.cpp:235:8:235:9 | v3 | | -| vector.cpp:219:27:219:28 | call to vector | vector.cpp:247:1:247:1 | v3 | | -| vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:225:7:225:8 | v1 | | -| vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:233:13:233:14 | v1 | | -| vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:233:25:233:26 | v1 | | -| vector.cpp:221:2:221:3 | ref arg v1 | vector.cpp:247:1:247:1 | v1 | | -| vector.cpp:221:12:221:14 | 100 | vector.cpp:221:2:221:3 | ref arg v1 | TAINT | -| vector.cpp:221:17:221:17 | 0 | vector.cpp:221:2:221:3 | ref arg v1 | TAINT | -| vector.cpp:222:2:222:3 | ref arg v2 | vector.cpp:226:7:226:8 | v2 | | -| vector.cpp:222:2:222:3 | ref arg v2 | 
vector.cpp:247:1:247:1 | v2 | | -| vector.cpp:222:12:222:14 | 100 | vector.cpp:222:2:222:3 | ref arg v2 | TAINT | -| vector.cpp:222:17:222:30 | call to source | vector.cpp:222:2:222:3 | ref arg v2 | TAINT | -| vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:227:7:227:8 | v3 | | -| vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:234:13:234:14 | v3 | | -| vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:234:25:234:26 | v3 | | -| vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:235:8:235:9 | v3 | | -| vector.cpp:223:2:223:3 | ref arg v3 | vector.cpp:247:1:247:1 | v3 | | -| vector.cpp:223:15:223:20 | call to source | vector.cpp:223:2:223:3 | ref arg v3 | TAINT | -| vector.cpp:225:7:225:8 | ref arg v1 | vector.cpp:233:13:233:14 | v1 | | -| vector.cpp:225:7:225:8 | ref arg v1 | vector.cpp:233:25:233:26 | v1 | | -| vector.cpp:225:7:225:8 | ref arg v1 | vector.cpp:247:1:247:1 | v1 | | -| vector.cpp:226:7:226:8 | ref arg v2 | vector.cpp:247:1:247:1 | v2 | | -| vector.cpp:227:7:227:8 | ref arg v3 | vector.cpp:234:13:234:14 | v3 | | -| vector.cpp:227:7:227:8 | ref arg v3 | vector.cpp:234:25:234:26 | v3 | | -| vector.cpp:227:7:227:8 | ref arg v3 | vector.cpp:235:8:235:9 | v3 | | -| vector.cpp:227:7:227:8 | ref arg v3 | vector.cpp:247:1:247:1 | v3 | | -| vector.cpp:230:20:230:21 | call to vector | vector.cpp:233:3:233:4 | v4 | | -| vector.cpp:230:20:230:21 | call to vector | vector.cpp:241:8:241:9 | v4 | | -| vector.cpp:230:20:230:21 | call to vector | vector.cpp:246:2:246:2 | v4 | | -| vector.cpp:230:24:230:25 | call to vector | vector.cpp:234:3:234:4 | v5 | | -| vector.cpp:230:24:230:25 | call to vector | vector.cpp:242:8:242:9 | v5 | | -| vector.cpp:230:24:230:25 | call to vector | vector.cpp:246:2:246:2 | v5 | | -| vector.cpp:230:28:230:29 | call to vector | vector.cpp:239:3:239:4 | v6 | | -| vector.cpp:230:28:230:29 | call to vector | vector.cpp:245:8:245:9 | v6 | | -| vector.cpp:230:28:230:29 | call to vector | vector.cpp:246:2:246:2 | v6 | | -| vector.cpp:233:3:233:4 | 
ref arg v4 | vector.cpp:241:8:241:9 | v4 | | -| vector.cpp:233:3:233:4 | ref arg v4 | vector.cpp:246:2:246:2 | v4 | | -| vector.cpp:233:13:233:14 | ref arg v1 | vector.cpp:233:25:233:26 | v1 | | -| vector.cpp:233:13:233:14 | ref arg v1 | vector.cpp:247:1:247:1 | v1 | | -| vector.cpp:233:25:233:26 | ref arg v1 | vector.cpp:247:1:247:1 | v1 | | -| vector.cpp:234:3:234:4 | ref arg v5 | vector.cpp:242:8:242:9 | v5 | | -| vector.cpp:234:3:234:4 | ref arg v5 | vector.cpp:246:2:246:2 | v5 | | -| vector.cpp:234:13:234:14 | ref arg v3 | vector.cpp:234:25:234:26 | v3 | | -| vector.cpp:234:13:234:14 | ref arg v3 | vector.cpp:235:8:235:9 | v3 | | -| vector.cpp:234:13:234:14 | ref arg v3 | vector.cpp:247:1:247:1 | v3 | | -| vector.cpp:234:25:234:26 | ref arg v3 | vector.cpp:235:8:235:9 | v3 | | -| vector.cpp:234:25:234:26 | ref arg v3 | vector.cpp:247:1:247:1 | v3 | | -| vector.cpp:235:8:235:9 | ref arg v3 | vector.cpp:247:1:247:1 | v3 | | -| vector.cpp:235:11:235:15 | call to begin | vector.cpp:235:3:235:17 | ... = ... | | -| vector.cpp:235:11:235:15 | call to begin | vector.cpp:236:3:236:4 | i1 | | -| vector.cpp:235:11:235:15 | call to begin | vector.cpp:237:8:237:9 | i1 | | -| vector.cpp:235:11:235:15 | call to begin | vector.cpp:239:13:239:14 | i1 | | -| vector.cpp:235:11:235:15 | call to begin | vector.cpp:243:8:243:9 | i1 | | -| vector.cpp:236:3:236:4 | ref arg i1 | vector.cpp:237:8:237:9 | i1 | | -| vector.cpp:236:3:236:4 | ref arg i1 | vector.cpp:239:13:239:14 | i1 | | -| vector.cpp:236:3:236:4 | ref arg i1 | vector.cpp:243:8:243:9 | i1 | | -| vector.cpp:237:8:237:9 | i1 | vector.cpp:237:3:237:9 | ... = ... 
| | -| vector.cpp:237:8:237:9 | i1 | vector.cpp:238:3:238:4 | i2 | | -| vector.cpp:237:8:237:9 | i1 | vector.cpp:239:17:239:18 | i2 | | -| vector.cpp:237:8:237:9 | i1 | vector.cpp:244:8:244:9 | i2 | | -| vector.cpp:238:3:238:4 | ref arg i2 | vector.cpp:239:17:239:18 | i2 | | -| vector.cpp:238:3:238:4 | ref arg i2 | vector.cpp:244:8:244:9 | i2 | | -| vector.cpp:239:3:239:4 | ref arg v6 | vector.cpp:245:8:245:9 | v6 | | -| vector.cpp:239:3:239:4 | ref arg v6 | vector.cpp:246:2:246:2 | v6 | | -| vector.cpp:241:8:241:9 | ref arg v4 | vector.cpp:246:2:246:2 | v4 | | -| vector.cpp:242:8:242:9 | ref arg v5 | vector.cpp:246:2:246:2 | v5 | | -| vector.cpp:245:8:245:9 | ref arg v6 | vector.cpp:246:2:246:2 | v6 | | -| vector.cpp:252:19:252:20 | call to vector | vector.cpp:254:2:254:3 | v1 | | -| vector.cpp:252:19:252:20 | call to vector | vector.cpp:255:7:255:8 | v1 | | -| vector.cpp:252:19:252:20 | call to vector | vector.cpp:256:7:256:8 | v1 | | -| vector.cpp:252:19:252:20 | call to vector | vector.cpp:257:7:257:8 | v1 | | -| vector.cpp:252:19:252:20 | call to vector | vector.cpp:263:1:263:1 | v1 | | -| vector.cpp:252:23:252:24 | call to vector | vector.cpp:259:4:259:5 | v2 | | -| vector.cpp:252:23:252:24 | call to vector | vector.cpp:260:7:260:8 | v2 | | -| vector.cpp:252:23:252:24 | call to vector | vector.cpp:261:7:261:8 | v2 | | -| vector.cpp:252:23:252:24 | call to vector | vector.cpp:262:7:262:8 | v2 | | -| vector.cpp:252:23:252:24 | call to vector | vector.cpp:263:1:263:1 | v2 | | -| vector.cpp:254:2:254:3 | ref arg v1 | vector.cpp:255:7:255:8 | v1 | | -| vector.cpp:254:2:254:3 | ref arg v1 | vector.cpp:256:7:256:8 | v1 | | -| vector.cpp:254:2:254:3 | ref arg v1 | vector.cpp:257:7:257:8 | v1 | | -| vector.cpp:254:2:254:3 | ref arg v1 | vector.cpp:263:1:263:1 | v1 | | -| vector.cpp:254:15:254:20 | call to source | vector.cpp:254:2:254:3 | ref arg v1 | TAINT | -| vector.cpp:255:7:255:8 | ref arg v1 | vector.cpp:256:7:256:8 | v1 | | -| vector.cpp:255:7:255:8 | ref arg 
v1 | vector.cpp:257:7:257:8 | v1 | | -| vector.cpp:255:7:255:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 | | -| vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:257:7:257:8 | v1 | | -| vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 | | -| vector.cpp:256:7:256:8 | v1 | vector.cpp:256:10:256:13 | call to data | TAINT | -| vector.cpp:256:10:256:13 | ref arg call to data | vector.cpp:256:7:256:8 | ref arg v1 | TAINT | -| vector.cpp:257:7:257:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 | | -| vector.cpp:257:7:257:8 | v1 | vector.cpp:257:10:257:13 | call to data | TAINT | -| vector.cpp:257:10:257:13 | call to data | vector.cpp:257:7:257:18 | access to array | TAINT | -| vector.cpp:257:17:257:17 | 2 | vector.cpp:257:7:257:18 | access to array | TAINT | -| vector.cpp:259:2:259:13 | * ... [post update] | vector.cpp:259:7:259:10 | call to data [inner post update] | | -| vector.cpp:259:2:259:32 | ... = ... | vector.cpp:259:2:259:13 | * ... [post update] | | -| vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:260:7:260:8 | v2 | | -| vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:261:7:261:8 | v2 | | -| vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:262:7:262:8 | v2 | | -| vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | -| vector.cpp:259:4:259:5 | v2 | vector.cpp:259:7:259:10 | call to data | TAINT | -| vector.cpp:259:7:259:10 | call to data | vector.cpp:259:2:259:13 | * ... | TAINT | -| vector.cpp:259:7:259:10 | call to data [inner post update] | vector.cpp:259:4:259:5 | ref arg v2 | TAINT | -| vector.cpp:259:17:259:30 | call to source | vector.cpp:259:2:259:32 | ... = ... 
| | -| vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:261:7:261:8 | v2 | | -| vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:262:7:262:8 | v2 | | -| vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | -| vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:262:7:262:8 | v2 | | -| vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | -| vector.cpp:261:7:261:8 | v2 | vector.cpp:261:10:261:13 | call to data | TAINT | -| vector.cpp:261:10:261:13 | ref arg call to data | vector.cpp:261:7:261:8 | ref arg v2 | TAINT | -| vector.cpp:262:7:262:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 | | -| vector.cpp:262:7:262:8 | v2 | vector.cpp:262:10:262:13 | call to data | TAINT | -| vector.cpp:262:10:262:13 | call to data | vector.cpp:262:7:262:18 | access to array | TAINT | -| vector.cpp:262:17:262:17 | 2 | vector.cpp:262:7:262:18 | access to array | TAINT | +| vector.cpp:229:19:229:20 | call to vector | vector.cpp:231:2:231:3 | v1 | | +| vector.cpp:229:19:229:20 | call to vector | vector.cpp:235:7:235:8 | v1 | | +| vector.cpp:229:19:229:20 | call to vector | vector.cpp:243:13:243:14 | v1 | | +| vector.cpp:229:19:229:20 | call to vector | vector.cpp:243:25:243:26 | v1 | | +| vector.cpp:229:19:229:20 | call to vector | vector.cpp:268:1:268:1 | v1 | | +| vector.cpp:229:23:229:24 | call to vector | vector.cpp:232:2:232:3 | v2 | | +| vector.cpp:229:23:229:24 | call to vector | vector.cpp:236:7:236:8 | v2 | | +| vector.cpp:229:23:229:24 | call to vector | vector.cpp:268:1:268:1 | v2 | | +| vector.cpp:229:27:229:28 | call to vector | vector.cpp:233:2:233:3 | v3 | | +| vector.cpp:229:27:229:28 | call to vector | vector.cpp:237:7:237:8 | v3 | | +| vector.cpp:229:27:229:28 | call to vector | vector.cpp:244:13:244:14 | v3 | | +| vector.cpp:229:27:229:28 | call to vector | vector.cpp:244:25:244:26 | v3 | | +| vector.cpp:229:27:229:28 | call to vector | vector.cpp:245:8:245:9 | v3 | | +| vector.cpp:229:27:229:28 | call to vector | vector.cpp:268:1:268:1 | v3 
| | +| vector.cpp:231:2:231:3 | ref arg v1 | vector.cpp:235:7:235:8 | v1 | | +| vector.cpp:231:2:231:3 | ref arg v1 | vector.cpp:243:13:243:14 | v1 | | +| vector.cpp:231:2:231:3 | ref arg v1 | vector.cpp:243:25:243:26 | v1 | | +| vector.cpp:231:2:231:3 | ref arg v1 | vector.cpp:268:1:268:1 | v1 | | +| vector.cpp:231:12:231:14 | 100 | vector.cpp:231:2:231:3 | ref arg v1 | TAINT | +| vector.cpp:231:17:231:17 | 0 | vector.cpp:231:2:231:3 | ref arg v1 | TAINT | +| vector.cpp:232:2:232:3 | ref arg v2 | vector.cpp:236:7:236:8 | v2 | | +| vector.cpp:232:2:232:3 | ref arg v2 | vector.cpp:268:1:268:1 | v2 | | +| vector.cpp:232:12:232:14 | 100 | vector.cpp:232:2:232:3 | ref arg v2 | TAINT | +| vector.cpp:232:17:232:30 | call to source | vector.cpp:232:2:232:3 | ref arg v2 | TAINT | +| vector.cpp:233:2:233:3 | ref arg v3 | vector.cpp:237:7:237:8 | v3 | | +| vector.cpp:233:2:233:3 | ref arg v3 | vector.cpp:244:13:244:14 | v3 | | +| vector.cpp:233:2:233:3 | ref arg v3 | vector.cpp:244:25:244:26 | v3 | | +| vector.cpp:233:2:233:3 | ref arg v3 | vector.cpp:245:8:245:9 | v3 | | +| vector.cpp:233:2:233:3 | ref arg v3 | vector.cpp:268:1:268:1 | v3 | | +| vector.cpp:233:15:233:20 | call to source | vector.cpp:233:2:233:3 | ref arg v3 | TAINT | +| vector.cpp:235:7:235:8 | ref arg v1 | vector.cpp:243:13:243:14 | v1 | | +| vector.cpp:235:7:235:8 | ref arg v1 | vector.cpp:243:25:243:26 | v1 | | +| vector.cpp:235:7:235:8 | ref arg v1 | vector.cpp:268:1:268:1 | v1 | | +| vector.cpp:236:7:236:8 | ref arg v2 | vector.cpp:268:1:268:1 | v2 | | +| vector.cpp:237:7:237:8 | ref arg v3 | vector.cpp:244:13:244:14 | v3 | | +| vector.cpp:237:7:237:8 | ref arg v3 | vector.cpp:244:25:244:26 | v3 | | +| vector.cpp:237:7:237:8 | ref arg v3 | vector.cpp:245:8:245:9 | v3 | | +| vector.cpp:237:7:237:8 | ref arg v3 | vector.cpp:268:1:268:1 | v3 | | +| vector.cpp:240:20:240:21 | call to vector | vector.cpp:243:3:243:4 | v4 | | +| vector.cpp:240:20:240:21 | call to vector | vector.cpp:251:8:251:9 | v4 | | +| 
vector.cpp:240:20:240:21 | call to vector | vector.cpp:256:2:256:2 | v4 | | +| vector.cpp:240:24:240:25 | call to vector | vector.cpp:244:3:244:4 | v5 | | +| vector.cpp:240:24:240:25 | call to vector | vector.cpp:252:8:252:9 | v5 | | +| vector.cpp:240:24:240:25 | call to vector | vector.cpp:256:2:256:2 | v5 | | +| vector.cpp:240:28:240:29 | call to vector | vector.cpp:249:3:249:4 | v6 | | +| vector.cpp:240:28:240:29 | call to vector | vector.cpp:255:8:255:9 | v6 | | +| vector.cpp:240:28:240:29 | call to vector | vector.cpp:256:2:256:2 | v6 | | +| vector.cpp:243:3:243:4 | ref arg v4 | vector.cpp:251:8:251:9 | v4 | | +| vector.cpp:243:3:243:4 | ref arg v4 | vector.cpp:256:2:256:2 | v4 | | +| vector.cpp:243:13:243:14 | ref arg v1 | vector.cpp:243:25:243:26 | v1 | | +| vector.cpp:243:13:243:14 | ref arg v1 | vector.cpp:268:1:268:1 | v1 | | +| vector.cpp:243:25:243:26 | ref arg v1 | vector.cpp:268:1:268:1 | v1 | | +| vector.cpp:244:3:244:4 | ref arg v5 | vector.cpp:252:8:252:9 | v5 | | +| vector.cpp:244:3:244:4 | ref arg v5 | vector.cpp:256:2:256:2 | v5 | | +| vector.cpp:244:13:244:14 | ref arg v3 | vector.cpp:244:25:244:26 | v3 | | +| vector.cpp:244:13:244:14 | ref arg v3 | vector.cpp:245:8:245:9 | v3 | | +| vector.cpp:244:13:244:14 | ref arg v3 | vector.cpp:268:1:268:1 | v3 | | +| vector.cpp:244:25:244:26 | ref arg v3 | vector.cpp:245:8:245:9 | v3 | | +| vector.cpp:244:25:244:26 | ref arg v3 | vector.cpp:268:1:268:1 | v3 | | +| vector.cpp:245:8:245:9 | ref arg v3 | vector.cpp:268:1:268:1 | v3 | | +| vector.cpp:245:11:245:15 | call to begin | vector.cpp:245:3:245:17 | ... = ... 
| | +| vector.cpp:245:11:245:15 | call to begin | vector.cpp:246:3:246:4 | i1 | | +| vector.cpp:245:11:245:15 | call to begin | vector.cpp:247:8:247:9 | i1 | | +| vector.cpp:245:11:245:15 | call to begin | vector.cpp:249:13:249:14 | i1 | | +| vector.cpp:245:11:245:15 | call to begin | vector.cpp:253:8:253:9 | i1 | | +| vector.cpp:246:3:246:4 | ref arg i1 | vector.cpp:247:8:247:9 | i1 | | +| vector.cpp:246:3:246:4 | ref arg i1 | vector.cpp:249:13:249:14 | i1 | | +| vector.cpp:246:3:246:4 | ref arg i1 | vector.cpp:253:8:253:9 | i1 | | +| vector.cpp:247:8:247:9 | i1 | vector.cpp:247:3:247:9 | ... = ... | | +| vector.cpp:247:8:247:9 | i1 | vector.cpp:248:3:248:4 | i2 | | +| vector.cpp:247:8:247:9 | i1 | vector.cpp:249:17:249:18 | i2 | | +| vector.cpp:247:8:247:9 | i1 | vector.cpp:254:8:254:9 | i2 | | +| vector.cpp:248:3:248:4 | ref arg i2 | vector.cpp:249:17:249:18 | i2 | | +| vector.cpp:248:3:248:4 | ref arg i2 | vector.cpp:254:8:254:9 | i2 | | +| vector.cpp:249:3:249:4 | ref arg v6 | vector.cpp:255:8:255:9 | v6 | | +| vector.cpp:249:3:249:4 | ref arg v6 | vector.cpp:256:2:256:2 | v6 | | +| vector.cpp:251:8:251:9 | ref arg v4 | vector.cpp:256:2:256:2 | v4 | | +| vector.cpp:252:8:252:9 | ref arg v5 | vector.cpp:256:2:256:2 | v5 | | +| vector.cpp:255:8:255:9 | ref arg v6 | vector.cpp:256:2:256:2 | v6 | | +| vector.cpp:259:22:259:23 | call to vector | vector.cpp:262:3:262:4 | v7 | | +| vector.cpp:259:22:259:23 | call to vector | vector.cpp:265:8:265:9 | v7 | | +| vector.cpp:259:22:259:23 | call to vector | vector.cpp:267:2:267:2 | v7 | | +| vector.cpp:260:24:260:25 | call to vector | vector.cpp:263:3:263:4 | v8 | | +| vector.cpp:260:24:260:25 | call to vector | vector.cpp:266:8:266:9 | v8 | | +| vector.cpp:260:24:260:25 | call to vector | vector.cpp:267:2:267:2 | v8 | | +| vector.cpp:262:3:262:4 | ref arg v7 | vector.cpp:265:8:265:9 | v7 | | +| vector.cpp:262:3:262:4 | ref arg v7 | vector.cpp:267:2:267:2 | v7 | | +| vector.cpp:262:13:262:15 | 100 | vector.cpp:262:3:262:4 
| ref arg v7 | TAINT | +| vector.cpp:262:18:262:31 | call to source | vector.cpp:262:3:262:4 | ref arg v7 | TAINT | +| vector.cpp:263:3:263:4 | ref arg v8 | vector.cpp:266:8:266:9 | v8 | | +| vector.cpp:263:3:263:4 | ref arg v8 | vector.cpp:267:2:267:2 | v8 | | +| vector.cpp:263:18:263:35 | call to source | vector.cpp:263:3:263:4 | ref arg v8 | TAINT | +| vector.cpp:265:8:265:9 | ref arg v7 | vector.cpp:267:2:267:2 | v7 | | +| vector.cpp:266:8:266:9 | ref arg v8 | vector.cpp:267:2:267:2 | v8 | | +| vector.cpp:273:19:273:20 | call to vector | vector.cpp:275:2:275:3 | v1 | | +| vector.cpp:273:19:273:20 | call to vector | vector.cpp:276:7:276:8 | v1 | | +| vector.cpp:273:19:273:20 | call to vector | vector.cpp:277:7:277:8 | v1 | | +| vector.cpp:273:19:273:20 | call to vector | vector.cpp:278:7:278:8 | v1 | | +| vector.cpp:273:19:273:20 | call to vector | vector.cpp:284:1:284:1 | v1 | | +| vector.cpp:273:23:273:24 | call to vector | vector.cpp:280:4:280:5 | v2 | | +| vector.cpp:273:23:273:24 | call to vector | vector.cpp:281:7:281:8 | v2 | | +| vector.cpp:273:23:273:24 | call to vector | vector.cpp:282:7:282:8 | v2 | | +| vector.cpp:273:23:273:24 | call to vector | vector.cpp:283:7:283:8 | v2 | | +| vector.cpp:273:23:273:24 | call to vector | vector.cpp:284:1:284:1 | v2 | | +| vector.cpp:275:2:275:3 | ref arg v1 | vector.cpp:276:7:276:8 | v1 | | +| vector.cpp:275:2:275:3 | ref arg v1 | vector.cpp:277:7:277:8 | v1 | | +| vector.cpp:275:2:275:3 | ref arg v1 | vector.cpp:278:7:278:8 | v1 | | +| vector.cpp:275:2:275:3 | ref arg v1 | vector.cpp:284:1:284:1 | v1 | | +| vector.cpp:275:15:275:20 | call to source | vector.cpp:275:2:275:3 | ref arg v1 | TAINT | +| vector.cpp:276:7:276:8 | ref arg v1 | vector.cpp:277:7:277:8 | v1 | | +| vector.cpp:276:7:276:8 | ref arg v1 | vector.cpp:278:7:278:8 | v1 | | +| vector.cpp:276:7:276:8 | ref arg v1 | vector.cpp:284:1:284:1 | v1 | | +| vector.cpp:277:7:277:8 | ref arg v1 | vector.cpp:278:7:278:8 | v1 | | +| vector.cpp:277:7:277:8 | ref 
arg v1 | vector.cpp:284:1:284:1 | v1 | | +| vector.cpp:277:7:277:8 | v1 | vector.cpp:277:10:277:13 | call to data | TAINT | +| vector.cpp:277:10:277:13 | ref arg call to data | vector.cpp:277:7:277:8 | ref arg v1 | TAINT | +| vector.cpp:278:7:278:8 | ref arg v1 | vector.cpp:284:1:284:1 | v1 | | +| vector.cpp:278:7:278:8 | v1 | vector.cpp:278:10:278:13 | call to data | TAINT | +| vector.cpp:278:10:278:13 | call to data | vector.cpp:278:7:278:18 | access to array | TAINT | +| vector.cpp:278:17:278:17 | 2 | vector.cpp:278:7:278:18 | access to array | TAINT | +| vector.cpp:280:2:280:13 | * ... [post update] | vector.cpp:280:7:280:10 | call to data [inner post update] | | +| vector.cpp:280:2:280:32 | ... = ... | vector.cpp:280:2:280:13 | * ... [post update] | | +| vector.cpp:280:4:280:5 | ref arg v2 | vector.cpp:281:7:281:8 | v2 | | +| vector.cpp:280:4:280:5 | ref arg v2 | vector.cpp:282:7:282:8 | v2 | | +| vector.cpp:280:4:280:5 | ref arg v2 | vector.cpp:283:7:283:8 | v2 | | +| vector.cpp:280:4:280:5 | ref arg v2 | vector.cpp:284:1:284:1 | v2 | | +| vector.cpp:280:4:280:5 | v2 | vector.cpp:280:7:280:10 | call to data | TAINT | +| vector.cpp:280:7:280:10 | call to data | vector.cpp:280:2:280:13 | * ... | TAINT | +| vector.cpp:280:7:280:10 | call to data [inner post update] | vector.cpp:280:4:280:5 | ref arg v2 | TAINT | +| vector.cpp:280:17:280:30 | call to source | vector.cpp:280:2:280:32 | ... = ... 
| | +| vector.cpp:281:7:281:8 | ref arg v2 | vector.cpp:282:7:282:8 | v2 | | +| vector.cpp:281:7:281:8 | ref arg v2 | vector.cpp:283:7:283:8 | v2 | | +| vector.cpp:281:7:281:8 | ref arg v2 | vector.cpp:284:1:284:1 | v2 | | +| vector.cpp:282:7:282:8 | ref arg v2 | vector.cpp:283:7:283:8 | v2 | | +| vector.cpp:282:7:282:8 | ref arg v2 | vector.cpp:284:1:284:1 | v2 | | +| vector.cpp:282:7:282:8 | v2 | vector.cpp:282:10:282:13 | call to data | TAINT | +| vector.cpp:282:10:282:13 | ref arg call to data | vector.cpp:282:7:282:8 | ref arg v2 | TAINT | +| vector.cpp:283:7:283:8 | ref arg v2 | vector.cpp:284:1:284:1 | v2 | | +| vector.cpp:283:7:283:8 | v2 | vector.cpp:283:10:283:13 | call to data | TAINT | +| vector.cpp:283:10:283:13 | call to data | vector.cpp:283:7:283:18 | access to array | TAINT | +| vector.cpp:283:17:283:17 | 2 | vector.cpp:283:7:283:18 | access to array | TAINT | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected index daaadcfe6f14..c82a1134c7fb 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected 
@@ -241,11 +241,13 @@ | vector.cpp:171:13:171:13 | call to operator[] | vector.cpp:170:14:170:19 | call to source | | vector.cpp:180:13:180:13 | call to operator[] | vector.cpp:179:14:179:19 | call to source | | vector.cpp:201:13:201:13 | call to operator[] | vector.cpp:200:14:200:19 | call to source | -| vector.cpp:226:7:226:8 | v2 | vector.cpp:222:17:222:30 | call to source | -| vector.cpp:227:7:227:8 | v3 | vector.cpp:223:15:223:20 | call to source | -| vector.cpp:255:7:255:8 | v1 | vector.cpp:254:15:254:20 | call to source | -| vector.cpp:256:10:256:13 | call to data | vector.cpp:254:15:254:20 | call to source | -| vector.cpp:257:7:257:18 | access to array | vector.cpp:254:15:254:20 | call to source | -| vector.cpp:260:7:260:8 | v2 | vector.cpp:259:17:259:30 | call to source | -| vector.cpp:261:10:261:13 | call to data | vector.cpp:259:17:259:30 | call to source | -| vector.cpp:262:7:262:18 | access to array | vector.cpp:259:17:259:30 | call to source | +| vector.cpp:236:7:236:8 | v2 | vector.cpp:232:17:232:30 | call to source | +| vector.cpp:237:7:237:8 | v3 | vector.cpp:233:15:233:20 | call to source | +| vector.cpp:265:8:265:9 | v7 | vector.cpp:262:18:262:31 | call to source | +| vector.cpp:266:8:266:9 | v8 | vector.cpp:263:18:263:35 | call to source | +| vector.cpp:276:7:276:8 | v1 | vector.cpp:275:15:275:20 | call to source | +| vector.cpp:277:10:277:13 | call to data | vector.cpp:275:15:275:20 | call to source | +| vector.cpp:278:7:278:18 | access to array | vector.cpp:275:15:275:20 | call to source | +| vector.cpp:281:7:281:8 | v2 | vector.cpp:280:17:280:30 | call to source | +| vector.cpp:282:10:282:13 | call to data | vector.cpp:280:17:280:30 | call to source | +| vector.cpp:283:7:283:18 | access to array | vector.cpp:280:17:280:30 | call to source | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected index eb5167415cbc..e909d08e97e3 100644 
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected @@ -177,11 +177,13 @@ | vector.cpp:171:13:171:13 | vector.cpp:170:14:170:19 | AST only | | vector.cpp:180:13:180:13 | vector.cpp:179:14:179:19 | AST only | | vector.cpp:201:13:201:13 | vector.cpp:200:14:200:19 | AST only | -| vector.cpp:226:7:226:8 | vector.cpp:222:17:222:30 | AST only | -| vector.cpp:227:7:227:8 | vector.cpp:223:15:223:20 | AST only | -| vector.cpp:255:7:255:8 | vector.cpp:254:15:254:20 | AST only | -| vector.cpp:256:10:256:13 | vector.cpp:254:15:254:20 | AST only | -| vector.cpp:257:7:257:18 | vector.cpp:254:15:254:20 | AST only | -| vector.cpp:260:7:260:8 | vector.cpp:259:17:259:30 | AST only | -| vector.cpp:261:10:261:13 | vector.cpp:259:17:259:30 | AST only | -| vector.cpp:262:7:262:18 | vector.cpp:259:17:259:30 | AST only | +| vector.cpp:236:7:236:8 | vector.cpp:232:17:232:30 | AST only | +| vector.cpp:237:7:237:8 | vector.cpp:233:15:233:20 | AST only | +| vector.cpp:265:8:265:9 | vector.cpp:262:18:262:31 | AST only | +| vector.cpp:266:8:266:9 | vector.cpp:263:18:263:35 | AST only | +| vector.cpp:276:7:276:8 | vector.cpp:275:15:275:20 | AST only | +| vector.cpp:277:10:277:13 | vector.cpp:275:15:275:20 | AST only | +| vector.cpp:278:7:278:18 | vector.cpp:275:15:275:20 | AST only | +| vector.cpp:281:7:281:8 | vector.cpp:280:17:280:30 | AST only | +| vector.cpp:282:10:282:13 | vector.cpp:280:17:280:30 | AST only | +| vector.cpp:283:7:283:18 | vector.cpp:280:17:280:30 | AST only | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp index 4f2c3168269a..bb1c6ef5dcf5 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp 
@@ -215,6 +215,16 @@ void test_nested_vectors() void sink(std::vector::iterator &); +typedef int myInt; +typedef float myFloat; + +namespace ns_myFloat +{ + myFloat source(); +} + +void sink(std::vector &); + void test_vector_assign() { std::vector v1, v2, v3; @@ -244,6 +254,17 @@ void test_vector_assign() { sink(i2); // tainted [NOT DETECTED] sink(v6); // tainted [NOT DETECTED] } + + { + std::vector v7; + std::vector v8; + + v7.assign(100, ns_int::source()); + v8.assign(100, ns_myFloat::source()); + + sink(v7); // tainted + sink(v8); // tainted + } } void sink(int *); From 816b8abd7cf8d3963fe8cc2f768a08b0b1f57acb Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 27 Aug 2020 13:42:11 +0100 Subject: [PATCH 08/13] C++: Add a test case using a const int *. --- .../dataflow/taint-tests/localTaint.expected | 289 +++++++++--------- .../dataflow/taint-tests/taint.expected | 20 +- .../dataflow/taint-tests/test_diff.expected | 20 +- .../dataflow/taint-tests/vector.cpp | 9 + 4 files changed, 177 insertions(+), 161 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 70e7ce3952c9..198c1e914baa 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
@@ -317,6 +317,7 @@ | stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT | | stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT | | stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT | +| stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT | | stl.h:137:53:137:63 | 0 | stl.h:137:46:137:64 | (no string representation) | TAINT | | string.cpp:24:12:24:17 | call to source | string.cpp:28:7:28:7 | a | | | string.cpp:25:16:25:20 | 123 | string.cpp:25:16:25:21 | call to basic_string | TAINT | 
@@ -2227,144 +2228,150 @@ | vector.cpp:212:8:212:9 | ref arg ff | vector.cpp:213:2:213:2 | ff | | | vector.cpp:212:10:212:10 | call to operator[] [post update] | vector.cpp:212:8:212:9 | ref arg ff | TAINT | | vector.cpp:212:14:212:15 | vs | vector.cpp:212:16:212:16 | call to operator[] | TAINT | -| vector.cpp:229:19:229:20 | call to vector | vector.cpp:231:2:231:3 | v1 | | -| vector.cpp:229:19:229:20 | call to vector | vector.cpp:235:7:235:8 | v1 | | -| vector.cpp:229:19:229:20 | call to vector | vector.cpp:243:13:243:14 | v1 | | -| vector.cpp:229:19:229:20 | call to vector | vector.cpp:243:25:243:26 | v1 | | -| vector.cpp:229:19:229:20 | call to vector | vector.cpp:268:1:268:1 | v1 | | -| vector.cpp:229:23:229:24 | call to vector | vector.cpp:232:2:232:3 | v2 | | -| vector.cpp:229:23:229:24 | call to vector | vector.cpp:236:7:236:8 | v2 | | -| vector.cpp:229:23:229:24 | call to vector | vector.cpp:268:1:268:1 | v2 | | -| vector.cpp:229:27:229:28 | call to vector | vector.cpp:233:2:233:3 | v3 | | -| vector.cpp:229:27:229:28 | call to vector | vector.cpp:237:7:237:8 | v3 | | -| vector.cpp:229:27:229:28 | call to vector | vector.cpp:244:13:244:14 | v3 | | -| vector.cpp:229:27:229:28 | call to vector | vector.cpp:244:25:244:26 | v3 | | -| vector.cpp:229:27:229:28 | call to vector | vector.cpp:245:8:245:9 | v3 | | -| vector.cpp:229:27:229:28 | call to vector | vector.cpp:268:1:268:1 | v3 | | -| vector.cpp:231:2:231:3 | ref arg v1 | vector.cpp:235:7:235:8 | v1 | | -| vector.cpp:231:2:231:3 | ref arg v1 | vector.cpp:243:13:243:14 | v1 | | -| vector.cpp:231:2:231:3 | ref arg v1 | vector.cpp:243:25:243:26 | v1 | | -| vector.cpp:231:2:231:3 | ref arg v1 | vector.cpp:268:1:268:1 | v1 | | -| vector.cpp:231:12:231:14 | 100 | vector.cpp:231:2:231:3 | ref arg v1 | TAINT | -| vector.cpp:231:17:231:17 | 0 | vector.cpp:231:2:231:3 | ref arg v1 | TAINT | -| vector.cpp:232:2:232:3 | ref arg v2 | vector.cpp:236:7:236:8 | v2 | | -| vector.cpp:232:2:232:3 | ref arg v2 | 
vector.cpp:268:1:268:1 | v2 | | -| vector.cpp:232:12:232:14 | 100 | vector.cpp:232:2:232:3 | ref arg v2 | TAINT | -| vector.cpp:232:17:232:30 | call to source | vector.cpp:232:2:232:3 | ref arg v2 | TAINT | -| vector.cpp:233:2:233:3 | ref arg v3 | vector.cpp:237:7:237:8 | v3 | | -| vector.cpp:233:2:233:3 | ref arg v3 | vector.cpp:244:13:244:14 | v3 | | -| vector.cpp:233:2:233:3 | ref arg v3 | vector.cpp:244:25:244:26 | v3 | | -| vector.cpp:233:2:233:3 | ref arg v3 | vector.cpp:245:8:245:9 | v3 | | -| vector.cpp:233:2:233:3 | ref arg v3 | vector.cpp:268:1:268:1 | v3 | | -| vector.cpp:233:15:233:20 | call to source | vector.cpp:233:2:233:3 | ref arg v3 | TAINT | -| vector.cpp:235:7:235:8 | ref arg v1 | vector.cpp:243:13:243:14 | v1 | | -| vector.cpp:235:7:235:8 | ref arg v1 | vector.cpp:243:25:243:26 | v1 | | -| vector.cpp:235:7:235:8 | ref arg v1 | vector.cpp:268:1:268:1 | v1 | | -| vector.cpp:236:7:236:8 | ref arg v2 | vector.cpp:268:1:268:1 | v2 | | -| vector.cpp:237:7:237:8 | ref arg v3 | vector.cpp:244:13:244:14 | v3 | | -| vector.cpp:237:7:237:8 | ref arg v3 | vector.cpp:244:25:244:26 | v3 | | -| vector.cpp:237:7:237:8 | ref arg v3 | vector.cpp:245:8:245:9 | v3 | | -| vector.cpp:237:7:237:8 | ref arg v3 | vector.cpp:268:1:268:1 | v3 | | -| vector.cpp:240:20:240:21 | call to vector | vector.cpp:243:3:243:4 | v4 | | -| vector.cpp:240:20:240:21 | call to vector | vector.cpp:251:8:251:9 | v4 | | -| vector.cpp:240:20:240:21 | call to vector | vector.cpp:256:2:256:2 | v4 | | -| vector.cpp:240:24:240:25 | call to vector | vector.cpp:244:3:244:4 | v5 | | -| vector.cpp:240:24:240:25 | call to vector | vector.cpp:252:8:252:9 | v5 | | -| vector.cpp:240:24:240:25 | call to vector | vector.cpp:256:2:256:2 | v5 | | -| vector.cpp:240:28:240:29 | call to vector | vector.cpp:249:3:249:4 | v6 | | -| vector.cpp:240:28:240:29 | call to vector | vector.cpp:255:8:255:9 | v6 | | -| vector.cpp:240:28:240:29 | call to vector | vector.cpp:256:2:256:2 | v6 | | -| vector.cpp:243:3:243:4 | 
ref arg v4 | vector.cpp:251:8:251:9 | v4 | | -| vector.cpp:243:3:243:4 | ref arg v4 | vector.cpp:256:2:256:2 | v4 | | -| vector.cpp:243:13:243:14 | ref arg v1 | vector.cpp:243:25:243:26 | v1 | | -| vector.cpp:243:13:243:14 | ref arg v1 | vector.cpp:268:1:268:1 | v1 | | -| vector.cpp:243:25:243:26 | ref arg v1 | vector.cpp:268:1:268:1 | v1 | | -| vector.cpp:244:3:244:4 | ref arg v5 | vector.cpp:252:8:252:9 | v5 | | -| vector.cpp:244:3:244:4 | ref arg v5 | vector.cpp:256:2:256:2 | v5 | | -| vector.cpp:244:13:244:14 | ref arg v3 | vector.cpp:244:25:244:26 | v3 | | -| vector.cpp:244:13:244:14 | ref arg v3 | vector.cpp:245:8:245:9 | v3 | | -| vector.cpp:244:13:244:14 | ref arg v3 | vector.cpp:268:1:268:1 | v3 | | -| vector.cpp:244:25:244:26 | ref arg v3 | vector.cpp:245:8:245:9 | v3 | | -| vector.cpp:244:25:244:26 | ref arg v3 | vector.cpp:268:1:268:1 | v3 | | -| vector.cpp:245:8:245:9 | ref arg v3 | vector.cpp:268:1:268:1 | v3 | | -| vector.cpp:245:11:245:15 | call to begin | vector.cpp:245:3:245:17 | ... = ... | | -| vector.cpp:245:11:245:15 | call to begin | vector.cpp:246:3:246:4 | i1 | | -| vector.cpp:245:11:245:15 | call to begin | vector.cpp:247:8:247:9 | i1 | | -| vector.cpp:245:11:245:15 | call to begin | vector.cpp:249:13:249:14 | i1 | | -| vector.cpp:245:11:245:15 | call to begin | vector.cpp:253:8:253:9 | i1 | | -| vector.cpp:246:3:246:4 | ref arg i1 | vector.cpp:247:8:247:9 | i1 | | -| vector.cpp:246:3:246:4 | ref arg i1 | vector.cpp:249:13:249:14 | i1 | | -| vector.cpp:246:3:246:4 | ref arg i1 | vector.cpp:253:8:253:9 | i1 | | -| vector.cpp:247:8:247:9 | i1 | vector.cpp:247:3:247:9 | ... = ... 
| | -| vector.cpp:247:8:247:9 | i1 | vector.cpp:248:3:248:4 | i2 | | -| vector.cpp:247:8:247:9 | i1 | vector.cpp:249:17:249:18 | i2 | | -| vector.cpp:247:8:247:9 | i1 | vector.cpp:254:8:254:9 | i2 | | -| vector.cpp:248:3:248:4 | ref arg i2 | vector.cpp:249:17:249:18 | i2 | | -| vector.cpp:248:3:248:4 | ref arg i2 | vector.cpp:254:8:254:9 | i2 | | -| vector.cpp:249:3:249:4 | ref arg v6 | vector.cpp:255:8:255:9 | v6 | | -| vector.cpp:249:3:249:4 | ref arg v6 | vector.cpp:256:2:256:2 | v6 | | -| vector.cpp:251:8:251:9 | ref arg v4 | vector.cpp:256:2:256:2 | v4 | | -| vector.cpp:252:8:252:9 | ref arg v5 | vector.cpp:256:2:256:2 | v5 | | -| vector.cpp:255:8:255:9 | ref arg v6 | vector.cpp:256:2:256:2 | v6 | | -| vector.cpp:259:22:259:23 | call to vector | vector.cpp:262:3:262:4 | v7 | | -| vector.cpp:259:22:259:23 | call to vector | vector.cpp:265:8:265:9 | v7 | | -| vector.cpp:259:22:259:23 | call to vector | vector.cpp:267:2:267:2 | v7 | | -| vector.cpp:260:24:260:25 | call to vector | vector.cpp:263:3:263:4 | v8 | | -| vector.cpp:260:24:260:25 | call to vector | vector.cpp:266:8:266:9 | v8 | | -| vector.cpp:260:24:260:25 | call to vector | vector.cpp:267:2:267:2 | v8 | | -| vector.cpp:262:3:262:4 | ref arg v7 | vector.cpp:265:8:265:9 | v7 | | -| vector.cpp:262:3:262:4 | ref arg v7 | vector.cpp:267:2:267:2 | v7 | | -| vector.cpp:262:13:262:15 | 100 | vector.cpp:262:3:262:4 | ref arg v7 | TAINT | -| vector.cpp:262:18:262:31 | call to source | vector.cpp:262:3:262:4 | ref arg v7 | TAINT | -| vector.cpp:263:3:263:4 | ref arg v8 | vector.cpp:266:8:266:9 | v8 | | -| vector.cpp:263:3:263:4 | ref arg v8 | vector.cpp:267:2:267:2 | v8 | | -| vector.cpp:263:18:263:35 | call to source | vector.cpp:263:3:263:4 | ref arg v8 | TAINT | -| vector.cpp:265:8:265:9 | ref arg v7 | vector.cpp:267:2:267:2 | v7 | | -| vector.cpp:266:8:266:9 | ref arg v8 | vector.cpp:267:2:267:2 | v8 | | -| vector.cpp:273:19:273:20 | call to vector | vector.cpp:275:2:275:3 | v1 | | -| 
vector.cpp:273:19:273:20 | call to vector | vector.cpp:276:7:276:8 | v1 | | -| vector.cpp:273:19:273:20 | call to vector | vector.cpp:277:7:277:8 | v1 | | -| vector.cpp:273:19:273:20 | call to vector | vector.cpp:278:7:278:8 | v1 | | -| vector.cpp:273:19:273:20 | call to vector | vector.cpp:284:1:284:1 | v1 | | -| vector.cpp:273:23:273:24 | call to vector | vector.cpp:280:4:280:5 | v2 | | -| vector.cpp:273:23:273:24 | call to vector | vector.cpp:281:7:281:8 | v2 | | -| vector.cpp:273:23:273:24 | call to vector | vector.cpp:282:7:282:8 | v2 | | -| vector.cpp:273:23:273:24 | call to vector | vector.cpp:283:7:283:8 | v2 | | -| vector.cpp:273:23:273:24 | call to vector | vector.cpp:284:1:284:1 | v2 | | -| vector.cpp:275:2:275:3 | ref arg v1 | vector.cpp:276:7:276:8 | v1 | | -| vector.cpp:275:2:275:3 | ref arg v1 | vector.cpp:277:7:277:8 | v1 | | -| vector.cpp:275:2:275:3 | ref arg v1 | vector.cpp:278:7:278:8 | v1 | | -| vector.cpp:275:2:275:3 | ref arg v1 | vector.cpp:284:1:284:1 | v1 | | -| vector.cpp:275:15:275:20 | call to source | vector.cpp:275:2:275:3 | ref arg v1 | TAINT | -| vector.cpp:276:7:276:8 | ref arg v1 | vector.cpp:277:7:277:8 | v1 | | -| vector.cpp:276:7:276:8 | ref arg v1 | vector.cpp:278:7:278:8 | v1 | | -| vector.cpp:276:7:276:8 | ref arg v1 | vector.cpp:284:1:284:1 | v1 | | -| vector.cpp:277:7:277:8 | ref arg v1 | vector.cpp:278:7:278:8 | v1 | | -| vector.cpp:277:7:277:8 | ref arg v1 | vector.cpp:284:1:284:1 | v1 | | -| vector.cpp:277:7:277:8 | v1 | vector.cpp:277:10:277:13 | call to data | TAINT | -| vector.cpp:277:10:277:13 | ref arg call to data | vector.cpp:277:7:277:8 | ref arg v1 | TAINT | -| vector.cpp:278:7:278:8 | ref arg v1 | vector.cpp:284:1:284:1 | v1 | | -| vector.cpp:278:7:278:8 | v1 | vector.cpp:278:10:278:13 | call to data | TAINT | -| vector.cpp:278:10:278:13 | call to data | vector.cpp:278:7:278:18 | access to array | TAINT | -| vector.cpp:278:17:278:17 | 2 | vector.cpp:278:7:278:18 | access to array | TAINT | -| 
vector.cpp:280:2:280:13 | * ... [post update] | vector.cpp:280:7:280:10 | call to data [inner post update] | | -| vector.cpp:280:2:280:32 | ... = ... | vector.cpp:280:2:280:13 | * ... [post update] | | -| vector.cpp:280:4:280:5 | ref arg v2 | vector.cpp:281:7:281:8 | v2 | | -| vector.cpp:280:4:280:5 | ref arg v2 | vector.cpp:282:7:282:8 | v2 | | -| vector.cpp:280:4:280:5 | ref arg v2 | vector.cpp:283:7:283:8 | v2 | | -| vector.cpp:280:4:280:5 | ref arg v2 | vector.cpp:284:1:284:1 | v2 | | -| vector.cpp:280:4:280:5 | v2 | vector.cpp:280:7:280:10 | call to data | TAINT | -| vector.cpp:280:7:280:10 | call to data | vector.cpp:280:2:280:13 | * ... | TAINT | -| vector.cpp:280:7:280:10 | call to data [inner post update] | vector.cpp:280:4:280:5 | ref arg v2 | TAINT | -| vector.cpp:280:17:280:30 | call to source | vector.cpp:280:2:280:32 | ... = ... | | -| vector.cpp:281:7:281:8 | ref arg v2 | vector.cpp:282:7:282:8 | v2 | | -| vector.cpp:281:7:281:8 | ref arg v2 | vector.cpp:283:7:283:8 | v2 | | -| vector.cpp:281:7:281:8 | ref arg v2 | vector.cpp:284:1:284:1 | v2 | | -| vector.cpp:282:7:282:8 | ref arg v2 | vector.cpp:283:7:283:8 | v2 | | -| vector.cpp:282:7:282:8 | ref arg v2 | vector.cpp:284:1:284:1 | v2 | | -| vector.cpp:282:7:282:8 | v2 | vector.cpp:282:10:282:13 | call to data | TAINT | -| vector.cpp:282:10:282:13 | ref arg call to data | vector.cpp:282:7:282:8 | ref arg v2 | TAINT | -| vector.cpp:283:7:283:8 | ref arg v2 | vector.cpp:284:1:284:1 | v2 | | -| vector.cpp:283:7:283:8 | v2 | vector.cpp:283:10:283:13 | call to data | TAINT | -| vector.cpp:283:10:283:13 | call to data | vector.cpp:283:7:283:18 | access to array | TAINT | -| vector.cpp:283:17:283:17 | 2 | vector.cpp:283:7:283:18 | access to array | TAINT | +| vector.cpp:235:19:235:20 | call to vector | vector.cpp:237:2:237:3 | v1 | | +| vector.cpp:235:19:235:20 | call to vector | vector.cpp:241:7:241:8 | v1 | | +| vector.cpp:235:19:235:20 | call to vector | vector.cpp:249:13:249:14 | v1 | | +| 
vector.cpp:235:19:235:20 | call to vector | vector.cpp:249:25:249:26 | v1 | | +| vector.cpp:235:19:235:20 | call to vector | vector.cpp:277:1:277:1 | v1 | | +| vector.cpp:235:23:235:24 | call to vector | vector.cpp:238:2:238:3 | v2 | | +| vector.cpp:235:23:235:24 | call to vector | vector.cpp:242:7:242:8 | v2 | | +| vector.cpp:235:23:235:24 | call to vector | vector.cpp:277:1:277:1 | v2 | | +| vector.cpp:235:27:235:28 | call to vector | vector.cpp:239:2:239:3 | v3 | | +| vector.cpp:235:27:235:28 | call to vector | vector.cpp:243:7:243:8 | v3 | | +| vector.cpp:235:27:235:28 | call to vector | vector.cpp:250:13:250:14 | v3 | | +| vector.cpp:235:27:235:28 | call to vector | vector.cpp:250:25:250:26 | v3 | | +| vector.cpp:235:27:235:28 | call to vector | vector.cpp:251:8:251:9 | v3 | | +| vector.cpp:235:27:235:28 | call to vector | vector.cpp:277:1:277:1 | v3 | | +| vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:241:7:241:8 | v1 | | +| vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:249:13:249:14 | v1 | | +| vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:249:25:249:26 | v1 | | +| vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:277:1:277:1 | v1 | | +| vector.cpp:237:12:237:14 | 100 | vector.cpp:237:2:237:3 | ref arg v1 | TAINT | +| vector.cpp:237:17:237:17 | 0 | vector.cpp:237:2:237:3 | ref arg v1 | TAINT | +| vector.cpp:238:2:238:3 | ref arg v2 | vector.cpp:242:7:242:8 | v2 | | +| vector.cpp:238:2:238:3 | ref arg v2 | vector.cpp:277:1:277:1 | v2 | | +| vector.cpp:238:12:238:14 | 100 | vector.cpp:238:2:238:3 | ref arg v2 | TAINT | +| vector.cpp:238:17:238:30 | call to source | vector.cpp:238:2:238:3 | ref arg v2 | TAINT | +| vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:243:7:243:8 | v3 | | +| vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:250:13:250:14 | v3 | | +| vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:250:25:250:26 | v3 | | +| vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:251:8:251:9 | v3 | | +| vector.cpp:239:2:239:3 | ref arg v3 | 
vector.cpp:277:1:277:1 | v3 | | +| vector.cpp:239:15:239:20 | call to source | vector.cpp:239:2:239:3 | ref arg v3 | TAINT | +| vector.cpp:241:7:241:8 | ref arg v1 | vector.cpp:249:13:249:14 | v1 | | +| vector.cpp:241:7:241:8 | ref arg v1 | vector.cpp:249:25:249:26 | v1 | | +| vector.cpp:241:7:241:8 | ref arg v1 | vector.cpp:277:1:277:1 | v1 | | +| vector.cpp:242:7:242:8 | ref arg v2 | vector.cpp:277:1:277:1 | v2 | | +| vector.cpp:243:7:243:8 | ref arg v3 | vector.cpp:250:13:250:14 | v3 | | +| vector.cpp:243:7:243:8 | ref arg v3 | vector.cpp:250:25:250:26 | v3 | | +| vector.cpp:243:7:243:8 | ref arg v3 | vector.cpp:251:8:251:9 | v3 | | +| vector.cpp:243:7:243:8 | ref arg v3 | vector.cpp:277:1:277:1 | v3 | | +| vector.cpp:246:20:246:21 | call to vector | vector.cpp:249:3:249:4 | v4 | | +| vector.cpp:246:20:246:21 | call to vector | vector.cpp:257:8:257:9 | v4 | | +| vector.cpp:246:20:246:21 | call to vector | vector.cpp:262:2:262:2 | v4 | | +| vector.cpp:246:24:246:25 | call to vector | vector.cpp:250:3:250:4 | v5 | | +| vector.cpp:246:24:246:25 | call to vector | vector.cpp:258:8:258:9 | v5 | | +| vector.cpp:246:24:246:25 | call to vector | vector.cpp:262:2:262:2 | v5 | | +| vector.cpp:246:28:246:29 | call to vector | vector.cpp:255:3:255:4 | v6 | | +| vector.cpp:246:28:246:29 | call to vector | vector.cpp:261:8:261:9 | v6 | | +| vector.cpp:246:28:246:29 | call to vector | vector.cpp:262:2:262:2 | v6 | | +| vector.cpp:249:3:249:4 | ref arg v4 | vector.cpp:257:8:257:9 | v4 | | +| vector.cpp:249:3:249:4 | ref arg v4 | vector.cpp:262:2:262:2 | v4 | | +| vector.cpp:249:13:249:14 | ref arg v1 | vector.cpp:249:25:249:26 | v1 | | +| vector.cpp:249:13:249:14 | ref arg v1 | vector.cpp:277:1:277:1 | v1 | | +| vector.cpp:249:25:249:26 | ref arg v1 | vector.cpp:277:1:277:1 | v1 | | +| vector.cpp:250:3:250:4 | ref arg v5 | vector.cpp:258:8:258:9 | v5 | | +| vector.cpp:250:3:250:4 | ref arg v5 | vector.cpp:262:2:262:2 | v5 | | +| vector.cpp:250:13:250:14 | ref arg v3 | 
vector.cpp:250:25:250:26 | v3 | | +| vector.cpp:250:13:250:14 | ref arg v3 | vector.cpp:251:8:251:9 | v3 | | +| vector.cpp:250:13:250:14 | ref arg v3 | vector.cpp:277:1:277:1 | v3 | | +| vector.cpp:250:25:250:26 | ref arg v3 | vector.cpp:251:8:251:9 | v3 | | +| vector.cpp:250:25:250:26 | ref arg v3 | vector.cpp:277:1:277:1 | v3 | | +| vector.cpp:251:8:251:9 | ref arg v3 | vector.cpp:277:1:277:1 | v3 | | +| vector.cpp:251:11:251:15 | call to begin | vector.cpp:251:3:251:17 | ... = ... | | +| vector.cpp:251:11:251:15 | call to begin | vector.cpp:252:3:252:4 | i1 | | +| vector.cpp:251:11:251:15 | call to begin | vector.cpp:253:8:253:9 | i1 | | +| vector.cpp:251:11:251:15 | call to begin | vector.cpp:255:13:255:14 | i1 | | +| vector.cpp:251:11:251:15 | call to begin | vector.cpp:259:8:259:9 | i1 | | +| vector.cpp:252:3:252:4 | ref arg i1 | vector.cpp:253:8:253:9 | i1 | | +| vector.cpp:252:3:252:4 | ref arg i1 | vector.cpp:255:13:255:14 | i1 | | +| vector.cpp:252:3:252:4 | ref arg i1 | vector.cpp:259:8:259:9 | i1 | | +| vector.cpp:253:8:253:9 | i1 | vector.cpp:253:3:253:9 | ... = ... 
| | +| vector.cpp:253:8:253:9 | i1 | vector.cpp:254:3:254:4 | i2 | | +| vector.cpp:253:8:253:9 | i1 | vector.cpp:255:17:255:18 | i2 | | +| vector.cpp:253:8:253:9 | i1 | vector.cpp:260:8:260:9 | i2 | | +| vector.cpp:254:3:254:4 | ref arg i2 | vector.cpp:255:17:255:18 | i2 | | +| vector.cpp:254:3:254:4 | ref arg i2 | vector.cpp:260:8:260:9 | i2 | | +| vector.cpp:255:3:255:4 | ref arg v6 | vector.cpp:261:8:261:9 | v6 | | +| vector.cpp:255:3:255:4 | ref arg v6 | vector.cpp:262:2:262:2 | v6 | | +| vector.cpp:257:8:257:9 | ref arg v4 | vector.cpp:262:2:262:2 | v4 | | +| vector.cpp:258:8:258:9 | ref arg v5 | vector.cpp:262:2:262:2 | v5 | | +| vector.cpp:261:8:261:9 | ref arg v6 | vector.cpp:262:2:262:2 | v6 | | +| vector.cpp:265:22:265:23 | call to vector | vector.cpp:269:3:269:4 | v7 | | +| vector.cpp:265:22:265:23 | call to vector | vector.cpp:273:8:273:9 | v7 | | +| vector.cpp:265:22:265:23 | call to vector | vector.cpp:276:2:276:2 | v7 | | +| vector.cpp:266:24:266:25 | call to vector | vector.cpp:270:3:270:4 | v8 | | +| vector.cpp:266:24:266:25 | call to vector | vector.cpp:274:8:274:9 | v8 | | +| vector.cpp:266:24:266:25 | call to vector | vector.cpp:276:2:276:2 | v8 | | +| vector.cpp:267:28:267:29 | call to vector | vector.cpp:271:3:271:4 | v9 | | +| vector.cpp:267:28:267:29 | call to vector | vector.cpp:275:8:275:9 | v9 | | +| vector.cpp:267:28:267:29 | call to vector | vector.cpp:276:2:276:2 | v9 | | +| vector.cpp:269:3:269:4 | ref arg v7 | vector.cpp:273:8:273:9 | v7 | | +| vector.cpp:269:3:269:4 | ref arg v7 | vector.cpp:276:2:276:2 | v7 | | +| vector.cpp:269:13:269:15 | 100 | vector.cpp:269:3:269:4 | ref arg v7 | TAINT | +| vector.cpp:269:18:269:31 | call to source | vector.cpp:269:3:269:4 | ref arg v7 | TAINT | +| vector.cpp:270:3:270:4 | ref arg v8 | vector.cpp:274:8:274:9 | v8 | | +| vector.cpp:270:3:270:4 | ref arg v8 | vector.cpp:276:2:276:2 | v8 | | +| vector.cpp:270:18:270:35 | call to source | vector.cpp:270:3:270:4 | ref arg v8 | TAINT | +| 
vector.cpp:271:3:271:4 | ref arg v9 | vector.cpp:275:8:275:9 | v9 | | +| vector.cpp:271:3:271:4 | ref arg v9 | vector.cpp:276:2:276:2 | v9 | | +| vector.cpp:273:8:273:9 | ref arg v7 | vector.cpp:276:2:276:2 | v7 | | +| vector.cpp:274:8:274:9 | ref arg v8 | vector.cpp:276:2:276:2 | v8 | | +| vector.cpp:275:8:275:9 | ref arg v9 | vector.cpp:276:2:276:2 | v9 | | +| vector.cpp:282:19:282:20 | call to vector | vector.cpp:284:2:284:3 | v1 | | +| vector.cpp:282:19:282:20 | call to vector | vector.cpp:285:7:285:8 | v1 | | +| vector.cpp:282:19:282:20 | call to vector | vector.cpp:286:7:286:8 | v1 | | +| vector.cpp:282:19:282:20 | call to vector | vector.cpp:287:7:287:8 | v1 | | +| vector.cpp:282:19:282:20 | call to vector | vector.cpp:293:1:293:1 | v1 | | +| vector.cpp:282:23:282:24 | call to vector | vector.cpp:289:4:289:5 | v2 | | +| vector.cpp:282:23:282:24 | call to vector | vector.cpp:290:7:290:8 | v2 | | +| vector.cpp:282:23:282:24 | call to vector | vector.cpp:291:7:291:8 | v2 | | +| vector.cpp:282:23:282:24 | call to vector | vector.cpp:292:7:292:8 | v2 | | +| vector.cpp:282:23:282:24 | call to vector | vector.cpp:293:1:293:1 | v2 | | +| vector.cpp:284:2:284:3 | ref arg v1 | vector.cpp:285:7:285:8 | v1 | | +| vector.cpp:284:2:284:3 | ref arg v1 | vector.cpp:286:7:286:8 | v1 | | +| vector.cpp:284:2:284:3 | ref arg v1 | vector.cpp:287:7:287:8 | v1 | | +| vector.cpp:284:2:284:3 | ref arg v1 | vector.cpp:293:1:293:1 | v1 | | +| vector.cpp:284:15:284:20 | call to source | vector.cpp:284:2:284:3 | ref arg v1 | TAINT | +| vector.cpp:285:7:285:8 | ref arg v1 | vector.cpp:286:7:286:8 | v1 | | +| vector.cpp:285:7:285:8 | ref arg v1 | vector.cpp:287:7:287:8 | v1 | | +| vector.cpp:285:7:285:8 | ref arg v1 | vector.cpp:293:1:293:1 | v1 | | +| vector.cpp:286:7:286:8 | ref arg v1 | vector.cpp:287:7:287:8 | v1 | | +| vector.cpp:286:7:286:8 | ref arg v1 | vector.cpp:293:1:293:1 | v1 | | +| vector.cpp:286:7:286:8 | v1 | vector.cpp:286:10:286:13 | call to data | TAINT | +| 
vector.cpp:286:10:286:13 | ref arg call to data | vector.cpp:286:7:286:8 | ref arg v1 | TAINT | +| vector.cpp:287:7:287:8 | ref arg v1 | vector.cpp:293:1:293:1 | v1 | | +| vector.cpp:287:7:287:8 | v1 | vector.cpp:287:10:287:13 | call to data | TAINT | +| vector.cpp:287:10:287:13 | call to data | vector.cpp:287:7:287:18 | access to array | TAINT | +| vector.cpp:287:17:287:17 | 2 | vector.cpp:287:7:287:18 | access to array | TAINT | +| vector.cpp:289:2:289:13 | * ... [post update] | vector.cpp:289:7:289:10 | call to data [inner post update] | | +| vector.cpp:289:2:289:32 | ... = ... | vector.cpp:289:2:289:13 | * ... [post update] | | +| vector.cpp:289:4:289:5 | ref arg v2 | vector.cpp:290:7:290:8 | v2 | | +| vector.cpp:289:4:289:5 | ref arg v2 | vector.cpp:291:7:291:8 | v2 | | +| vector.cpp:289:4:289:5 | ref arg v2 | vector.cpp:292:7:292:8 | v2 | | +| vector.cpp:289:4:289:5 | ref arg v2 | vector.cpp:293:1:293:1 | v2 | | +| vector.cpp:289:4:289:5 | v2 | vector.cpp:289:7:289:10 | call to data | TAINT | +| vector.cpp:289:7:289:10 | call to data | vector.cpp:289:2:289:13 | * ... | TAINT | +| vector.cpp:289:7:289:10 | call to data [inner post update] | vector.cpp:289:4:289:5 | ref arg v2 | TAINT | +| vector.cpp:289:17:289:30 | call to source | vector.cpp:289:2:289:32 | ... = ... 
| | +| vector.cpp:290:7:290:8 | ref arg v2 | vector.cpp:291:7:291:8 | v2 | | +| vector.cpp:290:7:290:8 | ref arg v2 | vector.cpp:292:7:292:8 | v2 | | +| vector.cpp:290:7:290:8 | ref arg v2 | vector.cpp:293:1:293:1 | v2 | | +| vector.cpp:291:7:291:8 | ref arg v2 | vector.cpp:292:7:292:8 | v2 | | +| vector.cpp:291:7:291:8 | ref arg v2 | vector.cpp:293:1:293:1 | v2 | | +| vector.cpp:291:7:291:8 | v2 | vector.cpp:291:10:291:13 | call to data | TAINT | +| vector.cpp:291:10:291:13 | ref arg call to data | vector.cpp:291:7:291:8 | ref arg v2 | TAINT | +| vector.cpp:292:7:292:8 | ref arg v2 | vector.cpp:293:1:293:1 | v2 | | +| vector.cpp:292:7:292:8 | v2 | vector.cpp:292:10:292:13 | call to data | TAINT | +| vector.cpp:292:10:292:13 | call to data | vector.cpp:292:7:292:18 | access to array | TAINT | +| vector.cpp:292:17:292:17 | 2 | vector.cpp:292:7:292:18 | access to array | TAINT | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected index c82a1134c7fb..ed1931820438 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected 
@@ -241,13 +241,13 @@ | vector.cpp:171:13:171:13 | call to operator[] | vector.cpp:170:14:170:19 | call to source | | vector.cpp:180:13:180:13 | call to operator[] | vector.cpp:179:14:179:19 | call to source | | vector.cpp:201:13:201:13 | call to operator[] | vector.cpp:200:14:200:19 | call to source | -| vector.cpp:236:7:236:8 | v2 | vector.cpp:232:17:232:30 | call to source | -| vector.cpp:237:7:237:8 | v3 | vector.cpp:233:15:233:20 | call to source | -| vector.cpp:265:8:265:9 | v7 | vector.cpp:262:18:262:31 | call to source | -| vector.cpp:266:8:266:9 | v8 | vector.cpp:263:18:263:35 | call to source | -| vector.cpp:276:7:276:8 | v1 | vector.cpp:275:15:275:20 | call to source | -| vector.cpp:277:10:277:13 | call to data | vector.cpp:275:15:275:20 | call to source | -| vector.cpp:278:7:278:18 | access to array | vector.cpp:275:15:275:20 | call to source | -| vector.cpp:281:7:281:8 | v2 | vector.cpp:280:17:280:30 | call to source | -| vector.cpp:282:10:282:13 | call to data | vector.cpp:280:17:280:30 | call to source | -| vector.cpp:283:7:283:18 | access to array | vector.cpp:280:17:280:30 | call to source | +| vector.cpp:242:7:242:8 | v2 | vector.cpp:238:17:238:30 | call to source | +| vector.cpp:243:7:243:8 | v3 | vector.cpp:239:15:239:20 | call to source | +| vector.cpp:273:8:273:9 | v7 | vector.cpp:269:18:269:31 | call to source | +| vector.cpp:274:8:274:9 | v8 | vector.cpp:270:18:270:35 | call to source | +| vector.cpp:285:7:285:8 | v1 | vector.cpp:284:15:284:20 | call to source | +| vector.cpp:286:10:286:13 | call to data | vector.cpp:284:15:284:20 | call to source | +| vector.cpp:287:7:287:18 | access to array | vector.cpp:284:15:284:20 | call to source | +| vector.cpp:290:7:290:8 | v2 | vector.cpp:289:17:289:30 | call to source | +| vector.cpp:291:10:291:13 | call to data | vector.cpp:289:17:289:30 | call to source | +| vector.cpp:292:7:292:18 | access to array | vector.cpp:289:17:289:30 | call to source | 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected index e909d08e97e3..c92595c49ab8 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected @@ -177,13 +177,13 @@ | vector.cpp:171:13:171:13 | vector.cpp:170:14:170:19 | AST only | | vector.cpp:180:13:180:13 | vector.cpp:179:14:179:19 | AST only | | vector.cpp:201:13:201:13 | vector.cpp:200:14:200:19 | AST only | -| vector.cpp:236:7:236:8 | vector.cpp:232:17:232:30 | AST only | -| vector.cpp:237:7:237:8 | vector.cpp:233:15:233:20 | AST only | -| vector.cpp:265:8:265:9 | vector.cpp:262:18:262:31 | AST only | -| vector.cpp:266:8:266:9 | vector.cpp:263:18:263:35 | AST only | -| vector.cpp:276:7:276:8 | vector.cpp:275:15:275:20 | AST only | -| vector.cpp:277:10:277:13 | vector.cpp:275:15:275:20 | AST only | -| vector.cpp:278:7:278:18 | vector.cpp:275:15:275:20 | AST only | -| vector.cpp:281:7:281:8 | vector.cpp:280:17:280:30 | AST only | -| vector.cpp:282:10:282:13 | vector.cpp:280:17:280:30 | AST only | -| vector.cpp:283:7:283:18 | vector.cpp:280:17:280:30 | AST only | +| vector.cpp:242:7:242:8 | vector.cpp:238:17:238:30 | AST only | +| vector.cpp:243:7:243:8 | vector.cpp:239:15:239:20 | AST only | +| vector.cpp:273:8:273:9 | vector.cpp:269:18:269:31 | AST only | +| vector.cpp:274:8:274:9 | vector.cpp:270:18:270:35 | AST only | +| vector.cpp:285:7:285:8 | vector.cpp:284:15:284:20 | AST only | +| vector.cpp:286:10:286:13 | vector.cpp:284:15:284:20 | AST only | +| vector.cpp:287:7:287:18 | vector.cpp:284:15:284:20 | AST only | +| vector.cpp:290:7:290:8 | vector.cpp:289:17:289:30 | AST only | +| vector.cpp:291:10:291:13 | vector.cpp:289:17:289:30 | AST only | +| vector.cpp:292:7:292:18 | vector.cpp:289:17:289:30 | AST only | 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp index bb1c6ef5dcf5..1105ad12f969 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp @@ -223,7 +223,13 @@ namespace ns_myFloat myFloat source(); } +namespace ns_ci_ptr +{ + const int *source(); +} + void sink(std::vector &); +void sink(std::vector &); void test_vector_assign() { std::vector v1, v2, v3; @@ -258,12 +264,15 @@ void test_vector_assign() { { std::vector v7; std::vector v8; + std::vector v9; v7.assign(100, ns_int::source()); v8.assign(100, ns_myFloat::source()); + v9.assign(100, ns_ci_ptr::source()); sink(v7); // tainted sink(v8); // tainted + sink(v9); // tainted [NOT DETECTED] } } From 865d91de805e00337751903dec7167bd3aa8b7ef Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 27 Aug 2020 15:04:00 +0100 Subject: [PATCH 09/13] C++: Fix getAValueTypeParameterIndex(). --- .../semmle/code/cpp/models/implementations/StdContainer.qll | 4 ++-- .../library-tests/dataflow/taint-tests/localTaint.expected | 1 + cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected | 1 + .../library-tests/dataflow/taint-tests/test_diff.expected | 1 + cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp | 2 +- 5 files changed, 6 insertions(+), 3 deletions(-) diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll index bee2ab4974c9..ac5b8e55485b 100644 --- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll +++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll 
@@ -101,10 +101,10 @@ class StdSequenceContainerAssign extends TaintFunction {
* value type of the container.
*/
int getAValueTypeParameterIndex() {
- getParameter(result).getUnspecifiedType() = getDeclaringType().getTemplateArgument(0) // i.e. the `T` of this `std::vector`
+ getParameter(result).getUnspecifiedType() = getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector`
or
getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
- getDeclaringType().getTemplateArgument(0)
+ getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType()
}

override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 198c1e914baa..36f2638b451e 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -2325,6 +2325,7 @@
| vector.cpp:270:18:270:35 | call to source | vector.cpp:270:3:270:4 | ref arg v8 | TAINT |
| vector.cpp:271:3:271:4 | ref arg v9 | vector.cpp:275:8:275:9 | v9 | |
| vector.cpp:271:3:271:4 | ref arg v9 | vector.cpp:276:2:276:2 | v9 | |
+| vector.cpp:271:18:271:34 | call to source | vector.cpp:271:3:271:4 | ref arg v9 | TAINT |
| vector.cpp:273:8:273:9 | ref arg v7 | vector.cpp:276:2:276:2 | v7 | |
| vector.cpp:274:8:274:9 | ref arg v8 | vector.cpp:276:2:276:2 | v8 | |
| vector.cpp:275:8:275:9 | ref arg v9 | vector.cpp:276:2:276:2 | v9 | |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
index ed1931820438..df1c8c21210d 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
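Review bot: The comparison now strips typedefs and specifiers from the container's template argument, but nothing next to it records why; the `sink(v9)` test for a `std::vector` of `const int *` in this same commit is the motivating case, and without a note the `.getUnspecifiedType()` is the first thing a later simplification will drop. I'd extend the inline comment on the added line to `// compare unspecified types so a cv-qualified or typedef'd element type (e.g. const int *) still matches`. The `.(Type)` inline cast also silently excludes any non-type template argument, which is fine for an element type but deserves a word in the QLDoc above. The enclosing class begins outside the hunk.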
@@ -245,6 +245,7 @@ | vector.cpp:243:7:243:8 | v3 | vector.cpp:239:15:239:20 | call to source | | vector.cpp:273:8:273:9 | v7 | vector.cpp:269:18:269:31 | call to source | | vector.cpp:274:8:274:9 | v8 | vector.cpp:270:18:270:35 | call to source | +| vector.cpp:275:8:275:9 | v9 | vector.cpp:271:18:271:34 | call to source | | vector.cpp:285:7:285:8 | v1 | vector.cpp:284:15:284:20 | call to source | | vector.cpp:286:10:286:13 | call to data | vector.cpp:284:15:284:20 | call to source | | vector.cpp:287:7:287:18 | access to array | vector.cpp:284:15:284:20 | call to source | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected index c92595c49ab8..b312fb0b71b0 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected @@ -181,6 +181,7 @@ | vector.cpp:243:7:243:8 | vector.cpp:239:15:239:20 | AST only | | vector.cpp:273:8:273:9 | vector.cpp:269:18:269:31 | AST only | | vector.cpp:274:8:274:9 | vector.cpp:270:18:270:35 | AST only | +| vector.cpp:275:8:275:9 | vector.cpp:271:18:271:34 | AST only | | vector.cpp:285:7:285:8 | vector.cpp:284:15:284:20 | AST only | | vector.cpp:286:10:286:13 | vector.cpp:284:15:284:20 | AST only | | vector.cpp:287:7:287:18 | vector.cpp:284:15:284:20 | AST only | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp index 1105ad12f969..9c295fbe541d 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp @@ -272,7 +272,7 @@ void test_vector_assign() { sink(v7); // tainted sink(v8); // tainted - sink(v9); // tainted [NOT DETECTED] + sink(v9); // tainted } } From 071b303ea06e13cb00751bec080a05670531dc03 Mon Sep 17 00:00:00 2001 
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 27 Aug 2020 15:17:04 +0100 Subject: [PATCH 10/13] C++: Make the other versions consistent with this. --- .../code/cpp/models/implementations/StdContainer.qll | 2 +- .../code/cpp/models/implementations/StdString.qll | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll index ac5b8e55485b..6091f9f6395e 100644 --- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll +++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll @@ -23,7 +23,7 @@ class StdSequenceContainerConstructor extends Constructor, TaintFunction { */ int getAValueTypeParameterIndex() { getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() = - getDeclaringType().getTemplateArgument(0) // i.e. the `T` of this `std::vector` + getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector` } override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll index 7ed73e59a211..2910f068be9c 100644 --- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll +++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll 
@@ -71,17 +71,17 @@ class StdStringAppend extends TaintFunction {
* Gets the index of a parameter to this function that is a string (or
* character).
*/
- int getAStringParameter() {
+ int getAStringParameterIndex() {
getParameter(result).getType() instanceof PointerType or
getParameter(result).getType() instanceof ReferenceType or
- getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
+ getParameter(result).getUnspecifiedType() = getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. `std::basic_string::CharT`
}

override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// flow from string and parameter to string (qualifier) and return value
(
input.isQualifierObject() or
- input.isParameterDeref(getAStringParameter())
+ input.isParameterDeref(getAStringParameterIndex())
) and
(
output.isQualifierObject() or
@@ -100,15 +100,15 @@ class StdStringAssign extends TaintFunction {
* Gets the index of a parameter to this function that is a string (or
* character).
*/
- int getAStringParameter() {
+ int getAStringParameterIndex() {
getParameter(result).getType() instanceof PointerType or
getParameter(result).getType() instanceof ReferenceType or
- getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
+ getParameter(result).getUnspecifiedType() = getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. `std::basic_string::CharT`
}

override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// flow from parameter to string itself (qualifier) and return value
- input.isParameterDeref(getAStringParameter()) and
+ input.isParameterDeref(getAStringParameterIndex()) and
(
output.isQualifierObject() or
output.isReturnValueDeref()
From 927a4faa5829f52b96b4637cc30a7acf3c6c36cd Mon Sep 17 00:00:00 2001
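Review bot: Only the third disjunct of `getAStringParameterIndex` was switched to `getUnspecifiedType()`; the two lines above it still test `getParameter(result).getType() instanceof PointerType` / `ReferenceType`, so a parameter declared through a typedef (a `const_pointer` or `const_reference` alias, if the modelled library declares any overload that way) would not resolve to a pointer or reference and would be missed, while the same parameter written out as `const CharT *` would match. Making all three disjuncts look at the same view of the type keeps the predicate consistent: `getParameter(result).getUnspecifiedType() instanceof PointerType or` and `getParameter(result).getUnspecifiedType() instanceof ReferenceType or`. The rename from `getAStringParameter` also changes a public predicate name of both classes; whether anything outside these models calls the old name is not visible from here, so worth a grep before merging. Both enclosing classes begin outside the hunks.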
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 27 Aug 2020 15:40:07 +0100 Subject: [PATCH 11/13] C++: Remove the non-reference case that we shouldn't need. --- .../semmle/code/cpp/models/implementations/StdContainer.qll | 4 +--- .../library-tests/dataflow/taint-tests/localTaint.expected | 6 ------ .../test/library-tests/dataflow/taint-tests/taint.expected | 2 -- .../library-tests/dataflow/taint-tests/test_diff.expected | 2 -- 4 files changed, 1 insertion(+), 13 deletions(-) diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll index 6091f9f6395e..06daa9126d1e 100644 --- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll +++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll @@ -101,10 +101,8 @@ class StdSequenceContainerAssign extends TaintFunction { * value type of the container. */ int getAValueTypeParameterIndex() { - getParameter(result).getUnspecifiedType() = getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector` - or getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() = - getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() + getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector` } override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 36f2638b451e..ebd0beddf0df 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
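Review bot: The QLDoc just above the predicate (`* value type of the container.`) still describes any parameter whose type is the value type, but after this hunk only a reference-typed parameter whose referent is `T` qualifies — a by-value `T` parameter no longer does, and the removed first disjunct was the only thing that covered it. Suggest `* value type of the container, taken by reference (e.g. \`const T &\`).` so the narrower contract is visible to the next person who adds an overload model. The enclosing class begins outside the hunk.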
@@ -2246,12 +2246,8 @@ | vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:249:13:249:14 | v1 | | | vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:249:25:249:26 | v1 | | | vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:277:1:277:1 | v1 | | -| vector.cpp:237:12:237:14 | 100 | vector.cpp:237:2:237:3 | ref arg v1 | TAINT | -| vector.cpp:237:17:237:17 | 0 | vector.cpp:237:2:237:3 | ref arg v1 | TAINT | | vector.cpp:238:2:238:3 | ref arg v2 | vector.cpp:242:7:242:8 | v2 | | | vector.cpp:238:2:238:3 | ref arg v2 | vector.cpp:277:1:277:1 | v2 | | -| vector.cpp:238:12:238:14 | 100 | vector.cpp:238:2:238:3 | ref arg v2 | TAINT | -| vector.cpp:238:17:238:30 | call to source | vector.cpp:238:2:238:3 | ref arg v2 | TAINT | | vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:243:7:243:8 | v3 | | | vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:250:13:250:14 | v3 | | | vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:250:25:250:26 | v3 | | @@ -2318,8 +2314,6 @@ | vector.cpp:267:28:267:29 | call to vector | vector.cpp:276:2:276:2 | v9 | | | vector.cpp:269:3:269:4 | ref arg v7 | vector.cpp:273:8:273:9 | v7 | | | vector.cpp:269:3:269:4 | ref arg v7 | vector.cpp:276:2:276:2 | v7 | | -| vector.cpp:269:13:269:15 | 100 | vector.cpp:269:3:269:4 | ref arg v7 | TAINT | -| vector.cpp:269:18:269:31 | call to source | vector.cpp:269:3:269:4 | ref arg v7 | TAINT | | vector.cpp:270:3:270:4 | ref arg v8 | vector.cpp:274:8:274:9 | v8 | | | vector.cpp:270:3:270:4 | ref arg v8 | vector.cpp:276:2:276:2 | v8 | | | vector.cpp:270:18:270:35 | call to source | vector.cpp:270:3:270:4 | ref arg v8 | TAINT | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected index df1c8c21210d..ae9d740e3f01 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected 
@@ -241,9 +241,7 @@ | vector.cpp:171:13:171:13 | call to operator[] | vector.cpp:170:14:170:19 | call to source | | vector.cpp:180:13:180:13 | call to operator[] | vector.cpp:179:14:179:19 | call to source | | vector.cpp:201:13:201:13 | call to operator[] | vector.cpp:200:14:200:19 | call to source | -| vector.cpp:242:7:242:8 | v2 | vector.cpp:238:17:238:30 | call to source | | vector.cpp:243:7:243:8 | v3 | vector.cpp:239:15:239:20 | call to source | -| vector.cpp:273:8:273:9 | v7 | vector.cpp:269:18:269:31 | call to source | | vector.cpp:274:8:274:9 | v8 | vector.cpp:270:18:270:35 | call to source | | vector.cpp:275:8:275:9 | v9 | vector.cpp:271:18:271:34 | call to source | | vector.cpp:285:7:285:8 | v1 | vector.cpp:284:15:284:20 | call to source | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected index b312fb0b71b0..51ceb9e46c20 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected @@ -177,9 +177,7 @@ | vector.cpp:171:13:171:13 | vector.cpp:170:14:170:19 | AST only | | vector.cpp:180:13:180:13 | vector.cpp:179:14:179:19 | AST only | | vector.cpp:201:13:201:13 | vector.cpp:200:14:200:19 | AST only | -| vector.cpp:242:7:242:8 | vector.cpp:238:17:238:30 | AST only | | vector.cpp:243:7:243:8 | vector.cpp:239:15:239:20 | AST only | -| vector.cpp:273:8:273:9 | vector.cpp:269:18:269:31 | AST only | | vector.cpp:274:8:274:9 | vector.cpp:270:18:270:35 | AST only | | vector.cpp:275:8:275:9 | vector.cpp:271:18:271:34 | AST only | | vector.cpp:285:7:285:8 | vector.cpp:284:15:284:20 | AST only | From 208cd4c888bf262279c38a50134dbf0a63f9b850 Mon Sep 17 00:00:00 2001 
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 27 Aug 2020 15:54:27 +0100 Subject: [PATCH 12/13] C++: Fix assign in the test stl.h. --- .../dataflow/taint-tests/localTaint.expected | 15 +++++++++------ .../test/library-tests/dataflow/taint-tests/stl.h | 8 ++++++-- .../dataflow/taint-tests/taint.expected | 2 ++ .../dataflow/taint-tests/test_diff.expected | 2 ++ 4 files changed, 19 insertions(+), 8 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index ebd0beddf0df..7ac47152937a 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
@@ -313,12 +313,12 @@ | movableclass.cpp:65:13:65:18 | call to source | movableclass.cpp:65:13:65:20 | call to MyMovableClass | TAINT | | movableclass.cpp:65:13:65:20 | call to MyMovableClass | movableclass.cpp:65:8:65:9 | ref arg s3 | TAINT | | movableclass.cpp:65:13:65:20 | call to MyMovableClass | movableclass.cpp:65:11:65:11 | call to operator= | TAINT | -| stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT | -| stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT | -| stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT | -| stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT | -| stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT | -| stl.h:137:53:137:63 | 0 | stl.h:137:46:137:64 | (no string representation) | TAINT | +| stl.h:139:30:139:40 | call to allocator | stl.h:139:21:139:41 | noexcept(...) | TAINT | +| stl.h:139:30:139:40 | call to allocator | stl.h:139:21:139:41 | noexcept(...) | TAINT | +| stl.h:139:30:139:40 | call to allocator | stl.h:139:21:139:41 | noexcept(...) | TAINT | +| stl.h:139:30:139:40 | call to allocator | stl.h:139:21:139:41 | noexcept(...) | TAINT | +| stl.h:139:30:139:40 | call to allocator | stl.h:139:21:139:41 | noexcept(...) | TAINT | +| stl.h:139:53:139:63 | 0 | stl.h:139:46:139:64 | (no string representation) | TAINT | | string.cpp:24:12:24:17 | call to source | string.cpp:28:7:28:7 | a | | | string.cpp:25:16:25:20 | 123 | string.cpp:25:16:25:21 | call to basic_string | TAINT | | string.cpp:25:16:25:21 | call to basic_string | string.cpp:29:7:29:7 | b | | 
@@ -2246,8 +2246,10 @@ | vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:249:13:249:14 | v1 | | | vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:249:25:249:26 | v1 | | | vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:277:1:277:1 | v1 | | +| vector.cpp:237:17:237:17 | 0 | vector.cpp:237:2:237:3 | ref arg v1 | TAINT | | vector.cpp:238:2:238:3 | ref arg v2 | vector.cpp:242:7:242:8 | v2 | | | vector.cpp:238:2:238:3 | ref arg v2 | vector.cpp:277:1:277:1 | v2 | | +| vector.cpp:238:17:238:30 | call to source | vector.cpp:238:2:238:3 | ref arg v2 | TAINT | | vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:243:7:243:8 | v3 | | | vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:250:13:250:14 | v3 | | | vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:250:25:250:26 | v3 | | @@ -2314,6 +2316,7 @@ | vector.cpp:267:28:267:29 | call to vector | vector.cpp:276:2:276:2 | v9 | | | vector.cpp:269:3:269:4 | ref arg v7 | vector.cpp:273:8:273:9 | v7 | | | vector.cpp:269:3:269:4 | ref arg v7 | vector.cpp:276:2:276:2 | v7 | | +| vector.cpp:269:18:269:31 | call to source | vector.cpp:269:3:269:4 | ref arg v7 | TAINT | | vector.cpp:270:3:270:4 | ref arg v8 | vector.cpp:274:8:274:9 | v8 | | | vector.cpp:270:3:270:4 | ref arg v8 | vector.cpp:276:2:276:2 | v8 | | | vector.cpp:270:18:270:35 | call to source | vector.cpp:270:3:270:4 | ref arg v8 | TAINT | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h index 77df0e91f99e..e9a27670c2f4 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h @@ -11,12 +11,14 @@ namespace std struct ptrdiff_t; - template struct iterator { + typedef Category iterator_category; + iterator &operator++(); iterator operator++(int); bool operator==(iterator other) const; 
@@ -142,7 +144,9 @@ namespace std { vector& operator=(const vector& x); vector& operator=(vector&& x) noexcept/*(allocator_traits::propagate_on_container_move_assignment::value || allocator_traits::is_always_equal::value)*/; - template void assign(InputIterator first, InputIterator last); + template void assign(InputIterator first, InputIterator last); + // use of `iterator_category` makes sure InputIterator is (probably) an iterator, and not an `int` or + // similar that should match a different overload (SFINAE). void assign(size_type n, const T& u); iterator begin() noexcept; diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected index ae9d740e3f01..df1c8c21210d 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected @@ -241,7 +241,9 @@ | vector.cpp:171:13:171:13 | call to operator[] | vector.cpp:170:14:170:19 | call to source | | vector.cpp:180:13:180:13 | call to operator[] | vector.cpp:179:14:179:19 | call to source | | vector.cpp:201:13:201:13 | call to operator[] | vector.cpp:200:14:200:19 | call to source | +| vector.cpp:242:7:242:8 | v2 | vector.cpp:238:17:238:30 | call to source | | vector.cpp:243:7:243:8 | v3 | vector.cpp:239:15:239:20 | call to source | +| vector.cpp:273:8:273:9 | v7 | vector.cpp:269:18:269:31 | call to source | | vector.cpp:274:8:274:9 | v8 | vector.cpp:270:18:270:35 | call to source | | vector.cpp:275:8:275:9 | v9 | vector.cpp:271:18:271:34 | call to source | | vector.cpp:285:7:285:8 | v1 | vector.cpp:284:15:284:20 | call to source | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected index 51ceb9e46c20..b312fb0b71b0 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected 
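Review bot: The SFINAE guard on the added `assign` template keys on a nested `iterator_category` (the template parameter list itself is not legible here, but the added comment says that is what it uses), and raw pointers have no nested typedef, so a call such as `v.assign(p, p + n)` with `T *` iterators would drop out of this overload and fall through to `assign(size_type n, const T& u)`; real library headers avoid that by going through `std::iterator_traits`. If the stub's `std` namespace provides `iterator_traits`, constraining on `typename std::iterator_traits<InputIterator>::iterator_category` covers both cases; if it does not, the comment should say pointer ranges are deliberately not modelled by this stub. The explanatory comment also sits after the declaration it explains — placing the two `//` lines above the `template` line reads more naturally. The enclosing `class vector` begins outside the hunk.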
@@ -177,7 +177,9 @@ | vector.cpp:171:13:171:13 | vector.cpp:170:14:170:19 | AST only | | vector.cpp:180:13:180:13 | vector.cpp:179:14:179:19 | AST only | | vector.cpp:201:13:201:13 | vector.cpp:200:14:200:19 | AST only | +| vector.cpp:242:7:242:8 | vector.cpp:238:17:238:30 | AST only | | vector.cpp:243:7:243:8 | vector.cpp:239:15:239:20 | AST only | +| vector.cpp:273:8:273:9 | vector.cpp:269:18:269:31 | AST only | | vector.cpp:274:8:274:9 | vector.cpp:270:18:270:35 | AST only | | vector.cpp:275:8:275:9 | vector.cpp:271:18:271:34 | AST only | | vector.cpp:285:7:285:8 | vector.cpp:284:15:284:20 | AST only | From 9b3da1f6c79ca1a614e1af9615d5aa5cfd02bd96 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 27 Aug 2020 16:55:45 +0100 Subject: [PATCH 13/13] C++: Autoformat. --- .../semmle/code/cpp/models/implementations/StdString.qll | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll index 2910f068be9c..56151e8043e5 100644 --- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll +++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll @@ -74,7 +74,8 @@ class StdStringAppend extends TaintFunction { int getAStringParameterIndex() { getParameter(result).getType() instanceof PointerType or getParameter(result).getType() instanceof ReferenceType or - getParameter(result).getUnspecifiedType() = getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. `std::basic_string::CharT` + getParameter(result).getUnspecifiedType() = + getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. `std::basic_string::CharT` } override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { 
@@ -103,7 +104,8 @@ class StdStringAssign extends TaintFunction { int getAStringParameterIndex() { getParameter(result).getType() instanceof PointerType or getParameter(result).getType() instanceof ReferenceType or - getParameter(result).getUnspecifiedType() = getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. `std::basic_string::CharT` + getParameter(result).getUnspecifiedType() = + getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. `std::basic_string::CharT` } override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {