Merge branch 'main' into redsun82/rust-mad

2025-12-16 16:53:25 +01:00 · 2025-06-11 16:39:10 +02:00
parent 5f474a7185 fbcd9eaf09
commit 051704e59d
1104 changed files with 33004 additions and 12030 deletions
--- a/.github/workflows/validate-change-notes.yml
+++ b/.github/workflows/validate-change-notes.yml
@@ -31,4 +31,4 @@ jobs:
      - name: Fail if there are any errors with existing change notes
        run: |
-          codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental
+          codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,11 @@
 ## 0.4.11
 No user-facing changes.
 ## 0.4.10
 No user-facing changes.
 ## 0.4.9
 No user-facing changes.
--- a/actions/ql/lib/change-notes/2025-06-09-bash-parsing-performance.md
+++ b/actions/ql/lib/change-notes/2025-06-09-bash-parsing-performance.md
@@ -0,0 +1,6 @@
 ---
 category: minorAnalysis
 ---
 * Fixed performance issues in the parsing of Bash scripts in workflow files,
  which led to out-of-disk errors when analysing certain workflow files with
  complex interpolations of shell commands or quoted strings.
--- a/actions/ql/lib/change-notes/released/0.4.10.md
+++ b/actions/ql/lib/change-notes/released/0.4.10.md
@@ -0,0 +1,3 @@
 ## 0.4.10
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.11.md
+++ b/actions/ql/lib/change-notes/released/0.4.11.md
@@ -0,0 +1,3 @@
 ## 0.4.11
 No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.9
+lastReleaseVersion: 0.4.11
--- a/actions/ql/lib/codeql/actions/Ast.qll
+++ b/actions/ql/lib/codeql/actions/Ast.qll
@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
  string getNormalizedExpression() { result = normalizeExpr(expression) }
 }
-/** A common class for `env` in workflow, job or step. */
+/** An `env` in workflow, job or step. */
-abstract class Env extends AstNode instanceof EnvImpl {
+class Env extends AstNode instanceof EnvImpl {
  /** Gets an environment variable value given its name. */
  ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }
--- a/actions/ql/lib/codeql/actions/Bash.qll
+++ b/actions/ql/lib/codeql/actions/Bash.qll
@@ -8,35 +8,64 @@ class BashShellScript extends ShellScript {
    )
  }
-  private string lineProducer(int i) {
+  /**
-    result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i)
+   * Gets the line at 0-based index `lineIndex` within this shell script,
   * assuming newlines as separators.
   */
  private string lineProducer(int lineIndex) {
    result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", lineIndex)
  }
-  private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) {
+  private predicate cmdSubstitutionReplacement(string command, string id, int lineIndex) {
-    exists(string line | line = this.lineProducer(k) |
+    this.commandInSubstitution(lineIndex, command, id)
-      exists(int i, int j |
+    or
-        cmdSubs =
+    this.commandInBackticks(lineIndex, command, id)
-          // $() cmd substitution
+  }
-          line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j)
+
-              .regexpReplaceAll("^\\$\\(", "")
+  /**
-              .regexpReplaceAll("\\)$", "") and
+   * Holds if there is a command substitution `$(command)` in
-        id = "cmdsubs:" + k + ":" + i + ":" + j
+   * the line at `lineIndex` in the shell script,
-      )
+   * and `id` is a unique identifier for this command.
-      or
+   */
-      exists(int i, int j |
+  private predicate commandInSubstitution(int lineIndex, string command, string id) {
-        // `...` cmd substitution
+    exists(int occurrenceIndex, int occurrenceOffset |
-        cmdSubs =
+      command =
-          line.regexpFind("\\`[^\\`]+\\`", i, j)
+        // Look for the command inside a $(...) command substitution
-              .regexpReplaceAll("^\\`", "")
+        this.lineProducer(lineIndex)
-              .regexpReplaceAll("\\`$", "") and
+            .regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", occurrenceIndex,
-        id = "cmd:" + k + ":" + i + ":" + j
+              occurrenceOffset)
-      )
+            // trim starting $( - TODO do this in first regex
            .regexpReplaceAll("^\\$\\(", "")
            // trim ending ) - TODO do this in first regex
            .regexpReplaceAll("\\)$", "") and
      id = "cmdsubs:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
    )
  }
-  private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) {
+  /**
-    old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and
+   * Holds if `command` is a command in backticks `` `...` `` in
-    this.cmdSubstitutionReplacement(old, new, _)
+   * the line at `lineIndex` in the shell script,
   * and `id` is a unique identifier for this command.
   */
  private predicate commandInBackticks(int lineIndex, string command, string id) {
    exists(int occurrenceIndex, int occurrenceOffset |
      command =
        this.lineProducer(lineIndex)
            .regexpFind("\\`[^\\`]+\\`", occurrenceIndex, occurrenceOffset)
            // trim leading backtick - TODO do this in first regex
            .regexpReplaceAll("^\\`", "")
            // trim trailing backtick - TODO do this in first regex
            .regexpReplaceAll("\\`$", "") and
      id = "cmd:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
    )
  }
  private predicate rankedCmdSubstitutionReplacements(int i, string command, string commandId) {
    // rank commands by their unique IDs
    commandId = rank[i](string c, string id | this.cmdSubstitutionReplacement(c, id, _) | id) and
    // since we cannot output (command, ID) tuples from the rank operation,
    // we need to work out the specific command associated with the resulting ID
    this.cmdSubstitutionReplacement(command, commandId, _)
  }
  private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) {
@@ -64,31 +93,56 @@ class BashShellScript extends ShellScript {
    this.cmdSubstitutionReplacement(result, _, i)
  }
  /**
   * Holds if `quotedStr` is a string in double quotes in
   * the line at `lineIndex` in the shell script,
   * and `id` is a unique identifier for this quoted string.
   */
  private predicate doubleQuotedString(int lineIndex, string quotedStr, string id) {
    exists(int occurrenceIndex, int occurrenceOffset |
      // double quoted string
      quotedStr =
        this.cmdSubstitutedLineProducer(lineIndex)
            .regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", occurrenceIndex, occurrenceOffset) and
      id =
        "qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
          quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
    )
  }
  /**
   * Holds if `quotedStr` is a string in single quotes in
   * the line at `lineIndex` in the shell script,
   * and `id` is a unique identifier for this quoted string.
   */
  private predicate singleQuotedString(int lineIndex, string quotedStr, string id) {
    exists(int occurrenceIndex, int occurrenceOffset |
      // single quoted string
      quotedStr =
        this.cmdSubstitutedLineProducer(lineIndex)
            .regexpFind("'((?:\\\\.|[^'\\\\])*)'", occurrenceIndex, occurrenceOffset) and
      id =
        "qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
          quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
    )
  }
  private predicate quotedStringReplacement(string quotedStr, string id) {
-    exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) |
+    exists(int lineIndex |
-      exists(int i, int j |
+      this.doubleQuotedString(lineIndex, quotedStr, id)
        // double quoted string
        quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and
        id =
          "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
            quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
      )
      or
-      exists(int i, int j |
+      this.singleQuotedString(lineIndex, quotedStr, id)
        // single quoted string
        quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and
        id =
          "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
            quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
      )
    ) and
    // Only do this for strings that might otherwise disrupt subsequent parsing
    quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
  }
-  private predicate rankedQuotedStringReplacements(int i, string old, string new) {
+  private predicate rankedQuotedStringReplacements(int i, string quotedString, string quotedStringId) {
-    old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and
+    // rank quoted strings by their nearly-unique IDs
-    this.quotedStringReplacement(old, new)
+    quotedStringId = rank[i](string s, string id | this.quotedStringReplacement(s, id) | id) and
    // since we cannot output (string, ID) tuples from the rank operation,
    // we need to work out the specific string associated with the resulting ID
    this.quotedStringReplacement(quotedString, quotedStringId)
  }
  private predicate doReplaceQuotedStrings(int line, int round, string old, string new) {
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.10-dev
+version: 0.4.12-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,13 @@
 ## 0.6.3
 No user-facing changes.
 ## 0.6.2
 ### Minor Analysis Improvements
 * The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
 ## 0.6.1
 No user-facing changes.
--- a/actions/ql/src/change-notes/2025-05-14-minimal-permission-for-add-to-project.md
+++ b/actions/ql/src/change-notes/2025-05-14-minimal-permission-for-add-to-project.md
@@ -1,4 +1,5 @@
---
+## 0.6.2
-category: minorAnalysis
+
---
+### Minor Analysis Improvements
 * The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
--- a/actions/ql/src/change-notes/released/0.6.3.md
+++ b/actions/ql/src/change-notes/released/0.6.3.md
@@ -0,0 +1,3 @@
 ## 0.6.3
 No user-facing changes.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.1
+lastReleaseVersion: 0.6.3
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.2-dev
+version: 0.6.4-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/interpolation.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/interpolation.yml
@@ -0,0 +1,81 @@
 name: Workflow with complex interpolation
 on: 
  workflow_dispatch:
    inputs:
      choice-a:
        required: true
        type: choice
        description: choice-a
        default: a1
        options: 
        - a1
        - a2
        - a3
      string-b:
        required: false
        type: string
        description: string-b
      string-c:
        required: false
        type: string
        description: string-c
      list-d:
        required: true
        type: string
        default: d1 d2
        description: list-d whitespace separated
      list-e:
        required: false
        type: string
        description: list-e whitespace separated
      choice-f:
        required: true
        type: choice
        description: choice-f
        options: 
        - false
        - true
 env:
  DRY_TEST: false
  B: ${{ github.event.inputs.string-b }}
 jobs:
  job:
    runs-on: ubuntu-latest
    steps:
    - name: Produce values
      id: produce-values
      run: |
        echo "region=region" >> $GITHUB_OUTPUT
        echo "zone=zone" >> $GITHUB_OUTPUT
    - name: Step with complex interpolation
      id: complex
      env:
        CHOICE_A: ${{ github.event.inputs.choice-a }}
        STRING_B: ${{ github.event.inputs.string-b }}
        STRING_C: ${{ github.event.inputs.string-c }}
        LIST_D: ${{ github.event.inputs.list-d }}
        LIST_E: ${{ github.event.inputs.list-e }}
        CHOICE_F: ${{ github.event.inputs.choice-f }}
        REGION: ${{ steps.produce-values.outputs.region }}
        ZONE: ${{ steps.produce-values.outputs.zone }}
        DRY_TEST_JSON: ${{ fromJSON(env.DRY_TEST) }}
        FUNCTION_NAME: my-function
        USER_EMAIL: 'example@example.com'
        TYPE: type
        RANGE: '0-100'
      run: |
        comma_separated_list_d=$(echo "${LIST_D}" | sed "s/ /\",\"/g")
        comma_separated_list_e=$(echo "${LIST_E}" | sed "s/ /\",\"/g")
        c1=$(echo "${STRING_C}" | cut -d "-" -f 1)
        c2=$(echo "${STRING_C}" | cut -d "-" -f 2)
        # Similar commands that use JSON payloads with string interpolation.
        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":["'"${comma_separated_list_e}"'"],"dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
      shell: bash
--- a/cpp/bulk_generation_targets.yml
+++ b/cpp/bulk_generation_targets.yml
@@ -0,0 +1,10 @@
 language: cpp
 strategy: dca
 destination: cpp/ql/lib/ext/generated
 targets:
 - name: openssl
  with-sinks: false
  with-sources: false
 - name: sqlite
  with-sinks: false
  with-sources: false
--- a/cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/builtintypes.ql
+++ b/cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/builtintypes.ql
@@ -0,0 +1,9 @@
 class BuiltinType extends @builtintype {
  string toString() { none() }
 }
 from BuiltinType id, string name, int kind, int new_kind, int size, int sign, int alignment
 where
  builtintypes(id, name, kind, size, sign, alignment) and
  if kind = 62 then new_kind = 1 else new_kind = kind
 select id, name, new_kind, size, sign, alignment
--- a/cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/old.dbscheme
+++ b/cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/old.dbscheme
--- a/cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/upgrade.properties
+++ b/cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/upgrade.properties
@@ -0,0 +1,3 @@
 description: Support __mfp8 type
 compatibility: backwards
 builtintypes.rel: run builtintypes.qlo
--- a/cpp/misc/bulk_generation_targets.json
+++ b/cpp/misc/bulk_generation_targets.json
@@ -1,9 +0,0 @@
 {
  "strategy": "dca",
  "language": "cpp",
  "targets": [
      { "name": "openssl", "with-sources": false, "with-sinks": false },
      { "name": "sqlite", "with-sources": false, "with-sinks": false }
  ],
  "destination": "cpp/ql/lib/ext/generated"
 }
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,33 @@
 ## 5.1.0
 ### New Features
 * Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.
 ## 5.0.0
 ### Breaking Changes
 * Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
 * Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
 * Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
 * Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
 * Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
 * Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
 ### New Features
 * Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
 * Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
 * Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
 * Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
 * Added support for `wmain` as part of the ArgvSource model.
 ### Bug Fixes
 * Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
 * Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
 ## 4.3.1
 ### Bug Fixes
--- a/cpp/ql/lib/change-notes/2025-05-15-class-aggregate-literals.md
+++ b/cpp/ql/lib/change-notes/2025-05-15-class-aggregate-literals.md
@@ -1,4 +0,0 @@
 ---
 category: fix
 ---
 * Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
--- a/cpp/ql/lib/change-notes/2025-05-16-array-aggregate-literals.md
+++ b/cpp/ql/lib/change-notes/2025-05-16-array-aggregate-literals.md
@@ -1,4 +0,0 @@
 ---
 category: fix
 ---
 * Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
--- a/cpp/ql/lib/change-notes/2025-05-16-wmain-support.md
+++ b/cpp/ql/lib/change-notes/2025-05-16-wmain-support.md
@@ -1,4 +0,0 @@
 ---
 category: feature
 ---
 * Added support for `wmain` as part of the ArgvSource model.
--- a/cpp/ql/lib/change-notes/2025-05-18-2025-May-outdated-deprecations.md
+++ b/cpp/ql/lib/change-notes/2025-05-18-2025-May-outdated-deprecations.md
@@ -1,9 +0,0 @@
 ---
 category: breaking
 ---
 * Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
 * Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
 * Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
 * Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
 * Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
 * Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
--- a/cpp/ql/lib/change-notes/2025-05-23-windows-sources.md
+++ b/cpp/ql/lib/change-notes/2025-05-23-windows-sources.md
@@ -1,6 +0,0 @@
 ---
 category: feature
 ---
 * Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
 * Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
 * Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
--- a/cpp/ql/lib/change-notes/2025-05-27-windows-sources-2.md
+++ b/cpp/ql/lib/change-notes/2025-05-27-windows-sources-2.md
@@ -1,4 +0,0 @@
 ---
 category: feature
 ---
 * Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
--- a/cpp/ql/lib/change-notes/released/5.0.0.md
+++ b/cpp/ql/lib/change-notes/released/5.0.0.md
@@ -0,0 +1,23 @@
 ## 5.0.0
 ### Breaking Changes
 * Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
 * Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
 * Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
 * Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
 * Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
 * Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
 ### New Features
 * Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
 * Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
 * Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
 * Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
 * Added support for `wmain` as part of the ArgvSource model.
 ### Bug Fixes
 * Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
 * Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
--- a/cpp/ql/lib/change-notes/2025-05-28-using-template.md
+++ b/cpp/ql/lib/change-notes/2025-05-28-using-template.md
@@ -1,4 +1,5 @@
---
+## 5.1.0
-category: feature
+
---
+### New Features
 * Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.3.1
+lastReleaseVersion: 5.1.0
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.3.2-dev
+version: 5.1.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -839,6 +839,9 @@ private predicate floatingPointTypeMapping(
  or
  // _Complex _Float128
  kind = 61 and base = 2 and domain = TComplexDomain() and realKind = 49 and extended = false
  or
  // __mfp8
  kind = 62 and base = 2 and domain = TRealDomain() and realKind = 62 and extended = false
 }
 /**
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -691,6 +691,7 @@ case @builtintype.kind of
 | 59 = @complex_std_float64   // _Complex _Float64
 | 60 = @complex_float64x      // _Complex _Float64x
 | 61 = @complex_std_float128  // _Complex _Float128
 | 62 = @mfp8                  // __mfp8
 ;
 builtintypes(
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
--- a/cpp/ql/lib/upgrades/9a7c3c14c1076f64b871719117a558733d987b48/old.dbscheme
+++ b/cpp/ql/lib/upgrades/9a7c3c14c1076f64b871719117a558733d987b48/old.dbscheme
--- a/cpp/ql/lib/upgrades/9a7c3c14c1076f64b871719117a558733d987b48/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/9a7c3c14c1076f64b871719117a558733d987b48/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/9a7c3c14c1076f64b871719117a558733d987b48/upgrade.properties
+++ b/cpp/ql/lib/upgrades/9a7c3c14c1076f64b871719117a558733d987b48/upgrade.properties
@@ -0,0 +1,2 @@
 description: Support __mfp8 type
 compatibility: full
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,13 @@
 ## 1.4.2
 No user-facing changes.
 ## 1.4.1
 ### Minor Analysis Improvements
 * Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
 ## 1.4.0
 ### Query Metadata Changes
--- a/cpp/ql/src/change-notes/2025-05-14-openssl-sqlite-models.md
+++ b/cpp/ql/src/change-notes/2025-05-14-openssl-sqlite-models.md
@@ -1,4 +1,5 @@
---
+## 1.4.1
-category: minorAnalysis
+
---
+### Minor Analysis Improvements
-* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
+
 * Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
--- a/cpp/ql/src/change-notes/released/1.4.2.md
+++ b/cpp/ql/src/change-notes/released/1.4.2.md
@@ -0,0 +1,3 @@
 ## 1.4.2
 No user-facing changes.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.0
+lastReleaseVersion: 1.4.2
--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -98,8 +98,8 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
      e.(FunctionCall).getTarget() = f or
      e.(FunctionCall).getTarget().(MemberFunction).getAnOverridingFunction+() = f
    ) and
-    access = f.getParameter(arg).getAnAccess() and
+    access = f.getParameter(pragma[only_bind_into](arg)).getAnAccess() and
-    e.(FunctionCall).getArgument(arg) = released and
+    e.(FunctionCall).getArgument(pragma[only_bind_into](arg)) = released and
    exprReleases(_,
      pragma[only_bind_into](exprOrDereference(globalValueNumber(access).getAnExpr())), kind)
  )
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.4.1-dev
+version: 1.4.3-dev
 groups:
  - cpp
  - queries
--- a/cpp/ql/test/examples/expressions/PrintAST.expected
+++ b/cpp/ql/test/examples/expressions/PrintAST.expected
@@ -324,7 +324,7 @@ Conversion3.cpp:
 #    2|               getExpr(): [CStyleCast] (int)...
 #    2|                   Conversion = [IntegralConversion] integral conversion
 #    2|                   Type = [IntType] int
-#    2|                   Value = [CStyleCast] 1
+#    2|                   Value = [CStyleCast] 5
 #    2|                   ValueCategory = prvalue
 #    2|           getRightOperand().getFullyConverted(): [ParenthesisExpr] (...)
 #    2|               Type = [IntType] int
--- a/cpp/ql/test/library-tests/funcdname/funcdname.expected
+++ b/cpp/ql/test/library-tests/funcdname/funcdname.expected
@@ -1,2 +1,2 @@
 | Bar::(unnamed namespace)::B | Bar::<unnamed>::B |
-| Foo::(unnamed namespace)::A | _ZN3Foo37_GLOBAL__N__13_funcdname_cpp_?AEv |
+| Foo::(unnamed namespace)::A | _ZN35_INTERNAL_13_funcdname_cpp_?Foo37_GLOBAL__N__13_funcdname_cpp_?AEv |
--- a/cpp/ql/test/library-tests/funcdname/funcdname.ql
+++ b/cpp/ql/test/library-tests/funcdname/funcdname.ql
@@ -2,4 +2,8 @@ import cpp
 from Function f, ReturnStmt r
 where r.getEnclosingFunction() = f
-select f.getQualifiedName(), r.getExpr().getValue().regexpReplaceAll("_[0-9a-f]+AEv$", "_?AEv")
+select f.getQualifiedName(),
  r.getExpr()
      .getValue()
      .regexpReplaceAll("_[0-9a-f]+AEv$", "_?AEv")
      .regexpReplaceAll("cpp_[0-9a-f]+Foo37_", "cpp_?Foo37_")
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -58,6 +58,77 @@
 #-----|         Type = [LongType] unsigned long
 #-----|     getParameter(1): [Parameter] (unnamed parameter 1)
 #-----|         Type = [ScopedEnum] align_val_t
 arm.cpp:
 #    6| [TopLevelFunction] uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
 #    6|   <params>: 
 #    6|     getParameter(0): [Parameter] a
 #    6|         Type = [CTypedefType] uint8x8_t
 #    6|     getParameter(1): [Parameter] b
 #    6|         Type = [CTypedefType] uint8x8_t
 #    6|   getEntryPoint(): [BlockStmt] { ... }
 #    7|     getStmt(0): [ReturnStmt] return ...
 #    7|       getExpr(): [AddExpr] ... + ...
 #    7|           Type = [GNUVectorType] __attribute((neon_vector_type(8))) unsigned char
 #    7|           ValueCategory = prvalue
 #    7|         getLeftOperand(): [VariableAccess] a
 #    7|             Type = [CTypedefType] uint8x8_t
 #    7|             ValueCategory = prvalue(load)
 #    7|         getRightOperand(): [VariableAccess] b
 #    7|             Type = [CTypedefType] uint8x8_t
 #    7|             ValueCategory = prvalue(load)
 #   12| [TopLevelFunction] uint16x8_t __builtin_aarch64_uaddlv8qi_uuu(uint8x8_t, uint8x8_t)
 #   12|   <params>: 
 #   12|     getParameter(0): [Parameter] (unnamed parameter 0)
 #   12|         Type = [CTypedefType] uint8x8_t
 #   12|     getParameter(1): [Parameter] (unnamed parameter 1)
 #   12|         Type = [CTypedefType] uint8x8_t
 #   14| [TopLevelFunction] uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
 #   14|   <params>: 
 #   14|     getParameter(0): [Parameter] a
 #   14|         Type = [CTypedefType] uint8x8_t
 #   14|     getParameter(1): [Parameter] b
 #   14|         Type = [CTypedefType] uint8x8_t
 #   14|   getEntryPoint(): [BlockStmt] { ... }
 #   15|     getStmt(0): [ReturnStmt] return ...
 #   15|       getExpr(): [FunctionCall] call to __builtin_aarch64_uaddlv8qi_uuu
 #   15|           Type = [CTypedefType] uint16x8_t
 #   15|           ValueCategory = prvalue
 #   15|         getArgument(0): [VariableAccess] a
 #   15|             Type = [CTypedefType] uint8x8_t
 #   15|             ValueCategory = prvalue(load)
 #   15|         getArgument(1): [VariableAccess] b
 #   15|             Type = [CTypedefType] uint8x8_t
 #   15|             ValueCategory = prvalue(load)
 #   18| [TopLevelFunction] uint16x8_t arm_add(uint8x8_t, uint8x8_t)
 #   18|   <params>: 
 #   18|     getParameter(0): [Parameter] a
 #   18|         Type = [CTypedefType] uint8x8_t
 #   18|     getParameter(1): [Parameter] b
 #   18|         Type = [CTypedefType] uint8x8_t
 #   18|   getEntryPoint(): [BlockStmt] { ... }
 #   19|     getStmt(0): [DeclStmt] declaration
 #   19|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of c
 #   19|           Type = [CTypedefType] uint8x8_t
 #   19|         getVariable().getInitializer(): [Initializer] initializer for c
 #   19|           getExpr(): [FunctionCall] call to vadd_u8
 #   19|               Type = [CTypedefType] uint8x8_t
 #   19|               ValueCategory = prvalue
 #   19|             getArgument(0): [VariableAccess] a
 #   19|                 Type = [CTypedefType] uint8x8_t
 #   19|                 ValueCategory = prvalue(load)
 #   19|             getArgument(1): [VariableAccess] b
 #   19|                 Type = [CTypedefType] uint8x8_t
 #   19|                 ValueCategory = prvalue(load)
 #   20|     getStmt(1): [ReturnStmt] return ...
 #   20|       getExpr(): [FunctionCall] call to vaddl_u8
 #   20|           Type = [CTypedefType] uint16x8_t
 #   20|           ValueCategory = prvalue
 #   20|         getArgument(0): [VariableAccess] a
 #   20|             Type = [CTypedefType] uint8x8_t
 #   20|             ValueCategory = prvalue(load)
 #   20|         getArgument(1): [VariableAccess] c
 #   20|             Type = [CTypedefType] uint8x8_t
 #   20|             ValueCategory = prvalue(load)
 bad_asts.cpp:
 #    5| [CopyAssignmentOperator] Bad::S& Bad::S::operator=(Bad::S const&)
 #    5|   <params>: 
@@ -23814,11 +23885,11 @@ ir.cpp:
 # 2692|                   Conversion = [IntegralConversion] integral conversion
 # 2692|                   Type = [LongType] unsigned long
 # 2692|                   ValueCategory = prvalue
-#-----|           getExpr().getFullyConverted(): [CStyleCast] (int)...
+# 2692|           getExpr().getFullyConverted(): [CStyleCast] (int)...
-#-----|               Conversion = [IntegralConversion] integral conversion
+# 2692|               Conversion = [IntegralConversion] integral conversion
-#-----|               Type = [IntType] int
+# 2692|               Type = [IntType] int
-#-----|               Value = [CStyleCast] 1
+# 2692|               Value = [CStyleCast] 1
-#-----|               ValueCategory = prvalue
+# 2692|               ValueCategory = prvalue
 # 2693|     getStmt(1): [ReturnStmt] return ...
 # 2693|       getExpr(): [VariableAccess] y
 # 2693|           Type = [IntType] int
--- a/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
@@ -1,3 +1,86 @@
 arm.cpp:
 #    6| uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
 #    6|   Block 0
 #    6|     v6_1(void)                                                    = EnterFunction            : 
 #    6|     m6_2(unknown)                                                 = AliasedDefinition        : 
 #    6|     m6_3(unknown)                                                 = InitializeNonLocal       : 
 #    6|     m6_4(unknown)                                                 = Chi                      : total:m6_2, partial:m6_3
 #    6|     r6_5(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a]       : 
 #    6|     m6_6(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[a]   : &:r6_5
 #    6|     r6_7(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b]       : 
 #    6|     m6_8(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[b]   : &:r6_7
 #    7|     r7_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] : 
 #    7|     r7_2(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a]       : 
 #    7|     r7_3(__attribute((neon_vector_type(8))) unsigned char)        = Load[a]                  : &:r7_2, m6_6
 #    7|     r7_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b]       : 
 #    7|     r7_5(__attribute((neon_vector_type(8))) unsigned char)        = Load[b]                  : &:r7_4, m6_8
 #    7|     r7_6(__attribute((neon_vector_type(8))) unsigned char)        = Add                      : r7_3, r7_5
 #    7|     m7_7(__attribute((neon_vector_type(8))) unsigned char)        = Store[#return]           : &:r7_1, r7_6
 #    6|     r6_9(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] : 
 #    6|     v6_10(void)                                                   = ReturnValue              : &:r6_9, m7_7
 #    6|     v6_11(void)                                                   = AliasedUse               : m6_3
 #    6|     v6_12(void)                                                   = ExitFunction             : 
 #   14| uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
 #   14|   Block 0
 #   14|     v14_1(void)                                                     = EnterFunction                                    : 
 #   14|     m14_2(unknown)                                                  = AliasedDefinition                                : 
 #   14|     m14_3(unknown)                                                  = InitializeNonLocal                               : 
 #   14|     m14_4(unknown)                                                  = Chi                                              : total:m14_2, partial:m14_3
 #   14|     r14_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]                               : 
 #   14|     m14_6(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[a]                           : &:r14_5
 #   14|     r14_7(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]                               : 
 #   14|     m14_8(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[b]                           : &:r14_7
 #   15|     r15_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]                         : 
 #   15|     r15_2(glval<unknown>)                                           = FunctionAddress[__builtin_aarch64_uaddlv8qi_uuu] : 
 #   15|     r15_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]                               : 
 #   15|     r15_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                                          : &:r15_3, m14_6
 #   15|     r15_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]                               : 
 #   15|     r15_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[b]                                          : &:r15_5, m14_8
 #   15|     r15_7(__attribute((neon_vector_type(8))) unsigned short)        = Call[__builtin_aarch64_uaddlv8qi_uuu]            : func:r15_2, 0:r15_4, 1:r15_6
 #   15|     m15_8(unknown)                                                  = ^CallSideEffect                                  : ~m14_4
 #   15|     m15_9(unknown)                                                  = Chi                                              : total:m14_4, partial:m15_8
 #   15|     m15_10(__attribute((neon_vector_type(8))) unsigned short)       = Store[#return]                                   : &:r15_1, r15_7
 #   14|     r14_9(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]                         : 
 #   14|     v14_10(void)                                                    = ReturnValue                                      : &:r14_9, m15_10
 #   14|     v14_11(void)                                                    = AliasedUse                                       : ~m15_9
 #   14|     v14_12(void)                                                    = ExitFunction                                     : 
 #   18| uint16x8_t arm_add(uint8x8_t, uint8x8_t)
 #   18|   Block 0
 #   18|     v18_1(void)                                                     = EnterFunction             : 
 #   18|     m18_2(unknown)                                                  = AliasedDefinition         : 
 #   18|     m18_3(unknown)                                                  = InitializeNonLocal        : 
 #   18|     m18_4(unknown)                                                  = Chi                       : total:m18_2, partial:m18_3
 #   18|     r18_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
 #   18|     m18_6(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[a]    : &:r18_5
 #   18|     r18_7(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]        : 
 #   18|     m18_8(__attribute((neon_vector_type(8))) unsigned char)         = InitializeParameter[b]    : &:r18_7
 #   19|     r19_1(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[c]        : 
 #   19|     r19_2(glval<unknown>)                                           = FunctionAddress[vadd_u8]  : 
 #   19|     r19_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
 #   19|     r19_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                   : &:r19_3, m18_6
 #   19|     r19_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]        : 
 #   19|     r19_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[b]                   : &:r19_5, m18_8
 #   19|     r19_7(__attribute((neon_vector_type(8))) unsigned char)         = Call[vadd_u8]             : func:r19_2, 0:r19_4, 1:r19_6
 #   19|     m19_8(unknown)                                                  = ^CallSideEffect           : ~m18_4
 #   19|     m19_9(unknown)                                                  = Chi                       : total:m18_4, partial:m19_8
 #   19|     m19_10(__attribute((neon_vector_type(8))) unsigned char)        = Store[c]                  : &:r19_1, r19_7
 #   20|     r20_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
 #   20|     r20_2(glval<unknown>)                                           = FunctionAddress[vaddl_u8] : 
 #   20|     r20_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
 #   20|     r20_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                   : &:r20_3, m18_6
 #   20|     r20_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[c]        : 
 #   20|     r20_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[c]                   : &:r20_5, m19_10
 #   20|     r20_7(__attribute((neon_vector_type(8))) unsigned short)        = Call[vaddl_u8]            : func:r20_2, 0:r20_4, 1:r20_6
 #   20|     m20_8(unknown)                                                  = ^CallSideEffect           : ~m19_9
 #   20|     m20_9(unknown)                                                  = Chi                       : total:m19_9, partial:m20_8
 #   20|     m20_10(__attribute((neon_vector_type(8))) unsigned short)       = Store[#return]            : &:r20_1, r20_7
 #   18|     r18_9(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
 #   18|     v18_10(void)                                                    = ReturnValue               : &:r18_9, m20_10
 #   18|     v18_11(void)                                                    = AliasedUse                : ~m20_9
 #   18|     v18_12(void)                                                    = ExitFunction              : 
 bad_asts.cpp:
 #    9| int Bad::S::MemberFunction<int 6>(int)
 #    9|   Block 0
@@ -19457,11 +19540,11 @@ ir.cpp:
 # 2691|     m2691_3(unknown)    = InitializeNonLocal       : 
 # 2691|     m2691_4(unknown)    = Chi                      : total:m2691_2, partial:m2691_3
 # 2692|     r2692_1(glval<int>) = VariableAddress[y]       : 
-#-----|     r0_1(int)           = Constant[1]              : 
+# 2692|     r2692_2(int)        = Constant[1]              : 
-#-----|     m0_2(int)           = Store[y]                 : &:r2692_1, r0_1
+# 2692|     m2692_3(int)        = Store[y]                 : &:r2692_1, r2692_2
 # 2693|     r2693_1(glval<int>) = VariableAddress[#return] : 
 # 2693|     r2693_2(glval<int>) = VariableAddress[y]       : 
-# 2693|     r2693_3(int)        = Load[y]                  : &:r2693_2, m0_2
+# 2693|     r2693_3(int)        = Load[y]                  : &:r2693_2, m2692_3
 # 2693|     m2693_4(int)        = Store[#return]           : &:r2693_1, r2693_3
 # 2691|     r2691_5(glval<int>) = VariableAddress[#return] : 
 # 2691|     v2691_6(void)       = ReturnValue              : &:r2691_5, m2693_4
--- a/cpp/ql/test/library-tests/ir/ir/arm.cpp
+++ b/cpp/ql/test/library-tests/ir/ir/arm.cpp
@@ -0,0 +1,21 @@
 // semmle-extractor-options: --edg --target --edg linux_arm64
 typedef __Uint8x8_t uint8x8_t;
 typedef __Uint16x8_t uint16x8_t;
 uint8x8_t vadd_u8(uint8x8_t a, uint8x8_t b) {
  return a + b;
 }
 // Workaround: the frontend only exposes this when the arm_neon.h
 // header is encountered.
 uint16x8_t __builtin_aarch64_uaddlv8qi_uuu(uint8x8_t, uint8x8_t);
 uint16x8_t vaddl_u8(uint8x8_t a, uint8x8_t b) {
  return __builtin_aarch64_uaddlv8qi_uuu (a, b);
 }
 uint16x8_t arm_add(uint8x8_t a, uint8x8_t b) {
  uint8x8_t c = vadd_u8(a, b);
  return vaddl_u8(a, c);
 }
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -1,3 +1,80 @@
 arm.cpp:
 #    6| uint8x8_t vadd_u8(uint8x8_t, uint8x8_t)
 #    6|   Block 0
 #    6|     v6_1(void)                                                    = EnterFunction            : 
 #    6|     mu6_2(unknown)                                                = AliasedDefinition        : 
 #    6|     mu6_3(unknown)                                                = InitializeNonLocal       : 
 #    6|     r6_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a]       : 
 #    6|     mu6_5(__attribute((neon_vector_type(8))) unsigned char)       = InitializeParameter[a]   : &:r6_4
 #    6|     r6_6(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b]       : 
 #    6|     mu6_7(__attribute((neon_vector_type(8))) unsigned char)       = InitializeParameter[b]   : &:r6_6
 #    7|     r7_1(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] : 
 #    7|     r7_2(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[a]       : 
 #    7|     r7_3(__attribute((neon_vector_type(8))) unsigned char)        = Load[a]                  : &:r7_2, ~m?
 #    7|     r7_4(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[b]       : 
 #    7|     r7_5(__attribute((neon_vector_type(8))) unsigned char)        = Load[b]                  : &:r7_4, ~m?
 #    7|     r7_6(__attribute((neon_vector_type(8))) unsigned char)        = Add                      : r7_3, r7_5
 #    7|     mu7_7(__attribute((neon_vector_type(8))) unsigned char)       = Store[#return]           : &:r7_1, r7_6
 #    6|     r6_8(glval<__attribute((neon_vector_type(8))) unsigned char>) = VariableAddress[#return] : 
 #    6|     v6_9(void)                                                    = ReturnValue              : &:r6_8, ~m?
 #    6|     v6_10(void)                                                   = AliasedUse               : ~m?
 #    6|     v6_11(void)                                                   = ExitFunction             : 
 #   14| uint16x8_t vaddl_u8(uint8x8_t, uint8x8_t)
 #   14|   Block 0
 #   14|     v14_1(void)                                                     = EnterFunction                                    : 
 #   14|     mu14_2(unknown)                                                 = AliasedDefinition                                : 
 #   14|     mu14_3(unknown)                                                 = InitializeNonLocal                               : 
 #   14|     r14_4(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]                               : 
 #   14|     mu14_5(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[a]                           : &:r14_4
 #   14|     r14_6(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]                               : 
 #   14|     mu14_7(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[b]                           : &:r14_6
 #   15|     r15_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]                         : 
 #   15|     r15_2(glval<unknown>)                                           = FunctionAddress[__builtin_aarch64_uaddlv8qi_uuu] : 
 #   15|     r15_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]                               : 
 #   15|     r15_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                                          : &:r15_3, ~m?
 #   15|     r15_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]                               : 
 #   15|     r15_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[b]                                          : &:r15_5, ~m?
 #   15|     r15_7(__attribute((neon_vector_type(8))) unsigned short)        = Call[__builtin_aarch64_uaddlv8qi_uuu]            : func:r15_2, 0:r15_4, 1:r15_6
 #   15|     mu15_8(unknown)                                                 = ^CallSideEffect                                  : ~m?
 #   15|     mu15_9(__attribute((neon_vector_type(8))) unsigned short)       = Store[#return]                                   : &:r15_1, r15_7
 #   14|     r14_8(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]                         : 
 #   14|     v14_9(void)                                                     = ReturnValue                                      : &:r14_8, ~m?
 #   14|     v14_10(void)                                                    = AliasedUse                                       : ~m?
 #   14|     v14_11(void)                                                    = ExitFunction                                     : 
 #   18| uint16x8_t arm_add(uint8x8_t, uint8x8_t)
 #   18|   Block 0
 #   18|     v18_1(void)                                                     = EnterFunction             : 
 #   18|     mu18_2(unknown)                                                 = AliasedDefinition         : 
 #   18|     mu18_3(unknown)                                                 = InitializeNonLocal        : 
 #   18|     r18_4(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
 #   18|     mu18_5(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[a]    : &:r18_4
 #   18|     r18_6(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]        : 
 #   18|     mu18_7(__attribute((neon_vector_type(8))) unsigned char)        = InitializeParameter[b]    : &:r18_6
 #   19|     r19_1(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[c]        : 
 #   19|     r19_2(glval<unknown>)                                           = FunctionAddress[vadd_u8]  : 
 #   19|     r19_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
 #   19|     r19_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                   : &:r19_3, ~m?
 #   19|     r19_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[b]        : 
 #   19|     r19_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[b]                   : &:r19_5, ~m?
 #   19|     r19_7(__attribute((neon_vector_type(8))) unsigned char)         = Call[vadd_u8]             : func:r19_2, 0:r19_4, 1:r19_6
 #   19|     mu19_8(unknown)                                                 = ^CallSideEffect           : ~m?
 #   19|     mu19_9(__attribute((neon_vector_type(8))) unsigned char)        = Store[c]                  : &:r19_1, r19_7
 #   20|     r20_1(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
 #   20|     r20_2(glval<unknown>)                                           = FunctionAddress[vaddl_u8] : 
 #   20|     r20_3(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[a]        : 
 #   20|     r20_4(__attribute((neon_vector_type(8))) unsigned char)         = Load[a]                   : &:r20_3, ~m?
 #   20|     r20_5(glval<__attribute((neon_vector_type(8))) unsigned char>)  = VariableAddress[c]        : 
 #   20|     r20_6(__attribute((neon_vector_type(8))) unsigned char)         = Load[c]                   : &:r20_5, ~m?
 #   20|     r20_7(__attribute((neon_vector_type(8))) unsigned short)        = Call[vaddl_u8]            : func:r20_2, 0:r20_4, 1:r20_6
 #   20|     mu20_8(unknown)                                                 = ^CallSideEffect           : ~m?
 #   20|     mu20_9(__attribute((neon_vector_type(8))) unsigned short)       = Store[#return]            : &:r20_1, r20_7
 #   18|     r18_8(glval<__attribute((neon_vector_type(8))) unsigned short>) = VariableAddress[#return]  : 
 #   18|     v18_9(void)                                                     = ReturnValue               : &:r18_8, ~m?
 #   18|     v18_10(void)                                                    = AliasedUse                : ~m?
 #   18|     v18_11(void)                                                    = ExitFunction              : 
 bad_asts.cpp:
 #    9| int Bad::S::MemberFunction<int 6>(int)
 #    9|   Block 0
@@ -17775,8 +17852,8 @@ ir.cpp:
 # 2691|     mu2691_2(unknown)   = AliasedDefinition        : 
 # 2691|     mu2691_3(unknown)   = InitializeNonLocal       : 
 # 2692|     r2692_1(glval<int>) = VariableAddress[y]       : 
-#-----|     r0_1(int)           = Constant[1]              : 
+# 2692|     r2692_2(int)        = Constant[1]              : 
-#-----|     mu0_2(int)          = Store[y]                 : &:r2692_1, r0_1
+# 2692|     mu2692_3(int)       = Store[y]                 : &:r2692_1, r2692_2
 # 2693|     r2693_1(glval<int>) = VariableAddress[#return] : 
 # 2693|     r2693_2(glval<int>) = VariableAddress[y]       : 
 # 2693|     r2693_3(int)        = Load[y]                  : &:r2693_2, ~m?
--- a/cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp
+++ b/cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp
@@ -1011,10 +1011,10 @@ void test_overflow() {
  range(x); // $ range===2147483647
  const int y = 256;
  range(y); // $ range===256
-  if ((x + y) <= 512) {
+  if ((x + y) <= 512) { // $ overflow=+
    range(x); // $ range===2147483647
    range(y); // $ range===256
-    range(x + y); // $ range===-2147483393
+    range(x + y); // $ range=<=2147483903 overflow=+
  }
 }
--- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
@@ -1,4 +1,10 @@
 uniqueEnclosingCallable
 | builtin.c:14:3:14:16 | ... * ... | Node should have one enclosing callable but has 0. |
 | builtin.c:14:3:14:16 | sizeof(int) | Node should have one enclosing callable but has 0. |
 | builtin.c:14:10:14:10 | 4 | Node should have one enclosing callable but has 0. |
 | builtin.c:15:3:15:16 | ... * ... | Node should have one enclosing callable but has 0. |
 | builtin.c:15:3:15:16 | sizeof(int) | Node should have one enclosing callable but has 0. |
 | builtin.c:15:10:15:10 | 4 | Node should have one enclosing callable but has 0. |
 | enum.c:2:6:2:6 | 1 | Node should have one enclosing callable but has 0. |
 | enum.c:2:6:2:10 | ... + ... | Node should have one enclosing callable but has 0. |
 | enum.c:2:10:2:10 | 1 | Node should have one enclosing callable but has 0. |
--- a/cpp/ql/test/library-tests/templates/nontype_instantiations/general/test.expected
+++ b/cpp/ql/test/library-tests/templates/nontype_instantiations/general/test.expected
@@ -1,13 +1,13 @@
-| test.cpp:3:8:3:8 | C<1> | 0 | int | test.cpp:5:25:5:25 | 1 | 1 |
+| test.cpp:3:8:3:8 | C<1> | 0 | int | test.cpp:6:3:6:6 | one1 | 1 |
-| test.cpp:3:8:3:8 | C<2> | 0 | int | file://:0:0:0:0 | 2 | 2 |
+| test.cpp:3:8:3:8 | C<2> | 0 | int | test.cpp:7:3:7:13 | ... + ... | 2 |
 | test.cpp:3:8:3:8 | C<x> | 0 | int | file://:0:0:0:0 | x | x |
 | test.cpp:10:8:10:8 | D<T, X> | 0 | <none> | test.cpp:9:19:9:19 | T | <none> |
 | test.cpp:10:8:10:8 | D<T, X> | 1 | T | file://:0:0:0:0 | X | X |
 | test.cpp:10:8:10:8 | D<int, 2> | 0 | <none> | file://:0:0:0:0 | int | <none> |
 | test.cpp:10:8:10:8 | D<int, 2> | 1 | int | test.cpp:12:8:12:8 | 2 | 2 |
 | test.cpp:10:8:10:8 | D<long, 2L> | 0 | <none> | file://:0:0:0:0 | long | <none> |
-| test.cpp:10:8:10:8 | D<long, 2L> | 1 | long | file://:0:0:0:0 | 2 | 2 |
+| test.cpp:10:8:10:8 | D<long, 2L> | 1 | long | test.cpp:13:9:13:9 | 2 | 2 |
 | test.cpp:16:8:16:8 | E<T, X> | 0 | <none> | test.cpp:15:19:15:19 | T | <none> |
 | test.cpp:16:8:16:8 | E<T, X> | 1 | T * | file://:0:0:0:0 | X | X |
 | test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 0 | <none> | file://:0:0:0:0 | int | <none> |
-| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 1 | int * | file://:0:0:0:0 | 0 | 0 |
+| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 1 | int * | test.cpp:18:8:18:14 | 0 | 0 |
--- a/cpp/ql/test/library-tests/templates/type_instantiations/types.expected
+++ b/cpp/ql/test/library-tests/templates/type_instantiations/types.expected
@@ -25,6 +25,7 @@
 | file://:0:0:0:0 | __float128 |
 | file://:0:0:0:0 | __fp16 |
 | file://:0:0:0:0 | __int128 |
 | file://:0:0:0:0 | __mfp8 |
 | file://:0:0:0:0 | __va_list_tag |
 | file://:0:0:0:0 | __va_list_tag & |
 | file://:0:0:0:0 | __va_list_tag && |
--- a/cpp/ql/test/library-tests/type_sizes/type_sizes.expected
+++ b/cpp/ql/test/library-tests/type_sizes/type_sizes.expected
@@ -46,6 +46,7 @@
 | file://:0:0:0:0 | __float128 | 16 |
 | file://:0:0:0:0 | __fp16 | 2 |
 | file://:0:0:0:0 | __int128 | 16 |
 | file://:0:0:0:0 | __mfp8 | 1 |
 | file://:0:0:0:0 | __va_list_tag | 24 |
 | file://:0:0:0:0 | __va_list_tag & | 8 |
 | file://:0:0:0:0 | __va_list_tag && | 8 |
--- a/cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected
+++ b/cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected
@@ -27,6 +27,7 @@
 | file://:0:0:0:0 | __float128 | __float128 |
 | file://:0:0:0:0 | __fp16 | __fp16 |
 | file://:0:0:0:0 | __int128 | __int128 |
 | file://:0:0:0:0 | __mfp8 | __mfp8 |
 | file://:0:0:0:0 | __va_list_tag & | __va_list_tag & |
 | file://:0:0:0:0 | __va_list_tag && | __va_list_tag && |
 | file://:0:0:0:0 | auto | auto |
--- a/cpp/ql/test/library-tests/variables/variables/types.expected
+++ b/cpp/ql/test/library-tests/variables/variables/types.expected
@@ -26,6 +26,7 @@
 | __float128 | Float128Type |  |  |  |  |
 | __fp16 | BinaryFloatingPointType, RealNumberType |  |  |  |  |
 | __int128 | Int128Type |  |  |  |  |
 | __mfp8 | BinaryFloatingPointType, RealNumberType |  |  |  |  |
 | __va_list_tag | DirectAccessHolder, MetricClass, Struct, StructLikeClass |  |  |  |  |
 | __va_list_tag & | LValueReferenceType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection |  | __va_list_tag |  |  |
 | __va_list_tag && | PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection, RValueReferenceType |  | __va_list_tag |  |  |
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,11 @@
 ## 1.7.42
 No user-facing changes.
 ## 1.7.41
 No user-facing changes.
 ## 1.7.40
 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.41.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.41.md
@@ -0,0 +1,3 @@
 ## 1.7.41
 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.42.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.42.md
@@ -0,0 +1,3 @@
 ## 1.7.42
 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.40
+lastReleaseVersion: 1.7.42
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.41-dev
+version: 1.7.43-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,11 @@
 ## 1.7.42
 No user-facing changes.
 ## 1.7.41
 No user-facing changes.
 ## 1.7.40
 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.41.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.41.md
@@ -0,0 +1,3 @@
 ## 1.7.41
 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.42.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.42.md
@@ -0,0 +1,3 @@
 ## 1.7.42
 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.40
+lastReleaseVersion: 1.7.42
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.41-dev
+version: 1.7.43-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-code-quality.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-code-quality.qls.expected
@@ -11,6 +11,7 @@ ql/csharp/ql/src/Likely Bugs/EqualityCheckOnFloats.ql
 ql/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.ql
 ql/csharp/ql/src/Likely Bugs/SelfAssignment.ql
 ql/csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql
 ql/csharp/ql/src/Performance/StringConcatenationInLoop.ql
 ql/csharp/ql/src/Performance/UseTryGetValue.ql
 ql/csharp/ql/src/Useless code/DefaultToString.ql
 ql/csharp/ql/src/Useless code/IntGetHashCode.ql
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,13 @@
 ## 5.1.8
 No user-facing changes.
 ## 5.1.7
 ### Minor Analysis Improvements
 * The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).
 ## 5.1.6
 No user-facing changes.
--- a/csharp/ql/lib/change-notes/2025-05-14-dotnet-models.md
+++ b/csharp/ql/lib/change-notes/2025-05-14-dotnet-models.md
@@ -1,4 +1,5 @@
---
+## 5.1.7
-category: minorAnalysis
+
---
+### Minor Analysis Improvements
 * The generated Models as Data (MaD) models for .NET 9 Runtime have been updated and are now more precise (due to a recent model generator improvement).
--- a/csharp/ql/lib/change-notes/released/5.1.8.md
+++ b/csharp/ql/lib/change-notes/released/5.1.8.md
@@ -0,0 +1,3 @@
 ## 5.1.8
 No user-facing changes.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.1.6
+lastReleaseVersion: 5.1.8
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.1.7-dev
+version: 5.1.9-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,16 @@
 ## 1.2.2
 No user-facing changes.
 ## 1.2.1
 ### Minor Analysis Improvements
 * The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
 * The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
 * The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.
 * The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.
 ## 1.2.0
 ### Query Metadata Changes
--- a/csharp/ql/src/Performance/StringConcatenationInLoop.ql
+++ b/csharp/ql/src/Performance/StringConcatenationInLoop.ql
@@ -7,6 +7,7 @@
 * @id cs/string-concatenation-in-loop
 * @tags efficiency
 *       maintainability
 *       quality
 */
 import csharp
--- a/csharp/ql/src/change-notes/2025-04-10-uncontrolled-format-string.md
+++ b/csharp/ql/src/change-notes/2025-04-10-uncontrolled-format-string.md
@@ -1,4 +0,0 @@
 ---
 category: minorAnalysis
 ---
 * The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.
--- a/csharp/ql/src/change-notes/2025-05-15-gethashcode-is-not-defined.md
+++ b/csharp/ql/src/change-notes/2025-05-15-gethashcode-is-not-defined.md
@@ -1,4 +0,0 @@
 ---
 category: minorAnalysis
 ---
 * The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.
--- a/csharp/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
+++ b/csharp/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
@@ -1,4 +0,0 @@
 ---
 category: minorAnalysis
 ---
 * The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
--- a/csharp/ql/src/change-notes/2025-05-22-missed-readonly-modifier.md
+++ b/csharp/ql/src/change-notes/2025-05-22-missed-readonly-modifier.md
@@ -1,4 +0,0 @@
 ---
 category: minorAnalysis
 ---
 * The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
--- a/csharp/ql/src/change-notes/released/1.2.1.md
+++ b/csharp/ql/src/change-notes/released/1.2.1.md
@@ -0,0 +1,8 @@
 ## 1.2.1
 ### Minor Analysis Improvements
 * The precision of the query `cs/missed-readonly-modifier` has been improved. Some false positives related to static fields and struct type fields have been removed.
 * The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
 * The precision of the query `cs/gethashcode-is-not-defined` has been improved (false negative reduction). Calls to more methods (and indexers) that rely on the invariant `e1.Equals(e2)` implies `e1.GetHashCode() == e2.GetHashCode()` are taken into account.
 * The precision of the query `cs/uncontrolled-format-string` has been improved (false negative reduction). Calls to `System.Text.CompositeFormat.Parse` are now considered a format like method call.
--- a/csharp/ql/src/change-notes/released/1.2.2.md
+++ b/csharp/ql/src/change-notes/released/1.2.2.md
@@ -0,0 +1,3 @@
 ## 1.2.2
 No user-facing changes.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.2.0
+lastReleaseVersion: 1.2.2
--- a/csharp/ql/src/codeql-suites/csharp-security-and-quality.qls
+++ b/csharp/ql/src/codeql-suites/csharp-security-and-quality.qls
@@ -1,4 +1,143 @@
 - description: Security-and-quality queries for C#
 - queries: .
- apply: security-and-quality-selectors.yml
+- include:
-  from: codeql/suite-helpers
+    kind:
    - problem
    - path-problem
    precision:
    - high
    - very-high
    tags contain:
    - security
 - include:
    kind:
    - problem
    - path-problem
    precision: medium
    problem.severity:
    - error
    - warning
    tags contain:
    - security
 - include:
    id:
      - cs/asp/response-write
      - cs/call-to-gc
      - cs/call-to-object-tostring
      - cs/call-to-obsolete-method
      - cs/call-to-unmanaged-code
      - cs/cast-from-abstract-to-concrete-collection
      - cs/cast-of-this-to-type-parameter
      - cs/catch-nullreferenceexception
      - cs/catch-of-all-exceptions
      - cs/chained-type-tests
      - cs/class-implements-icloneable
      - cs/class-missing-equals
      - cs/class-name-comparison
      - cs/class-name-matches-base-class
      - cs/coalesce-of-identical-expressions
      - cs/comparison-of-identical-expressions
      - cs/complex-block
      - cs/complex-condition
      - cs/constant-comparison
      - cs/constant-condition
      - cs/coupled-types
      - cs/dereferenced-value-is-always-null
      - cs/dereferenced-value-may-be-null
      - cs/dispose-not-called-on-throw
      - cs/downcast-of-this
      - cs/empty-block
      - cs/empty-catch-block
      - cs/empty-collection
      - cs/empty-lock-statement
      - cs/equality-on-floats
      - cs/equals-on-arrays
      - cs/equals-on-unrelated-types
      - cs/equals-uses-as
      - cs/equals-uses-is
      - cs/expose-implementation
      - cs/field-masks-base-field
      - cs/gethashcode-is-not-defined
      - cs/impossible-array-cast
      - cs/inconsistent-compareto-and-equals
      - cs/inconsistent-equals-and-gethashcode
      - cs/inconsistent-lock-sequence
      - cs/index-out-of-bounds
      - cs/inefficient-containskey
      - cs/invalid-dynamic-call
      - cs/invalid-string-formatting
      - cs/linq/inconsistent-enumeration
      - cs/linq/missed-all
      - cs/linq/missed-cast
      - cs/linq/missed-oftype
      - cs/linq/missed-select
      - cs/linq/missed-where
      - cs/linq/useless-select
      - cs/local-not-disposed
      - cs/local-shadows-member
      - cs/lock-this
      - cs/locked-wait
      - cs/loss-of-precision
      - cs/mishandling-japanese-era
      - cs/misleading-indentation
      - cs/missed-readonly-modifier
      - cs/missed-ternary-operator
      - cs/missed-using-statement
      - cs/nested-if-statements
      - cs/nested-loops-with-same-variable
      - cs/non-short-circuit
      - cs/null-argument-to-equals
      - cs/path-combine
      - cs/recursive-equals-call
      - cs/recursive-operator-equals-call
      - cs/reference-equality-on-valuetypes
      - cs/reference-equality-with-object
      - cs/rethrown-exception-variable
      - cs/self-assignment
      - cs/simplifiable-boolean-expression
      - cs/static-field-written-by-instance
      - cs/string-concatenation-in-loop
      - cs/stringbuilder-creation-in-loop
      - cs/stringbuilder-initialized-with-character
      - cs/test-for-negative-container-size
      - cs/too-many-ref-parameters
      - cs/type-test-of-this
      - cs/unchecked-cast-in-equals
      - cs/unmanaged-code
      - cs/unsafe-double-checked-lock
      - cs/unsafe-sync-on-field
      - cs/unsafe-year-construction
      - cs/unsynchronized-getter
      - cs/unsynchronized-static-access
      - cs/unused-collection
      - cs/unused-label
      - cs/unused-property-value
      - cs/useless-assignment-to-local
      - cs/useless-cast-to-self
      - cs/useless-gethashcode-call
      - cs/useless-if-statement
      - cs/useless-tostring-call
      - cs/useless-type-test
      - cs/useless-upcast
      - cs/virtual-call-in-constructor
      - cs/wrong-compareto-signature
      - cs/wrong-equals-signature
      - cs/xmldoc/missing-summary
 - include:
    kind:
    - diagnostic
 - include:
    kind:
    - metric
    tags contain:
    - summary
 - exclude:
    deprecated: //
 - exclude:
    query path:
      - /^experimental\/.*/
      - Metrics/Summaries/FrameworkCoverage.ql
 - exclude:
    tags contain:
      - modeleditor
      - modelgenerator
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.2.1-dev
+version: 1.2.3-dev
 groups:
  - csharp
  - queries
--- a/docs/codeql/reusables/supported-versions-compilers.rst
+++ b/docs/codeql/reusables/supported-versions-compilers.rst
@@ -4,9 +4,9 @@
   :stub-columns: 1
   Language,Variants,Compilers,Extensions
-   C/C++,"C89, C99, C11, C17, C23, C++98, C++03, C++11, C++14, C++17, C++20, C++23 [1]_ [2]_ [3]_","Clang (including clang-cl [4]_ and armclang) extensions (up to Clang 17.0),
+   C/C++,"C89, C99, C11, C17, C23, C++98, C++03, C++11, C++14, C++17, C++20, C++23 [1]_ [2]_ [3]_","Clang (including clang-cl [4]_ and armclang) extensions (up to Clang 19.1.0),
-   GNU extensions (up to GCC 13.2),
+   GNU extensions (up to GCC 15.0),
   Microsoft extensions (up to VS 2022),
--- a/go/documentation/library-coverage/coverage.csv
+++ b/go/documentation/library-coverage/coverage.csv
@@ -5,6 +5,7 @@ archive/zip,,,6,,,,,,,,,,,,,,,,,,,,,,,6,
 bufio,,,17,,,,,,,,,,,,,,,,,,,,,,,17,
 bytes,,,43,,,,,,,,,,,,,,,,,,,,,,,43,
 clevergo.tech/clevergo,1,,,,,,,,,,,,,,,,,1,,,,,,,,,
 cloud.google.com/go/bigquery,1,,,,,,,,,,,,,,1,,,,,,,,,,,,
 compress/bzip2,,,1,,,,,,,,,,,,,,,,,,,,,,,1,
 compress/flate,,,4,,,,,,,,,,,,,,,,,,,,,,,4,
 compress/gzip,,,3,,,,,,,,,,,,,,,,,,,,,,,3,
--- a/go/documentation/library-coverage/coverage.rst
+++ b/go/documentation/library-coverage/coverage.rst
@@ -37,6 +37,7 @@ Go framework & library support
   `XPath <https://github.com/antchfx/xpath>`_,``github.com/antchfx/xpath*``,,,4
   `appleboy/gin-jwt <https://github.com/appleboy/gin-jwt>`_,``github.com/appleboy/gin-jwt*``,,,1
   `beego <https://beego.me/>`_,"``github.com/astaxie/beego*``, ``github.com/beego/beego*``",102,63,213
   `bigquery <https://pkg.go.dev/cloud.google.com/go/bigquery>`_,``cloud.google.com/go/bigquery*``,,,1
   `chi <https://go-chi.io/>`_,``github.com/go-chi/chi*``,3,,
   `cristalhq/jwt <https://github.com/cristalhq/jwt>`_,``github.com/cristalhq/jwt*``,,,1
   `env <https://github.com/caarlos0/env>`_,``github.com/caarlos0/env*``,5,2,
@@ -53,7 +54,7 @@ Go framework & library support
   `goproxy <https://github.com/elazarl/goproxy>`_,``github.com/elazarl/goproxy*``,2,2,2
   `gorilla/mux <https://github.com/gorilla/mux>`_,``github.com/gorilla/mux*``,1,,
   `gorilla/websocket <https://github.com/gorilla/websocket>`_,``github.com/gorilla/websocket*``,3,,
-   `gorqlite <https://github.com/rqlite/gorqlite>`_,"``github.com/raindog308/gorqlite*``, ``github.com/rqlite/gorqlite*``",16,4,48
+   `gorqlite <https://github.com/rqlite/gorqlite>`_,"``github.com/raindog308/gorqlite*``, ``github.com/rqlite/gorqlite*``, ``github.com/kanikanema/gorqlite*``",24,6,72
   `goxpath <https://github.com/ChrisTrenkamp/goxpath/wiki>`_,``github.com/ChrisTrenkamp/goxpath*``,,,3
   `htmlquery <https://github.com/antchfx/htmlquery>`_,``github.com/antchfx/htmlquery*``,,,4
   `json-iterator <https://github.com/json-iterator/go>`_,``github.com/json-iterator/go*``,,4,
@@ -73,6 +74,5 @@ Go framework & library support
   `xpathparser <https://github.com/santhosh-tekuri/xpathparser>`_,``github.com/santhosh-tekuri/xpathparser*``,,,2
   `yaml <https://gopkg.in/yaml.v3>`_,``gopkg.in/yaml*``,,9,
   `zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,33
-   Others,``github.com/kanikanema/gorqlite``,8,2,24
+   Totals,,688,1069,1557
   Totals,,688,1069,1556
--- a/go/documentation/library-coverage/frameworks.csv
+++ b/go/documentation/library-coverage/frameworks.csv
@@ -3,6 +3,7 @@ Standard library,https://pkg.go.dev/std, archive/* bufio bytes cmp compress/* co
 appleboy/gin-jwt,https://github.com/appleboy/gin-jwt,github.com/appleboy/gin-jwt*
 Afero,https://github.com/spf13/afero,github.com/spf13/afero*
 beego,https://beego.me/,github.com/astaxie/beego* github.com/beego/beego*
 bigquery,https://pkg.go.dev/cloud.google.com/go/bigquery,cloud.google.com/go/bigquery*
 Bun,https://bun.uptrace.dev/,github.com/uptrace/bun*
 CleverGo,https://github.com/clevergo/clevergo,clevergo.tech/clevergo* github.com/clevergo/clevergo*
 Couchbase official client(gocb),https://github.com/couchbase/gocb,github.com/couchbase/gocb* gopkg.in/couchbase/gocb*
@@ -35,7 +36,7 @@ golang.org/x/net,https://pkg.go.dev/golang.org/x/net,golang.org/x/net*
 goproxy,https://github.com/elazarl/goproxy,github.com/elazarl/goproxy*
 gorilla/mux,https://github.com/gorilla/mux,github.com/gorilla/mux*
 gorilla/websocket,https://github.com/gorilla/websocket,github.com/gorilla/websocket*
-gorqlite,https://github.com/rqlite/gorqlite,github.com/raindog308/gorqlite* github.com/rqlite/gorqlite*
+gorqlite,https://github.com/rqlite/gorqlite,github.com/raindog308/gorqlite* github.com/rqlite/gorqlite* github.com/kanikanema/gorqlite*
 goxpath,https://github.com/ChrisTrenkamp/goxpath/wiki,github.com/ChrisTrenkamp/goxpath*
 htmlquery,https://github.com/antchfx/htmlquery,github.com/antchfx/htmlquery*
 Iris,https://www.iris-go.com/,github.com/kataras/iris*
--- a/go/extractor/go.mod
+++ b/go/extractor/go.mod
@@ -9,8 +9,8 @@ toolchain go1.24.0
 // when adding or removing dependencies, run
 //    bazel mod tidy
 require (
-	golang.org/x/mod v0.24.0
+	golang.org/x/mod v0.25.0
-	golang.org/x/tools v0.33.0
+	golang.org/x/tools v0.34.0
 )
-require golang.org/x/sync v0.14.0 // indirect
+require golang.org/x/sync v0.15.0 // indirect
--- a/go/extractor/go.sum
+++ b/go/extractor/go.sum
@@ -1,8 +1,8 @@
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
-golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
--- a/go/ql/consistency-queries/CHANGELOG.md
+++ b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,3 +1,11 @@
 ## 1.0.25
 No user-facing changes.
 ## 1.0.24
 No user-facing changes.
 ## 1.0.23
 No user-facing changes.
--- a/go/ql/consistency-queries/change-notes/released/1.0.24.md
+++ b/go/ql/consistency-queries/change-notes/released/1.0.24.md
@@ -0,0 +1,3 @@
 ## 1.0.24
 No user-facing changes.
--- a/go/ql/consistency-queries/change-notes/released/1.0.25.md
+++ b/go/ql/consistency-queries/change-notes/released/1.0.25.md
@@ -0,0 +1,3 @@
 ## 1.0.25
 No user-facing changes.
--- a/go/ql/consistency-queries/codeql-pack.release.yml
+++ b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.23
+lastReleaseVersion: 1.0.25
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.24-dev
+version: 1.0.26-dev
 groups:
  - go
  - queries
--- a/go/ql/integration-tests/query-suite/go-code-scanning.qls.expected
+++ b/go/ql/integration-tests/query-suite/go-code-scanning.qls.expected
@@ -8,6 +8,7 @@ ql/go/ql/src/Security/CWE-022/TaintedPath.ql
 ql/go/ql/src/Security/CWE-022/UnsafeUnzipSymlink.ql
 ql/go/ql/src/Security/CWE-022/ZipSlip.ql
 ql/go/ql/src/Security/CWE-078/CommandInjection.ql
 ql/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
 ql/go/ql/src/Security/CWE-079/ReflectedXss.ql
 ql/go/ql/src/Security/CWE-089/SqlInjection.ql
 ql/go/ql/src/Security/CWE-089/StringBreak.ql
--- a/go/ql/integration-tests/query-suite/go-security-and-quality.qls.expected
+++ b/go/ql/integration-tests/query-suite/go-security-and-quality.qls.expected
@@ -30,6 +30,7 @@ ql/go/ql/src/Security/CWE-022/TaintedPath.ql
 ql/go/ql/src/Security/CWE-022/UnsafeUnzipSymlink.ql
 ql/go/ql/src/Security/CWE-022/ZipSlip.ql
 ql/go/ql/src/Security/CWE-078/CommandInjection.ql
 ql/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
 ql/go/ql/src/Security/CWE-079/ReflectedXss.ql
 ql/go/ql/src/Security/CWE-089/SqlInjection.ql
 ql/go/ql/src/Security/CWE-089/StringBreak.ql
--- a/go/ql/integration-tests/query-suite/go-security-extended.qls.expected
+++ b/go/ql/integration-tests/query-suite/go-security-extended.qls.expected
@@ -8,6 +8,7 @@ ql/go/ql/src/Security/CWE-022/TaintedPath.ql
 ql/go/ql/src/Security/CWE-022/UnsafeUnzipSymlink.ql
 ql/go/ql/src/Security/CWE-022/ZipSlip.ql
 ql/go/ql/src/Security/CWE-078/CommandInjection.ql
 ql/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
 ql/go/ql/src/Security/CWE-079/ReflectedXss.ql
 ql/go/ql/src/Security/CWE-089/SqlInjection.ql
 ql/go/ql/src/Security/CWE-089/StringBreak.ql
--- a/go/ql/integration-tests/query-suite/not_included_in_qls.expected
+++ b/go/ql/integration-tests/query-suite/not_included_in_qls.expected
@@ -21,7 +21,6 @@ ql/go/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
 ql/go/ql/src/experimental/CWE-525/WebCacheDeception.ql
 ql/go/ql/src/experimental/CWE-74/DsnInjection.ql
 ql/go/ql/src/experimental/CWE-74/DsnInjectionLocal.ql
 ql/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
 ql/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql
 ql/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
 ql/go/ql/src/experimental/CWE-918/SSRF.ql
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`---`	`---`
	`lastReleaseVersion: 0.4.9`	`lastReleaseVersion: 0.4.11`
		`@@ -0,0 +1,2 @@`
							`description: Support __mfp8 type`
							`compatibility: full`
`@@ -1,2 +1,2 @@`
	`\| Bar::(unnamed namespace)::B \| Bar::<unnamed>::B \|`	`\| Bar::(unnamed namespace)::B \| Bar::<unnamed>::B \|`
	`\| Foo::(unnamed namespace)::A \| _ZN3Foo37_GLOBAL__N__13_funcdname_cpp_?AEv \|`	`\| Foo::(unnamed namespace)::A \| _ZN35_INTERNAL_13_funcdname_cpp_?Foo37_GLOBAL__N__13_funcdname_cpp_?AEv \|`