C++: Reorganize the data flow change note

This groups the change notes that concern the `DataFlow` library and
clarifies the change notes that concern the two different
`TaintTracking` libraries.

change-notes/1.22/analysis-cpp.md

@@ -17,19 +17,22 @@ The following changes in version 1.22 affect C/C++ analysis in all applications.
 
 ## Changes to QL libraries
 
+- The data flow library (`semmle.code.cpp.dataflow.DataFlow`) has had the
+  following improvements, all of which benefit the taint tracking library
+  (`semmle.code.cpp.dataflow.TaintTracking`) as well.
+  - The possibility of specifying barrier edges using
+    `isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking
+    configurations has been replaced with the option of specifying in- and
+    out-barriers on nodes by overriding `isBarrierIn`/`isSanitizerIn` and
+    `isBarrierOut`/`isSanitizerOut`. This should be simpler to use effectively,
+    as it does not require knowledge about the actual edges used internally by
+    the library.
+  - The library now models data flow through `std::swap`.
+  - Recursion through the `DataFlow` library is now always a compile error. Such recursion has been deprecated since release 1.16 in March 2018. If one `DataFlow::Configuration` needs to depend on the results of another, switch one of them to use one of the `DataFlow2` through `DataFlow4` libraries.
+- In the `semmle.code.cpp.dataflow.TaintTracking` library, the second copy of `Configuration` has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.cpp.dataflow.TaintTracking2` to access the new name.
+- The `semmle.code.cpp.security.TaintTracking` library now considers a pointer difference calculation as blocking taint flow.
 - The predicate `Variable.getAnAssignedValue()` now reports assignments to fields resulting from aggregate initialization (` = {...}`).
 - The predicate `TypeMention.toString()` has been simplified to always return the string "`type mention`".  This may improve performance when using `Element.toString()` or its descendants.
-- The `semmle.code.cpp.security.TaintTracking` library now considers a pointer difference calculation as blocking taint flow.
-- The second copy of the interprocedural `TaintTracking` library has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.cpp.dataflow.TaintTracking2` to access the new name.
 - Fixed the `LocalScopeVariableReachability.qll` library's handling of loops where the entry condition is always true on first entry, and where there is more than one control flow path through the loop condition. This change increases the accuracy of the `LocalScopeVariableReachability.qll` library and queries that depend on it.
-- The `semmle.code.cpp.models` library now models data flow through `std::swap`.
 - There is a new `Variable.isThreadLocal()` predicate. It can be used to tell whether a variable is `thread_local`.
-- Recursion through the `DataFlow` library is now always a compile error. Such recursion has been deprecated since release 1.16 in March 2018. If one `DataFlow::Configuration` needs to depend on the results of another, switch one of them to use one of the `DataFlow2` through `DataFlow4` libraries.
-- The possibility of specifying barrier edges using
-  `isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking
-  configurations has been replaced with the option of specifying in- and
-  out-barriers on nodes by overriding `isBarrierIn`/`isSanitizerIn` and
-  `isBarrierOut`/`isSanitizerOut`. This should be simpler to use effectively,
-  as it does not require knowledge about the actual edges used internally by
-  the library.
 - C/C++ code examples have been added to QLDoc comments on many more classes in the QL libraries.