Merge branch 'main' into rdmarsh2/ir-global-vars

2026-05-02 12:15:17 +02:00 · 2022-03-21 16:13:40 -04:00
parent 32e128d207 6c18e1d7ac
commit 23e9963a19
436 changed files with 23082 additions and 5200 deletions
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.0.11
+
+### Minor Analysis Improvements
+
+* Many queries now support structured bindings, as structured bindings are now handled in the IR translation.
+
 ## 0.0.10

 ### New Features
@@ -6,6 +12,7 @@

 ## 0.0.9

+
 ## 0.0.8

 ### Deprecated APIs
--- a/cpp/ql/lib/DefaultOptions.qll
+++ b/cpp/ql/lib/DefaultOptions.qll
@@ -54,11 +54,13 @@ class Options extends string {
   *
   * By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
   * `longjmp`, `__builtin_unreachable` and any function with a
-   * `noreturn` attribute.
+   * `noreturn` attribute or specifier.
   */
  predicate exits(Function f) {
    f.getAnAttribute().hasName("noreturn")
    or
+    f.getASpecifier().hasName("noreturn")
+    or
    f.hasGlobalOrStdName([
        "exit", "_exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
      ])
--- a/cpp/ql/lib/Options.qll
+++ b/cpp/ql/lib/Options.qll
@@ -39,7 +39,7 @@ class CustomOptions extends Options {
   *
   * By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
   * `longjmp`, `error`, `__builtin_unreachable` and any function with a
-   * `noreturn` attribute.
+   * `noreturn` attribute or specifier.
   */
  override predicate exits(Function f) { Options.super.exits(f) }

--- a/cpp/ql/lib/change-notes/2022-03-10-template-implicit-copy.md
+++ b/cpp/ql/lib/change-notes/2022-03-10-template-implicit-copy.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* `hasImplicitCopyConstructor` and `hasImplicitCopyAssignmentOperator` now correctly handle implicitly-deleted operators in templates.
--- a/cpp/ql/lib/change-notes/2022-03-14-c11-noreturn.md
+++ b/cpp/ql/lib/change-notes/2022-03-14-c11-noreturn.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* `DefaultOptions::exits` now holds for C11 functions with the `_Noreturn` or `noreturn` specifier.
--- a/cpp/ql/lib/change-notes/2022-03-14-flow-state-barriers.md
+++ b/cpp/ql/lib/change-notes/2022-03-14-flow-state-barriers.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
--- a/cpp/ql/lib/change-notes/2022-02-24-structured-bindings-in-ir.md
+++ b/cpp/ql/lib/change-notes/2022-02-24-structured-bindings-in-ir.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 0.0.11
+
+### Minor Analysis Improvements
+
 * Many queries now support structured bindings, as structured bindings are now handled in the IR translation.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.10
+lastReleaseVersion: 0.0.11
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.0.11-dev
+version: 0.0.12-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Class.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Class.qll
@@ -251,6 +251,16 @@ class Class extends UserType {
    not this.implicitCopyConstructorDeleted() and
    forall(CopyConstructor cc | cc = this.getAMemberFunction() |
      cc.isCompilerGenerated() and not cc.isDeleted()
+    ) and
+    (
+      not this instanceof ClassTemplateInstantiation
+      or
+      this.(ClassTemplateInstantiation).getTemplate().hasImplicitCopyConstructor()
+    ) and
+    (
+      not this instanceof PartialClassTemplateSpecialization
+      or
+      this.(PartialClassTemplateSpecialization).getPrimaryTemplate().hasImplicitCopyConstructor()
    )
  }

@@ -266,6 +276,18 @@ class Class extends UserType {
    not this.implicitCopyAssignmentOperatorDeleted() and
    forall(CopyAssignmentOperator ca | ca = this.getAMemberFunction() |
      ca.isCompilerGenerated() and not ca.isDeleted()
+    ) and
+    (
+      not this instanceof ClassTemplateInstantiation
+      or
+      this.(ClassTemplateInstantiation).getTemplate().hasImplicitCopyAssignmentOperator()
+    ) and
+    (
+      not this instanceof PartialClassTemplateSpecialization
+      or
+      this.(PartialClassTemplateSpecialization)
+          .getPrimaryTemplate()
+          .hasImplicitCopyAssignmentOperator()
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/Specifier.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Specifier.qll
@@ -38,7 +38,7 @@ class FunctionSpecifier extends Specifier {

 /**
 * A C/C++ storage class specifier: `auto`, `register`, `static`, `extern`,
- * or `mutable".
+ * or `mutable`.
 */
 class StorageClassSpecifier extends Specifier {
  StorageClassSpecifier() { this.hasName(["auto", "register", "static", "extern", "mutable"]) }
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll
@@ -447,26 +447,6 @@ private predicate skipInitializer(Initializer init) {
  )
 }

-/**
- * Holds if `e` is an expression in a static initializer that must be evaluated
- * at run time. This predicate computes "is non-const" instead of "is const" in
- * order to avoid recursion through forall.
- */
-private predicate runtimeExprInStaticInitializer(Expr e) {
-  inStaticInitializer(e) and
-  if e instanceof AggregateLiteral
-  then runtimeExprInStaticInitializer(e.getAChild())
-  else not e.getFullyConverted().isConstant()
-}
-
-/** Holds if `e` is part of the initializer of a local static variable. */
-private predicate inStaticInitializer(Expr e) {
-  exists(LocalVariable local |
-    local.isStatic() and
-    e.getParent+() = local.getInitializer()
-  )
-}
-
 /**
 * Gets the `i`th child of `n` in control-flow order, where the `i`-indexes are
 * contiguous, and the first index is 0.
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -87,12 +87,30 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {

 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }

 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }

 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
   * Holds if `node` can be the first node in a maximal subsequence of local
   * flow steps in a dataflow path.
   */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
    Stage2::revFlow(node, state, config) and
    (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
      node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
    )
  }

@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
      additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
    )
    or
    Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
   */
  pragma[nomagic]
  private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
  ) {
    not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
    (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
      (
        localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
        preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
        or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
        preservesValue = false and
        t = node2.getDataFlowType()
      ) and
      node1 != node2 and
      cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
      or
      exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
          pragma[only_bind_into](config), cc) and
        localFlowStepNodeCand1(mid, node2, config) and
        not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
      )
      or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
        not mid instanceof FlowCheckNode and
        preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
      )
    )
  }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
    AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
  ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
  }
 }

@@ -2695,10 +2769,10 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
  }

  private predicate localStep(
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -87,12 +87,30 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {

 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }

 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }

 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
   * Holds if `node` can be the first node in a maximal subsequence of local
   * flow steps in a dataflow path.
   */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
    Stage2::revFlow(node, state, config) and
    (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
      node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
    )
  }

@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
      additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
    )
    or
    Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
   */
  pragma[nomagic]
  private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
  ) {
    not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
    (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
      (
        localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
        preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
        or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
        preservesValue = false and
        t = node2.getDataFlowType()
      ) and
      node1 != node2 and
      cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
      or
      exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
          pragma[only_bind_into](config), cc) and
        localFlowStepNodeCand1(mid, node2, config) and
        not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
      )
      or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
        not mid instanceof FlowCheckNode and
        preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
      )
    )
  }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
    AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
  ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
  }
 }

@@ -2695,10 +2769,10 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
  }

  private predicate localStep(
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -87,12 +87,30 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {

 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }

 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }

 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
   * Holds if `node` can be the first node in a maximal subsequence of local
   * flow steps in a dataflow path.
   */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
    Stage2::revFlow(node, state, config) and
    (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
      node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
    )
  }

@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
      additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
    )
    or
    Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
   */
  pragma[nomagic]
  private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
  ) {
    not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
    (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
      (
        localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
        preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
        or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
        preservesValue = false and
        t = node2.getDataFlowType()
      ) and
      node1 != node2 and
      cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
      or
      exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
          pragma[only_bind_into](config), cc) and
        localFlowStepNodeCand1(mid, node2, config) and
        not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
      )
      or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
        not mid instanceof FlowCheckNode and
        preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
      )
    )
  }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
    AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
  ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
  }
 }

@@ -2695,10 +2769,10 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
  }

  private predicate localStep(
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -87,12 +87,30 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {

 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }

 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }

 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
   * Holds if `node` can be the first node in a maximal subsequence of local
   * flow steps in a dataflow path.
   */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
    Stage2::revFlow(node, state, config) and
    (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
      node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
    )
  }

@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
      additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
    )
    or
    Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
   */
  pragma[nomagic]
  private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
  ) {
    not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
    (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
      (
        localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
        preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
        or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
        preservesValue = false and
        t = node2.getDataFlowType()
      ) and
      node1 != node2 and
      cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
      or
      exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
          pragma[only_bind_into](config), cc) and
        localFlowStepNodeCand1(mid, node2, config) and
        not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
      )
      or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
        not mid instanceof FlowCheckNode and
        preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
      )
    )
  }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
    AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
  ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
  }
 }

@@ -2695,10 +2769,10 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
  }

  private predicate localStep(
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -87,12 +87,30 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {

 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }

 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }

 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
   * Holds if `node` can be the first node in a maximal subsequence of local
   * flow steps in a dataflow path.
   */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
    Stage2::revFlow(node, state, config) and
    (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
      node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
    )
  }

@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
      additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
    )
    or
    Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
   */
  pragma[nomagic]
  private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
  ) {
    not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
    (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
      (
        localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
        preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
        or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
        preservesValue = false and
        t = node2.getDataFlowType()
      ) and
      node1 != node2 and
      cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
      or
      exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
          pragma[only_bind_into](config), cc) and
        localFlowStepNodeCand1(mid, node2, config) and
        not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
      )
      or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
        not mid instanceof FlowCheckNode and
        preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
      )
    )
  }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
    AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
  ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
  }
 }

@@ -2695,10 +2769,10 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
  }

  private predicate localStep(
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
  }

+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
  /**
   * Holds if the additional taint propagation step from `node1` to `node2`
   * must be taken into account in the analysis.
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
  }

+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
  /**
   * Holds if the additional taint propagation step from `node1` to `node2`
   * must be taken into account in the analysis.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -87,12 +87,30 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {

 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }

 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }

 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
   * Holds if `node` can be the first node in a maximal subsequence of local
   * flow steps in a dataflow path.
   */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
    Stage2::revFlow(node, state, config) and
    (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
      node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
    )
  }

@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
      additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
    )
    or
    Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
   */
  pragma[nomagic]
  private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
  ) {
    not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
    (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
      (
        localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
        preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
        or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
        preservesValue = false and
        t = node2.getDataFlowType()
      ) and
      node1 != node2 and
      cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
      or
      exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
          pragma[only_bind_into](config), cc) and
        localFlowStepNodeCand1(mid, node2, config) and
        not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
      )
      or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
        not mid instanceof FlowCheckNode and
        preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
      )
    )
  }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
    AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
  ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
  }
 }

@@ -2695,10 +2769,10 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
  }

  private predicate localStep(
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -87,12 +87,30 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {

 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }

 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }

 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
   * Holds if `node` can be the first node in a maximal subsequence of local
   * flow steps in a dataflow path.
   */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
    Stage2::revFlow(node, state, config) and
    (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
      node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
    )
  }

@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
      additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
    )
    or
    Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
   */
  pragma[nomagic]
  private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
  ) {
    not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
    (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
      (
        localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
        preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
        or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
        preservesValue = false and
        t = node2.getDataFlowType()
      ) and
      node1 != node2 and
      cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
      or
      exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
          pragma[only_bind_into](config), cc) and
        localFlowStepNodeCand1(mid, node2, config) and
        not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
      )
      or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
        not mid instanceof FlowCheckNode and
        preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
      )
    )
  }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
    AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
  ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
  }
 }

@@ -2695,10 +2769,10 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
  }

  private predicate localStep(
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -87,12 +87,30 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {

 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }

 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }

 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
   * Holds if `node` can be the first node in a maximal subsequence of local
   * flow steps in a dataflow path.
   */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
    Stage2::revFlow(node, state, config) and
    (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
      node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
    )
  }

@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
      additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
    )
    or
    Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
   */
  pragma[nomagic]
  private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
  ) {
    not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
    (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
      (
        localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
        preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
        or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
        preservesValue = false and
        t = node2.getDataFlowType()
      ) and
      node1 != node2 and
      cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
      or
      exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
          pragma[only_bind_into](config), cc) and
        localFlowStepNodeCand1(mid, node2, config) and
        not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
      )
      or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
        not mid instanceof FlowCheckNode and
        preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
      )
    )
  }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
    AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
  ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
  }
 }

@@ -2695,10 +2769,10 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
  }

  private predicate localStep(
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -87,12 +87,30 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {

 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }

 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }

 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
   * Holds if `node` can be the first node in a maximal subsequence of local
   * flow steps in a dataflow path.
   */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
    Stage2::revFlow(node, state, config) and
    (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
      node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
    )
  }

@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
      additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
    )
    or
    Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
   */
  pragma[nomagic]
  private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
  ) {
    not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
    (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
      (
        localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
        preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
        or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
        preservesValue = false and
        t = node2.getDataFlowType()
      ) and
      node1 != node2 and
      cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
      or
      exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
          pragma[only_bind_into](config), cc) and
        localFlowStepNodeCand1(mid, node2, config) and
        not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
      )
      or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
        not mid instanceof FlowCheckNode and
        preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
      )
    )
  }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
    AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
  ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
  }
 }

@@ -2695,10 +2769,10 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
    result =
      getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
  }

  private predicate localStep(
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
@@ -287,20 +287,6 @@ private module SsaDefReaches {
    )
  }

-  /**
-   * Holds if the SSA definition of `v` at `def` reaches uncertain SSA definition
-   * `redef` in the same basic block, without crossing another SSA definition of `v`.
-   */
-  predicate ssaDefReachesUncertainDefWithinBlock(
-    SourceVariable v, Definition def, UncertainWriteDefinition redef
-  ) {
-    exists(BasicBlock bb, int rnk, int i |
-      ssaDefReachesRank(bb, def, rnk, v) and
-      rnk = ssaRefRank(bb, i, v, SsaDef()) - 1 and
-      redef.definesAt(v, bb, i)
-    )
-  }
-
  /**
   * Same as `ssaRefRank()`, but restricted to a particular SSA definition `def`.
   */
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
  }

+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
  /**
   * Holds if the additional taint propagation step from `node1` to `node2`
   * must be taken into account in the analysis.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
  }

+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
  /**
   * Holds if the additional taint propagation step from `node1` to `node2`
   * must be taken into account in the analysis.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
  }

+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
  /**
   * Holds if the additional taint propagation step from `node1` to `node2`
   * must be taken into account in the analysis.
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/DominanceInternal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/DominanceInternal.qll
@@ -1,7 +1,5 @@
 private import ReachableBlock as Reachability

-private module ReachabilityGraph = Reachability::Graph;
-
 module Graph {
  import Reachability::Graph

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/DominanceInternal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/DominanceInternal.qll
@@ -1,7 +1,5 @@
 private import ReachableBlock as Reachability

-private module ReachabilityGraph = Reachability::Graph;
-
 module Graph {
  import Reachability::Graph

--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,24 @@
+## 0.0.11
+
+### Breaking Changes
+
+* The deprecated queries `cpp/duplicate-block`, `cpp/duplicate-function`, `cpp/duplicate-class`, `cpp/duplicate-file`, `cpp/mostly-duplicate-function`,`cpp/similar-file`, `cpp/duplicated-lines-in-files` have been removed.
+
+### Deprecated Predicates and Classes
+
+* The predicates and classes in the `CodeDuplication` library have been deprecated.
+
+### New Queries
+
+* A new query titled "Use of expired stack-address" (`cpp/using-expired-stack-address`) has been added.
+  This query finds accesses to expired stack-allocated memory that escaped via a global variable.
+* A new `cpp/insufficient-key-size` query has been added to the default query suite for C/C++. The query finds uses of certain cryptographic algorithms where the key size is too small to provide adequate encryption strength.
+
+### Minor Analysis Improvements
+
+* The "Failure to use HTTPS URLs" (`cpp/non-https-url`) has been improved reducing false positive results, and its precision has been increased to 'high'.
+* The `cpp/system-data-exposure` query has been modernized and has converted to a `path-problem` query. There are now fewer false positive results.
+
 ## 0.0.10

 ### Deprecated Classes
--- a/cpp/ql/src/Critical/OverflowDestination.ql
+++ b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -2,7 +2,7 @@
 * @name Copy function using source size
 * @description Calling a copy operation with a size derived from the source
 *              buffer instead of the destination buffer may result in a buffer overflow.
- * @kind problem
+ * @kind path-problem
 * @id cpp/overflow-destination
 * @problem.severity warning
 * @security-severity 9.3
@@ -14,7 +14,10 @@
 */

 import cpp
-import semmle.code.cpp.security.TaintTracking
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.controlflow.IRGuards
+import semmle.code.cpp.security.FlowSources
+import DataFlow::PathGraph

 /**
 * Holds if `fc` is a call to a copy operation where the size argument contains
@@ -27,9 +30,9 @@ predicate sourceSized(FunctionCall fc, Expr src) {
  fc.getTarget().hasGlobalOrStdName(["strncpy", "strncat", "memcpy", "memmove"]) and
  exists(Expr dest, Expr size, Variable v |
    fc.getArgument(0) = dest and
-    fc.getArgument(1) = src and
+    fc.getArgument(1).getFullyConverted() = src and
    fc.getArgument(2) = size and
-    src = v.getAnAccess() and
+    src = v.getAnAccess().getFullyConverted() and
    size.getAChild+() = v.getAnAccess() and
    // exception: `dest` is also referenced in the size argument
    not exists(Variable other |
@@ -45,9 +48,49 @@ predicate sourceSized(FunctionCall fc, Expr src) {
  )
 }

-from FunctionCall fc, Expr vuln, Expr taintSource
+predicate readsVariable(LoadInstruction load, Variable var) {
+  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
+}
+
+predicate hasUpperBoundsCheck(Variable var) {
+  exists(RelationalOperation oper, VariableAccess access |
+    oper.getAnOperand() = access and
+    access.getTarget() = var and
+    // Comparing to 0 is not an upper bound check
+    not oper.getAnOperand().getValue() = "0"
+  )
+}
+
+predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
+  readsVariable(node.asInstruction(), checkedVar) and
+  any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
+}
+
+class OverflowDestinationConfig extends TaintTracking::Configuration {
+  OverflowDestinationConfig() { this = "OverflowDestinationConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sourceSized(_, sink.asConvertedExpr()) }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    exists(Variable checkedVar |
+      readsVariable(node.asInstruction(), checkedVar) and
+      hasUpperBoundsCheck(checkedVar)
+    )
+    or
+    exists(Variable checkedVar, Operand access |
+      readsVariable(access.getDef(), checkedVar) and
+      nodeIsBarrierEqualityCandidate(node, access, checkedVar)
+    )
+  }
+}
+
+from
+  FunctionCall fc, OverflowDestinationConfig conf, DataFlow::PathNode source,
+  DataFlow::PathNode sink
 where
-  sourceSized(fc, vuln) and
-  tainted(taintSource, vuln)
-select fc,
+  conf.hasFlowPath(source, sink) and
+  sourceSized(fc, sink.getNode().asConvertedExpr())
+select fc, source, sink,
  "To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size."
--- a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
@@ -3,18 +3,22 @@
 * @description Accessing an array without first checking
 *              that the index is within the bounds of the array can
 *              cause undefined behavior and can also be a security risk.
- * @kind problem
+ * @kind path-problem
 * @id cpp/unclear-array-index-validation
 * @problem.severity warning
 * @security-severity 8.8
+ * @precision low
 * @tags security
 *       external/cwe/cwe-129
 */

 import cpp
-import semmle.code.cpp.controlflow.Guards
-private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
-import semmle.code.cpp.security.TaintTracking
+import semmle.code.cpp.controlflow.IRGuards
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
+import DataFlow::PathGraph
+import semmle.code.cpp.security.Security

 predicate hasUpperBound(VariableAccess offsetExpr) {
  exists(BasicBlock controlled, StackVariable offsetVar, SsaDefinition def |
@@ -32,11 +36,92 @@ predicate linearBoundControls(BasicBlock controlled, SsaDefinition def, StackVar
  )
 }

-from Expr origin, ArrayExpr arrayExpr, VariableAccess offsetExpr
+predicate readsVariable(LoadInstruction load, Variable var) {
+  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
+}
+
+predicate hasUpperBoundsCheck(Variable var) {
+  exists(RelationalOperation oper, VariableAccess access |
+    oper.getAnOperand() = access and
+    access.getTarget() = var and
+    // Comparing to 0 is not an upper bound check
+    not oper.getAnOperand().getValue() = "0"
+  )
+}
+
+predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
+  readsVariable(node.asInstruction(), checkedVar) and
+  any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
+}
+
+predicate isFlowSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
+
+predicate predictableInstruction(Instruction instr) {
+  instr instanceof ConstantInstruction
+  or
+  instr instanceof StringConstantInstruction
+  or
+  // This could be a conversion on a string literal
+  predictableInstruction(instr.(UnaryInstruction).getUnary())
+}
+
+class ImproperArrayIndexValidationConfig extends TaintTracking::Configuration {
+  ImproperArrayIndexValidationConfig() { this = "ImproperArrayIndexValidationConfig" }
+
+  override predicate isSource(DataFlow::Node source) { isFlowSource(source, _) }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    hasUpperBound(node.asExpr())
+    or
+    // These barriers are ported from `DefaultTaintTracking` because this query is quite noisy
+    // otherwise.
+    exists(Variable checkedVar |
+      readsVariable(node.asInstruction(), checkedVar) and
+      hasUpperBoundsCheck(checkedVar)
+    )
+    or
+    exists(Variable checkedVar, Operand access |
+      readsVariable(access.getDef(), checkedVar) and
+      nodeIsBarrierEqualityCandidate(node, access, checkedVar)
+    )
+    or
+    // Don't use dataflow into binary instructions if both operands are unpredictable
+    exists(BinaryInstruction iTo |
+      iTo = node.asInstruction() and
+      not predictableInstruction(iTo.getLeft()) and
+      not predictableInstruction(iTo.getRight()) and
+      // propagate taint from either the pointer or the offset, regardless of predictability
+      not iTo instanceof PointerArithmeticInstruction
+    )
+    or
+    // don't use dataflow through calls to pure functions if two or more operands
+    // are unpredictable
+    exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
+      iTo = node.asInstruction() and
+      isPureFunction(iTo.getStaticCallTarget().getName()) and
+      iFrom1 = iTo.getAnArgument() and
+      iFrom2 = iTo.getAnArgument() and
+      not predictableInstruction(iFrom1) and
+      not predictableInstruction(iFrom2) and
+      iFrom1 != iFrom2
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(ArrayExpr arrayExpr, VariableAccess offsetExpr |
+      offsetExpr = arrayExpr.getArrayOffset() and
+      sink.asExpr() = offsetExpr and
+      not hasUpperBound(offsetExpr)
+    )
+  }
+}
+
+from
+  ImproperArrayIndexValidationConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink,
+  string sourceType
 where
-  tainted(origin, offsetExpr) and
-  offsetExpr = arrayExpr.getArrayOffset() and
-  not hasUpperBound(offsetExpr)
-select offsetExpr,
+  conf.hasFlowPath(source, sink) and
+  isFlowSource(source.getNode(), sourceType)
+select sink.getNode(), source, sink,
  "$@ flows to here and is used in an array indexing expression, potentially causing an invalid access.",
-  origin, "User-provided value"
+  source.getNode(), sourceType
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -15,55 +15,89 @@

 import cpp
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
-import semmle.code.cpp.security.TaintTracking
-import TaintedWithPath
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.ir.IR
+import semmle.code.cpp.controlflow.IRGuards
+import semmle.code.cpp.security.FlowSources
+import DataFlow::PathGraph

 /**
 * Holds if `alloc` is an allocation, and `tainted` is a child of it that is a
 * taint sink.
 */
-predicate allocSink(Expr alloc, Expr tainted) {
-  isAllocationExpr(alloc) and
-  tainted = alloc.getAChild() and
-  tainted.getUnspecifiedType() instanceof IntegralType
-}
-
-class TaintedAllocationSizeConfiguration extends TaintTrackingConfiguration {
-  override predicate isSink(Element tainted) { allocSink(_, tainted) }
-
-  override predicate isBarrier(Expr e) {
-    super.isBarrier(e)
-    or
-    // There can be two separate reasons for `convertedExprMightOverflow` not holding:
-    // 1. `e` really cannot overflow.
-    // 2. `e` isn't analyzable.
-    // If we didn't rule out case 2 we would place barriers on anything that isn't analyzable.
-    (
-      e instanceof UnaryArithmeticOperation or
-      e instanceof BinaryArithmeticOperation or
-      e instanceof AssignArithmeticOperation
-    ) and
-    not convertedExprMightOverflow(e)
-    or
-    // Subtracting two pointers is either well-defined (and the result will likely be small), or
-    // terribly undefined and dangerous. Here, we assume that the programmer has ensured that the
-    // result is well-defined (i.e., the two pointers point to the same object), and thus the result
-    // will likely be small.
-    e = any(PointerDiffExpr diff).getAnOperand()
-  }
-}
-
-predicate taintedAllocSize(
-  Expr source, Expr alloc, PathNode sourceNode, PathNode sinkNode, string taintCause
-) {
-  isUserInput(source, taintCause) and
-  exists(Expr tainted |
-    allocSink(alloc, tainted) and
-    taintedWithPath(source, tainted, sourceNode, sinkNode)
+predicate allocSink(Expr alloc, DataFlow::Node sink) {
+  exists(Expr e | e = sink.asConvertedExpr() |
+    isAllocationExpr(alloc) and
+    e = alloc.getAChild() and
+    e.getUnspecifiedType() instanceof IntegralType
  )
 }

-from Expr source, Expr alloc, PathNode sourceNode, PathNode sinkNode, string taintCause
-where taintedAllocSize(source, alloc, sourceNode, sinkNode, taintCause)
-select alloc, sourceNode, sinkNode, "This allocation size is derived from $@ and might overflow",
-  source, "user input (" + taintCause + ")"
+predicate readsVariable(LoadInstruction load, Variable var) {
+  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
+}
+
+predicate hasUpperBoundsCheck(Variable var) {
+  exists(RelationalOperation oper, VariableAccess access |
+    oper.getAnOperand() = access and
+    access.getTarget() = var and
+    // Comparing to 0 is not an upper bound check
+    not oper.getAnOperand().getValue() = "0"
+  )
+}
+
+predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
+  readsVariable(node.asInstruction(), checkedVar) and
+  any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
+}
+
+predicate isFlowSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
+
+class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {
+  TaintedAllocationSizeConfiguration() { this = "TaintedAllocationSizeConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { isFlowSource(source, _) }
+
+  override predicate isSink(DataFlow::Node sink) { allocSink(_, sink) }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    exists(Expr e | e = node.asExpr() |
+      // There can be two separate reasons for `convertedExprMightOverflow` not holding:
+      // 1. `e` really cannot overflow.
+      // 2. `e` isn't analyzable.
+      // If we didn't rule out case 2 we would place barriers on anything that isn't analyzable.
+      (
+        e instanceof UnaryArithmeticOperation or
+        e instanceof BinaryArithmeticOperation or
+        e instanceof AssignArithmeticOperation
+      ) and
+      not convertedExprMightOverflow(e)
+      or
+      // Subtracting two pointers is either well-defined (and the result will likely be small), or
+      // terribly undefined and dangerous. Here, we assume that the programmer has ensured that the
+      // result is well-defined (i.e., the two pointers point to the same object), and thus the result
+      // will likely be small.
+      e = any(PointerDiffExpr diff).getAnOperand()
+    )
+    or
+    exists(Variable checkedVar |
+      readsVariable(node.asInstruction(), checkedVar) and
+      hasUpperBoundsCheck(checkedVar)
+    )
+    or
+    exists(Variable checkedVar, Operand access |
+      readsVariable(access.getDef(), checkedVar) and
+      nodeIsBarrierEqualityCandidate(node, access, checkedVar)
+    )
+  }
+}
+
+from
+  Expr alloc, DataFlow::PathNode source, DataFlow::PathNode sink, string taintCause,
+  TaintedAllocationSizeConfiguration conf
+where
+  isFlowSource(source.getNode(), taintCause) and
+  conf.hasFlowPath(source, sink) and
+  allocSink(alloc, sink.getNode())
+select alloc, source, sink, "This allocation size is derived from $@ and might overflow",
+  source.getNode(), "user input (" + taintCause + ")"
--- a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+++ b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
@@ -3,6 +3,7 @@
 * @description Non-HTTPS connections can be intercepted by third parties.
 * @kind path-problem
 * @problem.severity warning
+ * @security-severity 8.1
 * @precision high
 * @id cpp/non-https-url
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -4,6 +4,7 @@
 *              allow an attacker to compromise security.
 * @kind path-problem
 * @problem.severity error
+ * @security-severity 7.5
 * @precision high
 * @id cpp/insufficient-key-size
 * @tags security
--- a/cpp/ql/src/change-notes/2022-02-10-system-data-exposure.md
+++ b/cpp/ql/src/change-notes/2022-02-10-system-data-exposure.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `cpp/system-data-exposure` query has been modernized and has converted to a `path-problem` query. There are now fewer false positive results.
--- a/cpp/ql/src/change-notes/2022-02-16-insufficient-key-size.md
+++ b/cpp/ql/src/change-notes/2022-02-16-insufficient-key-size.md
@@ -1,4 +0,0 @@
---
-category: newQuery
---
-* A new `cpp/insufficient-key-size` query has been added to the default query suite for C/C++. The query finds uses of certain cryptographic algorithms where the key size is too small to provide adequate encryption strength.
--- a/cpp/ql/src/change-notes/2022-02-22-using-expired-stack-address.md
+++ b/cpp/ql/src/change-notes/2022-02-22-using-expired-stack-address.md
@@ -1,6 +0,0 @@
---
-category: newQuery
---
-
- A new query titled "Use of expired stack-address" (`cpp/using-expired-stack-address`) has been added.
-  This query finds accesses to expired stack-allocated memory that escaped via a global variable.
--- a/cpp/ql/src/change-notes/2022-02-24-non-https-url.md
+++ b/cpp/ql/src/change-notes/2022-02-24-non-https-url.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The "Failure to use HTTPS URLs" (`cpp/non-https-url`) has been improved reducing false positive results, and its precision has been increased to 'high'.
--- a/cpp/ql/src/change-notes/2022-03-08-code-duplication-deprecation.md
+++ b/cpp/ql/src/change-notes/2022-03-08-code-duplication-deprecation.md
@@ -1,4 +0,0 @@
---
-category: deprecated
---
-* The predicates and classes in the `CodeDuplication` library have been deprecated.
--- a/cpp/ql/src/change-notes/2022-03-08-code-duplication-queries.md
+++ b/cpp/ql/src/change-notes/2022-03-08-code-duplication-queries.md
@@ -1,4 +0,0 @@
---
-category: breaking
---
-* The deprecated queries `cpp/duplicate-block`, `cpp/duplicate-function`, `cpp/duplicate-class`, `cpp/duplicate-file`, `cpp/mostly-duplicate-function`,`cpp/similar-file`, `cpp/duplicated-lines-in-files` have been removed.
--- a/cpp/ql/src/change-notes/2022-03-10-port-three-queries-to-taint-tracking.md
+++ b/cpp/ql/src/change-notes/2022-03-10-port-three-queries-to-taint-tracking.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/overflow-destination`, `cpp/unclear-array-index-validation`, and `cpp/uncontrolled-allocation-size` queries have been modernized and converted to `path-problem` queries and provide more true positive results.
--- a/cpp/ql/src/change-notes/released/0.0.11.md
+++ b/cpp/ql/src/change-notes/released/0.0.11.md
@@ -0,0 +1,20 @@
+## 0.0.11
+
+### Breaking Changes
+
+* The deprecated queries `cpp/duplicate-block`, `cpp/duplicate-function`, `cpp/duplicate-class`, `cpp/duplicate-file`, `cpp/mostly-duplicate-function`,`cpp/similar-file`, `cpp/duplicated-lines-in-files` have been removed.
+
+### Deprecated Predicates and Classes
+
+* The predicates and classes in the `CodeDuplication` library have been deprecated.
+
+### New Queries
+
+* A new query titled "Use of expired stack-address" (`cpp/using-expired-stack-address`) has been added.
+  This query finds accesses to expired stack-allocated memory that escaped via a global variable.
+* A new `cpp/insufficient-key-size` query has been added to the default query suite for C/C++. The query finds uses of certain cryptographic algorithms where the key size is too small to provide adequate encryption strength.
+
+### Minor Analysis Improvements
+
+* The "Failure to use HTTPS URLs" (`cpp/non-https-url`) has been improved reducing false positive results, and its precision has been increased to 'high'.
+* The `cpp/system-data-exposure` query has been modernized and has converted to a `path-problem` query. There are now fewer false positive results.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.10
+lastReleaseVersion: 0.0.11
--- a/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
@@ -13,30 +13,6 @@
 import cpp
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering

-/** Holds for a function `f` that has an argument at index `apos` used to read the file. */
-predicate numberArgumentRead(Function f, int apos) {
-  f.hasGlobalOrStdName("fgets") and apos = 2
-  or
-  f.hasGlobalOrStdName("fread") and apos = 3
-  or
-  f.hasGlobalOrStdName("read") and apos = 0
-  or
-  f.hasGlobalOrStdName("fscanf") and apos = 0
-}
-
-/** Holds for a function `f` that has an argument at index `apos` used to write to file */
-predicate numberArgumentWrite(Function f, int apos) {
-  f.hasGlobalOrStdName("fprintf") and apos = 0
-  or
-  f.hasGlobalOrStdName("fputs") and apos = 1
-  or
-  f.hasGlobalOrStdName("write") and apos = 0
-  or
-  f.hasGlobalOrStdName("fwrite") and apos = 3
-  or
-  f.hasGlobalOrStdName("fflush") and apos = 0
-}
-
 from FunctionCall fc, string msg
 where
  // search for functions for generating a name, without a guarantee of the absence of a file during the period of work with it.
@@ -59,54 +35,4 @@ where
  ) and
  msg =
    "Finding the name of a file that does not exist does not mean that it will not be exist at the next operation."
-  or
-  // finding places to work with a file without setting permissions, but with predictable names.
-  (
-    fc.getTarget().hasGlobalOrStdName("fopen") or
-    fc.getTarget().hasGlobalOrStdName("open")
-  ) and
-  fc.getNumberOfArguments() = 2 and
-  exists(FunctionCall fctmp, int i |
-    numberArgumentWrite(fctmp.getTarget(), i) and
-    globalValueNumber(fc) = globalValueNumber(fctmp.getArgument(i))
-  ) and
-  not exists(FunctionCall fctmp, int i |
-    numberArgumentRead(fctmp.getTarget(), i) and
-    globalValueNumber(fc) = globalValueNumber(fctmp.getArgument(i))
-  ) and
-  exists(FunctionCall fctmp |
-    (
-      fctmp.getTarget().hasGlobalOrStdName("strcat") or
-      fctmp.getTarget().hasGlobalOrStdName("strcpy")
-    ) and
-    globalValueNumber(fc.getArgument(0)) = globalValueNumber(fctmp.getAnArgument())
-    or
-    fctmp.getTarget().hasGlobalOrStdName("getenv") and
-    globalValueNumber(fc.getArgument(0)) = globalValueNumber(fctmp)
-    or
-    (
-      fctmp.getTarget().hasGlobalOrStdName("asprintf") or
-      fctmp.getTarget().hasGlobalOrStdName("vasprintf") or
-      fctmp.getTarget().hasGlobalOrStdName("xasprintf") or
-      fctmp.getTarget().hasGlobalOrStdName("xvasprintf ")
-    ) and
-    exists(Variable vrtmp |
-      vrtmp = fc.getArgument(0).(VariableAccess).getTarget() and
-      vrtmp = fctmp.getArgument(0).(AddressOfExpr).getAddressable() and
-      not vrtmp instanceof Field
-    )
-  ) and
-  not exists(FunctionCall fctmp |
-    (
-      fctmp.getTarget().hasGlobalOrStdName("umask") or
-      fctmp.getTarget().hasGlobalOrStdName("fchmod") or
-      fctmp.getTarget().hasGlobalOrStdName("chmod")
-    ) and
-    (
-      fc.getBasicBlock().getASuccessor*() = fctmp.getBasicBlock() or
-      fctmp.getBasicBlock().getASuccessor*() = fc.getBasicBlock()
-    )
-  ) and
-  msg =
-    "Creating a file for writing without evaluating its existence and setting permissions can be unsafe."
 select fc, msg
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.0.11-dev
+version: 0.0.12-dev
 groups: 
  - cpp
  - queries
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/InsecureTemporaryFile.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/InsecureTemporaryFile.expected
@@ -1,2 +1 @@
 | test.cpp:16:20:16:25 | call to tmpnam | Finding the name of a file that does not exist does not mean that it will not be exist at the next operation. |
-| test.cpp:42:8:42:12 | call to fopen | Creating a file for writing without evaluating its existence and setting permissions can be unsafe. |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/test.cpp
@@ -39,7 +39,7 @@ int funcTest3()
  FILE *fp;
  char filename[80];
  strcat(filename, "/tmp/tmp.name");
-  fp = fopen(filename,"w"); // BAD
+  fp = fopen(filename,"w"); // BAD [NOT DETECTED]
  fprintf(fp,"%s\n","data to file");
  fclose(fp);
  return 0;
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -12820,6 +12820,221 @@ ir.cpp:
 # 1668|                 Type = [IntType] int
 # 1668|                 ValueCategory = prvalue(load)
 # 1670|     getStmt(3): [ReturnStmt] return ...
+# 1672| [TopLevelFunction] void array_structured_binding_non_ref_init()
+# 1672|   <params>: 
+# 1672|   getEntryPoint(): [BlockStmt] { ... }
+# 1673|     getStmt(0): [DeclStmt] declaration
+# 1673|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of xs
+# 1673|           Type = [ArrayType] int[2]
+# 1673|         getVariable().getInitializer(): [Initializer] initializer for xs
+# 1673|           getExpr(): [ArrayAggregateLiteral] {...}
+# 1673|               Type = [ArrayType] int[2]
+# 1673|               ValueCategory = prvalue
+# 1673|             getElementExpr(0): [Literal] 1
+# 1673|                 Type = [IntType] int
+# 1673|                 Value = [Literal] 1
+# 1673|                 ValueCategory = prvalue
+# 1673|             getElementExpr(1): [Literal] 2
+# 1673|                 Type = [IntType] int
+# 1673|                 Value = [Literal] 2
+# 1673|                 ValueCategory = prvalue
+# 1674|     getStmt(1): [DeclStmt] declaration
+# 1674|       getDeclarationEntry(0): (no string representation)
+# 1674|           Type = [ArrayType] int[2]
+# 1674|         getVariable().getInitializer(): [Initializer] initializer for (unnamed local variable)
+# 1674|           getExpr(): (no string representation)
+# 1674|               Type = [ArrayType] int[2]
+# 1674|               ValueCategory = prvalue
+# 1674|       getDeclarationEntry(1): [VariableDeclarationEntry] definition of x0
+# 1674|           Type = [IntType] int
+#-----|         getVariable().getInitializer(): [Initializer] initializer for x0
+#-----|           getExpr(): [ArrayExpr] access to array
+#-----|               Type = [IntType] int
+#-----|               ValueCategory = lvalue
+#-----|             getArrayBase(): [VariableAccess] (unnamed local variable)
+#-----|                 Type = [ArrayType] int[2]
+#-----|                 ValueCategory = lvalue
+#-----|             getArrayOffset(): [Literal] 0
+#-----|                 Type = [LongType] unsigned long
+#-----|                 Value = [Literal] 0
+#-----|                 ValueCategory = prvalue
+#-----|             getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#-----|                 Type = [IntPointerType] int *
+#-----|                 ValueCategory = prvalue
+# 1674|       getDeclarationEntry(2): [VariableDeclarationEntry] definition of x1
+# 1674|           Type = [IntType] int
+#-----|         getVariable().getInitializer(): [Initializer] initializer for x1
+#-----|           getExpr(): [ArrayExpr] access to array
+#-----|               Type = [IntType] int
+#-----|               ValueCategory = lvalue
+#-----|             getArrayBase(): [VariableAccess] (unnamed local variable)
+#-----|                 Type = [ArrayType] int[2]
+#-----|                 ValueCategory = lvalue
+#-----|             getArrayOffset(): [Literal] 1
+#-----|                 Type = [LongType] unsigned long
+#-----|                 Value = [Literal] 1
+#-----|                 ValueCategory = prvalue
+#-----|             getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#-----|                 Type = [IntPointerType] int *
+#-----|                 ValueCategory = prvalue
+# 1675|     getStmt(2): [ReturnStmt] return ...
+# 1677| [CopyAssignmentOperator] CapturedLambdaMyObj& CapturedLambdaMyObj::operator=(CapturedLambdaMyObj const&)
+# 1677|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const CapturedLambdaMyObj &
+# 1677| [MoveAssignmentOperator] CapturedLambdaMyObj& CapturedLambdaMyObj::operator=(CapturedLambdaMyObj&&)
+# 1677|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] CapturedLambdaMyObj &&
+# 1677| [CopyConstructor] void CapturedLambdaMyObj::CapturedLambdaMyObj(CapturedLambdaMyObj const&)
+# 1677|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const CapturedLambdaMyObj &
+# 1677| [MoveConstructor] void CapturedLambdaMyObj::CapturedLambdaMyObj(CapturedLambdaMyObj&&)
+# 1677|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] CapturedLambdaMyObj &&
+# 1680| [Constructor] void CapturedLambdaMyObj::CapturedLambdaMyObj()
+# 1680|   <params>: 
+# 1680|   <initializations>: 
+# 1680|   getEntryPoint(): [BlockStmt] { ... }
+# 1680|     getStmt(0): [ReturnStmt] return ...
+# 1683| [TopLevelFunction] void captured_lambda(int, int&, int&&)
+# 1683|   <params>: 
+# 1683|     getParameter(0): [Parameter] x
+# 1683|         Type = [IntType] int
+# 1683|     getParameter(1): [Parameter] y
+# 1683|         Type = [LValueReferenceType] int &
+# 1683|     getParameter(2): [Parameter] z
+# 1683|         Type = [RValueReferenceType] int &&
+# 1684|   getEntryPoint(): [BlockStmt] { ... }
+# 1685|     getStmt(0): [DeclStmt] declaration
+# 1685|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of obj1
+# 1685|           Type = [LValueReferenceType] const CapturedLambdaMyObj &
+# 1685|         getVariable().getInitializer(): [Initializer] initializer for obj1
+# 1685|           getExpr(): [ConstructorCall] call to CapturedLambdaMyObj
+# 1685|               Type = [VoidType] void
+# 1685|               ValueCategory = prvalue
+# 1685|           getExpr().getFullyConverted(): [ReferenceToExpr] (reference to)
+# 1685|               Type = [LValueReferenceType] const CapturedLambdaMyObj &
+# 1685|               ValueCategory = prvalue
+# 1685|             getExpr(): [CStyleCast] (const CapturedLambdaMyObj)...
+# 1685|                 Conversion = [GlvalueConversion] glvalue conversion
+# 1685|                 Type = [SpecifiedType] const CapturedLambdaMyObj
+# 1685|                 ValueCategory = lvalue
+# 1685|               getExpr(): [TemporaryObjectExpr] temporary object
+# 1685|                   Type = [Class] CapturedLambdaMyObj
+# 1685|                   ValueCategory = lvalue
+# 1686|     getStmt(1): [DeclStmt] declaration
+# 1686|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of obj2
+# 1686|           Type = [Class] CapturedLambdaMyObj
+# 1686|         getVariable().getInitializer(): [Initializer] initializer for obj2
+# 1686|           getExpr(): [ConstructorCall] call to CapturedLambdaMyObj
+# 1686|               Type = [VoidType] void
+# 1686|               ValueCategory = prvalue
+# 1688|     getStmt(2): [DeclStmt] declaration
+# 1688|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of lambda_outer
+# 1688|           Type = [Closure,LocalClass] decltype([...](...){...})
+# 1688|         getVariable().getInitializer(): [Initializer] initializer for lambda_outer
+# 1688|           getExpr(): [LambdaExpression] [...](...){...}
+# 1688|               Type = [Closure,LocalClass] decltype([...](...){...})
+# 1688|               ValueCategory = prvalue
+# 1688|             getInitializer(): [ClassAggregateLiteral] {...}
+# 1688|                 Type = [Closure,LocalClass] decltype([...](...){...})
+# 1688|                 ValueCategory = prvalue
+# 1688|               getFieldExpr(obj1): [Literal] Unknown literal
+# 1688|                   Type = [SpecifiedType] const CapturedLambdaMyObj
+# 1688|                   ValueCategory = prvalue
+# 1688|               getFieldExpr(obj2): [Literal] Unknown literal
+# 1688|                   Type = [Class] CapturedLambdaMyObj
+# 1688|                   ValueCategory = prvalue
+# 1688|               getFieldExpr(x): [VariableAccess] x
+# 1688|                   Type = [IntType] int
+# 1688|                   ValueCategory = prvalue(load)
+# 1688|               getFieldExpr(y): [VariableAccess] y
+# 1688|                   Type = [LValueReferenceType] int &
+# 1688|                   ValueCategory = prvalue(load)
+# 1688|               getFieldExpr(z): [VariableAccess] z
+# 1688|                   Type = [RValueReferenceType] int &&
+# 1688|                   ValueCategory = prvalue(load)
+# 1690|               getFieldExpr(y).getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
+# 1690|                   Type = [IntType] int
+# 1690|                   ValueCategory = prvalue(load)
+# 1690|               getFieldExpr(z).getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
+# 1690|                   Type = [IntType] int
+# 1690|                   ValueCategory = prvalue(load)
+# 1691|     getStmt(3): [ReturnStmt] return ...
+# 1688| [CopyAssignmentOperator] (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)& (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator=((void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25) const&)
+# 1688|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const lambda [] type at line 1688, col. 25 &
+# 1688| [CopyConstructor] void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::(unnamed constructor)((void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25) const&)
+# 1688|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const lambda [] type at line 1688, col. 25 &
+# 1688| [MoveConstructor] void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::(unnamed constructor)((void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)&&)
+# 1688|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] lambda [] type at line 1688, col. 25 &&
+# 1688| [Constructor] void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::(unnamed constructor)()
+# 1688|   <params>: 
+# 1688| [ConstMemberFunction] void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const
+# 1688|   <params>: 
+# 1688|   getEntryPoint(): [BlockStmt] { ... }
+# 1689|     getStmt(0): [DeclStmt] declaration
+# 1689|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of lambda_inner
+# 1689|           Type = [Closure,LocalClass] decltype([...](...){...})
+# 1689|         getVariable().getInitializer(): [Initializer] initializer for lambda_inner
+# 1689|           getExpr(): [LambdaExpression] [...](...){...}
+# 1689|               Type = [Closure,LocalClass] decltype([...](...){...})
+# 1689|               ValueCategory = prvalue
+# 1689|             getInitializer(): [ClassAggregateLiteral] {...}
+# 1689|                 Type = [Closure,LocalClass] decltype([...](...){...})
+# 1689|                 ValueCategory = prvalue
+# 1689|               getFieldExpr(obj1): [Literal] Unknown literal
+# 1689|                   Type = [SpecifiedType] const CapturedLambdaMyObj
+# 1689|                   ValueCategory = prvalue
+# 1689|               getFieldExpr(obj2): [Literal] Unknown literal
+# 1689|                   Type = [Class] CapturedLambdaMyObj
+# 1689|                   ValueCategory = prvalue
+# 1689|               getFieldExpr(x): [PointerFieldAccess] x
+# 1689|                   Type = [IntType] int
+# 1689|                   ValueCategory = prvalue(load)
+# 1689|                 getQualifier(): [ThisExpr] this
+# 1689|                     Type = [PointerType] const lambda [] type at line 1688, col. 25 *
+# 1689|                     ValueCategory = prvalue(load)
+# 1689|               getFieldExpr(y): [PointerFieldAccess] y
+# 1689|                   Type = [IntType] int
+# 1689|                   ValueCategory = prvalue(load)
+# 1689|                 getQualifier(): [ThisExpr] this
+# 1689|                     Type = [PointerType] const lambda [] type at line 1688, col. 25 *
+# 1689|                     ValueCategory = prvalue(load)
+# 1689|               getFieldExpr(z): [PointerFieldAccess] z
+# 1689|                   Type = [IntType] int
+# 1689|                   ValueCategory = prvalue(load)
+# 1689|                 getQualifier(): [ThisExpr] this
+# 1689|                     Type = [PointerType] const lambda [] type at line 1688, col. 25 *
+# 1689|                     ValueCategory = prvalue(load)
+# 1690|     getStmt(1): [ReturnStmt] return ...
+# 1689| [CopyAssignmentOperator] (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)& (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)::operator=((void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29) const&)
+# 1689|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const lambda [] type at line 1689, col. 29 &
+# 1689| [CopyConstructor] void (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)::(unnamed constructor)((void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29) const&)
+# 1689|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const lambda [] type at line 1689, col. 29 &
+# 1689| [MoveConstructor] void (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)::(unnamed constructor)((void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)&&)
+# 1689|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] lambda [] type at line 1689, col. 29 &&
+# 1689| [Constructor] void (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)::(unnamed constructor)()
+# 1689|   <params>: 
+# 1689| [ConstMemberFunction] void (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)::operator()() const
+# 1689|   <params>: 
+# 1689|   getEntryPoint(): [BlockStmt] { ... }
+# 1689|     getStmt(0): [EmptyStmt] ;
+# 1689|     getStmt(1): [ReturnStmt] return ...
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
 #    4|   <params>: 
--- a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected
+++ b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected
@@ -4,12 +4,14 @@ duplicateOperand
 missingPhiOperand
 missingOperandType
 | ir.cpp:1038:12:1038:18 | ChiTotal | Operand 'ChiTotal' of instruction 'Chi' is missing a type in function '$@'. | ir.cpp:1038:6:1038:8 | (lambda [] type at line 1038, col. 12) lam | (lambda [] type at line 1038, col. 12) lam |
-| ir.cpp:1674:16:1674:16 | ChiTotal | Operand 'ChiTotal' of instruction 'Chi' is missing a type in function '$@'. | ir.cpp:1674:5:1674:12 | int global_2 | int global_2 |
-| ir.cpp:1676:22:1676:22 | ChiTotal | Operand 'ChiTotal' of instruction 'Chi' is missing a type in function '$@'. | ir.cpp:1676:11:1676:18 | int const global_3 | int const global_3 |
+| ir.cpp:1695:16:1695:16 | ChiTotal | Operand 'ChiTotal' of instruction 'Chi' is missing a type in function '$@'. | ir.cpp:1695:5:1695:12 | int global_2 | int global_2 |
+| ir.cpp:1697:22:1697:22 | ChiTotal | Operand 'ChiTotal' of instruction 'Chi' is missing a type in function '$@'. | ir.cpp:1697:11:1697:18 | int const global_3 | int const global_3 |
 | struct_init.cpp:10:7:10:9 | ChiTotal | Operand 'ChiTotal' of instruction 'Chi' is missing a type in function '$@'. | struct_init.cpp:9:13:9:25 | Info infos_in_file[] | Info infos_in_file[] |
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
@@ -25,8 +27,8 @@ notMarkedAsConflated
 wronglyMarkedAsConflated
 | ir.cpp:1038:12:1038:18 | Chi: [...](...){...} | Instruction 'Chi: [...](...){...}' should not be marked as having a conflated result in function '$@'. | ir.cpp:1038:6:1038:8 | (lambda [] type at line 1038, col. 12) lam | (lambda [] type at line 1038, col. 12) lam |
 | ir.cpp:1038:12:1038:18 | Chi: [...](...){...} | Instruction 'Chi: [...](...){...}' should not be marked as having a conflated result in function '$@'. | ir.cpp:1038:6:1038:8 | (lambda [] type at line 1038, col. 12) lam | (lambda [] type at line 1038, col. 12) lam |
-| ir.cpp:1674:16:1674:16 | Chi: 1 | Instruction 'Chi: 1' should not be marked as having a conflated result in function '$@'. | ir.cpp:1674:5:1674:12 | int global_2 | int global_2 |
-| ir.cpp:1676:22:1676:22 | Chi: 2 | Instruction 'Chi: 2' should not be marked as having a conflated result in function '$@'. | ir.cpp:1676:11:1676:18 | int const global_3 | int const global_3 |
+| ir.cpp:1695:16:1695:16 | Chi: 1 | Instruction 'Chi: 1' should not be marked as having a conflated result in function '$@'. | ir.cpp:1695:5:1695:12 | int global_2 | int global_2 |
+| ir.cpp:1697:22:1697:22 | Chi: 2 | Instruction 'Chi: 2' should not be marked as having a conflated result in function '$@'. | ir.cpp:1697:11:1697:18 | int const global_3 | int const global_3 |
 | struct_init.cpp:10:7:10:9 | Chi: array to pointer conversion | Instruction 'Chi: array to pointer conversion' should not be marked as having a conflated result in function '$@'. | struct_init.cpp:9:13:9:25 | Info infos_in_file[] | Info infos_in_file[] |
 | struct_init.cpp:10:12:10:19 | Chi: handler1 | Instruction 'Chi: handler1' should not be marked as having a conflated result in function '$@'. | struct_init.cpp:9:13:9:25 | Info infos_in_file[] | Info infos_in_file[] |
 | struct_init.cpp:11:7:11:9 | Chi: array to pointer conversion | Instruction 'Chi: array to pointer conversion' should not be marked as having a conflated result in function '$@'. | struct_init.cpp:9:13:9:25 | Info infos_in_file[] | Info infos_in_file[] |
--- a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected
@@ -4,12 +4,14 @@ duplicateOperand
 missingPhiOperand
 missingOperandType
 | ir.cpp:1038:12:1038:18 | ChiTotal | Operand 'ChiTotal' of instruction 'Chi' is missing a type in function '$@'. | ir.cpp:1038:6:1038:8 | (lambda [] type at line 1038, col. 12) lam | (lambda [] type at line 1038, col. 12) lam |
-| ir.cpp:1674:16:1674:16 | ChiTotal | Operand 'ChiTotal' of instruction 'Chi' is missing a type in function '$@'. | ir.cpp:1674:5:1674:12 | int global_2 | int global_2 |
-| ir.cpp:1676:22:1676:22 | ChiTotal | Operand 'ChiTotal' of instruction 'Chi' is missing a type in function '$@'. | ir.cpp:1676:11:1676:18 | int const global_3 | int const global_3 |
+| ir.cpp:1695:16:1695:16 | ChiTotal | Operand 'ChiTotal' of instruction 'Chi' is missing a type in function '$@'. | ir.cpp:1695:5:1695:12 | int global_2 | int global_2 |
+| ir.cpp:1697:22:1697:22 | ChiTotal | Operand 'ChiTotal' of instruction 'Chi' is missing a type in function '$@'. | ir.cpp:1697:11:1697:18 | int const global_3 | int const global_3 |
 | struct_init.cpp:10:7:10:9 | ChiTotal | Operand 'ChiTotal' of instruction 'Chi' is missing a type in function '$@'. | struct_init.cpp:9:13:9:25 | Info infos_in_file[] | Info infos_in_file[] |
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
@@ -25,8 +27,8 @@ notMarkedAsConflated
 wronglyMarkedAsConflated
 | ir.cpp:1038:12:1038:18 | Chi: [...](...){...} | Instruction 'Chi: [...](...){...}' should not be marked as having a conflated result in function '$@'. | ir.cpp:1038:6:1038:8 | (lambda [] type at line 1038, col. 12) lam | (lambda [] type at line 1038, col. 12) lam |
 | ir.cpp:1038:12:1038:18 | Chi: [...](...){...} | Instruction 'Chi: [...](...){...}' should not be marked as having a conflated result in function '$@'. | ir.cpp:1038:6:1038:8 | (lambda [] type at line 1038, col. 12) lam | (lambda [] type at line 1038, col. 12) lam |
-| ir.cpp:1674:16:1674:16 | Chi: 1 | Instruction 'Chi: 1' should not be marked as having a conflated result in function '$@'. | ir.cpp:1674:5:1674:12 | int global_2 | int global_2 |
-| ir.cpp:1676:22:1676:22 | Chi: 2 | Instruction 'Chi: 2' should not be marked as having a conflated result in function '$@'. | ir.cpp:1676:11:1676:18 | int const global_3 | int const global_3 |
+| ir.cpp:1695:16:1695:16 | Chi: 1 | Instruction 'Chi: 1' should not be marked as having a conflated result in function '$@'. | ir.cpp:1695:5:1695:12 | int global_2 | int global_2 |
+| ir.cpp:1697:22:1697:22 | Chi: 2 | Instruction 'Chi: 2' should not be marked as having a conflated result in function '$@'. | ir.cpp:1697:11:1697:18 | int const global_3 | int const global_3 |
 | struct_init.cpp:10:7:10:9 | Chi: array to pointer conversion | Instruction 'Chi: array to pointer conversion' should not be marked as having a conflated result in function '$@'. | struct_init.cpp:9:13:9:25 | Info infos_in_file[] | Info infos_in_file[] |
 | struct_init.cpp:10:12:10:19 | Chi: handler1 | Instruction 'Chi: handler1' should not be marked as having a conflated result in function '$@'. | struct_init.cpp:9:13:9:25 | Info infos_in_file[] | Info infos_in_file[] |
 | struct_init.cpp:11:7:11:9 | Chi: array to pointer conversion | Instruction 'Chi: array to pointer conversion' should not be marked as having a conflated result in function '$@'. | struct_init.cpp:9:13:9:25 | Info infos_in_file[] | Info infos_in_file[] |
--- a/cpp/ql/test/library-tests/ir/ir/ir.cpp
+++ b/cpp/ql/test/library-tests/ir/ir/ir.cpp
@@ -1669,6 +1669,27 @@ void tuple_structured_binding_no_ref_get() {
    }
 }

+void array_structured_binding_non_ref_init() {
+    int xs[2] = {1, 2};
+    auto [x0, x1] = xs;
+}
+
+class CapturedLambdaMyObj
+{
+public:
+    CapturedLambdaMyObj() {}
+};
+
+void captured_lambda(int x, int &y, int &&z)
+{
+    const auto &obj1 = CapturedLambdaMyObj();
+    auto obj2 = CapturedLambdaMyObj();
+
+    auto lambda_outer = [obj1, obj2, x, y, z](){
+        auto lambda_inner = [obj1, obj2, x, y, z](){;};
+    };
+}
+
 int global_1;

 int global_2 = 1;
--- a/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
+++ b/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
@@ -7445,14 +7445,90 @@
 | ir.cpp:1668:17:1668:17 | Load | m1661_14 |
 | ir.cpp:1668:17:1668:17 | Load | ~m1666_6 |
 | ir.cpp:1668:17:1668:17 | StoreValue | r1668_4 |
-| ir.cpp:1674:5:1674:12 | Address | &:r1674_2 |
-| ir.cpp:1674:16:1674:16 | ChiPartial | partial:m1674_4 |
-| ir.cpp:1674:16:1674:16 | ChiTotal | total:~m? |
-| ir.cpp:1674:16:1674:16 | StoreValue | r1674_3 |
-| ir.cpp:1676:11:1676:18 | Address | &:r1676_2 |
-| ir.cpp:1676:22:1676:22 | ChiPartial | partial:m1676_4 |
-| ir.cpp:1676:22:1676:22 | ChiTotal | total:~m? |
-| ir.cpp:1676:22:1676:22 | StoreValue | r1676_3 |
+| ir.cpp:1672:6:1672:42 | ChiPartial | partial:m1672_3 |
+| ir.cpp:1672:6:1672:42 | ChiTotal | total:m1672_2 |
+| ir.cpp:1673:9:1673:10 | Address | &:r1673_1 |
+| ir.cpp:1673:9:1673:10 | Left | r1673_1 |
+| ir.cpp:1673:9:1673:10 | Left | r1673_1 |
+| ir.cpp:1673:16:1673:22 | Address | &:r1673_4 |
+| ir.cpp:1673:16:1673:22 | Address | &:r1673_9 |
+| ir.cpp:1673:16:1673:22 | Right | r1673_3 |
+| ir.cpp:1673:16:1673:22 | Right | r1673_8 |
+| ir.cpp:1673:18:1673:18 | ChiPartial | partial:m1673_6 |
+| ir.cpp:1673:18:1673:18 | ChiTotal | total:m1673_2 |
+| ir.cpp:1673:18:1673:18 | StoreValue | r1673_5 |
+| ir.cpp:1673:21:1673:21 | ChiPartial | partial:m1673_11 |
+| ir.cpp:1673:21:1673:21 | ChiTotal | total:m1673_7 |
+| ir.cpp:1673:21:1673:21 | StoreValue | r1673_10 |
+| ir.cpp:1680:5:1680:23 | Address | &:r1680_5 |
+| ir.cpp:1680:5:1680:23 | Address | &:r1680_5 |
+| ir.cpp:1680:5:1680:23 | Address | &:r1680_7 |
+| ir.cpp:1680:5:1680:23 | Address | &:r1680_7 |
+| ir.cpp:1680:5:1680:23 | ChiPartial | partial:m1680_3 |
+| ir.cpp:1680:5:1680:23 | ChiTotal | total:m1680_2 |
+| ir.cpp:1680:5:1680:23 | Load | m1680_6 |
+| ir.cpp:1680:5:1680:23 | SideEffect | m1680_3 |
+| ir.cpp:1680:5:1680:23 | SideEffect | m1680_8 |
+| ir.cpp:1683:6:1683:20 | ChiPartial | partial:m1683_3 |
+| ir.cpp:1683:6:1683:20 | ChiTotal | total:m1683_2 |
+| ir.cpp:1683:26:1683:26 | Address | &:r1683_5 |
+| ir.cpp:1683:34:1683:34 | Address | &:r1683_7 |
+| ir.cpp:1683:34:1683:34 | Address | &:r1683_7 |
+| ir.cpp:1683:34:1683:34 | Address | &:r1683_9 |
+| ir.cpp:1683:34:1683:34 | Load | m1683_8 |
+| ir.cpp:1683:43:1683:43 | Address | &:r1683_11 |
+| ir.cpp:1683:43:1683:43 | Address | &:r1683_11 |
+| ir.cpp:1683:43:1683:43 | Address | &:r1683_13 |
+| ir.cpp:1683:43:1683:43 | Load | m1683_12 |
+| ir.cpp:1685:17:1685:20 | Address | &:r1685_1 |
+| ir.cpp:1685:24:1685:44 | Address | &:r1685_2 |
+| ir.cpp:1685:24:1685:44 | Address | &:r1685_2 |
+| ir.cpp:1685:24:1685:44 | Arg(this) | this:r1685_2 |
+| ir.cpp:1685:24:1685:44 | CallTarget | func:r1685_4 |
+| ir.cpp:1685:24:1685:44 | ChiPartial | partial:m1685_6 |
+| ir.cpp:1685:24:1685:44 | ChiPartial | partial:m1685_8 |
+| ir.cpp:1685:24:1685:44 | ChiTotal | total:m1683_4 |
+| ir.cpp:1685:24:1685:44 | ChiTotal | total:m1685_3 |
+| ir.cpp:1685:24:1685:44 | SideEffect | ~m1683_4 |
+| ir.cpp:1685:24:1685:44 | StoreValue | r1685_11 |
+| ir.cpp:1685:24:1685:44 | Unary | r1685_2 |
+| ir.cpp:1685:24:1685:44 | Unary | r1685_10 |
+| ir.cpp:1686:10:1686:13 | Address | &:r1686_1 |
+| ir.cpp:1686:10:1686:13 | Address | &:r1686_1 |
+| ir.cpp:1686:10:1686:13 | Arg(this) | this:r1686_1 |
+| ir.cpp:1686:16:1686:37 | CallTarget | func:r1686_3 |
+| ir.cpp:1686:16:1686:37 | ChiPartial | partial:m1686_5 |
+| ir.cpp:1686:16:1686:37 | ChiPartial | partial:m1686_7 |
+| ir.cpp:1686:16:1686:37 | ChiTotal | total:m1685_7 |
+| ir.cpp:1686:16:1686:37 | ChiTotal | total:m1686_2 |
+| ir.cpp:1686:16:1686:37 | SideEffect | ~m1685_7 |
+| ir.cpp:1688:24:1690:5 | Address | &:r1688_2 |
+| ir.cpp:1688:24:1690:5 | Unary | r1688_2 |
+| ir.cpp:1688:46:1688:46 | Address | &:r1688_5 |
+| ir.cpp:1688:46:1688:46 | Address | &:r1688_5 |
+| ir.cpp:1688:46:1688:46 | Address | &:r1688_7 |
+| ir.cpp:1688:46:1688:46 | ChiPartial | partial:m1688_3 |
+| ir.cpp:1688:46:1688:46 | ChiTotal | total:m1688_2 |
+| ir.cpp:1688:46:1688:46 | Load | m1688_6 |
+| ir.cpp:1689:28:1689:54 | Address | &:r1689_2 |
+| ir.cpp:1689:28:1689:54 | Unary | r1689_2 |
+| ir.cpp:1689:50:1689:50 | Address | &:r1689_5 |
+| ir.cpp:1689:50:1689:50 | Address | &:r1689_5 |
+| ir.cpp:1689:50:1689:50 | Address | &:r1689_7 |
+| ir.cpp:1689:50:1689:50 | Address | &:r1689_7 |
+| ir.cpp:1689:50:1689:50 | ChiPartial | partial:m1689_3 |
+| ir.cpp:1689:50:1689:50 | ChiTotal | total:m1689_2 |
+| ir.cpp:1689:50:1689:50 | Load | m1689_6 |
+| ir.cpp:1689:50:1689:50 | SideEffect | m1689_3 |
+| ir.cpp:1689:50:1689:50 | SideEffect | m1689_8 |
+| ir.cpp:1695:5:1695:12 | Address | &:r1695_2 |
+| ir.cpp:1695:16:1695:16 | ChiPartial | partial:m1695_4 |
+| ir.cpp:1695:16:1695:16 | ChiTotal | total:~m? |
+| ir.cpp:1695:16:1695:16 | StoreValue | r1695_3 |
+| ir.cpp:1697:11:1697:18 | Address | &:r1697_2 |
+| ir.cpp:1697:22:1697:22 | ChiPartial | partial:m1697_4 |
+| ir.cpp:1697:22:1697:22 | ChiTotal | total:~m? |
+| ir.cpp:1697:22:1697:22 | StoreValue | r1697_3 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |
--- a/cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
@@ -1,4 +1,9 @@
 missingOperand
+| ir.cpp:1674:21:1674:22 | Load: Unknown literal | Instruction 'Load' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:1672:6:1672:42 | void array_structured_binding_non_ref_init() | void array_structured_binding_non_ref_init() |
+| ir.cpp:1688:24:1690:5 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1689:28:1689:54 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 unexpectedOperand
 duplicateOperand
 missingPhiOperand
@@ -7,6 +12,10 @@ duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
 | ../../../include/memory.h:68:25:68:33 | CopyValue: (reference to) | Instruction 'CopyValue: (reference to)' has no successors in function '$@'. | ../../../include/memory.h:67:5:67:5 | void std::unique_ptr<int, std::default_delete<int>>::~unique_ptr() | void std::unique_ptr<int, std::default_delete<int>>::~unique_ptr() |
+| ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
@@ -18,6 +27,26 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 | ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
+| ir.cpp:1674:10:1674:10 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1672:6:1672:42 | void array_structured_binding_non_ref_init() | void array_structured_binding_non_ref_init() |
+| ir.cpp:1683:34:1683:34 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1683:43:1683:43 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:10:1688:21 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:46:1688:46 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:14:1689:25 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 switchInstructionWithoutDefaultEdge
 notMarkedAsConflated
 wronglyMarkedAsConflated
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -8679,25 +8679,204 @@ ir.cpp:
 # 1645|     v1645_5(void)                                     = AliasedUse                                      : ~m?
 # 1645|     v1645_6(void)                                     = ExitFunction                                    : 

-# 1672| int global_1
+# 1672| void array_structured_binding_non_ref_init()
+# 1672|   Block 0
+# 1672|     v1672_1(void)          = EnterFunction                             : 
+# 1672|     mu1672_2(unknown)      = AliasedDefinition                         : 
+# 1672|     mu1672_3(unknown)      = InitializeNonLocal                        : 
+# 1673|     r1673_1(glval<int[2]>) = VariableAddress[xs]                       : 
+# 1673|     mu1673_2(int[2])       = Uninitialized[xs]                         : &:r1673_1
+# 1673|     r1673_3(int)           = Constant[0]                               : 
+# 1673|     r1673_4(glval<int>)    = PointerAdd[4]                             : r1673_1, r1673_3
+# 1673|     r1673_5(int)           = Constant[1]                               : 
+# 1673|     mu1673_6(int)          = Store[?]                                  : &:r1673_4, r1673_5
+# 1673|     r1673_7(int)           = Constant[1]                               : 
+# 1673|     r1673_8(glval<int>)    = PointerAdd[4]                             : r1673_1, r1673_7
+# 1673|     r1673_9(int)           = Constant[2]                               : 
+# 1673|     mu1673_10(int)         = Store[?]                                  : &:r1673_8, r1673_9
+# 1674|     r1674_1(glval<int[2]>) = VariableAddress[(unnamed local variable)] : 

-# 1674| int global_2
-# 1674|   Block 0
-# 1674|     v1674_1(void)       = EnterFunction   : 
-# 1674|     r1674_2(glval<int>) = VariableAddress : 
-# 1674|     r1674_3(int)        = Constant[1]     : 
-# 1674|     mu1674_4(int)       = Store[?]        : &:r1674_2, r1674_3
-# 1674|     v1674_5(void)       = ReturnVoid      : 
-# 1674|     v1674_6(void)       = ExitFunction    : 
+# 1674|   Block 1
+# 1674|     r1674_2(int[2])       = Load                                      : ~m?
+# 1674|     mu1674_3(int[2])      = Store[(unnamed local variable)]           : &:r1674_1, r1674_2
+# 1674|     r1674_4(glval<int &>) = VariableAddress[x0]                       : 
+#-----|     r0_1(glval<int[2]>)   = VariableAddress[(unnamed local variable)] : 
+#-----|     r0_2(int *)           = Convert                                   : r0_1
+#-----|     r0_3(unsigned long)   = Constant[0]                               : 
+#-----|     r0_4(glval<int>)      = PointerAdd[4]                             : r0_2, r0_3
+#-----|     mu0_5(int &)          = Store[x0]                                 : &:r1674_4, r0_4
+# 1674|     r1674_5(glval<int &>) = VariableAddress[x1]                       : 
+#-----|     r0_6(glval<int[2]>)   = VariableAddress[(unnamed local variable)] : 
+#-----|     r0_7(int *)           = Convert                                   : r0_6
+#-----|     r0_8(unsigned long)   = Constant[1]                               : 
+#-----|     r0_9(glval<int>)      = PointerAdd[4]                             : r0_7, r0_8
+#-----|     mu0_10(int &)         = Store[x1]                                 : &:r1674_5, r0_9
+# 1675|     v1675_1(void)         = NoOp                                      : 
+# 1672|     v1672_4(void)         = ReturnVoid                                : 
+# 1672|     v1672_5(void)         = AliasedUse                                : ~m?
+# 1672|     v1672_6(void)         = ExitFunction                              : 

-# 1676| int const global_3
-# 1676|   Block 0
-# 1676|     v1676_1(void)       = EnterFunction   : 
-# 1676|     r1676_2(glval<int>) = VariableAddress : 
-# 1676|     r1676_3(int)        = Constant[2]     : 
-# 1676|     mu1676_4(int)       = Store[?]        : &:r1676_2, r1676_3
-# 1676|     v1676_5(void)       = ReturnVoid      : 
-# 1676|     v1676_6(void)       = ExitFunction    : 
+# 1680| void CapturedLambdaMyObj::CapturedLambdaMyObj()
+# 1680|   Block 0
+# 1680|     v1680_1(void)                        = EnterFunction                : 
+# 1680|     mu1680_2(unknown)                    = AliasedDefinition            : 
+# 1680|     mu1680_3(unknown)                    = InitializeNonLocal           : 
+# 1680|     r1680_4(glval<unknown>)              = VariableAddress[#this]       : 
+# 1680|     mu1680_5(glval<CapturedLambdaMyObj>) = InitializeParameter[#this]   : &:r1680_4
+# 1680|     r1680_6(glval<CapturedLambdaMyObj>)  = Load[#this]                  : &:r1680_4, ~m?
+# 1680|     mu1680_7(CapturedLambdaMyObj)        = InitializeIndirection[#this] : &:r1680_6
+# 1680|     v1680_8(void)                        = NoOp                         : 
+# 1680|     v1680_9(void)                        = ReturnIndirection[#this]     : &:r1680_6, ~m?
+# 1680|     v1680_10(void)                       = ReturnVoid                   : 
+# 1680|     v1680_11(void)                       = AliasedUse                   : ~m?
+# 1680|     v1680_12(void)                       = ExitFunction                 : 
+
+# 1683| void captured_lambda(int, int&, int&&)
+# 1683|   Block 0
+# 1683|     v1683_1(void)                             = EnterFunction                        : 
+# 1683|     mu1683_2(unknown)                         = AliasedDefinition                    : 
+# 1683|     mu1683_3(unknown)                         = InitializeNonLocal                   : 
+# 1683|     r1683_4(glval<int>)                       = VariableAddress[x]                   : 
+# 1683|     mu1683_5(int)                             = InitializeParameter[x]               : &:r1683_4
+# 1683|     r1683_6(glval<int &>)                     = VariableAddress[y]                   : 
+# 1683|     mu1683_7(int &)                           = InitializeParameter[y]               : &:r1683_6
+# 1683|     r1683_8(int &)                            = Load[y]                              : &:r1683_6, ~m?
+# 1683|     mu1683_9(unknown)                         = InitializeIndirection[y]             : &:r1683_8
+# 1683|     r1683_10(glval<int &&>)                   = VariableAddress[z]                   : 
+# 1683|     mu1683_11(int &&)                         = InitializeParameter[z]               : &:r1683_10
+# 1683|     r1683_12(int &&)                          = Load[z]                              : &:r1683_10, ~m?
+# 1683|     mu1683_13(unknown)                        = InitializeIndirection[z]             : &:r1683_12
+# 1685|     r1685_1(glval<CapturedLambdaMyObj &>)     = VariableAddress[obj1]                : 
+# 1685|     r1685_2(glval<CapturedLambdaMyObj>)       = VariableAddress[#temp1685:24]        : 
+# 1685|     mu1685_3(CapturedLambdaMyObj)             = Uninitialized[#temp1685:24]          : &:r1685_2
+# 1685|     r1685_4(glval<unknown>)                   = FunctionAddress[CapturedLambdaMyObj] : 
+# 1685|     v1685_5(void)                             = Call[CapturedLambdaMyObj]            : func:r1685_4, this:r1685_2
+# 1685|     mu1685_6(unknown)                         = ^CallSideEffect                      : ~m?
+# 1685|     mu1685_7(CapturedLambdaMyObj)             = ^IndirectMayWriteSideEffect[-1]      : &:r1685_2
+# 1685|     r1685_8(glval<CapturedLambdaMyObj>)       = Convert                              : r1685_2
+# 1685|     r1685_9(CapturedLambdaMyObj &)            = CopyValue                            : r1685_8
+# 1685|     mu1685_10(CapturedLambdaMyObj &)          = Store[obj1]                          : &:r1685_1, r1685_9
+# 1686|     r1686_1(glval<CapturedLambdaMyObj>)       = VariableAddress[obj2]                : 
+# 1686|     mu1686_2(CapturedLambdaMyObj)             = Uninitialized[obj2]                  : &:r1686_1
+# 1686|     r1686_3(glval<unknown>)                   = FunctionAddress[CapturedLambdaMyObj] : 
+# 1686|     v1686_4(void)                             = Call[CapturedLambdaMyObj]            : func:r1686_3, this:r1686_1
+# 1686|     mu1686_5(unknown)                         = ^CallSideEffect                      : ~m?
+# 1686|     mu1686_6(CapturedLambdaMyObj)             = ^IndirectMayWriteSideEffect[-1]      : &:r1686_1
+# 1688|     r1688_1(glval<decltype([...](...){...})>) = VariableAddress[lambda_outer]        : 
+# 1688|     r1688_2(glval<decltype([...](...){...})>) = VariableAddress[#temp1688:24]        : 
+# 1688|     mu1688_3(decltype([...](...){...}))       = Uninitialized[#temp1688:24]          : &:r1688_2
+# 1688|     r1688_4(glval<CapturedLambdaMyObj>)       = FieldAddress[obj1]                   : r1688_2
+
+# 1688|   Block 1
+# 1688|     mu1688_5(CapturedLambdaMyObj)       = Store[?]           : &:r1688_4
+# 1688|     r1688_6(glval<CapturedLambdaMyObj>) = FieldAddress[obj2] : r1688_2
+
+# 1688|   Block 2
+# 1688|     mu1688_7(CapturedLambdaMyObj)        = Store[?]             : &:r1688_6
+# 1688|     r1688_8(glval<int>)                  = FieldAddress[x]      : r1688_2
+# 1688|     r1688_9(glval<int>)                  = VariableAddress[x]   : 
+# 1688|     r1688_10(int)                        = Load[x]              : &:r1688_9, ~m?
+# 1688|     mu1688_11(int)                       = Store[?]             : &:r1688_8, r1688_10
+# 1688|     r1688_12(glval<int>)                 = FieldAddress[y]      : r1688_2
+# 1688|     r1688_13(glval<int &>)               = VariableAddress[y]   : 
+# 1688|     r1688_14(int &)                      = Load[y]              : &:r1688_13, ~m?
+# 1690|     r1690_1(int)                         = Load[?]              : &:r1688_14, ~m?
+# 1690|     mu1690_2(int)                        = Store[?]             : &:r1688_12, r1690_1
+# 1688|     r1688_15(glval<int>)                 = FieldAddress[z]      : r1688_2
+# 1688|     r1688_16(glval<int &&>)              = VariableAddress[z]   : 
+# 1688|     r1688_17(int &&)                     = Load[z]              : &:r1688_16, ~m?
+# 1690|     r1690_3(int)                         = Load[?]              : &:r1688_17, ~m?
+# 1690|     mu1690_4(int)                        = Store[?]             : &:r1688_15, r1690_3
+# 1688|     r1688_18(decltype([...](...){...}))  = Load[#temp1688:24]   : &:r1688_2, ~m?
+# 1688|     mu1688_19(decltype([...](...){...})) = Store[lambda_outer]  : &:r1688_1, r1688_18
+# 1691|     v1691_1(void)                        = NoOp                 : 
+# 1683|     v1683_14(void)                       = ReturnIndirection[y] : &:r1683_8, ~m?
+# 1683|     v1683_15(void)                       = ReturnIndirection[z] : &:r1683_12, ~m?
+# 1683|     v1683_16(void)                       = ReturnVoid           : 
+# 1683|     v1683_17(void)                       = AliasedUse           : ~m?
+# 1683|     v1683_18(void)                       = ExitFunction         : 
+
+# 1688| void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const
+# 1688|   Block 0
+# 1688|     v1688_1(void)                              = EnterFunction                 : 
+# 1688|     mu1688_2(unknown)                          = AliasedDefinition             : 
+# 1688|     mu1688_3(unknown)                          = InitializeNonLocal            : 
+# 1688|     r1688_4(glval<unknown>)                    = VariableAddress[#this]        : 
+# 1688|     mu1688_5(glval<decltype([...](...){...})>) = InitializeParameter[#this]    : &:r1688_4
+# 1688|     r1688_6(glval<decltype([...](...){...})>)  = Load[#this]                   : &:r1688_4, ~m?
+# 1688|     mu1688_7(decltype([...](...){...}))        = InitializeIndirection[#this]  : &:r1688_6
+# 1689|     r1689_1(glval<decltype([...](...){...})>)  = VariableAddress[lambda_inner] : 
+# 1689|     r1689_2(glval<decltype([...](...){...})>)  = VariableAddress[#temp1689:28] : 
+# 1689|     mu1689_3(decltype([...](...){...}))        = Uninitialized[#temp1689:28]   : &:r1689_2
+# 1689|     r1689_4(glval<CapturedLambdaMyObj>)        = FieldAddress[obj1]            : r1689_2
+
+# 1689|   Block 1
+# 1689|     mu1689_5(CapturedLambdaMyObj)       = Store[?]           : &:r1689_4
+# 1689|     r1689_6(glval<CapturedLambdaMyObj>) = FieldAddress[obj2] : r1689_2
+
+# 1689|   Block 2
+# 1689|     mu1689_7(CapturedLambdaMyObj)                    = Store[?]                 : &:r1689_6
+# 1689|     r1689_8(glval<int>)                              = FieldAddress[x]          : r1689_2
+# 1689|     r1689_9(glval<unknown>)                          = VariableAddress[#this]   : 
+# 1689|     r1689_10(lambda [] type at line 1688, col. 25 *) = Load[#this]              : &:r1689_9, ~m?
+# 1689|     r1689_11(glval<int>)                             = FieldAddress[x]          : r1689_10
+# 1689|     r1689_12(int)                                    = Load[?]                  : &:r1689_11, ~m?
+# 1689|     mu1689_13(int)                                   = Store[?]                 : &:r1689_8, r1689_12
+# 1689|     r1689_14(glval<int>)                             = FieldAddress[y]          : r1689_2
+# 1689|     r1689_15(glval<unknown>)                         = VariableAddress[#this]   : 
+# 1689|     r1689_16(lambda [] type at line 1688, col. 25 *) = Load[#this]              : &:r1689_15, ~m?
+# 1689|     r1689_17(glval<int>)                             = FieldAddress[y]          : r1689_16
+# 1689|     r1689_18(int)                                    = Load[?]                  : &:r1689_17, ~m?
+# 1689|     mu1689_19(int)                                   = Store[?]                 : &:r1689_14, r1689_18
+# 1689|     r1689_20(glval<int>)                             = FieldAddress[z]          : r1689_2
+# 1689|     r1689_21(glval<unknown>)                         = VariableAddress[#this]   : 
+# 1689|     r1689_22(lambda [] type at line 1688, col. 25 *) = Load[#this]              : &:r1689_21, ~m?
+# 1689|     r1689_23(glval<int>)                             = FieldAddress[z]          : r1689_22
+# 1689|     r1689_24(int)                                    = Load[?]                  : &:r1689_23, ~m?
+# 1689|     mu1689_25(int)                                   = Store[?]                 : &:r1689_20, r1689_24
+# 1689|     r1689_26(decltype([...](...){...}))              = Load[#temp1689:28]       : &:r1689_2, ~m?
+# 1689|     mu1689_27(decltype([...](...){...}))             = Store[lambda_inner]      : &:r1689_1, r1689_26
+# 1690|     v1690_1(void)                                    = NoOp                     : 
+# 1688|     v1688_8(void)                                    = ReturnIndirection[#this] : &:r1688_6, ~m?
+# 1688|     v1688_9(void)                                    = ReturnVoid               : 
+# 1688|     v1688_10(void)                                   = AliasedUse               : ~m?
+# 1688|     v1688_11(void)                                   = ExitFunction             : 
+
+# 1689| void (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)::operator()() const
+# 1689|   Block 0
+# 1689|     v1689_1(void)                              = EnterFunction                : 
+# 1689|     mu1689_2(unknown)                          = AliasedDefinition            : 
+# 1689|     mu1689_3(unknown)                          = InitializeNonLocal           : 
+# 1689|     r1689_4(glval<unknown>)                    = VariableAddress[#this]       : 
+# 1689|     mu1689_5(glval<decltype([...](...){...})>) = InitializeParameter[#this]   : &:r1689_4
+# 1689|     r1689_6(glval<decltype([...](...){...})>)  = Load[#this]                  : &:r1689_4, ~m?
+# 1689|     mu1689_7(decltype([...](...){...}))        = InitializeIndirection[#this] : &:r1689_6
+# 1689|     v1689_8(void)                              = NoOp                         : 
+# 1689|     v1689_9(void)                              = NoOp                         : 
+# 1689|     v1689_10(void)                             = ReturnIndirection[#this]     : &:r1689_6, ~m?
+# 1689|     v1689_11(void)                             = ReturnVoid                   : 
+# 1689|     v1689_12(void)                             = AliasedUse                   : ~m?
+# 1689|     v1689_13(void)                             = ExitFunction                 : 
+
+# 1693| int global_1
+
+# 1695| int global_2
+# 1695|   Block 0
+# 1695|     v1695_1(void)       = EnterFunction   : 
+# 1695|     r1695_2(glval<int>) = VariableAddress : 
+# 1695|     r1695_3(int)        = Constant[1]     : 
+# 1695|     mu1695_4(int)       = Store[?]        : &:r1695_2, r1695_3
+# 1695|     v1695_5(void)       = ReturnVoid      : 
+# 1695|     v1695_6(void)       = ExitFunction    : 
+
+# 1697| int const global_3
+# 1697|   Block 0
+# 1697|     v1697_1(void)       = EnterFunction   : 
+# 1697|     r1697_2(glval<int>) = VariableAddress : 
+# 1697|     r1697_3(int)        = Constant[2]     : 
+# 1697|     mu1697_4(int)       = Store[?]        : &:r1697_2, r1697_3
+# 1697|     v1697_5(void)       = ReturnVoid      : 
+# 1697|     v1697_6(void)       = ExitFunction    : 

 perf-regression.cpp:
 #    6| void Big::Big()
--- a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency.expected
+++ b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency.expected
@@ -6,6 +6,8 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
--- a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.expected
@@ -6,6 +6,8 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
--- a/cpp/ql/test/library-tests/special_members/generated_copy/assign.expected
+++ b/cpp/ql/test/library-tests/special_members/generated_copy/assign.expected
@@ -11,6 +11,7 @@
 | difference::Base | can | does NOT | have implicit copy assignment |
 | difference::OnlyAssign | can | does | have implicit copy assignment |
 | difference::OnlyCtor | can NOT | does NOT | have implicit copy assignment |
+| instantiated_explicit_ctor::Wrapper<int> | can | does | have implicit copy assignment |
 | moves::MoveAssign | can NOT | does NOT | have implicit copy assignment |
 | moves::MoveCtor | can NOT | does NOT | have implicit copy assignment |
 | private_cc::C | can | does NOT | have implicit copy assignment |
--- a/cpp/ql/test/library-tests/special_members/generated_copy/copy.cpp
+++ b/cpp/ql/test/library-tests/special_members/generated_copy/copy.cpp
@@ -131,3 +131,21 @@ namespace difference {
  class OnlyAssign : Base {
  };
 }
+
+namespace instantiated_explicit_ctor {
+  template<class T>
+  class Wrapper {
+  public:
+    Wrapper(Wrapper<T> &other) {
+      m_t = other.m_t;
+    }
+    
+    Wrapper() {
+      m_t = 0;
+    }
+  private:
+    T m_t;
+  };
+
+  Wrapper<int> wrapped_int;
+}
--- a/cpp/ql/test/library-tests/special_members/generated_copy/ctor.expected
+++ b/cpp/ql/test/library-tests/special_members/generated_copy/ctor.expected
@@ -11,6 +11,7 @@
 | difference::Base | can | does NOT | have implicit copy constructor |
 | difference::OnlyAssign | can NOT | does NOT | have implicit copy constructor |
 | difference::OnlyCtor | can | does | have implicit copy constructor |
+| instantiated_explicit_ctor::Wrapper<int> | can | does NOT | have implicit copy constructor |
 | moves::MoveAssign | can NOT | does NOT | have implicit copy constructor |
 | moves::MoveCtor | can NOT | does NOT | have implicit copy constructor |
 | private_cc::C | can | does NOT | have implicit copy constructor |
--- a/cpp/ql/test/library-tests/special_members/generated_copy/functions.expected
+++ b/cpp/ql/test/library-tests/special_members/generated_copy/functions.expected
@@ -86,5 +86,9 @@
 | copy.cpp:131:9:131:9 | OnlyAssign | deleted |  |
 | copy.cpp:131:9:131:9 | operator= |  |  |
 | copy.cpp:131:9:131:9 | operator= |  |  |
+| copy.cpp:137:9:137:9 | operator= |  |  |
+| copy.cpp:139:5:139:11 | Wrapper |  |  |
+| copy.cpp:143:5:143:5 | Wrapper |  |  |
+| copy.cpp:143:5:143:11 | Wrapper |  |  |
 | file://:0:0:0:0 | operator= |  |  |
 | file://:0:0:0:0 | operator= |  |  |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
@@ -35,6 +35,41 @@ edges
 | test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | command indirection |
 | test.cpp:142:31:142:33 | str indirection | test.cpp:142:11:142:17 | sprintf output argument |
 | test.cpp:142:31:142:33 | str indirection | test.cpp:142:11:142:17 | sprintf output argument |
+| test.cpp:174:9:174:16 | fread output argument | test.cpp:177:20:177:27 | filename indirection |
+| test.cpp:174:9:174:16 | fread output argument | test.cpp:178:22:178:26 | flags indirection |
+| test.cpp:174:9:174:16 | fread output argument | test.cpp:180:22:180:29 | filename indirection |
+| test.cpp:177:13:177:17 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
+| test.cpp:177:20:177:27 | filename indirection | test.cpp:177:13:177:17 | strncat output argument |
+| test.cpp:177:20:177:27 | filename indirection | test.cpp:177:13:177:17 | strncat output argument |
+| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
+| test.cpp:178:22:178:26 | flags indirection | test.cpp:178:13:178:19 | strncat output argument |
+| test.cpp:178:22:178:26 | flags indirection | test.cpp:178:13:178:19 | strncat output argument |
+| test.cpp:180:13:180:19 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
+| test.cpp:180:22:180:29 | filename indirection | test.cpp:180:13:180:19 | strncat output argument |
+| test.cpp:180:22:180:29 | filename indirection | test.cpp:180:13:180:19 | strncat output argument |
+| test.cpp:186:47:186:54 | *filename | test.cpp:187:18:187:25 | filename indirection |
+| test.cpp:186:47:186:54 | *filename | test.cpp:188:20:188:24 | flags indirection |
+| test.cpp:186:47:186:54 | filename | test.cpp:187:18:187:25 | filename indirection |
+| test.cpp:186:47:186:54 | filename | test.cpp:188:20:188:24 | flags indirection |
+| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:187:18:187:25 | filename indirection | test.cpp:187:11:187:15 | strncat output argument |
+| test.cpp:187:18:187:25 | filename indirection | test.cpp:187:11:187:15 | strncat output argument |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:205:10:205:16 | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:205:10:205:16 | command [post update] |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:188:20:188:24 | flags indirection | test.cpp:188:11:188:17 | strncat output argument |
+| test.cpp:188:20:188:24 | flags indirection | test.cpp:188:11:188:17 | strncat output argument |
+| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | filename |
+| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | filename indirection |
+| test.cpp:196:10:196:16 | command [post update] | test.cpp:198:32:198:38 | command indirection |
+| test.cpp:196:26:196:33 | filename | test.cpp:186:47:186:54 | filename |
+| test.cpp:196:26:196:33 | filename indirection | test.cpp:186:47:186:54 | *filename |
+| test.cpp:205:10:205:16 | command [post update] | test.cpp:207:32:207:38 | command indirection |
 nodes
 | test.cpp:16:20:16:23 | argv | semmle.label | argv |
 | test.cpp:22:13:22:20 | sprintf output argument | semmle.label | sprintf output argument |
@@ -72,6 +107,29 @@ nodes
 | test.cpp:142:11:142:17 | sprintf output argument | semmle.label | sprintf output argument |
 | test.cpp:142:31:142:33 | str indirection | semmle.label | str indirection |
 | test.cpp:143:10:143:16 | command indirection | semmle.label | command indirection |
+| test.cpp:174:9:174:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:177:13:177:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:177:20:177:27 | filename indirection | semmle.label | filename indirection |
+| test.cpp:178:13:178:19 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:178:22:178:26 | flags indirection | semmle.label | flags indirection |
+| test.cpp:180:13:180:19 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:180:22:180:29 | filename indirection | semmle.label | filename indirection |
+| test.cpp:183:32:183:38 | command indirection | semmle.label | command indirection |
+| test.cpp:186:47:186:54 | *filename | semmle.label | *filename |
+| test.cpp:186:47:186:54 | filename | semmle.label | filename |
+| test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:187:18:187:25 | filename indirection | semmle.label | filename indirection |
+| test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
+| test.cpp:188:11:188:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:188:20:188:24 | flags indirection | semmle.label | flags indirection |
+| test.cpp:194:9:194:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:196:10:196:16 | command [post update] | semmle.label | command [post update] |
+| test.cpp:196:26:196:33 | filename | semmle.label | filename |
+| test.cpp:196:26:196:33 | filename indirection | semmle.label | filename indirection |
+| test.cpp:198:32:198:38 | command indirection | semmle.label | command indirection |
+| test.cpp:205:10:205:16 | command [post update] | semmle.label | command [post update] |
+| test.cpp:207:32:207:38 | command indirection | semmle.label | command indirection |
 subpaths
 #select
 | test.cpp:23:12:23:19 | command1 | test.cpp:16:20:16:23 | argv | test.cpp:23:12:23:19 | command1 indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:16:20:16:23 | argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
@@ -83,3 +141,10 @@ subpaths
 | test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:25 | call to getenv | test.cpp:114:25:114:29 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:113:20:113:25 | call to getenv | user input (an environment variable) | test.cpp:114:17:114:17 | Call | Call |
 | test.cpp:120:25:120:28 | call to data | test.cpp:119:20:119:25 | call to getenv | test.cpp:120:10:120:30 | call to data indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:119:20:119:25 | call to getenv | user input (an environment variable) | test.cpp:120:17:120:17 | Call | Call |
 | test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:140:9:140:11 | fread output argument | user input (String read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:174:9:174:16 | fread output argument | user input (String read by fread) | test.cpp:177:13:177:17 | strncat output argument | strncat output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:174:9:174:16 | fread output argument | user input (String read by fread) | test.cpp:178:13:178:19 | strncat output argument | strncat output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:174:9:174:16 | fread output argument | user input (String read by fread) | test.cpp:180:13:180:19 | strncat output argument | strncat output argument |
+| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
+| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |
+| test.cpp:207:32:207:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:207:32:207:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
+| test.cpp:207:32:207:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:207:32:207:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp
@@ -168,7 +168,43 @@ void test15(FILE *f) {
  system(command); // GOOD: the user string was converted to an integer and back
 }

+void test16(FILE *f, bool use_flags) {
+  // BAD: the user string is injected directly into a command
+  char command[1000] = "mv ", flags[1000] = "-R", filename[1000];
+  fread(filename, 1, 1000, f);

-// TODO: test for call context sensitivity at concatenation site
+  if (use_flags) {
+    strncat(flags, filename, 1000);
+    strncat(command, flags, 1000);
+  } else {
+    strncat(command, filename, 1000);
+  }
+
+  execl("/bin/sh", "sh", "-c", command);
+}
+
+void concat(char *command, char *flags, char *filename) {
+  strncat(flags, filename, 1000);
+  strncat(command, flags, 1000);
+}
+
+void test17(FILE *f) {
+  // BAD: the user string is injected directly into a command
+  char command[1000] = "mv ", flags[1000] = "-R", filename[1000];
+  fread(filename, 1, 1000, f);
+
+  concat(command, flags, filename);
+
+  execl("/bin/sh", "sh", "-c", command);
+}
+
+void test18() {
+  // GOOD [FALSE POSITIVE]
+  char command[1000] = "ls ", flags[1000] = "-l", filename[1000] = ".";
+
+  concat(command, flags, filename);
+
+  execl("/bin/sh", "sh", "-c", command);
+}

 // open question: do we want to report certain sources even when they're the start of the string?
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected
@@ -0,0 +1,4 @@
+edges
+nodes
+subpaths
+#select
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected
@@ -1,4 +1,43 @@
-| overflowdestination.cpp:30:2:30:8 | call to strncpy | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:46:2:46:7 | call to memcpy | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:53:2:53:7 | call to memcpy | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:64:2:64:7 | call to memcpy | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+edges
+| overflowdestination.cpp:27:9:27:12 | argv | overflowdestination.cpp:30:17:30:20 | (const char *)... |
+| overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | (const void *)... |
+| overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:50:52:50:54 | ReturnIndirection |
+| overflowdestination.cpp:50:52:50:54 | src | overflowdestination.cpp:53:15:53:17 | (const void *)... |
+| overflowdestination.cpp:57:52:57:54 | *src | overflowdestination.cpp:64:16:64:19 | (const void *)... |
+| overflowdestination.cpp:57:52:57:54 | src | overflowdestination.cpp:64:16:64:19 | (const void *)... |
+| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | src |
+| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | src indirection |
+| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | src |
+| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
+| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | overflowdestination.cpp:76:30:76:32 | src |
+| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
+| overflowdestination.cpp:75:30:75:32 | src | overflowdestination.cpp:50:52:50:54 | src |
+| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:50:52:50:54 | *src |
+| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
+| overflowdestination.cpp:76:30:76:32 | src | overflowdestination.cpp:57:52:57:54 | src |
+| overflowdestination.cpp:76:30:76:32 | src indirection | overflowdestination.cpp:57:52:57:54 | *src |
+nodes
+| overflowdestination.cpp:27:9:27:12 | argv | semmle.label | argv |
+| overflowdestination.cpp:30:17:30:20 | (const char *)... | semmle.label | (const char *)... |
+| overflowdestination.cpp:43:8:43:10 | fgets output argument | semmle.label | fgets output argument |
+| overflowdestination.cpp:46:15:46:17 | (const void *)... | semmle.label | (const void *)... |
+| overflowdestination.cpp:50:52:50:54 | *src | semmle.label | *src |
+| overflowdestination.cpp:50:52:50:54 | ReturnIndirection | semmle.label | ReturnIndirection |
+| overflowdestination.cpp:50:52:50:54 | src | semmle.label | src |
+| overflowdestination.cpp:53:15:53:17 | (const void *)... | semmle.label | (const void *)... |
+| overflowdestination.cpp:57:52:57:54 | *src | semmle.label | *src |
+| overflowdestination.cpp:57:52:57:54 | src | semmle.label | src |
+| overflowdestination.cpp:64:16:64:19 | (const void *)... | semmle.label | (const void *)... |
+| overflowdestination.cpp:73:8:73:10 | fgets output argument | semmle.label | fgets output argument |
+| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | semmle.label | overflowdest_test2 output argument |
+| overflowdestination.cpp:75:30:75:32 | src | semmle.label | src |
+| overflowdestination.cpp:75:30:75:32 | src indirection | semmle.label | src indirection |
+| overflowdestination.cpp:76:30:76:32 | src | semmle.label | src |
+| overflowdestination.cpp:76:30:76:32 | src indirection | semmle.label | src indirection |
+subpaths
+| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:50:52:50:54 | ReturnIndirection | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
+#select
+| overflowdestination.cpp:30:2:30:8 | call to strncpy | overflowdestination.cpp:27:9:27:12 | argv | overflowdestination.cpp:30:17:30:20 | (const char *)... | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | (const void *)... | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | (const void *)... | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | (const void *)... | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected
@@ -1 +1,8 @@
-| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | $@ flows to here and is used in an array indexing expression, potentially causing an invalid access. | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | inputBuffer | User-provided value |
+edges
+| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data |
+nodes
+| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | semmle.label | fgets output argument |
+| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | semmle.label | data |
+subpaths
+#select
+| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | $@ flows to here and is used in an array indexing expression, potentially causing an invalid access. | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | String read by fgets |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected
@@ -1,3 +1,26 @@
-| test1.c:18:16:18:16 | i | $@ flows to here and is used in an array indexing expression, potentially causing an invalid access. | test1.c:8:16:8:19 | argv | User-provided value |
-| test1.c:33:11:33:11 | i | $@ flows to here and is used in an array indexing expression, potentially causing an invalid access. | test1.c:8:16:8:19 | argv | User-provided value |
-| test1.c:53:15:53:15 | j | $@ flows to here and is used in an array indexing expression, potentially causing an invalid access. | test1.c:8:16:8:19 | argv | User-provided value |
+edges
+| test1.c:8:16:8:19 | argv | test1.c:9:9:9:9 | i |
+| test1.c:8:16:8:19 | argv | test1.c:11:9:11:9 | i |
+| test1.c:8:16:8:19 | argv | test1.c:13:9:13:9 | i |
+| test1.c:9:9:9:9 | i | test1.c:16:16:16:16 | i |
+| test1.c:11:9:11:9 | i | test1.c:32:16:32:16 | i |
+| test1.c:13:9:13:9 | i | test1.c:48:16:48:16 | i |
+| test1.c:16:16:16:16 | i | test1.c:18:16:18:16 | i |
+| test1.c:32:16:32:16 | i | test1.c:33:11:33:11 | i |
+| test1.c:48:16:48:16 | i | test1.c:53:15:53:15 | j |
+nodes
+| test1.c:8:16:8:19 | argv | semmle.label | argv |
+| test1.c:9:9:9:9 | i | semmle.label | i |
+| test1.c:11:9:11:9 | i | semmle.label | i |
+| test1.c:13:9:13:9 | i | semmle.label | i |
+| test1.c:16:16:16:16 | i | semmle.label | i |
+| test1.c:18:16:18:16 | i | semmle.label | i |
+| test1.c:32:16:32:16 | i | semmle.label | i |
+| test1.c:33:11:33:11 | i | semmle.label | i |
+| test1.c:48:16:48:16 | i | semmle.label | i |
+| test1.c:53:15:53:15 | j | semmle.label | j |
+subpaths
+#select
+| test1.c:18:16:18:16 | i | test1.c:8:16:8:19 | argv | test1.c:18:16:18:16 | i | $@ flows to here and is used in an array indexing expression, potentially causing an invalid access. | test1.c:8:16:8:19 | argv | a command-line argument |
+| test1.c:33:11:33:11 | i | test1.c:8:16:8:19 | argv | test1.c:33:11:33:11 | i | $@ flows to here and is used in an array indexing expression, potentially causing an invalid access. | test1.c:8:16:8:19 | argv | a command-line argument |
+| test1.c:53:15:53:15 | j | test1.c:8:16:8:19 | argv | test1.c:53:15:53:15 | j | $@ flows to here and is used in an array indexing expression, potentially causing an invalid access. | test1.c:8:16:8:19 | argv | a command-line argument |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -1,62 +1,20 @@
 edges
-| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | (size_t)... |
-| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | (size_t)... |
-| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted |
-| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted |
-| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted |
 | test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted |
 | test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... |
-| test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... |
-| test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... |
-| test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... |
 | test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... |
-| test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... |
-| test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... |
-| test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... |
-| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | (size_t)... |
-| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | (size_t)... |
-| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size |
-| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size |
-| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size |
 | test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size |
 | test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size |
-| test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size |
-| test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size |
-| test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size |
-| test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... |
-| test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... |
-| test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... |
 | test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... |
 | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... |
-| test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... |
-| test.cpp:124:18:124:31 | (const char *)... | test.cpp:128:24:128:41 | ... * ... |
-| test.cpp:124:18:124:31 | (const char *)... | test.cpp:128:24:128:41 | ... * ... |
 | test.cpp:133:19:133:24 | call to getenv | test.cpp:135:10:135:27 | ... * ... |
-| test.cpp:133:19:133:24 | call to getenv | test.cpp:135:10:135:27 | ... * ... |
-| test.cpp:133:19:133:32 | (const char *)... | test.cpp:135:10:135:27 | ... * ... |
-| test.cpp:133:19:133:32 | (const char *)... | test.cpp:135:10:135:27 | ... * ... |
 | test.cpp:148:20:148:25 | call to getenv | test.cpp:152:11:152:28 | ... * ... |
-| test.cpp:148:20:148:25 | call to getenv | test.cpp:152:11:152:28 | ... * ... |
-| test.cpp:148:20:148:33 | (const char *)... | test.cpp:152:11:152:28 | ... * ... |
-| test.cpp:148:20:148:33 | (const char *)... | test.cpp:152:11:152:28 | ... * ... |
-| test.cpp:209:8:209:23 | ReturnValue | test.cpp:241:9:241:24 | call to get_tainted_size |
 | test.cpp:209:8:209:23 | ReturnValue | test.cpp:241:9:241:24 | call to get_tainted_size |
 | test.cpp:211:14:211:19 | call to getenv | test.cpp:209:8:209:23 | ReturnValue |
-| test.cpp:211:14:211:27 | (const char *)... | test.cpp:209:8:209:23 | ReturnValue |
-| test.cpp:224:23:224:23 | s | test.cpp:225:21:225:21 | s |
 | test.cpp:224:23:224:23 | s | test.cpp:225:21:225:21 | s |
 | test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s |
-| test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s |
-| test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | (size_t)... |
-| test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size |
 | test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size |
 | test.cpp:237:24:237:29 | call to getenv | test.cpp:245:11:245:20 | local_size |
 | test.cpp:237:24:237:29 | call to getenv | test.cpp:247:10:247:19 | local_size |
-| test.cpp:237:24:237:37 | (const char *)... | test.cpp:239:9:239:18 | (size_t)... |
-| test.cpp:237:24:237:37 | (const char *)... | test.cpp:239:9:239:18 | local_size |
-| test.cpp:237:24:237:37 | (const char *)... | test.cpp:239:9:239:18 | local_size |
-| test.cpp:237:24:237:37 | (const char *)... | test.cpp:245:11:245:20 | local_size |
-| test.cpp:237:24:237:37 | (const char *)... | test.cpp:247:10:247:19 | local_size |
 | test.cpp:245:11:245:20 | local_size | test.cpp:224:23:224:23 | s |
 | test.cpp:247:10:247:19 | local_size | test.cpp:230:21:230:21 | s |
 | test.cpp:251:2:251:9 | (reference dereference) [post update] | test.cpp:289:17:289:20 | size [post update] |
@@ -64,112 +22,57 @@ edges
 | test.cpp:251:18:251:23 | call to getenv | test.cpp:251:2:251:9 | (reference dereference) [post update] |
 | test.cpp:251:18:251:23 | call to getenv | test.cpp:289:17:289:20 | size [post update] |
 | test.cpp:251:18:251:23 | call to getenv | test.cpp:305:18:305:21 | size [post update] |
-| test.cpp:251:18:251:31 | (const char *)... | test.cpp:251:2:251:9 | (reference dereference) [post update] |
-| test.cpp:251:18:251:31 | (const char *)... | test.cpp:289:17:289:20 | size [post update] |
-| test.cpp:251:18:251:31 | (const char *)... | test.cpp:305:18:305:21 | size [post update] |
 | test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
-| test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
-| test.cpp:259:20:259:33 | (const char *)... | test.cpp:263:11:263:29 | ... * ... |
-| test.cpp:259:20:259:33 | (const char *)... | test.cpp:263:11:263:29 | ... * ... |
-| test.cpp:289:17:289:20 | size [post update] | test.cpp:291:11:291:28 | ... * ... |
 | test.cpp:289:17:289:20 | size [post update] | test.cpp:291:11:291:28 | ... * ... |
 | test.cpp:305:18:305:21 | size [post update] | test.cpp:308:10:308:27 | ... * ... |
-| test.cpp:305:18:305:21 | size [post update] | test.cpp:308:10:308:27 | ... * ... |
-subpaths
 nodes
 | test.cpp:40:21:40:24 | argv | semmle.label | argv |
-| test.cpp:40:21:40:24 | argv | semmle.label | argv |
-| test.cpp:43:38:43:44 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:43:38:43:44 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
-| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
 | test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
 | test.cpp:44:38:44:63 | ... * ... | semmle.label | ... * ... |
-| test.cpp:44:38:44:63 | ... * ... | semmle.label | ... * ... |
-| test.cpp:44:38:44:63 | ... * ... | semmle.label | ... * ... |
 | test.cpp:46:38:46:63 | ... + ... | semmle.label | ... + ... |
-| test.cpp:46:38:46:63 | ... + ... | semmle.label | ... + ... |
-| test.cpp:46:38:46:63 | ... + ... | semmle.label | ... + ... |
-| test.cpp:49:32:49:35 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:49:32:49:35 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:49:32:49:35 | size | semmle.label | size |
-| test.cpp:49:32:49:35 | size | semmle.label | size |
 | test.cpp:49:32:49:35 | size | semmle.label | size |
 | test.cpp:50:26:50:29 | size | semmle.label | size |
-| test.cpp:50:26:50:29 | size | semmle.label | size |
-| test.cpp:50:26:50:29 | size | semmle.label | size |
-| test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... |
-| test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... |
 | test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... |
 | test.cpp:124:18:124:23 | call to getenv | semmle.label | call to getenv |
-| test.cpp:124:18:124:31 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:128:24:128:41 | ... * ... | semmle.label | ... * ... |
-| test.cpp:128:24:128:41 | ... * ... | semmle.label | ... * ... |
 | test.cpp:128:24:128:41 | ... * ... | semmle.label | ... * ... |
 | test.cpp:133:19:133:24 | call to getenv | semmle.label | call to getenv |
-| test.cpp:133:19:133:32 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:135:10:135:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:135:10:135:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:135:10:135:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:148:20:148:25 | call to getenv | semmle.label | call to getenv |
-| test.cpp:148:20:148:33 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:209:8:209:23 | ReturnValue | semmle.label | ReturnValue |
 | test.cpp:211:14:211:19 | call to getenv | semmle.label | call to getenv |
-| test.cpp:211:14:211:27 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:224:23:224:23 | s | semmle.label | s |
 | test.cpp:225:21:225:21 | s | semmle.label | s |
-| test.cpp:225:21:225:21 | s | semmle.label | s |
-| test.cpp:225:21:225:21 | s | semmle.label | s |
 | test.cpp:230:21:230:21 | s | semmle.label | s |
 | test.cpp:231:21:231:21 | s | semmle.label | s |
-| test.cpp:231:21:231:21 | s | semmle.label | s |
-| test.cpp:231:21:231:21 | s | semmle.label | s |
 | test.cpp:237:24:237:29 | call to getenv | semmle.label | call to getenv |
-| test.cpp:237:24:237:37 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:239:9:239:18 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:239:9:239:18 | (size_t)... | semmle.label | (size_t)... |
 | test.cpp:239:9:239:18 | local_size | semmle.label | local_size |
-| test.cpp:239:9:239:18 | local_size | semmle.label | local_size |
-| test.cpp:239:9:239:18 | local_size | semmle.label | local_size |
-| test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
-| test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
 | test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
 | test.cpp:245:11:245:20 | local_size | semmle.label | local_size |
 | test.cpp:247:10:247:19 | local_size | semmle.label | local_size |
 | test.cpp:251:2:251:9 | (reference dereference) [post update] | semmle.label | (reference dereference) [post update] |
-| test.cpp:251:2:251:9 | out_size [post update] | semmle.label | out_size [post update] |
 | test.cpp:251:18:251:23 | call to getenv | semmle.label | call to getenv |
-| test.cpp:251:18:251:31 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:259:20:259:25 | call to getenv | semmle.label | call to getenv |
-| test.cpp:259:20:259:33 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
-| test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
 | test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
 | test.cpp:289:17:289:20 | size [post update] | semmle.label | size [post update] |
 | test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:305:18:305:21 | size [post update] | semmle.label | size [post update] |
 | test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
+subpaths
 #select
-| test.cpp:43:31:43:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
-| test.cpp:44:31:44:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
-| test.cpp:46:31:46:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
-| test.cpp:49:25:49:30 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
-| test.cpp:50:17:50:30 | new[] | test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
-| test.cpp:53:21:53:27 | call to realloc | test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
-| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:124:18:124:23 | call to getenv | user input (getenv) |
-| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:24 | call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:133:19:133:24 | call to getenv | user input (getenv) |
-| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:25 | call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:148:20:148:25 | call to getenv | user input (getenv) |
-| test.cpp:225:14:225:19 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:225:21:225:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:237:24:237:29 | call to getenv | user input (getenv) |
-| test.cpp:231:14:231:19 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:231:21:231:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:237:24:237:29 | call to getenv | user input (getenv) |
-| test.cpp:239:2:239:7 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:237:24:237:29 | call to getenv | user input (getenv) |
-| test.cpp:241:2:241:7 | call to malloc | test.cpp:211:14:211:19 | call to getenv | test.cpp:241:9:241:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow | test.cpp:211:14:211:19 | call to getenv | user input (getenv) |
-| test.cpp:263:4:263:9 | call to malloc | test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:259:20:259:25 | call to getenv | user input (getenv) |
-| test.cpp:291:4:291:9 | call to malloc | test.cpp:251:18:251:23 | call to getenv | test.cpp:291:11:291:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:251:18:251:23 | call to getenv | user input (getenv) |
-| test.cpp:308:3:308:8 | call to malloc | test.cpp:251:18:251:23 | call to getenv | test.cpp:308:10:308:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:251:18:251:23 | call to getenv | user input (getenv) |
+| test.cpp:43:31:43:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (a command-line argument) |
+| test.cpp:44:31:44:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (a command-line argument) |
+| test.cpp:46:31:46:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (a command-line argument) |
+| test.cpp:49:25:49:30 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (a command-line argument) |
+| test.cpp:50:17:50:30 | new[] | test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (a command-line argument) |
+| test.cpp:53:21:53:27 | call to realloc | test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (a command-line argument) |
+| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:124:18:124:23 | call to getenv | user input (an environment variable) |
+| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:24 | call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:133:19:133:24 | call to getenv | user input (an environment variable) |
+| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:25 | call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:148:20:148:25 | call to getenv | user input (an environment variable) |
+| test.cpp:225:14:225:19 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:225:21:225:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:237:24:237:29 | call to getenv | user input (an environment variable) |
+| test.cpp:231:14:231:19 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:231:21:231:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:237:24:237:29 | call to getenv | user input (an environment variable) |
+| test.cpp:239:2:239:7 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:237:24:237:29 | call to getenv | user input (an environment variable) |
+| test.cpp:241:2:241:7 | call to malloc | test.cpp:211:14:211:19 | call to getenv | test.cpp:241:9:241:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow | test.cpp:211:14:211:19 | call to getenv | user input (an environment variable) |
+| test.cpp:263:4:263:9 | call to malloc | test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:259:20:259:25 | call to getenv | user input (an environment variable) |
+| test.cpp:291:4:291:9 | call to malloc | test.cpp:251:18:251:23 | call to getenv | test.cpp:291:11:291:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:251:18:251:23 | call to getenv | user input (an environment variable) |
+| test.cpp:308:3:308:8 | call to malloc | test.cpp:251:18:251:23 | call to getenv | test.cpp:308:10:308:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:251:18:251:23 | call to getenv | user input (an environment variable) |
--- a/cpp/ql/test/query-tests/jsf/4.13
+++ b/cpp/ql/test/query-tests/jsf/4.13
@@ -1,4 +1,4 @@
-
+// semmle-extractor-options: -std=c11
 int f1(void) {
    int x = 1;
    return 2;
@@ -99,3 +99,9 @@ int f14()
 {
 	__asm__("rdtsc"); // GOOD
 }
+
+_Noreturn void f15();
+
+int f16() {
+    f15(); // GOOD
+}
--- a/cpp/ql/test/query-tests/jsf/4.13
+++ b/cpp/ql/test/query-tests/jsf/4.13
@@ -1,4 +1,4 @@
-
+// semmle-extractor-options: -std=c++11
 class MyValue {
 public:
 	MyValue(int _val) : val(_val) {};
@@ -164,3 +164,9 @@ int g19(int x)

 	return x; // GOOD
 }
+
+[[noreturn]] void g20();
+
+int g21() {
+    g20(); // GOOD
+}