Merge pull request #13863 from aschackmull/dataflow/pack4

Dataflow: Move the shared library to a properly shared qlpack.

config/identical-files.json

@@ -1,24 +1,4 @@
 {
-  "DataFlow Java/C++/C#/Go/Python/Ruby/Swift": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlow.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlow.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlow.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlow.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlow.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlow.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlow.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlow.qll"
-  ],
-  "DataFlowImpl Java/C++/C#/Go/Python/Ruby/Swift": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl.qll"
-  ],
   "DataFlow Java/C++/C#/Go/Python/Ruby/Swift Legacy Configuration": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
@@ -53,16 +33,6 @@
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForPathname.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll"
   ],
-  "DataFlow Java/C++/C#/Go/Python/Ruby/Swift Common": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImplCommon.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplCommon.qll"
-  ],
   "TaintTracking Java/C++/C#/Go/Python/Ruby/Swift": [
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll",

cpp/ql/lib/qlpack.yml

@@ -6,6 +6,7 @@ extractor: cpp
 library: true
 upgrades: upgrades
 dependencies:
+  codeql/dataflow: ${workspace}
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll

@@ -26,6 +26,8 @@ import cpp
  * global (inter-procedural) data flow analyses.
  */
 deprecated module DataFlow {
-  import semmle.code.cpp.dataflow.internal.DataFlow
+  private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific
+  private import codeql.dataflow.DataFlow
+  import DataFlowMake<CppOldDataFlow>
   import semmle.code.cpp.dataflow.internal.DataFlowImpl1
 }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlow.qll

@@ -1,450 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) data flow. This file
- * re-exports the local (intraprocedural) data flow analysis from
- * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Global` and `GlobalWithState` modules.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-import DataFlowImplCommonPublic
-private import DataFlowImpl
-
-/** An input configuration for data flow. */
-signature module ConfigSig {
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or isAdditionalFlowStep(_, node)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/** An input configuration for data flow using flow state. */
-signature module StateConfigSig {
-  bindingset[this]
-  class FlowState;
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  default predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  default predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or
-    isAdditionalFlowStep(_, node) or
-    isAdditionalFlowStep(node, _, _, _) or
-    isAdditionalFlowStep(_, _, node, _)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/**
- * Gets the exploration limit for `partialFlow` and `partialFlowRev`
- * measured in approximate number of interprocedural steps.
- */
-signature int explorationLimitSig();
-
-/**
- * The output of a global data flow computation.
- */
-signature module GlobalFlowSig {
-  /**
-   * A `Node` augmented with a call context (except for sinks) and an access path.
-   * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
-   */
-  class PathNode;
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate flowPath(PathNode source, PathNode sink);
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   */
-  predicate flow(Node source, Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowTo(Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowToExpr(DataFlowExpr sink);
-}
-
-/**
- * Constructs a global data flow computation.
- */
-module Global<ConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import DefaultState<Config>
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `Global` instead. */
-deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
-  import Global<Config>
-}
-
-/**
- * Constructs a global data flow computation using flow state.
- */
-module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `GlobalWithState` instead. */
-deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
-  import GlobalWithState<Config>
-}
-
-signature class PathNodeSig {
-  /** Gets a textual representation of this element. */
-  string toString();
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  );
-
-  /** Gets the underlying `Node`. */
-  Node getNode();
-}
-
-signature module PathGraphSig<PathNodeSig PathNode> {
-  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  predicate edges(PathNode a, PathNode b);
-
-  /** Holds if `n` is a node in the graph of data flow path explanations. */
-  predicate nodes(PathNode n, string key, string val);
-
-  /**
-   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-   * `ret -> out` is summarized as the edge `arg -> out`.
-   */
-  predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out);
-}
-
-/**
- * Constructs a `PathGraph` from two `PathGraph`s by disjoint union.
- */
-module MergePathGraph<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathGraphSig<PathNode1> Graph1,
-  PathGraphSig<PathNode2> Graph2>
-{
-  private newtype TPathNode =
-    TPathNode1(PathNode1 p) or
-    TPathNode2(PathNode2 p)
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the two given graphs. */
-  class PathNode extends TPathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { this = TPathNode1(result) }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { this = TPathNode2(result) }
-
-    /** Gets a textual representation of this element. */
-    string toString() {
-      result = this.asPathNode1().toString() or
-      result = this.asPathNode2().toString()
-    }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      this.asPathNode1().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) or
-      this.asPathNode2().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() {
-      result = this.asPathNode1().getNode() or
-      result = this.asPathNode2().getNode()
-    }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) {
-      Graph1::edges(a.asPathNode1(), b.asPathNode1()) or
-      Graph2::edges(a.asPathNode2(), b.asPathNode2())
-    }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Graph1::nodes(n.asPathNode1(), key, val) or
-      Graph2::nodes(n.asPathNode2(), key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Graph1::subpaths(arg.asPathNode1(), par.asPathNode1(), ret.asPathNode1(), out.asPathNode1()) or
-      Graph2::subpaths(arg.asPathNode2(), par.asPathNode2(), ret.asPathNode2(), out.asPathNode2())
-    }
-  }
-}
-
-/**
- * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
- */
-module MergePathGraph3<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
-  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
-{
-  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
-
-  private module Merged =
-    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
-  class PathNode instanceof Merged::PathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
-
-    /** Gets this as a projection on the third given `PathGraph`. */
-    PathNode3 asPathNode3() { result = super.asPathNode2() }
-
-    /** Gets a textual representation of this element. */
-    string toString() { result = super.toString() }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() { result = super.getNode() }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) { Merged::PathGraph::edges(a, b) }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Merged::PathGraph::nodes(n, key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Merged::PathGraph::subpaths(arg, par, ret, out)
-    }
-  }
-}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll

@@ -5,8 +5,8 @@ private import DataFlowUtil
 /**
  * Gets a function that might be called by `call`.
  */
-Function viableCallable(Call call) {
-  result = call.getTarget()
+Function viableCallable(DataFlowCall call) {
+  result = call.(Call).getTarget()
   or
   // If the target of the call does not have a body in the snapshot, it might
   // be because the target is just a header declaration, and the real target
@@ -58,13 +58,13 @@ private predicate functionSignature(Function f, string qualifiedName, int nparam
  * Holds if the set of viable implementations that can be called by `call`
  * might be improved by knowing the call context.
  */
-predicate mayBenefitFromCallContext(Call call, Function f) { none() }
+predicate mayBenefitFromCallContext(DataFlowCall call, Function f) { none() }
 
 /**
  * Gets a viable dispatch target of `call` in the context `ctx`. This is
  * restricted to those `call`s for which a context might make a difference.
  */
-Function viableImplInCallContext(Call call, Call ctx) { none() }
+Function viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) { none() }
 
 /** A parameter position represented by an integer. */
 class ParameterPosition extends int {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplSpecific.qll

@@ -1,6 +1,9 @@
 /**
  * Provides C++-specific definitions for use in the data flow library.
  */
+
+private import codeql.dataflow.DataFlowParameter
+
 module Private {
   import DataFlowPrivate
   import DataFlowDispatch
@@ -9,3 +12,10 @@ module Private {
 module Public {
   import DataFlowUtil
 }
+
+module CppOldDataFlow implements DataFlowParameter {
+  import Private
+  import Public
+
+  Node exprNode(DataFlowExpr e) { result = Public::exprNode(e) }
+}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -153,10 +153,11 @@ predicate jumpStep(Node n1, Node n2) { none() }
  * Thus, `node2` references an object with a field `f` that contains the
  * value of `node1`.
  */
-predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
+predicate storeStep(Node node1, ContentSet f, Node node2) {
   exists(ClassAggregateLiteral aggr, Field field |
-    // The following line requires `node2` to be both an `ExprNode` and a
+    // The following lines requires `node2` to be both an `ExprNode` and a
     // `PostUpdateNode`, which means it must be an `ObjectInitializerNode`.
+    node2 instanceof PostUpdateNode and
     node2.asExpr() = aggr and
     f.(FieldContent).getField() = field and
     aggr.getAFieldExpr(field) = node1.asExpr()
@@ -167,12 +168,13 @@ predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
       node1.asExpr() = a and
       a.getLValue() = fa
     ) and
-    node2.getPreUpdateNode().asExpr() = fa.getQualifier() and
+    node2.(PostUpdateNode).getPreUpdateNode().asExpr() = fa.getQualifier() and
     f.(FieldContent).getField() = fa.getTarget()
   )
   or
   exists(ConstructorFieldInit cfi |
-    node2.getPreUpdateNode().(PreConstructorInitThis).getConstructorFieldInit() = cfi and
+    node2.(PostUpdateNode).getPreUpdateNode().(PreConstructorInitThis).getConstructorFieldInit() =
+      cfi and
     f.(FieldContent).getField() = cfi.getTarget() and
     node1.asExpr() = cfi.getExpr()
   )
@@ -183,7 +185,7 @@ predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
  * Thus, `node1` references an object with a field `f` whose value ends up in
  * `node2`.
  */
-predicate readStep(Node node1, Content f, Node node2) {
+predicate readStep(Node node1, ContentSet f, Node node2) {
   exists(FieldAccess fr |
     node1.asExpr() = fr.getQualifier() and
     fr.getTarget() = f.(FieldContent).getField() and
@@ -195,7 +197,7 @@ predicate readStep(Node node1, Content f, Node node2) {
 /**
  * Holds if values stored inside content `c` are cleared at node `n`.
  */
-predicate clearsContent(Node n, Content c) {
+predicate clearsContent(Node n, ContentSet c) {
   none() // stub implementation
 }
 
@@ -235,12 +237,6 @@ class CastNode extends Node {
   CastNode() { none() } // stub implementation
 }
 
-/**
- * Holds if `n` should never be skipped over in the `PathGraph` and in path
- * explanations.
- */
-predicate neverSkipInPathGraph(Node n) { none() }
-
 class DataFlowCallable = Function;
 
 class DataFlowExpr = Expr;
@@ -265,8 +261,6 @@ class DataFlowCall extends Expr instanceof Call {
 
 predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } // stub implementation
 
-int accessPathLimit() { result = 5 }
-
 /**
  * Holds if access paths with `c` at their head always should be tracked at high
  * precision. This disables adaptive access path precision for such access paths.

cpp/ql/lib/semmle/code/cpp/dataflow/new/DataFlow.qll

@@ -26,6 +26,8 @@ import cpp
  * global (inter-procedural) data flow analyses.
  */
 module DataFlow {
-  import semmle.code.cpp.ir.dataflow.internal.DataFlow
+  private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
+  private import codeql.dataflow.DataFlow
+  import DataFlowMake<CppDataFlow>
   import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl1
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DataFlow.qll

@@ -22,6 +22,8 @@
 import cpp
 
 module DataFlow {
-  import semmle.code.cpp.ir.dataflow.internal.DataFlow
+  private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
+  private import codeql.dataflow.DataFlow
+  import DataFlowMake<CppDataFlow>
   import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl1
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlow.qll

@@ -1,450 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) data flow. This file
- * re-exports the local (intraprocedural) data flow analysis from
- * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Global` and `GlobalWithState` modules.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-import DataFlowImplCommonPublic
-private import DataFlowImpl
-
-/** An input configuration for data flow. */
-signature module ConfigSig {
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or isAdditionalFlowStep(_, node)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/** An input configuration for data flow using flow state. */
-signature module StateConfigSig {
-  bindingset[this]
-  class FlowState;
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  default predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  default predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or
-    isAdditionalFlowStep(_, node) or
-    isAdditionalFlowStep(node, _, _, _) or
-    isAdditionalFlowStep(_, _, node, _)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/**
- * Gets the exploration limit for `partialFlow` and `partialFlowRev`
- * measured in approximate number of interprocedural steps.
- */
-signature int explorationLimitSig();
-
-/**
- * The output of a global data flow computation.
- */
-signature module GlobalFlowSig {
-  /**
-   * A `Node` augmented with a call context (except for sinks) and an access path.
-   * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
-   */
-  class PathNode;
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate flowPath(PathNode source, PathNode sink);
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   */
-  predicate flow(Node source, Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowTo(Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowToExpr(DataFlowExpr sink);
-}
-
-/**
- * Constructs a global data flow computation.
- */
-module Global<ConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import DefaultState<Config>
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `Global` instead. */
-deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
-  import Global<Config>
-}
-
-/**
- * Constructs a global data flow computation using flow state.
- */
-module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `GlobalWithState` instead. */
-deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
-  import GlobalWithState<Config>
-}
-
-signature class PathNodeSig {
-  /** Gets a textual representation of this element. */
-  string toString();
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  );
-
-  /** Gets the underlying `Node`. */
-  Node getNode();
-}
-
-signature module PathGraphSig<PathNodeSig PathNode> {
-  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  predicate edges(PathNode a, PathNode b);
-
-  /** Holds if `n` is a node in the graph of data flow path explanations. */
-  predicate nodes(PathNode n, string key, string val);
-
-  /**
-   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-   * `ret -> out` is summarized as the edge `arg -> out`.
-   */
-  predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out);
-}
-
-/**
- * Constructs a `PathGraph` from two `PathGraph`s by disjoint union.
- */
-module MergePathGraph<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathGraphSig<PathNode1> Graph1,
-  PathGraphSig<PathNode2> Graph2>
-{
-  private newtype TPathNode =
-    TPathNode1(PathNode1 p) or
-    TPathNode2(PathNode2 p)
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the two given graphs. */
-  class PathNode extends TPathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { this = TPathNode1(result) }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { this = TPathNode2(result) }
-
-    /** Gets a textual representation of this element. */
-    string toString() {
-      result = this.asPathNode1().toString() or
-      result = this.asPathNode2().toString()
-    }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      this.asPathNode1().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) or
-      this.asPathNode2().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() {
-      result = this.asPathNode1().getNode() or
-      result = this.asPathNode2().getNode()
-    }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) {
-      Graph1::edges(a.asPathNode1(), b.asPathNode1()) or
-      Graph2::edges(a.asPathNode2(), b.asPathNode2())
-    }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Graph1::nodes(n.asPathNode1(), key, val) or
-      Graph2::nodes(n.asPathNode2(), key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Graph1::subpaths(arg.asPathNode1(), par.asPathNode1(), ret.asPathNode1(), out.asPathNode1()) or
-      Graph2::subpaths(arg.asPathNode2(), par.asPathNode2(), ret.asPathNode2(), out.asPathNode2())
-    }
-  }
-}
-
-/**
- * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
- */
-module MergePathGraph3<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
-  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
-{
-  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
-
-  private module Merged =
-    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
-  class PathNode instanceof Merged::PathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
-
-    /** Gets this as a projection on the third given `PathGraph`. */
-    PathNode3 asPathNode3() { result = super.asPathNode2() }
-
-    /** Gets a textual representation of this element. */
-    string toString() { result = super.toString() }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() { result = super.getNode() }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) { Merged::PathGraph::edges(a, b) }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Merged::PathGraph::nodes(n, key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Merged::PathGraph::subpaths(arg, par, ret, out)
-    }
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -9,7 +9,7 @@ private import DataFlowImplCommon as DataFlowImplCommon
  * Gets a function that might be called by `call`.
  */
 cached
-Function viableCallable(CallInstruction call) {
+DataFlowCallable viableCallable(DataFlowCall call) {
   DataFlowImplCommon::forceCachingInSameStage() and
   result = call.getStaticCallTarget()
   or
@@ -235,7 +235,7 @@ private predicate functionSignature(Function f, string qualifiedName, int nparam
  * Holds if the set of viable implementations that can be called by `call`
  * might be improved by knowing the call context.
  */
-predicate mayBenefitFromCallContext(CallInstruction call, Function f) {
+predicate mayBenefitFromCallContext(DataFlowCall call, DataFlowCallable f) {
   mayBenefitFromCallContext(call, f, _)
 }
 
@@ -259,7 +259,7 @@ private predicate mayBenefitFromCallContext(
  * Gets a viable dispatch target of `call` in the context `ctx`. This is
  * restricted to those `call`s for which a context might make a difference.
  */
-Function viableImplInCallContext(CallInstruction call, CallInstruction ctx) {
+DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
   result = viableCallable(call) and
   exists(int i, Function f |
     mayBenefitFromCallContext(pragma[only_bind_into](call), f, i) and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll

@@ -1,6 +1,9 @@
 /**
  * Provides IR-specific definitions for use in the data flow library.
  */
+
+private import codeql.dataflow.DataFlowParameter
+
 module Private {
   import DataFlowPrivate
   import DataFlowDispatch
@@ -9,3 +12,10 @@ module Private {
 module Public {
   import DataFlowUtil
 }
+
+module CppDataFlow implements DataFlowParameter {
+  import Private
+  import Public
+
+  Node exprNode(DataFlowExpr e) { result = Public::exprNode(e) }
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -681,9 +681,7 @@ predicate storeStepImpl(Node node1, Content c, PostFieldUpdateNode node2, boolea
  * Thus, `node2` references an object with a field `f` that contains the
  * value of `node1`.
  */
-predicate storeStep(Node node1, Content c, PostFieldUpdateNode node2) {
-  storeStepImpl(node1, c, node2, _)
-}
+predicate storeStep(Node node1, ContentSet c, Node node2) { storeStepImpl(node1, c, node2, _) }
 
 /**
  * Holds if `operandFrom` flows to `operandTo` using a sequence of conversion-like
@@ -744,7 +742,7 @@ predicate nodeHasInstruction(Node node, Instruction instr, int indirectionIndex)
  * Thus, `node1` references an object with a field `f` whose value ends up in
  * `node2`.
  */
-predicate readStep(Node node1, Content c, Node node2) {
+predicate readStep(Node node1, ContentSet c, Node node2) {
   exists(FieldAddress fa1, Operand operand, int numberOfLoads, int indirectionIndex2 |
     nodeHasOperand(node2, operand, indirectionIndex2) and
     // The `1` here matches the `node2.getIndirectionIndex() = 1` conjunct
@@ -767,7 +765,7 @@ predicate readStep(Node node1, Content c, Node node2) {
 /**
  * Holds if values stored inside content `c` are cleared at node `n`.
  */
-predicate clearsContent(Node n, Content c) {
+predicate clearsContent(Node n, ContentSet c) {
   n =
     any(PostUpdateNode pun, Content d | d.impliesClearOf(c) and storeStepImpl(_, d, pun, true) | pun)
         .getPreUpdateNode() and
@@ -792,7 +790,7 @@ predicate clearsContent(Node n, Content c) {
       storeStepImpl(_, d, pun, true) and
       pun.getPreUpdateNode() = n
     |
-      c.getIndirectionIndex() = d.getIndirectionIndex()
+      c.(Content).getIndirectionIndex() = d.getIndirectionIndex()
     )
   )
 }
@@ -833,12 +831,6 @@ class CastNode extends Node {
   CastNode() { none() } // stub implementation
 }
 
-/**
- * Holds if `n` should never be skipped over in the `PathGraph` and in path
- * explanations.
- */
-predicate neverSkipInPathGraph(Node n) { none() }
-
 /**
  * A function that may contain code or a variable that may contain itself. When
  * flow crosses from one _enclosing callable_ to another, the interprocedural
@@ -853,7 +845,7 @@ class DataFlowType = Type;
 
 /** A function call relevant for data flow. */
 class DataFlowCall extends CallInstruction {
-  Function getEnclosingCallable() { result = this.getEnclosingFunction() }
+  DataFlowCallable getEnclosingCallable() { result = this.getEnclosingFunction() }
 }
 
 module IsUnreachableInCall {
@@ -924,8 +916,6 @@ module IsUnreachableInCall {
 
 import IsUnreachableInCall
 
-int accessPathLimit() { result = 5 }
-
 /**
  * Holds if access paths with `c` at their head always should be tracked at high
  * precision. This disables adaptive access path precision for such access paths.

csharp/ql/lib/qlpack.yml

@@ -6,6 +6,7 @@ extractor: csharp
 library: true
 upgrades: upgrades
 dependencies:
+  codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}

csharp/ql/lib/semmle/code/csharp/dataflow/DataFlow.qll

@@ -6,6 +6,8 @@
 import csharp
 
 module DataFlow {
-  import semmle.code.csharp.dataflow.internal.DataFlow
+  private import semmle.code.csharp.dataflow.internal.DataFlowImplSpecific
+  private import codeql.dataflow.DataFlow
+  import DataFlowMake<CsharpDataFlow>
   import semmle.code.csharp.dataflow.internal.DataFlowImpl1
 }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlow.qll

@@ -1,450 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) data flow. This file
- * re-exports the local (intraprocedural) data flow analysis from
- * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Global` and `GlobalWithState` modules.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-import DataFlowImplCommonPublic
-private import DataFlowImpl
-
-/** An input configuration for data flow. */
-signature module ConfigSig {
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or isAdditionalFlowStep(_, node)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/** An input configuration for data flow using flow state. */
-signature module StateConfigSig {
-  bindingset[this]
-  class FlowState;
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  default predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  default predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or
-    isAdditionalFlowStep(_, node) or
-    isAdditionalFlowStep(node, _, _, _) or
-    isAdditionalFlowStep(_, _, node, _)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/**
- * Gets the exploration limit for `partialFlow` and `partialFlowRev`
- * measured in approximate number of interprocedural steps.
- */
-signature int explorationLimitSig();
-
-/**
- * The output of a global data flow computation.
- */
-signature module GlobalFlowSig {
-  /**
-   * A `Node` augmented with a call context (except for sinks) and an access path.
-   * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
-   */
-  class PathNode;
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate flowPath(PathNode source, PathNode sink);
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   */
-  predicate flow(Node source, Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowTo(Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowToExpr(DataFlowExpr sink);
-}
-
-/**
- * Constructs a global data flow computation.
- */
-module Global<ConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import DefaultState<Config>
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `Global` instead. */
-deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
-  import Global<Config>
-}
-
-/**
- * Constructs a global data flow computation using flow state.
- */
-module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `GlobalWithState` instead. */
-deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
-  import GlobalWithState<Config>
-}
-
-signature class PathNodeSig {
-  /** Gets a textual representation of this element. */
-  string toString();
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  );
-
-  /** Gets the underlying `Node`. */
-  Node getNode();
-}
-
-signature module PathGraphSig<PathNodeSig PathNode> {
-  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  predicate edges(PathNode a, PathNode b);
-
-  /** Holds if `n` is a node in the graph of data flow path explanations. */
-  predicate nodes(PathNode n, string key, string val);
-
-  /**
-   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-   * `ret -> out` is summarized as the edge `arg -> out`.
-   */
-  predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out);
-}
-
-/**
- * Constructs a `PathGraph` from two `PathGraph`s by disjoint union.
- */
-module MergePathGraph<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathGraphSig<PathNode1> Graph1,
-  PathGraphSig<PathNode2> Graph2>
-{
-  private newtype TPathNode =
-    TPathNode1(PathNode1 p) or
-    TPathNode2(PathNode2 p)
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the two given graphs. */
-  class PathNode extends TPathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { this = TPathNode1(result) }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { this = TPathNode2(result) }
-
-    /** Gets a textual representation of this element. */
-    string toString() {
-      result = this.asPathNode1().toString() or
-      result = this.asPathNode2().toString()
-    }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      this.asPathNode1().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) or
-      this.asPathNode2().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() {
-      result = this.asPathNode1().getNode() or
-      result = this.asPathNode2().getNode()
-    }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) {
-      Graph1::edges(a.asPathNode1(), b.asPathNode1()) or
-      Graph2::edges(a.asPathNode2(), b.asPathNode2())
-    }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Graph1::nodes(n.asPathNode1(), key, val) or
-      Graph2::nodes(n.asPathNode2(), key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Graph1::subpaths(arg.asPathNode1(), par.asPathNode1(), ret.asPathNode1(), out.asPathNode1()) or
-      Graph2::subpaths(arg.asPathNode2(), par.asPathNode2(), ret.asPathNode2(), out.asPathNode2())
-    }
-  }
-}
-
-/**
- * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
- */
-module MergePathGraph3<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
-  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
-{
-  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
-
-  private module Merged =
-    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
-  class PathNode instanceof Merged::PathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
-
-    /** Gets this as a projection on the third given `PathGraph`. */
-    PathNode3 asPathNode3() { result = super.asPathNode2() }
-
-    /** Gets a textual representation of this element. */
-    string toString() { result = super.toString() }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() { result = super.getNode() }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) { Merged::PathGraph::edges(a, b) }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Merged::PathGraph::nodes(n, key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Merged::PathGraph::subpaths(arg, par, ret, out)
-    }
-  }
-}

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -154,17 +154,17 @@ private module DispatchImpl {
    * call is a delegate call, or if the qualifier accesses a parameter of
    * the enclosing callable `c` (including the implicit `this` parameter).
    */
-  predicate mayBenefitFromCallContext(NonDelegateDataFlowCall call, DataFlowCallable c) {
+  predicate mayBenefitFromCallContext(DataFlowCall call, DataFlowCallable c) {
     c = call.getEnclosingCallable() and
-    call.getDispatchCall().mayBenefitFromCallContext()
+    call.(NonDelegateDataFlowCall).getDispatchCall().mayBenefitFromCallContext()
   }
 
   /**
    * Gets a viable dispatch target of `call` in the context `ctx`. This is
    * restricted to those `call`s for which a context might make a difference.
    */
-  DataFlowCallable viableImplInCallContext(NonDelegateDataFlowCall call, DataFlowCall ctx) {
-    exists(DispatchCall dc | dc = call.getDispatchCall() |
+  DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
+    exists(DispatchCall dc | dc = call.(NonDelegateDataFlowCall).getDispatchCall() |
       result.getUnderlyingCallable() =
         getCallableForDataFlow(dc.getADynamicTargetInCallContext(ctx.(NonDelegateDataFlowCall)
                 .getDispatchCall()).getUnboundDeclaration())

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplSpecific.qll

@@ -1,6 +1,9 @@
 /**
  * Provides C#-specific definitions for use in the data flow library.
  */
+
+private import codeql.dataflow.DataFlowParameter
+
 module Private {
   import DataFlowPrivate
   import DataFlowDispatch
@@ -9,3 +12,12 @@ module Private {
 module Public {
   import DataFlowPublic
 }
+
+module CsharpDataFlow implements DataFlowParameter {
+  import Private
+  import Public
+
+  Node exprNode(DataFlowExpr e) { result = Public::exprNode(e) }
+
+  predicate accessPathLimit = Private::accessPathLimit/0;
+}

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -22,11 +22,13 @@ private import semmle.code.cil.internal.SsaImpl as CilSsaImpl
 private import codeql.util.Unit
 
 /** Gets the callable in which this node occurs. */
-DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallableImpl() }
+DataFlowCallable nodeGetEnclosingCallable(Node n) {
+  result = n.(NodeImpl).getEnclosingCallableImpl()
+}
 
 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNodeImpl p, DataFlowCallable c, ParameterPosition pos) {
-  p.isParameterOf(c, pos)
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
+  p.(ParameterNodeImpl).isParameterOf(c, pos)
 }
 
 /** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
@@ -1739,7 +1741,7 @@ private PropertyContent getResultContent() {
  * Holds if data can flow from `node1` to `node2` via an assignment to
  * content `c`.
  */
-predicate storeStep(Node node1, Content c, Node node2) {
+predicate storeStep(Node node1, ContentSet c, Node node2) {
   exists(StoreStepConfiguration x, ExprNode node, boolean postUpdate |
     hasNodePath(x, node1, node) and
     if postUpdate = true then node = node2.(PostUpdateNode).getPreUpdateNode() else node = node2
@@ -1840,7 +1842,7 @@ private class ReadStepConfiguration extends ControlFlowReachabilityConfiguration
 /**
  * Holds if data can flow from `node1` to `node2` via a read of content `c`.
  */
-predicate readStep(Node node1, Content c, Node node2) {
+predicate readStep(Node node1, ContentSet c, Node node2) {
   exists(ReadStepConfiguration x |
     hasNodePath(x, node1, node2) and
     fieldOrPropertyRead(node1.asExpr(), c, node2.asExpr())
@@ -1901,7 +1903,7 @@ predicate readStep(Node node1, Content c, Node node2) {
  * any value stored inside `f` is cleared at the pre-update node associated with `x`
  * in `x.f = newValue`.
  */
-predicate clearsContent(Node n, Content c) {
+predicate clearsContent(Node n, ContentSet c) {
   fieldOrPropertyStore(_, c, _, n.asExpr(), true)
   or
   fieldOrPropertyStore(_, c, _, n.(ObjectInitializerNode).getInitializer(), false)
@@ -1949,10 +1951,7 @@ predicate isUnreachableInCall(Node n, DataFlowCall call) {
 class DataFlowType = Gvn::GvnType;
 
 /** Gets the type of `n` used for type pruning. */
-pragma[inline]
-Gvn::GvnType getNodeType(NodeImpl n) {
-  pragma[only_bind_into](result) = pragma[only_bind_out](n).getDataFlowType()
-}
+Gvn::GvnType getNodeType(Node n) { result = n.(NodeImpl).getDataFlowType() }
 
 /** Gets a string representation of a `DataFlowType`. */
 string ppReprType(DataFlowType t) { result = t.toString() }
@@ -2140,12 +2139,6 @@ class CastNode extends Node {
   }
 }
 
-/**
- * Holds if `n` should never be skipped over in the `PathGraph` and in path
- * explanations.
- */
-predicate neverSkipInPathGraph(Node n) { none() }
-
 class DataFlowExpr = DotNet::Expr;
 
 /** Holds if `e` is an expression that always has the same Boolean value `val`. */
@@ -2188,8 +2181,8 @@ predicate forceHighPrecision(Content c) { c instanceof ElementContent }
 class LambdaCallKind = Unit;
 
 /** Holds if `creation` is an expression that creates a delegate for `c`. */
-predicate lambdaCreation(ExprNode creation, LambdaCallKind kind, DataFlowCallable c) {
-  exists(Expr e | e = creation.getExpr() |
+predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
+  exists(Expr e | e = creation.asExpr() |
     c.asCallable() =
       [
         e.(AnonymousFunctionExpr), e.(CallableAccess).getTarget().getUnboundDeclaration(),

go/ql/lib/qlpack.yml

@@ -6,6 +6,7 @@ extractor: go
 library: true
 upgrades: upgrades
 dependencies:
+  codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}

go/ql/lib/semmle/go/dataflow/DataFlow.qll

@@ -22,7 +22,9 @@ import go
  * data flow analysis.
  */
 module DataFlow {
-  import semmle.go.dataflow.internal.DataFlow
+  private import semmle.go.dataflow.internal.DataFlowImplSpecific
+  private import codeql.dataflow.DataFlow
+  import DataFlowMake<GoDataFlow>
   import semmle.go.dataflow.internal.DataFlowImpl1
   import Properties
 }

go/ql/lib/semmle/go/dataflow/internal/DataFlow.qll

@@ -1,450 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) data flow. This file
- * re-exports the local (intraprocedural) data flow analysis from
- * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Global` and `GlobalWithState` modules.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-import DataFlowImplCommonPublic
-private import DataFlowImpl
-
-/** An input configuration for data flow. */
-signature module ConfigSig {
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or isAdditionalFlowStep(_, node)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/** An input configuration for data flow using flow state. */
-signature module StateConfigSig {
-  bindingset[this]
-  class FlowState;
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  default predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  default predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or
-    isAdditionalFlowStep(_, node) or
-    isAdditionalFlowStep(node, _, _, _) or
-    isAdditionalFlowStep(_, _, node, _)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/**
- * Gets the exploration limit for `partialFlow` and `partialFlowRev`
- * measured in approximate number of interprocedural steps.
- */
-signature int explorationLimitSig();
-
-/**
- * The output of a global data flow computation.
- */
-signature module GlobalFlowSig {
-  /**
-   * A `Node` augmented with a call context (except for sinks) and an access path.
-   * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
-   */
-  class PathNode;
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate flowPath(PathNode source, PathNode sink);
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   */
-  predicate flow(Node source, Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowTo(Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowToExpr(DataFlowExpr sink);
-}
-
-/**
- * Constructs a global data flow computation.
- */
-module Global<ConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import DefaultState<Config>
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `Global` instead. */
-deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
-  import Global<Config>
-}
-
-/**
- * Constructs a global data flow computation using flow state.
- */
-module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `GlobalWithState` instead. */
-deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
-  import GlobalWithState<Config>
-}
-
-signature class PathNodeSig {
-  /** Gets a textual representation of this element. */
-  string toString();
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  );
-
-  /** Gets the underlying `Node`. */
-  Node getNode();
-}
-
-signature module PathGraphSig<PathNodeSig PathNode> {
-  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  predicate edges(PathNode a, PathNode b);
-
-  /** Holds if `n` is a node in the graph of data flow path explanations. */
-  predicate nodes(PathNode n, string key, string val);
-
-  /**
-   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-   * `ret -> out` is summarized as the edge `arg -> out`.
-   */
-  predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out);
-}
-
-/**
- * Constructs a `PathGraph` from two `PathGraph`s by disjoint union.
- */
-module MergePathGraph<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathGraphSig<PathNode1> Graph1,
-  PathGraphSig<PathNode2> Graph2>
-{
-  private newtype TPathNode =
-    TPathNode1(PathNode1 p) or
-    TPathNode2(PathNode2 p)
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the two given graphs. */
-  class PathNode extends TPathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { this = TPathNode1(result) }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { this = TPathNode2(result) }
-
-    /** Gets a textual representation of this element. */
-    string toString() {
-      result = this.asPathNode1().toString() or
-      result = this.asPathNode2().toString()
-    }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      this.asPathNode1().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) or
-      this.asPathNode2().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() {
-      result = this.asPathNode1().getNode() or
-      result = this.asPathNode2().getNode()
-    }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) {
-      Graph1::edges(a.asPathNode1(), b.asPathNode1()) or
-      Graph2::edges(a.asPathNode2(), b.asPathNode2())
-    }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Graph1::nodes(n.asPathNode1(), key, val) or
-      Graph2::nodes(n.asPathNode2(), key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Graph1::subpaths(arg.asPathNode1(), par.asPathNode1(), ret.asPathNode1(), out.asPathNode1()) or
-      Graph2::subpaths(arg.asPathNode2(), par.asPathNode2(), ret.asPathNode2(), out.asPathNode2())
-    }
-  }
-}
-
-/**
- * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
- */
-module MergePathGraph3<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
-  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
-{
-  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
-
-  private module Merged =
-    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
-  class PathNode instanceof Merged::PathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
-
-    /** Gets this as a projection on the third given `PathGraph`. */
-    PathNode3 asPathNode3() { result = super.asPathNode2() }
-
-    /** Gets a textual representation of this element. */
-    string toString() { result = super.toString() }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() { result = super.getNode() }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) { Merged::PathGraph::edges(a, b) }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Merged::PathGraph::nodes(n, key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Merged::PathGraph::subpaths(arg, par, ret, out)
-    }
-  }
-}

go/ql/lib/semmle/go/dataflow/internal/DataFlowDispatch.qll

@@ -92,7 +92,7 @@ private DataFlowCallable getRestrictedInterfaceTarget(DataFlow::CallNode call) {
 /**
  * Gets a function that might be called by `call`.
  */
-DataFlowCallable viableCallable(CallExpr ma) {
+DataFlowCallable viableCallable(DataFlowCall ma) {
   exists(DataFlow::CallNode call | call.asExpr() = ma |
     if isConcreteInterfaceCall(call, _, _)
     then result = getConcreteTarget(call)

go/ql/lib/semmle/go/dataflow/internal/DataFlowImplSpecific.qll

@@ -1,6 +1,9 @@
 /**
  * Provides Go-specific definitions for use in the data flow library.
  */
+
+private import codeql.dataflow.DataFlowParameter
+
 module Private {
   import DataFlowPrivate
   import DataFlowDispatch
@@ -9,3 +12,12 @@ module Private {
 module Public {
   import DataFlowUtil
 }
+
+module GoDataFlow implements DataFlowParameter {
+  import Private
+  import Public
+
+  predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1;
+
+  Node exprNode(DataFlowExpr e) { result = Public::exprNode(e) }
+}

go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll

@@ -138,7 +138,7 @@ predicate jumpStep(Node n1, Node n2) {
  * Thus, `node2` references an object with a content `x` that contains the
  * value of `node1`.
  */
-predicate storeStep(Node node1, Content c, Node node2) {
+predicate storeStep(Node node1, ContentSet c, Node node2) {
   // a write `(*p).f = rhs` is modeled as two store steps: `rhs` is flows into field `f` of `(*p)`,
   // which in turn flows into the pointer content of `p`
   exists(Write w, Field f, DataFlow::Node base, DataFlow::Node rhs | w.writesField(base, f, rhs) |
@@ -165,7 +165,7 @@ predicate storeStep(Node node1, Content c, Node node2) {
  * Thus, `node1` references an object with a content `c` whose value ends up in
  * `node2`.
  */
-predicate readStep(Node node1, Content c, Node node2) {
+predicate readStep(Node node1, ContentSet c, Node node2) {
   node1 = node2.(PointerDereferenceNode).getOperand() and
   c = any(DataFlow::PointerContent pc | pc.getPointerType() = node1.getType())
   or
@@ -184,7 +184,7 @@ predicate readStep(Node node1, Content c, Node node2) {
 /**
  * Holds if values stored inside content `c` are cleared at node `n`.
  */
-predicate clearsContent(Node n, Content c) {
+predicate clearsContent(Node n, ContentSet c) {
   // Because our post-update nodes are shared between multiple pre-update
   // nodes, attempting to clear content causes summary stores into arg in
   // particular to malfunction.
@@ -371,8 +371,6 @@ predicate isUnreachableInCall(Node n, DataFlowCall call) {
   getAFalsifiedGuard(call).dominates(n.getBasicBlock())
 }
 
-int accessPathLimit() { result = 5 }
-
 /**
  * Holds if access paths with `c` at their head always should be tracked at high
  * precision. This disables adaptive access path precision for such access paths.

java/ql/lib/qlpack.yml

@@ -6,6 +6,7 @@ extractor: java
 library: true
 upgrades: upgrades
 dependencies:
+  codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
   codeql/regex: ${workspace}
   codeql/tutorial: ${workspace}

java/ql/lib/semmle/code/java/Type.qll

@@ -1261,6 +1261,7 @@ predicate notHaveIntersection(RefType t1, RefType t2) {
  * Holds if there is a common (reflexive, transitive) subtype of the erased
  * types `t1` and `t2`.
  */
+pragma[nomagic]
 predicate erasedHaveIntersection(RefType t1, RefType t2) {
   exists(SrcRefType commonSub |
     commonSub.getASourceSupertype*() = t1 and commonSub.getASourceSupertype*() = t2

java/ql/lib/semmle/code/java/dataflow/DataFlow.qll

@@ -6,6 +6,8 @@
 import java
 
 module DataFlow {
-  import semmle.code.java.dataflow.internal.DataFlow
+  private import semmle.code.java.dataflow.internal.DataFlowImplSpecific
+  private import codeql.dataflow.DataFlow
+  import DataFlowMake<JavaDataFlow>
   import semmle.code.java.dataflow.internal.DataFlowImpl1
 }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlow.qll

@@ -1,450 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) data flow. This file
- * re-exports the local (intraprocedural) data flow analysis from
- * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Global` and `GlobalWithState` modules.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-import DataFlowImplCommonPublic
-private import DataFlowImpl
-
-/** An input configuration for data flow. */
-signature module ConfigSig {
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or isAdditionalFlowStep(_, node)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/** An input configuration for data flow using flow state. */
-signature module StateConfigSig {
-  bindingset[this]
-  class FlowState;
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  default predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  default predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or
-    isAdditionalFlowStep(_, node) or
-    isAdditionalFlowStep(node, _, _, _) or
-    isAdditionalFlowStep(_, _, node, _)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/**
- * Gets the exploration limit for `partialFlow` and `partialFlowRev`
- * measured in approximate number of interprocedural steps.
- */
-signature int explorationLimitSig();
-
-/**
- * The output of a global data flow computation.
- */
-signature module GlobalFlowSig {
-  /**
-   * A `Node` augmented with a call context (except for sinks) and an access path.
-   * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
-   */
-  class PathNode;
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate flowPath(PathNode source, PathNode sink);
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   */
-  predicate flow(Node source, Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowTo(Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowToExpr(DataFlowExpr sink);
-}
-
-/**
- * Constructs a global data flow computation.
- */
-module Global<ConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import DefaultState<Config>
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `Global` instead. */
-deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
-  import Global<Config>
-}
-
-/**
- * Constructs a global data flow computation using flow state.
- */
-module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `GlobalWithState` instead. */
-deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
-  import GlobalWithState<Config>
-}
-
-signature class PathNodeSig {
-  /** Gets a textual representation of this element. */
-  string toString();
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  );
-
-  /** Gets the underlying `Node`. */
-  Node getNode();
-}
-
-signature module PathGraphSig<PathNodeSig PathNode> {
-  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  predicate edges(PathNode a, PathNode b);
-
-  /** Holds if `n` is a node in the graph of data flow path explanations. */
-  predicate nodes(PathNode n, string key, string val);
-
-  /**
-   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-   * `ret -> out` is summarized as the edge `arg -> out`.
-   */
-  predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out);
-}
-
-/**
- * Constructs a `PathGraph` from two `PathGraph`s by disjoint union.
- */
-module MergePathGraph<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathGraphSig<PathNode1> Graph1,
-  PathGraphSig<PathNode2> Graph2>
-{
-  private newtype TPathNode =
-    TPathNode1(PathNode1 p) or
-    TPathNode2(PathNode2 p)
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the two given graphs. */
-  class PathNode extends TPathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { this = TPathNode1(result) }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { this = TPathNode2(result) }
-
-    /** Gets a textual representation of this element. */
-    string toString() {
-      result = this.asPathNode1().toString() or
-      result = this.asPathNode2().toString()
-    }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      this.asPathNode1().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) or
-      this.asPathNode2().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() {
-      result = this.asPathNode1().getNode() or
-      result = this.asPathNode2().getNode()
-    }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) {
-      Graph1::edges(a.asPathNode1(), b.asPathNode1()) or
-      Graph2::edges(a.asPathNode2(), b.asPathNode2())
-    }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Graph1::nodes(n.asPathNode1(), key, val) or
-      Graph2::nodes(n.asPathNode2(), key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Graph1::subpaths(arg.asPathNode1(), par.asPathNode1(), ret.asPathNode1(), out.asPathNode1()) or
-      Graph2::subpaths(arg.asPathNode2(), par.asPathNode2(), ret.asPathNode2(), out.asPathNode2())
-    }
-  }
-}
-
-/**
- * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
- */
-module MergePathGraph3<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
-  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
-{
-  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
-
-  private module Merged =
-    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
-  class PathNode instanceof Merged::PathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
-
-    /** Gets this as a projection on the third given `PathGraph`. */
-    PathNode3 asPathNode3() { result = super.asPathNode2() }
-
-    /** Gets a textual representation of this element. */
-    string toString() { result = super.toString() }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() { result = super.getNode() }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) { Merged::PathGraph::edges(a, b) }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Merged::PathGraph::nodes(n, key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Merged::PathGraph::subpaths(arg, par, ret, out)
-    }
-  }
-}

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplSpecific.qll

@@ -1,6 +1,9 @@
 /**
  * Provides Java-specific definitions for use in the data flow library.
  */
+
+private import codeql.dataflow.DataFlowParameter
+
 module Private {
   import DataFlowPrivate
   import DataFlowDispatch
@@ -9,3 +12,10 @@ module Private {
 module Public {
   import DataFlowUtil
 }
+
+module JavaDataFlow implements DataFlowParameter {
+  import Private
+  import Public
+
+  Node exprNode(DataFlowExpr e) { result = Public::exprNode(e) }
+}

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll

@@ -106,7 +106,7 @@ private predicate instanceFieldAssign(Expr src, FieldAccess fa) {
  * Thus, `node2` references an object with a field `f` that contains the
  * value of `node1`.
  */
-predicate storeStep(Node node1, Content f, Node node2) {
+predicate storeStep(Node node1, ContentSet f, Node node2) {
   exists(FieldAccess fa |
     instanceFieldAssign(node1.asExpr(), fa) and
     node2.(PostUpdateNode).getPreUpdateNode() = getFieldQualifier(fa) and
@@ -124,7 +124,7 @@ predicate storeStep(Node node1, Content f, Node node2) {
  * Thus, `node1` references an object with a field `f` whose value ends up in
  * `node2`.
  */
-predicate readStep(Node node1, Content f, Node node2) {
+predicate readStep(Node node1, ContentSet f, Node node2) {
   exists(FieldRead fr |
     node1 = getFieldQualifier(fr) and
     fr.getField() = f.(FieldContent).getField() and
@@ -156,7 +156,7 @@ predicate readStep(Node node1, Content f, Node node2) {
  * any value stored inside `f` is cleared at the pre-update node associated with `x`
  * in `x.f = newValue`.
  */
-predicate clearsContent(Node n, Content c) {
+predicate clearsContent(Node n, ContentSet c) {
   exists(FieldAccess fa |
     instanceFieldAssign(_, fa) and
     n = getFieldQualifier(fa) and
@@ -207,47 +207,25 @@ DataFlowType getNodeType(Node n) {
 }
 
 /** Gets a string representation of a type returned by `getErasedRepr`. */
-string ppReprType(Type t) {
+string ppReprType(DataFlowType t) {
   if t.(BoxedType).getPrimitiveType().getName() = "double"
   then result = "Number"
   else result = t.toString()
 }
 
-private predicate canContainBool(Type t) {
-  t instanceof BooleanType or
-  any(BooleanType b).(RefType).getASourceSupertype+() = t
-}
-
 /**
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
  */
-pragma[inline]
-predicate compatibleTypes(Type t1, Type t2) {
-  exists(Type e1, Type e2 |
-    e1 = getErasedRepr(t1) and
-    e2 = getErasedRepr(t2)
-  |
-    // Because of `getErasedRepr`, `erasedHaveIntersection` is a sufficient
-    // compatibility check, but `conContainBool` is kept as a dummy disjunct
-    // to get the proper join-order.
-    erasedHaveIntersection(e1, e2)
-    or
-    canContainBool(e1) and canContainBool(e2)
-  )
-}
+bindingset[t1, t2]
+pragma[inline_late]
+predicate compatibleTypes(DataFlowType t1, DataFlowType t2) { erasedHaveIntersection(t1, t2) }
 
 /** A node that performs a type cast. */
 class CastNode extends ExprNode {
   CastNode() { this.getExpr() instanceof CastingExpr }
 }
 
-/**
- * Holds if `n` should never be skipped over in the `PathGraph` and in path
- * explanations.
- */
-predicate neverSkipInPathGraph(Node n) { none() }
-
 private newtype TDataFlowCallable =
   TSrcCallable(Callable c) or
   TSummarizedCallable(SummarizedCallable c) or
@@ -381,8 +359,6 @@ predicate isUnreachableInCall(Node n, DataFlowCall call) {
   )
 }
 
-int accessPathLimit() { result = 5 }
-
 /**
  * Holds if access paths with `c` at their head always should be tracked at high
  * precision. This disables adaptive access path precision for such access paths.

java/ql/src/Telemetry/AutomodelAlertSinkUtil.qll

@@ -1,6 +1,5 @@
 private import java
 private import semmle.code.java.dataflow.ExternalFlow as ExternalFlow
-private import semmle.code.java.dataflow.internal.DataFlow
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.RequestForgeryConfig
 private import semmle.code.java.security.CommandLineQuery

python/ql/lib/qlpack.yml

@@ -6,6 +6,7 @@ extractor: python
 library: true
 upgrades: upgrades
 dependencies:
+  codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
   codeql/regex: ${workspace}
   codeql/tutorial: ${workspace}

python/ql/lib/semmle/python/dataflow/new/DataFlow.qll

@@ -22,6 +22,8 @@ private import python
  * global (inter-procedural) data flow analyses.
  */
 module DataFlow {
-  import internal.DataFlow
+  private import internal.DataFlowImplSpecific
+  private import codeql.dataflow.DataFlow
+  import DataFlowMake<PythonDataFlow>
   import internal.DataFlowImpl1
 }

python/ql/lib/semmle/python/dataflow/new/internal/DataFlow.qll

@@ -1,450 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) data flow. This file
- * re-exports the local (intraprocedural) data flow analysis from
- * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Global` and `GlobalWithState` modules.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-import DataFlowImplCommonPublic
-private import DataFlowImpl
-
-/** An input configuration for data flow. */
-signature module ConfigSig {
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or isAdditionalFlowStep(_, node)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/** An input configuration for data flow using flow state. */
-signature module StateConfigSig {
-  bindingset[this]
-  class FlowState;
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  default predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  default predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or
-    isAdditionalFlowStep(_, node) or
-    isAdditionalFlowStep(node, _, _, _) or
-    isAdditionalFlowStep(_, _, node, _)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/**
- * Gets the exploration limit for `partialFlow` and `partialFlowRev`
- * measured in approximate number of interprocedural steps.
- */
-signature int explorationLimitSig();
-
-/**
- * The output of a global data flow computation.
- */
-signature module GlobalFlowSig {
-  /**
-   * A `Node` augmented with a call context (except for sinks) and an access path.
-   * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
-   */
-  class PathNode;
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate flowPath(PathNode source, PathNode sink);
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   */
-  predicate flow(Node source, Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowTo(Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowToExpr(DataFlowExpr sink);
-}
-
-/**
- * Constructs a global data flow computation.
- */
-module Global<ConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import DefaultState<Config>
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `Global` instead. */
-deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
-  import Global<Config>
-}
-
-/**
- * Constructs a global data flow computation using flow state.
- */
-module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `GlobalWithState` instead. */
-deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
-  import GlobalWithState<Config>
-}
-
-signature class PathNodeSig {
-  /** Gets a textual representation of this element. */
-  string toString();
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  );
-
-  /** Gets the underlying `Node`. */
-  Node getNode();
-}
-
-signature module PathGraphSig<PathNodeSig PathNode> {
-  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  predicate edges(PathNode a, PathNode b);
-
-  /** Holds if `n` is a node in the graph of data flow path explanations. */
-  predicate nodes(PathNode n, string key, string val);
-
-  /**
-   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-   * `ret -> out` is summarized as the edge `arg -> out`.
-   */
-  predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out);
-}
-
-/**
- * Constructs a `PathGraph` from two `PathGraph`s by disjoint union.
- */
-module MergePathGraph<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathGraphSig<PathNode1> Graph1,
-  PathGraphSig<PathNode2> Graph2>
-{
-  private newtype TPathNode =
-    TPathNode1(PathNode1 p) or
-    TPathNode2(PathNode2 p)
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the two given graphs. */
-  class PathNode extends TPathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { this = TPathNode1(result) }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { this = TPathNode2(result) }
-
-    /** Gets a textual representation of this element. */
-    string toString() {
-      result = this.asPathNode1().toString() or
-      result = this.asPathNode2().toString()
-    }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      this.asPathNode1().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) or
-      this.asPathNode2().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() {
-      result = this.asPathNode1().getNode() or
-      result = this.asPathNode2().getNode()
-    }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) {
-      Graph1::edges(a.asPathNode1(), b.asPathNode1()) or
-      Graph2::edges(a.asPathNode2(), b.asPathNode2())
-    }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Graph1::nodes(n.asPathNode1(), key, val) or
-      Graph2::nodes(n.asPathNode2(), key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Graph1::subpaths(arg.asPathNode1(), par.asPathNode1(), ret.asPathNode1(), out.asPathNode1()) or
-      Graph2::subpaths(arg.asPathNode2(), par.asPathNode2(), ret.asPathNode2(), out.asPathNode2())
-    }
-  }
-}
-
-/**
- * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
- */
-module MergePathGraph3<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
-  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
-{
-  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
-
-  private module Merged =
-    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
-  class PathNode instanceof Merged::PathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
-
-    /** Gets this as a projection on the third given `PathGraph`. */
-    PathNode3 asPathNode3() { result = super.asPathNode2() }
-
-    /** Gets a textual representation of this element. */
-    string toString() { result = super.toString() }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() { result = super.getNode() }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) { Merged::PathGraph::edges(a, b) }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Merged::PathGraph::nodes(n, key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Merged::PathGraph::subpaths(arg, par, ret, out)
-    }
-  }
-}

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll

@@ -1561,7 +1561,8 @@ private class SummaryPostUpdateNode extends FlowSummaryNode, PostUpdateNodeImpl
 }
 
 /** Gets a viable run-time target for the call `call`. */
-DataFlowCallable viableCallable(ExtractedDataFlowCall call) {
+DataFlowCallable viableCallable(DataFlowCall call) {
+  call instanceof ExtractedDataFlowCall and
   result = call.getCallable()
   or
   // A call to a library callable with a flow summary

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplSpecific.qll

@@ -2,6 +2,7 @@
  * Provides Python-specific definitions for use in the data flow library.
  */
 
+private import codeql.dataflow.DataFlowParameter
 // we need to export `Unit` for the DataFlowImpl* files
 private import python as Python
 
@@ -13,3 +14,12 @@ module Public {
   import DataFlowPublic
   import DataFlowUtil
 }
+
+module PythonDataFlow implements DataFlowParameter {
+  import Private
+  import Public
+
+  predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1;
+
+  Node exprNode(DataFlowExpr e) { result = Public::exprNode(e) }
+}

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

@@ -22,8 +22,8 @@ import DataFlowDispatch
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
 
 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNodeImpl p, DataFlowCallable c, ParameterPosition pos) {
-  p.isParameterOf(c, pos)
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
+  p.(ParameterNodeImpl).isParameterOf(c, pos)
 }
 
 /** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
@@ -608,7 +608,7 @@ predicate jumpStepNotSharedWithTypeTracker(Node nodeFrom, Node nodeTo) {
  * Holds if data can flow from `nodeFrom` to `nodeTo` via an assignment to
  * content `c`.
  */
-predicate storeStep(Node nodeFrom, Content c, Node nodeTo) {
+predicate storeStep(Node nodeFrom, ContentSet c, Node nodeTo) {
   listStoreStep(nodeFrom, c, nodeTo)
   or
   setStoreStep(nodeFrom, c, nodeTo)
@@ -806,7 +806,7 @@ predicate attributeStoreStep(Node nodeFrom, AttributeContent c, PostUpdateNode n
 /**
  * Holds if data can flow from `nodeFrom` to `nodeTo` via a read of content `c`.
  */
-predicate readStep(Node nodeFrom, Content c, Node nodeTo) {
+predicate readStep(Node nodeFrom, ContentSet c, Node nodeTo) {
   subscriptReadStep(nodeFrom, c, nodeTo)
   or
   iterableUnpackingReadStep(nodeFrom, c, nodeTo)
@@ -881,7 +881,7 @@ predicate attributeReadStep(Node nodeFrom, AttributeContent c, AttrRead nodeTo)
  * any value stored inside `f` is cleared at the pre-update node associated with `x`
  * in `x.f = newValue`.
  */
-predicate clearsContent(Node n, Content c) {
+predicate clearsContent(Node n, ContentSet c) {
   matchClearStep(n, c)
   or
   attributeClearStep(n, c)
@@ -933,8 +933,6 @@ DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
  */
 predicate mayBenefitFromCallContext(DataFlowCall call, DataFlowCallable c) { none() }
 
-int accessPathLimit() { result = 5 }
-
 /**
  * Holds if access paths with `c` at their head always should be tracked at high
  * precision. This disables adaptive access path precision for such access paths.

ruby/ql/lib/codeql/ruby/DataFlow.qll

@@ -10,6 +10,8 @@ import codeql.Locations
  * global (inter-procedural) data flow analyses.
  */
 module DataFlow {
-  import codeql.ruby.dataflow.internal.DataFlow
+  private import codeql.ruby.dataflow.internal.DataFlowImplSpecific
+  private import codeql.dataflow.DataFlow
+  import DataFlowMake<RubyDataFlow>
   import codeql.ruby.dataflow.internal.DataFlowImpl1
 }

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlow.qll

@@ -1,450 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) data flow. This file
- * re-exports the local (intraprocedural) data flow analysis from
- * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Global` and `GlobalWithState` modules.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-import DataFlowImplCommonPublic
-private import DataFlowImpl
-
-/** An input configuration for data flow. */
-signature module ConfigSig {
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or isAdditionalFlowStep(_, node)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/** An input configuration for data flow using flow state. */
-signature module StateConfigSig {
-  bindingset[this]
-  class FlowState;
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  default predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  default predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or
-    isAdditionalFlowStep(_, node) or
-    isAdditionalFlowStep(node, _, _, _) or
-    isAdditionalFlowStep(_, _, node, _)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/**
- * Gets the exploration limit for `partialFlow` and `partialFlowRev`
- * measured in approximate number of interprocedural steps.
- */
-signature int explorationLimitSig();
-
-/**
- * The output of a global data flow computation.
- */
-signature module GlobalFlowSig {
-  /**
-   * A `Node` augmented with a call context (except for sinks) and an access path.
-   * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
-   */
-  class PathNode;
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate flowPath(PathNode source, PathNode sink);
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   */
-  predicate flow(Node source, Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowTo(Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowToExpr(DataFlowExpr sink);
-}
-
-/**
- * Constructs a global data flow computation.
- */
-module Global<ConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import DefaultState<Config>
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `Global` instead. */
-deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
-  import Global<Config>
-}
-
-/**
- * Constructs a global data flow computation using flow state.
- */
-module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `GlobalWithState` instead. */
-deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
-  import GlobalWithState<Config>
-}
-
-signature class PathNodeSig {
-  /** Gets a textual representation of this element. */
-  string toString();
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  );
-
-  /** Gets the underlying `Node`. */
-  Node getNode();
-}
-
-signature module PathGraphSig<PathNodeSig PathNode> {
-  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  predicate edges(PathNode a, PathNode b);
-
-  /** Holds if `n` is a node in the graph of data flow path explanations. */
-  predicate nodes(PathNode n, string key, string val);
-
-  /**
-   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-   * `ret -> out` is summarized as the edge `arg -> out`.
-   */
-  predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out);
-}
-
-/**
- * Constructs a `PathGraph` from two `PathGraph`s by disjoint union.
- */
-module MergePathGraph<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathGraphSig<PathNode1> Graph1,
-  PathGraphSig<PathNode2> Graph2>
-{
-  private newtype TPathNode =
-    TPathNode1(PathNode1 p) or
-    TPathNode2(PathNode2 p)
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the two given graphs. */
-  class PathNode extends TPathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { this = TPathNode1(result) }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { this = TPathNode2(result) }
-
-    /** Gets a textual representation of this element. */
-    string toString() {
-      result = this.asPathNode1().toString() or
-      result = this.asPathNode2().toString()
-    }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      this.asPathNode1().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) or
-      this.asPathNode2().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() {
-      result = this.asPathNode1().getNode() or
-      result = this.asPathNode2().getNode()
-    }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) {
-      Graph1::edges(a.asPathNode1(), b.asPathNode1()) or
-      Graph2::edges(a.asPathNode2(), b.asPathNode2())
-    }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Graph1::nodes(n.asPathNode1(), key, val) or
-      Graph2::nodes(n.asPathNode2(), key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Graph1::subpaths(arg.asPathNode1(), par.asPathNode1(), ret.asPathNode1(), out.asPathNode1()) or
-      Graph2::subpaths(arg.asPathNode2(), par.asPathNode2(), ret.asPathNode2(), out.asPathNode2())
-    }
-  }
-}
-
-/**
- * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
- */
-module MergePathGraph3<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
-  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
-{
-  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
-
-  private module Merged =
-    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
-  class PathNode instanceof Merged::PathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
-
-    /** Gets this as a projection on the third given `PathGraph`. */
-    PathNode3 asPathNode3() { result = super.asPathNode2() }
-
-    /** Gets a textual representation of this element. */
-    string toString() { result = super.toString() }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() { result = super.getNode() }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) { Merged::PathGraph::edges(a, b) }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Merged::PathGraph::nodes(n, key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Merged::PathGraph::subpaths(arg, par, ret, out)
-    }
-  }
-}

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -1416,6 +1416,8 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
  * This is a temporary hook to support technical debt in the Go language; do not use.
  */
 pragma[inline]
-predicate golangSpecificParamArgFilter(DataFlowCall call, DataFlow::Node p, ArgumentNode arg) {
+predicate golangSpecificParamArgFilter(
+  DataFlowCall call, DataFlow::ParameterNode p, ArgumentNode arg
+) {
   any()
 }

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplSpecific.qll

@@ -1,6 +1,9 @@
 /**
  * Provides Ruby-specific definitions for use in the data flow library.
  */
+
+private import codeql.dataflow.DataFlowParameter
+
 module Private {
   import DataFlowPrivate
   import DataFlowDispatch
@@ -9,3 +12,16 @@ module Private {
 module Public {
   import DataFlowPublic
 }
+
+module RubyDataFlow implements DataFlowParameter {
+  import Private
+  import Public
+
+  predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
+    Private::isParameterNode(p, c, pos)
+  }
+
+  predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1;
+
+  Node exprNode(DataFlowExpr e) { result = Public::exprNode(e) }
+}

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -12,7 +12,7 @@ private import FlowSummaryImplSpecific as FlowSummaryImplSpecific
 private import codeql.ruby.frameworks.data.ModelsAsData
 
 /** Gets the callable in which this node occurs. */
-DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallable() }
+DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.(NodeImpl).getEnclosingCallable() }
 
 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
 predicate isParameterNode(ParameterNodeImpl p, DataFlowCallable c, ParameterPosition pos) {
@@ -1232,7 +1232,7 @@ class DataFlowType extends TDataFlowType {
 predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() }
 
 /** Gets the type of `n` used for type pruning. */
-DataFlowType getNodeType(NodeImpl n) { result = TTodoDataFlowType() and exists(n) }
+DataFlowType getNodeType(Node n) { result = TTodoDataFlowType() and exists(n) }
 
 /** Gets a string representation of a `DataFlowType`. */
 string ppReprType(DataFlowType t) { none() }
@@ -1304,8 +1304,6 @@ predicate neverSkipInPathGraph(Node n) {
 
 class DataFlowExpr = CfgNodes::ExprCfgNode;
 
-int accessPathLimit() { result = 5 }
-
 /**
  * Holds if access paths with `c` at their head always should be tracked at high
  * precision. This disables adaptive access path precision for such access paths.

ruby/ql/lib/qlpack.yml

@@ -6,6 +6,7 @@ dbscheme: ruby.dbscheme
 upgrades: upgrades
 library: true
 dependencies:
+  codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
   codeql/regex: ${workspace}
   codeql/ssa: ${workspace}

shared/dataflow/change-notes/2023-08-02-dataflow-initial.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Initial release. Moves the shared inter-procedural data-flow library into its own qlpack.

shared/dataflow/codeql/dataflow/DataFlow.qll

@@ -0,0 +1,460 @@
+/**
+ * Provides an implementation of global (interprocedural) data flow. This file
+ * re-exports the local (intraprocedural) data flow analysis from
+ * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
+ * through the `Global` and `GlobalWithState` modules.
+ */
+
+import DataFlowParameter
+
+module Configs<DataFlowParameter Lang> {
+  private import Lang
+  private import DataFlowImplCommon::MakeImplCommon<Lang>
+  import DataFlowImplCommonPublic
+
+  /** An input configuration for data flow. */
+  signature module ConfigSig {
+    /**
+     * Holds if `source` is a relevant data flow source.
+     */
+    predicate isSource(Node source);
+
+    /**
+     * Holds if `sink` is a relevant data flow sink.
+     */
+    predicate isSink(Node sink);
+
+    /**
+     * Holds if data flow through `node` is prohibited. This completely removes
+     * `node` from the data flow graph.
+     */
+    default predicate isBarrier(Node node) { none() }
+
+    /** Holds if data flow into `node` is prohibited. */
+    default predicate isBarrierIn(Node node) { none() }
+
+    /** Holds if data flow out of `node` is prohibited. */
+    default predicate isBarrierOut(Node node) { none() }
+
+    /**
+     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
+     */
+    default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
+
+    /**
+     * Holds if an arbitrary number of implicit read steps of content `c` may be
+     * taken at `node`.
+     */
+    default predicate allowImplicitRead(Node node, ContentSet c) { none() }
+
+    /**
+     * Holds if `node` should never be skipped over in the `PathGraph` and in path
+     * explanations.
+     */
+    default predicate neverSkip(Node node) {
+      isAdditionalFlowStep(node, _) or isAdditionalFlowStep(_, node)
+    }
+
+    /**
+     * Gets the virtual dispatch branching limit when calculating field flow.
+     * This can be overridden to a smaller value to improve performance (a
+     * value of 0 disables field flow), or a larger value to get more results.
+     */
+    default int fieldFlowBranchLimit() { result = 2 }
+
+    /**
+     * Gets a data flow configuration feature to add restrictions to the set of
+     * valid flow paths.
+     *
+     * - `FeatureHasSourceCallContext`:
+     *    Assume that sources have some existing call context to disallow
+     *    conflicting return-flow directly following the source.
+     * - `FeatureHasSinkCallContext`:
+     *    Assume that sinks have some existing call context to disallow
+     *    conflicting argument-to-parameter flow directly preceding the sink.
+     * - `FeatureEqualSourceSinkCallContext`:
+     *    Implies both of the above and additionally ensures that the entire flow
+     *    path preserves the call context.
+     *
+     * These features are generally not relevant for typical end-to-end data flow
+     * queries, but should only be used for constructing paths that need to
+     * somehow be pluggable in another path context.
+     */
+    default FlowFeature getAFeature() { none() }
+
+    /** Holds if sources should be grouped in the result of `flowPath`. */
+    default predicate sourceGrouping(Node source, string sourceGroup) { none() }
+
+    /** Holds if sinks should be grouped in the result of `flowPath`. */
+    default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
+
+    /**
+     * Holds if hidden nodes should be included in the data flow graph.
+     *
+     * This feature should only be used for debugging or when the data flow graph
+     * is not visualized (as it is in a `path-problem` query).
+     */
+    default predicate includeHiddenNodes() { none() }
+  }
+
+  /** An input configuration for data flow using flow state. */
+  signature module StateConfigSig {
+    bindingset[this]
+    class FlowState;
+
+    /**
+     * Holds if `source` is a relevant data flow source with the given initial
+     * `state`.
+     */
+    predicate isSource(Node source, FlowState state);
+
+    /**
+     * Holds if `sink` is a relevant data flow sink accepting `state`.
+     */
+    predicate isSink(Node sink, FlowState state);
+
+    /**
+     * Holds if data flow through `node` is prohibited. This completely removes
+     * `node` from the data flow graph.
+     */
+    default predicate isBarrier(Node node) { none() }
+
+    /**
+     * Holds if data flow through `node` is prohibited when the flow state is
+     * `state`.
+     */
+    default predicate isBarrier(Node node, FlowState state) { none() }
+
+    /** Holds if data flow into `node` is prohibited. */
+    default predicate isBarrierIn(Node node) { none() }
+
+    /** Holds if data flow out of `node` is prohibited. */
+    default predicate isBarrierOut(Node node) { none() }
+
+    /**
+     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
+     */
+    default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
+
+    /**
+     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
+     * This step is only applicable in `state1` and updates the flow state to `state2`.
+     */
+    default predicate isAdditionalFlowStep(
+      Node node1, FlowState state1, Node node2, FlowState state2
+    ) {
+      none()
+    }
+
+    /**
+     * Holds if an arbitrary number of implicit read steps of content `c` may be
+     * taken at `node`.
+     */
+    default predicate allowImplicitRead(Node node, ContentSet c) { none() }
+
+    /**
+     * Holds if `node` should never be skipped over in the `PathGraph` and in path
+     * explanations.
+     */
+    default predicate neverSkip(Node node) {
+      isAdditionalFlowStep(node, _) or
+      isAdditionalFlowStep(_, node) or
+      isAdditionalFlowStep(node, _, _, _) or
+      isAdditionalFlowStep(_, _, node, _)
+    }
+
+    /**
+     * Gets the virtual dispatch branching limit when calculating field flow.
+     * This can be overridden to a smaller value to improve performance (a
+     * value of 0 disables field flow), or a larger value to get more results.
+     */
+    default int fieldFlowBranchLimit() { result = 2 }
+
+    /**
+     * Gets a data flow configuration feature to add restrictions to the set of
+     * valid flow paths.
+     *
+     * - `FeatureHasSourceCallContext`:
+     *    Assume that sources have some existing call context to disallow
+     *    conflicting return-flow directly following the source.
+     * - `FeatureHasSinkCallContext`:
+     *    Assume that sinks have some existing call context to disallow
+     *    conflicting argument-to-parameter flow directly preceding the sink.
+     * - `FeatureEqualSourceSinkCallContext`:
+     *    Implies both of the above and additionally ensures that the entire flow
+     *    path preserves the call context.
+     *
+     * These features are generally not relevant for typical end-to-end data flow
+     * queries, but should only be used for constructing paths that need to
+     * somehow be pluggable in another path context.
+     */
+    default FlowFeature getAFeature() { none() }
+
+    /** Holds if sources should be grouped in the result of `flowPath`. */
+    default predicate sourceGrouping(Node source, string sourceGroup) { none() }
+
+    /** Holds if sinks should be grouped in the result of `flowPath`. */
+    default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
+
+    /**
+     * Holds if hidden nodes should be included in the data flow graph.
+     *
+     * This feature should only be used for debugging or when the data flow graph
+     * is not visualized (as it is in a `path-problem` query).
+     */
+    default predicate includeHiddenNodes() { none() }
+  }
+}
+
+module DataFlowMake<DataFlowParameter Lang> {
+  private import Lang
+  private import DataFlowImpl::MakeImpl<Lang>
+  import Configs<Lang>
+
+  /**
+   * Gets the exploration limit for `partialFlow` and `partialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  signature int explorationLimitSig();
+
+  /**
+   * The output of a global data flow computation.
+   */
+  signature module GlobalFlowSig {
+    /**
+     * A `Node` augmented with a call context (except for sinks) and an access path.
+     * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
+     */
+    class PathNode;
+
+    /**
+     * Holds if data can flow from `source` to `sink`.
+     *
+     * The corresponding paths are generated from the end-points and the graph
+     * included in the module `PathGraph`.
+     */
+    predicate flowPath(PathNode source, PathNode sink);
+
+    /**
+     * Holds if data can flow from `source` to `sink`.
+     */
+    predicate flow(Node source, Node sink);
+
+    /**
+     * Holds if data can flow from some source to `sink`.
+     */
+    predicate flowTo(Node sink);
+
+    /**
+     * Holds if data can flow from some source to `sink`.
+     */
+    predicate flowToExpr(DataFlowExpr sink);
+  }
+
+  /**
+   * Constructs a global data flow computation.
+   */
+  module Global<ConfigSig Config> implements GlobalFlowSig {
+    private module C implements FullStateConfigSig {
+      import DefaultState<Config>
+      import Config
+    }
+
+    import Impl<C>
+  }
+
+  /** DEPRECATED: Use `Global` instead. */
+  deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
+    import Global<Config>
+  }
+
+  /**
+   * Constructs a global data flow computation using flow state.
+   */
+  module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
+    private module C implements FullStateConfigSig {
+      import Config
+    }
+
+    import Impl<C>
+  }
+
+  /** DEPRECATED: Use `GlobalWithState` instead. */
+  deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
+    import GlobalWithState<Config>
+  }
+
+  signature class PathNodeSig {
+    /** Gets a textual representation of this element. */
+    string toString();
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    );
+
+    /** Gets the underlying `Node`. */
+    Node getNode();
+  }
+
+  signature module PathGraphSig<PathNodeSig PathNode> {
+    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
+    predicate edges(PathNode a, PathNode b);
+
+    /** Holds if `n` is a node in the graph of data flow path explanations. */
+    predicate nodes(PathNode n, string key, string val);
+
+    /**
+     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+     * `ret -> out` is summarized as the edge `arg -> out`.
+     */
+    predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out);
+  }
+
+  /**
+   * Constructs a `PathGraph` from two `PathGraph`s by disjoint union.
+   */
+  module MergePathGraph<
+    PathNodeSig PathNode1, PathNodeSig PathNode2, PathGraphSig<PathNode1> Graph1,
+    PathGraphSig<PathNode2> Graph2>
+  {
+    private newtype TPathNode =
+      TPathNode1(PathNode1 p) or
+      TPathNode2(PathNode2 p)
+
+    /** A node in a graph of path explanations that is formed by disjoint union of the two given graphs. */
+    class PathNode extends TPathNode {
+      /** Gets this as a projection on the first given `PathGraph`. */
+      PathNode1 asPathNode1() { this = TPathNode1(result) }
+
+      /** Gets this as a projection on the second given `PathGraph`. */
+      PathNode2 asPathNode2() { this = TPathNode2(result) }
+
+      /** Gets a textual representation of this element. */
+      string toString() {
+        result = this.asPathNode1().toString() or
+        result = this.asPathNode2().toString()
+      }
+
+      /**
+       * Holds if this element is at the specified location.
+       * The location spans column `startcolumn` of line `startline` to
+       * column `endcolumn` of line `endline` in file `filepath`.
+       * For more information, see
+       * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+       */
+      predicate hasLocationInfo(
+        string filepath, int startline, int startcolumn, int endline, int endcolumn
+      ) {
+        this.asPathNode1().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) or
+        this.asPathNode2().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+      }
+
+      /** Gets the underlying `Node`. */
+      Node getNode() {
+        result = this.asPathNode1().getNode() or
+        result = this.asPathNode2().getNode()
+      }
+    }
+
+    /**
+     * Provides the query predicates needed to include a graph in a path-problem query.
+     */
+    module PathGraph implements PathGraphSig<PathNode> {
+      /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
+      query predicate edges(PathNode a, PathNode b) {
+        Graph1::edges(a.asPathNode1(), b.asPathNode1()) or
+        Graph2::edges(a.asPathNode2(), b.asPathNode2())
+      }
+
+      /** Holds if `n` is a node in the graph of data flow path explanations. */
+      query predicate nodes(PathNode n, string key, string val) {
+        Graph1::nodes(n.asPathNode1(), key, val) or
+        Graph2::nodes(n.asPathNode2(), key, val)
+      }
+
+      /**
+       * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+       * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+       * `ret -> out` is summarized as the edge `arg -> out`.
+       */
+      query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
+        Graph1::subpaths(arg.asPathNode1(), par.asPathNode1(), ret.asPathNode1(), out.asPathNode1()) or
+        Graph2::subpaths(arg.asPathNode2(), par.asPathNode2(), ret.asPathNode2(), out.asPathNode2())
+      }
+    }
+  }
+
+  /**
+   * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
+   */
+  module MergePathGraph3<
+    PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
+    PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
+  {
+    private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
+
+    private module Merged =
+      MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
+
+    /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
+    class PathNode instanceof Merged::PathNode {
+      /** Gets this as a projection on the first given `PathGraph`. */
+      PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
+
+      /** Gets this as a projection on the second given `PathGraph`. */
+      PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
+
+      /** Gets this as a projection on the third given `PathGraph`. */
+      PathNode3 asPathNode3() { result = super.asPathNode2() }
+
+      /** Gets a textual representation of this element. */
+      string toString() { result = super.toString() }
+
+      /**
+       * Holds if this element is at the specified location.
+       * The location spans column `startcolumn` of line `startline` to
+       * column `endcolumn` of line `endline` in file `filepath`.
+       * For more information, see
+       * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+       */
+      predicate hasLocationInfo(
+        string filepath, int startline, int startcolumn, int endline, int endcolumn
+      ) {
+        super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+      }
+
+      /** Gets the underlying `Node`. */
+      Node getNode() { result = super.getNode() }
+    }
+
+    /**
+     * Provides the query predicates needed to include a graph in a path-problem query.
+     */
+    module PathGraph implements PathGraphSig<PathNode> {
+      /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
+      query predicate edges(PathNode a, PathNode b) { Merged::PathGraph::edges(a, b) }
+
+      /** Holds if `n` is a node in the graph of data flow path explanations. */
+      query predicate nodes(PathNode n, string key, string val) {
+        Merged::PathGraph::nodes(n, key, val)
+      }
+
+      /**
+       * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+       * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+       * `ret -> out` is summarized as the edge `arg -> out`.
+       */
+      query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
+        Merged::PathGraph::subpaths(arg, par, ret, out)
+      }
+    }
+  }
+}

shared/dataflow/codeql/dataflow/DataFlowParameter.qll

@@ -0,0 +1,220 @@
+signature module DataFlowParameter {
+  class Node {
+    /** Gets a textual representation of this element. */
+    string toString();
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    );
+  }
+
+  class ParameterNode extends Node;
+
+  class ArgumentNode extends Node;
+
+  class ReturnNode extends Node {
+    ReturnKind getKind();
+  }
+
+  class OutNode extends Node;
+
+  class PostUpdateNode extends Node {
+    Node getPreUpdateNode();
+  }
+
+  class CastNode extends Node;
+
+  predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos);
+
+  predicate isArgumentNode(ArgumentNode n, DataFlowCall call, ArgumentPosition pos);
+
+  DataFlowCallable nodeGetEnclosingCallable(Node node);
+
+  DataFlowType getNodeType(Node node);
+
+  predicate nodeIsHidden(Node node);
+
+  class DataFlowExpr;
+
+  /** Gets the node corresponding to `e`. */
+  Node exprNode(DataFlowExpr e);
+
+  class DataFlowCall {
+    /** Gets a textual representation of this element. */
+    string toString();
+
+    DataFlowCallable getEnclosingCallable();
+  }
+
+  class DataFlowCallable {
+    /** Gets a textual representation of this element. */
+    string toString();
+  }
+
+  class ReturnKind {
+    /** Gets a textual representation of this element. */
+    string toString();
+  }
+
+  /** Gets a viable implementation of the target of the given `Call`. */
+  DataFlowCallable viableCallable(DataFlowCall c);
+
+  /**
+   * Holds if the set of viable implementations that can be called by `call`
+   * might be improved by knowing the call context.
+   */
+  predicate mayBenefitFromCallContext(DataFlowCall call, DataFlowCallable c);
+
+  /**
+   * Gets a viable dispatch target of `call` in the context `ctx`. This is
+   * restricted to those `call`s for which a context might make a difference.
+   */
+  DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx);
+
+  /**
+   * Gets a node that can read the value returned from `call` with return kind
+   * `kind`.
+   */
+  OutNode getAnOutNode(DataFlowCall call, ReturnKind kind);
+
+  class DataFlowType {
+    /** Gets a textual representation of this element. */
+    string toString();
+  }
+
+  string ppReprType(DataFlowType t);
+
+  bindingset[t1, t2]
+  predicate compatibleTypes(DataFlowType t1, DataFlowType t2);
+
+  predicate typeStrongerThan(DataFlowType t1, DataFlowType t2);
+
+  class Content {
+    /** Gets a textual representation of this element. */
+    string toString();
+  }
+
+  predicate forceHighPrecision(Content c);
+
+  /**
+   * An entity that represents a set of `Content`s.
+   *
+   * The set may be interpreted differently depending on whether it is
+   * stored into (`getAStoreContent`) or read from (`getAReadContent`).
+   */
+  class ContentSet {
+    /** Gets a content that may be stored into when storing into this set. */
+    Content getAStoreContent();
+
+    /** Gets a content that may be read from when reading from this set. */
+    Content getAReadContent();
+  }
+
+  class ContentApprox {
+    /** Gets a textual representation of this element. */
+    string toString();
+  }
+
+  ContentApprox getContentApprox(Content c);
+
+  class ParameterPosition {
+    /** Gets a textual representation of this element. */
+    bindingset[this]
+    string toString();
+  }
+
+  class ArgumentPosition {
+    /** Gets a textual representation of this element. */
+    bindingset[this]
+    string toString();
+  }
+
+  predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos);
+
+  predicate simpleLocalFlowStep(Node node1, Node node2);
+
+  /**
+   * Holds if data can flow from `node1` to `node2` through a non-local step
+   * that does not follow a call edge. For example, a step through a global
+   * variable.
+   */
+  predicate jumpStep(Node node1, Node node2);
+
+  /**
+   * Holds if data can flow from `node1` to `node2` via a read of `c`.  Thus,
+   * `node1` references an object with a content `c.getAReadContent()` whose
+   * value ends up in `node2`.
+   */
+  predicate readStep(Node node1, ContentSet c, Node node2);
+
+  /**
+   * Holds if data can flow from `node1` to `node2` via a store into `c`.  Thus,
+   * `node2` references an object with a content `c.getAStoreContent()` that
+   * contains the value of `node1`.
+   */
+  predicate storeStep(Node node1, ContentSet c, Node node2);
+
+  /**
+   * Holds if values stored inside content `c` are cleared at node `n`. For example,
+   * any value stored inside `f` is cleared at the pre-update node associated with `x`
+   * in `x.f = newValue`.
+   */
+  predicate clearsContent(Node n, ContentSet c);
+
+  /**
+   * Holds if the value that is being tracked is expected to be stored inside content `c`
+   * at node `n`.
+   */
+  predicate expectsContent(Node n, ContentSet c);
+
+  /**
+   * Holds if the node `n` is unreachable when the call context is `call`.
+   */
+  predicate isUnreachableInCall(Node n, DataFlowCall call);
+
+  default int accessPathLimit() { result = 5 }
+
+  /**
+   * Holds if flow is allowed to pass from parameter `p` and back to itself as a
+   * side-effect, resulting in a summary from `p` to itself.
+   *
+   * One example would be to allow flow like `p.foo = p.bar;`, which is disallowed
+   * by default as a heuristic.
+   */
+  predicate allowParameterReturnInSelf(ParameterNode p);
+
+  class LambdaCallKind;
+
+  /** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
+  predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c);
+
+  /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
+  predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver);
+
+  /** Extra data-flow steps needed for lambda flow analysis. */
+  predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue);
+
+  /**
+   * Holds if `n` should never be skipped over in the `PathGraph` and in path
+   * explanations.
+   */
+  default predicate neverSkipInPathGraph(Node n) { none() }
+
+  /**
+   * Gets an additional term that is added to the `join` and `branch` computations to reflect
+   * an additional forward or backwards branching factor that is not taken into account
+   * when calculating the (virtual) dispatch cost.
+   *
+   * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
+   */
+  int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p);
+
+  predicate golangSpecificParamArgFilter(DataFlowCall call, ParameterNode p, ArgumentNode arg);
+}

shared/dataflow/qlpack.yml

@@ -0,0 +1,8 @@
+name: codeql/dataflow
+version: 0.0.1-dev
+groups: shared
+library: true
+dependencies:
+  codeql/ssa: ${workspace}
+  codeql/util: ${workspace}
+warnOnImplicitThis: true

swift/ql/lib/codeql/swift/dataflow/DataFlow.qll

@@ -3,6 +3,8 @@
  * global (inter-procedural) data flow analyses.
  */
 module DataFlow {
-  import internal.DataFlow
+  private import internal.DataFlowImplSpecific
+  private import codeql.dataflow.DataFlow
+  import DataFlowMake<SwiftDataFlow>
   import internal.DataFlowImpl1
 }

swift/ql/lib/codeql/swift/dataflow/internal/DataFlow.qll

@@ -1,450 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) data flow. This file
- * re-exports the local (intraprocedural) data flow analysis from
- * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Global` and `GlobalWithState` modules.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-import DataFlowImplCommonPublic
-private import DataFlowImpl
-
-/** An input configuration for data flow. */
-signature module ConfigSig {
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or isAdditionalFlowStep(_, node)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/** An input configuration for data flow using flow state. */
-signature module StateConfigSig {
-  bindingset[this]
-  class FlowState;
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state);
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state);
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  default predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  default predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  default predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  default predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  default predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  default predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Holds if `node` should never be skipped over in the `PathGraph` and in path
-   * explanations.
-   */
-  default predicate neverSkip(Node node) {
-    isAdditionalFlowStep(node, _) or
-    isAdditionalFlowStep(_, node) or
-    isAdditionalFlowStep(node, _, _, _) or
-    isAdditionalFlowStep(_, _, node, _)
-  }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  default int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  default FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `flowPath`. */
-  default predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `flowPath`. */
-  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (as it is in a `path-problem` query).
-   */
-  default predicate includeHiddenNodes() { none() }
-}
-
-/**
- * Gets the exploration limit for `partialFlow` and `partialFlowRev`
- * measured in approximate number of interprocedural steps.
- */
-signature int explorationLimitSig();
-
-/**
- * The output of a global data flow computation.
- */
-signature module GlobalFlowSig {
-  /**
-   * A `Node` augmented with a call context (except for sinks) and an access path.
-   * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
-   */
-  class PathNode;
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate flowPath(PathNode source, PathNode sink);
-
-  /**
-   * Holds if data can flow from `source` to `sink`.
-   */
-  predicate flow(Node source, Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowTo(Node sink);
-
-  /**
-   * Holds if data can flow from some source to `sink`.
-   */
-  predicate flowToExpr(DataFlowExpr sink);
-}
-
-/**
- * Constructs a global data flow computation.
- */
-module Global<ConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import DefaultState<Config>
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `Global` instead. */
-deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
-  import Global<Config>
-}
-
-/**
- * Constructs a global data flow computation using flow state.
- */
-module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
-  private module C implements FullStateConfigSig {
-    import Config
-  }
-
-  import Impl<C>
-}
-
-/** DEPRECATED: Use `GlobalWithState` instead. */
-deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
-  import GlobalWithState<Config>
-}
-
-signature class PathNodeSig {
-  /** Gets a textual representation of this element. */
-  string toString();
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  );
-
-  /** Gets the underlying `Node`. */
-  Node getNode();
-}
-
-signature module PathGraphSig<PathNodeSig PathNode> {
-  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  predicate edges(PathNode a, PathNode b);
-
-  /** Holds if `n` is a node in the graph of data flow path explanations. */
-  predicate nodes(PathNode n, string key, string val);
-
-  /**
-   * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-   * `ret -> out` is summarized as the edge `arg -> out`.
-   */
-  predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out);
-}
-
-/**
- * Constructs a `PathGraph` from two `PathGraph`s by disjoint union.
- */
-module MergePathGraph<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathGraphSig<PathNode1> Graph1,
-  PathGraphSig<PathNode2> Graph2>
-{
-  private newtype TPathNode =
-    TPathNode1(PathNode1 p) or
-    TPathNode2(PathNode2 p)
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the two given graphs. */
-  class PathNode extends TPathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { this = TPathNode1(result) }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { this = TPathNode2(result) }
-
-    /** Gets a textual representation of this element. */
-    string toString() {
-      result = this.asPathNode1().toString() or
-      result = this.asPathNode2().toString()
-    }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      this.asPathNode1().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) or
-      this.asPathNode2().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() {
-      result = this.asPathNode1().getNode() or
-      result = this.asPathNode2().getNode()
-    }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) {
-      Graph1::edges(a.asPathNode1(), b.asPathNode1()) or
-      Graph2::edges(a.asPathNode2(), b.asPathNode2())
-    }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Graph1::nodes(n.asPathNode1(), key, val) or
-      Graph2::nodes(n.asPathNode2(), key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Graph1::subpaths(arg.asPathNode1(), par.asPathNode1(), ret.asPathNode1(), out.asPathNode1()) or
-      Graph2::subpaths(arg.asPathNode2(), par.asPathNode2(), ret.asPathNode2(), out.asPathNode2())
-    }
-  }
-}
-
-/**
- * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
- */
-module MergePathGraph3<
-  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
-  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
-{
-  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
-
-  private module Merged =
-    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
-
-  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
-  class PathNode instanceof Merged::PathNode {
-    /** Gets this as a projection on the first given `PathGraph`. */
-    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
-
-    /** Gets this as a projection on the second given `PathGraph`. */
-    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
-
-    /** Gets this as a projection on the third given `PathGraph`. */
-    PathNode3 asPathNode3() { result = super.asPathNode2() }
-
-    /** Gets a textual representation of this element. */
-    string toString() { result = super.toString() }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-
-    /** Gets the underlying `Node`. */
-    Node getNode() { result = super.getNode() }
-  }
-
-  /**
-   * Provides the query predicates needed to include a graph in a path-problem query.
-   */
-  module PathGraph implements PathGraphSig<PathNode> {
-    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    query predicate edges(PathNode a, PathNode b) { Merged::PathGraph::edges(a, b) }
-
-    /** Holds if `n` is a node in the graph of data flow path explanations. */
-    query predicate nodes(PathNode n, string key, string val) {
-      Merged::PathGraph::nodes(n, key, val)
-    }
-
-    /**
-     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
-     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
-     * `ret -> out` is summarized as the edge `arg -> out`.
-     */
-    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-      Merged::PathGraph::subpaths(arg, par, ret, out)
-    }
-  }
-}

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplSpecific.qll

@@ -2,6 +2,7 @@
  * Provides Swift-specific definitions for use in the data flow library.
  */
 
+private import codeql.dataflow.DataFlowParameter
 // we need to export `Unit` for the DataFlowImpl* files
 private import swift as Swift
 
@@ -13,3 +14,10 @@ module Private {
 module Public {
   import DataFlowPublic
 }
+
+module SwiftDataFlow implements DataFlowParameter {
+  import Private
+  import Public
+
+  Node exprNode(DataFlowExpr e) { result = Public::exprNode(e) }
+}

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -10,11 +10,11 @@ private import codeql.swift.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import codeql.swift.frameworks.StandardLibrary.PointerTypes
 
 /** Gets the callable in which this node occurs. */
-DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallable() }
+DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.(NodeImpl).getEnclosingCallable() }
 
 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNodeImpl p, DataFlowCallable c, ParameterPosition pos) {
-  p.isParameterOf(c, pos)
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
+  p.(ParameterNodeImpl).isParameterOf(c, pos)
 }
 
 /** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
@@ -804,7 +804,7 @@ class DataFlowType extends TDataFlowType {
 predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() }
 
 /** Gets the type of `n` used for type pruning. */
-DataFlowType getNodeType(NodeImpl n) {
+DataFlowType getNodeType(Node n) {
   any() // return the singleton DataFlowType until we support type pruning for Swift
 }
 
@@ -857,18 +857,8 @@ class CastNode extends Node {
   CastNode() { none() }
 }
 
-/**
- * Holds if `n` should never be skipped over in the `PathGraph` and in path
- * explanations.
- */
-predicate neverSkipInPathGraph(Node n) { none() }
-
 class DataFlowExpr = Expr;
 
-class DataFlowParameter = ParamDecl;
-
-int accessPathLimit() { result = 5 }
-
 /**
  * Holds if access paths with `c` at their head always should be tracked at high
  * precision. This disables adaptive access path precision for such access paths.

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll

@@ -137,7 +137,7 @@ ExprNode exprNode(DataFlowExpr e) { result.asExpr() = e }
 /**
  * Gets the node corresponding to the value of parameter `p` at function entry.
  */
-ParameterNode parameterNode(DataFlowParameter p) { result.getParameter() = p }
+ParameterNode parameterNode(ParamDecl p) { result.getParameter() = p }
 
 /**
  * Holds if data flows from `nodeFrom` to `nodeTo` in exactly one local

swift/ql/lib/qlpack.yml

@@ -6,6 +6,7 @@ dbscheme: swift.dbscheme
 upgrades: upgrades
 library: true
 dependencies:
+  codeql/dataflow: ${workspace}
   codeql/regex: ${workspace}
   codeql/mad: ${workspace}
   codeql/ssa: ${workspace}