Merge branch 'main' into commandinject2

2026-04-28 10:15:14 +02:00 · 2023-08-07 19:37:05 +01:00
parent 4c8accd5ba 022a06659c
commit da34da7497
170 changed files with 10737 additions and 991 deletions
--- a/cpp/downgrades/d77c09d8bdc172c9201dec293de1e14c931d3f05/old.dbscheme
+++ b/cpp/downgrades/d77c09d8bdc172c9201dec293de1e14c931d3f05/old.dbscheme
--- a/cpp/downgrades/d77c09d8bdc172c9201dec293de1e14c931d3f05/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/d77c09d8bdc172c9201dec293de1e14c931d3f05/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/d77c09d8bdc172c9201dec293de1e14c931d3f05/upgrade.properties
+++ b/cpp/downgrades/d77c09d8bdc172c9201dec293de1e14c931d3f05/upgrade.properties
@@ -0,0 +1,2 @@
+description: Remove _Float128 type
+compatibility: full
--- a/cpp/ql/lib/change-notes/2023-08-07-removal-of-float128x.md
+++ b/cpp/ql/lib/change-notes/2023-08-07-removal-of-float128x.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `_Float128x` type is no longer exposed as a builtin type. As this type could not occur any code base, this should only affect queries that explicitly looked at the builtin types.
--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -814,9 +814,6 @@ private predicate floatingPointTypeMapping(
  // _Float128
  kind = 49 and base = 2 and domain = TRealDomain() and realKind = 49 and extended = false
  or
-  // _Float128x
-  kind = 50 and base = 2 and domain = TRealDomain() and realKind = 50 and extended = true
-  or
  // _Float16
  kind = 52 and base = 2 and domain = TRealDomain() and realKind = 52 and extended = false
  or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -1,3 +1,3 @@
 private import DataFlowImplSpecific
-private import codeql.dataflow.DataFlowImpl
+private import codeql.dataflow.internal.DataFlowImpl
 import MakeImpl<CppOldDataFlow>
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -1,3 +1,3 @@
 private import DataFlowImplSpecific
-private import codeql.dataflow.DataFlowImplCommon
+private import codeql.dataflow.internal.DataFlowImplCommon
 import MakeImplCommon<CppOldDataFlow>
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplSpecific.qll
@@ -2,7 +2,7 @@
 * Provides C++-specific definitions for use in the data flow library.
 */

-private import codeql.dataflow.DataFlowParameter
+private import codeql.dataflow.DataFlow

 module Private {
  import DataFlowPrivate
@@ -13,7 +13,7 @@ module Public {
  import DataFlowUtil
 }

-module CppOldDataFlow implements DataFlowParameter {
+module CppOldDataFlow implements InputSig {
  import Private
  import Public

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll
@@ -24,6 +24,7 @@ private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> imp
    Config::allowImplicitRead(node, c)
    or
    (
+      Config::isSink(node) or
      Config::isSink(node, _) or
      Config::isAdditionalFlowStep(node, _) or
      Config::isAdditionalFlowStep(node, _, _, _)
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -1,3 +1,3 @@
 private import DataFlowImplSpecific
-private import codeql.dataflow.DataFlowImpl
+private import codeql.dataflow.internal.DataFlowImpl
 import MakeImpl<CppDataFlow>
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -1,3 +1,3 @@
 private import DataFlowImplSpecific
-private import codeql.dataflow.DataFlowImplCommon
+private import codeql.dataflow.internal.DataFlowImplCommon
 import MakeImplCommon<CppDataFlow>
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll
@@ -2,7 +2,7 @@
 * Provides IR-specific definitions for use in the data flow library.
 */

-private import codeql.dataflow.DataFlowParameter
+private import codeql.dataflow.DataFlow

 module Private {
  import DataFlowPrivate
@@ -13,7 +13,7 @@ module Public {
  import DataFlowUtil
 }

-module CppDataFlow implements DataFlowParameter {
+module CppDataFlow implements InputSig {
  import Private
  import Public

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -1078,7 +1078,7 @@ private IRVariable getIRVariableForParameterNode(ParameterNode p) {

 /** Holds if `v` is the source variable corresponding to the parameter represented by `p`. */
 pragma[nomagic]
-private predicate parameterNodeHasSourceVariable(ParameterNode p, Ssa::SourceIRVariable v) {
+private predicate parameterNodeHasSourceVariable(ParameterNode p, Ssa::SourceVariable v) {
  v.getIRVariable() = getIRVariableForParameterNode(p) and
  exists(Position pos | p.isParameterOf(_, pos) |
    pos instanceof DirectPosition and
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -10,32 +10,35 @@ private import ssa0.SsaInternals as SsaInternals0
 import SsaInternalsCommon

 private module SourceVariables {
-  int getMaxIndirectionForIRVariable(IRVariable var) {
-    exists(Type type, boolean isGLValue |
-      var.getLanguageType().hasType(type, isGLValue) and
-      if isGLValue = true
-      then result = 1 + getMaxIndirectionsForType(type)
-      else result = getMaxIndirectionsForType(type)
-    )
-  }
-
  cached
  private newtype TSourceVariable =
-    TSourceIRVariable(BaseIRVariable baseVar, int ind) {
-      ind = [0 .. getMaxIndirectionForIRVariable(baseVar.getIRVariable())]
-    } or
-    TCallVariable(AllocationInstruction call, int ind) {
-      ind = [0 .. countIndirectionsForCppType(getResultLanguageType(call))]
+    TMkSourceVariable(SsaInternals0::SourceVariable base, int ind) {
+      ind = [0 .. countIndirectionsForCppType(base.getLanguageType()) + 1]
    }

-  abstract class SourceVariable extends TSourceVariable {
+  class SourceVariable extends TSourceVariable {
+    SsaInternals0::SourceVariable base;
    int ind;

-    bindingset[ind]
-    SourceVariable() { any() }
+    SourceVariable() { this = TMkSourceVariable(base, ind) }
+
+    /** Gets the IR variable associated with this `SourceVariable`, if any. */
+    IRVariable getIRVariable() { result = base.(BaseIRVariable).getIRVariable() }
+
+    /**
+     * Gets the base source variable (i.e., the variable without any
+     * indirections) of this source variable.
+     */
+    SsaInternals0::SourceVariable getBaseVariable() { result = base }

    /** Gets a textual representation of this element. */
-    abstract string toString();
+    string toString() {
+      ind = 0 and
+      result = this.getBaseVariable().toString()
+      or
+      ind > 0 and
+      result = this.getBaseVariable().toString() + " indirection"
+    }

    /**
     * Gets the number of loads performed on the base source variable
@@ -43,65 +46,19 @@ private module SourceVariables {
     */
    int getIndirection() { result = ind }

-    /**
-     * Gets the base source variable (i.e., the variable without any
-     * indirections) of this source variable.
-     */
-    abstract BaseSourceVariable getBaseVariable();
-
    /** Holds if this variable is a glvalue. */
-    predicate isGLValue() { none() }
+    predicate isGLValue() { ind = 0 }

    /**
     * Gets the type of this source variable. If `isGLValue()` holds, then
     * the type of this source variable should be thought of as "pointer
     * to `getType()`".
     */
-    abstract DataFlowType getType();
-  }
-
-  class SourceIRVariable extends SourceVariable, TSourceIRVariable {
-    BaseIRVariable var;
-
-    SourceIRVariable() { this = TSourceIRVariable(var, ind) }
-
-    IRVariable getIRVariable() { result = var.getIRVariable() }
-
-    override BaseIRVariable getBaseVariable() { result.getIRVariable() = this.getIRVariable() }
-
-    override string toString() {
-      ind = 0 and
-      result = this.getIRVariable().toString()
-      or
-      ind > 0 and
-      result = this.getIRVariable().toString() + " indirection"
+    DataFlowType getType() {
+      if this.isGLValue()
+      then result = base.getType()
+      else result = getTypeImpl(base.getType(), ind - 1)
    }
-
-    override predicate isGLValue() { ind = 0 }
-
-    override DataFlowType getType() {
-      if ind = 0 then result = var.getType() else result = getTypeImpl(var.getType(), ind - 1)
-    }
-  }
-
-  class CallVariable extends SourceVariable, TCallVariable {
-    AllocationInstruction call;
-
-    CallVariable() { this = TCallVariable(call, ind) }
-
-    AllocationInstruction getCall() { result = call }
-
-    override BaseCallVariable getBaseVariable() { result.getCallInstruction() = call }
-
-    override string toString() {
-      ind = 0 and
-      result = "Call"
-      or
-      ind > 0 and
-      result = "Call indirection"
-    }
-
-    override DataFlowType getType() { result = getTypeImpl(call.getResultType(), ind) }
  }
 }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -370,15 +370,20 @@ newtype TBaseSourceVariable =
  // Each allocation gets its own source variable
  TBaseCallVariable(AllocationInstruction call)

-abstract class BaseSourceVariable extends TBaseSourceVariable {
+abstract private class AbstractBaseSourceVariable extends TBaseSourceVariable {
  /** Gets a textual representation of this element. */
  abstract string toString();

  /** Gets the type of this base source variable. */
-  abstract DataFlowType getType();
+  final DataFlowType getType() { this.getLanguageType().hasUnspecifiedType(result, _) }
+
+  /** Gets the `CppType` of this base source variable. */
+  abstract CppType getLanguageType();
 }

-class BaseIRVariable extends BaseSourceVariable, TBaseIRVariable {
+final class BaseSourceVariable = AbstractBaseSourceVariable;
+
+class BaseIRVariable extends AbstractBaseSourceVariable, TBaseIRVariable {
  IRVariable var;

  IRVariable getIRVariable() { result = var }
@@ -387,10 +392,10 @@ class BaseIRVariable extends BaseSourceVariable, TBaseIRVariable {

  override string toString() { result = var.toString() }

-  override DataFlowType getType() { result = var.getType() }
+  override CppType getLanguageType() { result = var.getLanguageType() }
 }

-class BaseCallVariable extends BaseSourceVariable, TBaseCallVariable {
+class BaseCallVariable extends AbstractBaseSourceVariable, TBaseCallVariable {
  AllocationInstruction call;

  BaseCallVariable() { this = TBaseCallVariable(call) }
@@ -399,7 +404,7 @@ class BaseCallVariable extends BaseSourceVariable, TBaseCallVariable {

  override string toString() { result = call.toString() }

-  override DataFlowType getType() { result = call.getResultType() }
+  override CppType getLanguageType() { result = getResultLanguageType(call) }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll
@@ -15,15 +15,12 @@ private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import semmle.code.cpp.ir.dataflow.internal.SsaInternalsCommon

 private module SourceVariables {
-  class SourceVariable instanceof BaseSourceVariable {
-    string toString() { result = BaseSourceVariable.super.toString() }
-
+  class SourceVariable extends BaseSourceVariable {
+    /**
+     * Gets the base source variable of this `SourceVariable`.
+     */
    BaseSourceVariable getBaseVariable() { result = this }
  }
-
-  class SourceIRVariable = BaseIRVariable;
-
-  class CallVariable = BaseCallVariable;
 }

 import SourceVariables
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll
@@ -24,6 +24,7 @@ private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> imp
    Config::allowImplicitRead(node, c)
    or
    (
+      Config::isSink(node) or
      Config::isSink(node, _) or
      Config::isAdditionalFlowStep(node, _) or
      Config::isAdditionalFlowStep(node, _, _, _)
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll
@@ -307,3 +307,8 @@ class SemConditionalExpr extends SemKnownExpr {
    branch = false and result = falseResult
  }
 }
+
+/** Holds if `upper = true` and `e <= bound` or `upper = false` and `e >= bound`. */
+predicate semHasConstantBoundConstantSpecific(SemExpr e, float bound, boolean upper) {
+  Specific::hasConstantBoundConstantSpecific(e, bound, upper)
+}
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExprSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExprSpecific.qll
@@ -434,6 +434,50 @@ module SemanticExprConfig {

  /** Gets the expression associated with `instr`. */
  SemExpr getSemanticExpr(IR::Instruction instr) { result = Equiv::getEquivalenceClass(instr) }
+
+  private predicate typeBounds(SemType t, float lb, float ub) {
+    exists(SemIntegerType integralType, float limit |
+      integralType = t and limit = 2.pow(8 * integralType.getByteSize())
+    |
+      if integralType instanceof SemBooleanType
+      then lb = 0 and ub = 1
+      else
+        if integralType.isSigned()
+        then (
+          lb = -(limit / 2) and ub = (limit / 2) - 1
+        ) else (
+          lb = 0 and ub = limit - 1
+        )
+    )
+    or
+    // This covers all floating point types. The range is (-Inf, +Inf).
+    t instanceof SemFloatingPointType and lb = -(1.0 / 0.0) and ub = 1.0 / 0.0
+  }
+
+  /**
+   * Holds if `upper = true` and `e <= bound` or `upper = false` and `e >= bound` based
+   * only on type information.
+   */
+  predicate hasConstantBoundConstantSpecific(Expr e, float bound, boolean upper) {
+    exists(
+      SemType converted, SemType unconverted, float unconvertedLb, float convertedLb,
+      float unconvertedUb, float convertedUb
+    |
+      unconverted = getSemanticType(e.getUnconverted().getResultIRType()) and
+      converted = getSemanticType(e.getConverted().getResultIRType()) and
+      typeBounds(unconverted, unconvertedLb, unconvertedUb) and
+      typeBounds(converted, convertedLb, convertedUb) and
+      (
+        upper = true and
+        unconvertedUb < convertedUb and
+        bound = unconvertedUb
+        or
+        upper = false and
+        unconvertedLb > convertedLb and
+        bound = unconvertedLb
+      )
+    )
+  }
 }

 predicate getSemanticExpr = SemanticExprConfig::getSemanticExpr/1;
@@ -457,3 +501,5 @@ IRBound::Bound getCppBound(SemBound bound) { bound = result }
 SemGuard getSemanticGuard(IRGuards::IRGuardCondition guard) { result = guard }

 IRGuards::IRGuardCondition getCppGuard(SemGuard guard) { guard = result }
+
+predicate hasConstantBoundConstantSpecific = SemanticExprConfig::hasConstantBoundConstantSpecific/3;
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll
@@ -3,10 +3,24 @@
 */

 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+private import codeql.util.Unit
+private import Reason as Reason
 private import RangeAnalysisStage
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta

 module CppLangImplConstant implements LangSig<FloatDelta> {
+  private module Param implements Reason::ParamSig {
+    class TypeReasonImpl = Unit;
+  }
+
+  class SemReason = Reason::Make<Param>::SemReason;
+
+  class SemNoReason = Reason::Make<Param>::SemNoReason;
+
+  class SemCondReason = Reason::Make<Param>::SemCondReason;
+
+  class SemTypeReason = Reason::Make<Param>::SemTypeReason;
+
  /**
   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
   *
@@ -60,7 +74,10 @@ module CppLangImplConstant implements LangSig<FloatDelta> {
  /**
   * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
   */
-  predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }
+  predicate hasConstantBound(SemExpr e, float bound, boolean upper, SemReason reason) {
+    semHasConstantBoundConstantSpecific(e, bound, upper) and
+    reason instanceof SemTypeReason
+  }

  /**
   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll
@@ -61,18 +61,23 @@ private newtype TSemReason =
    guard = any(ConstantStage::SemCondReason reason).getCond()
    or
    guard = any(RelativeStage::SemCondReason reason).getCond()
-  }
+  } or
+  TSemTypeReason()

-ConstantStage::SemReason constantReason(SemReason reason) {
+private ConstantStage::SemReason constantReason(SemReason reason) {
  result instanceof ConstantStage::SemNoReason and reason instanceof SemNoReason
  or
  result.(ConstantStage::SemCondReason).getCond() = reason.(SemCondReason).getCond()
+  or
+  result instanceof ConstantStage::SemTypeReason and reason instanceof SemTypeReason
 }

-RelativeStage::SemReason relativeReason(SemReason reason) {
+private RelativeStage::SemReason relativeReason(SemReason reason) {
  result instanceof RelativeStage::SemNoReason and reason instanceof SemNoReason
  or
  result.(RelativeStage::SemCondReason).getCond() = reason.(SemCondReason).getCond()
+  or
+  result instanceof RelativeStage::SemTypeReason and reason instanceof SemTypeReason
 }

 import Public
@@ -111,4 +116,12 @@ module Public {

    override string toString() { result = this.getCond().toString() }
  }
+
+  /**
+   * A reason for an inferred bound that indicates that the bound is inferred
+   * based on type-information.
+   */
+  class SemTypeReason extends SemReason, TSemTypeReason {
+    override string toString() { result = "TypeReason" }
+  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll
@@ -7,9 +7,25 @@ private import RangeAnalysisStage
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.IntDelta
 private import RangeAnalysisImpl
+private import codeql.util.Unit
+private import Reason as Reason
 private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils

 module CppLangImplRelative implements LangSig<FloatDelta> {
+  private module Param implements Reason::ParamSig {
+    class TypeReasonImpl extends Unit {
+      TypeReasonImpl() { none() }
+    }
+  }
+
+  class SemReason = Reason::Make<Param>::SemReason;
+
+  class SemNoReason = Reason::Make<Param>::SemNoReason;
+
+  class SemCondReason = Reason::Make<Param>::SemCondReason;
+
+  class SemTypeReason = Reason::Make<Param>::SemTypeReason;
+
  /**
   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
   *
@@ -94,7 +110,7 @@ module CppLangImplRelative implements LangSig<FloatDelta> {
  /**
   * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
   */
-  predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }
+  predicate hasConstantBound(SemExpr e, float bound, boolean upper, SemReason reason) { none() }

  /**
   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisStage.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisStage.qll
@@ -113,6 +113,37 @@ signature module DeltaSig {
 }

 signature module LangSig<DeltaSig D> {
+  /** A reason for an inferred bound. */
+  class SemReason {
+    /**
+     * Returns `this` if `reason` is not a `SemTypeReason`. Otherwise,
+     * this predicate returns `SemTypeReason`.
+     *
+     * This predicate ensures that we propagate `SemTypeReason` all the way
+     * to the top-level of a call to `semBounded` if the inferred bound is
+     * based on type-information.
+     */
+    bindingset[this, reason]
+    SemReason combineWith(SemReason reason);
+  }
+
+  /**
+   * A reason for an inferred bound that indicates that the bound is inferred
+   * without going through a bounding condition.
+   */
+  class SemNoReason extends SemReason;
+
+  /** A reason for an inferred bound pointing to a condition. */
+  class SemCondReason extends SemReason {
+    SemGuard getCond();
+  }
+
+  /**
+   * A reason for an inferred bound that indicates that the bound is inferred
+   * based on type-information.
+   */
+  class SemTypeReason extends SemReason;
+
  /**
   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
   *
@@ -124,7 +155,7 @@ signature module LangSig<DeltaSig D> {
  /**
   * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
   */
-  predicate hasConstantBound(SemExpr e, D::Delta bound, boolean upper);
+  predicate hasConstantBound(SemExpr e, D::Delta bound, boolean upper, SemReason reason);

  /**
   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
@@ -249,6 +280,14 @@ module RangeStage<
  DeltaSig D, BoundSig<D> Bounds, OverflowSig<D> OverflowParam, LangSig<D> LangParam,
  UtilSig<D> UtilParam>
 {
+  class SemReason = LangParam::SemReason;
+
+  class SemCondReason = LangParam::SemCondReason;
+
+  class SemNoReason = LangParam::SemNoReason;
+
+  class SemTypeReason = LangParam::SemTypeReason;
+
  private import Bounds
  private import LangParam
  private import UtilParam
@@ -509,36 +548,6 @@ module RangeStage<
    )
  }

-  private newtype TSemReason =
-    TSemNoReason() or
-    TSemCondReason(SemGuard guard) { possibleReason(guard) }
-
-  /**
-   * A reason for an inferred bound. This can either be `CondReason` if the bound
-   * is due to a specific condition, or `NoReason` if the bound is inferred
-   * without going through a bounding condition.
-   */
-  abstract class SemReason extends TSemReason {
-    /** Gets a textual representation of this reason. */
-    abstract string toString();
-  }
-
-  /**
-   * A reason for an inferred bound that indicates that the bound is inferred
-   * without going through a bounding condition.
-   */
-  class SemNoReason extends SemReason, TSemNoReason {
-    override string toString() { result = "NoReason" }
-  }
-
-  /** A reason for an inferred bound pointing to a condition. */
-  class SemCondReason extends SemReason, TSemCondReason {
-    /** Gets the condition that is the reason for the bound. */
-    SemGuard getCond() { this = TSemCondReason(result) }
-
-    override string toString() { result = this.getCond().toString() }
-  }
-
  /**
   * Holds if `e + delta` is a valid bound for `v` at `pos`.
   * - `upper = true`  : `v <= e + delta`
@@ -551,13 +560,13 @@ module RangeStage<
    semSsaUpdateStep(v, e, delta) and
    pos.hasReadOfVar(v) and
    (upper = true or upper = false) and
-    reason = TSemNoReason()
+    reason instanceof SemNoReason
    or
    exists(SemGuard guard, boolean testIsTrue |
      pos.hasReadOfVar(v) and
      guard = boundFlowCond(v, e, delta, upper, testIsTrue) and
      semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue) and
-      reason = TSemCondReason(guard)
+      reason.(SemCondReason).getCond() = guard
    )
  }

@@ -570,7 +579,7 @@ module RangeStage<
      pos.hasReadOfVar(v) and
      guard = semEqFlowCond(v, e, delta, false, testIsTrue) and
      semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue) and
-      reason = TSemCondReason(guard)
+      reason.(SemCondReason).getCond() = guard
    )
  }

@@ -700,7 +709,7 @@ module RangeStage<
      // upper = true:  v <= mid + d1 <= b + d1 + d2 = b + delta
      // upper = false: v >= mid + d1 >= b + d1 + d2 = b + delta
      delta = D::fromFloat(D::toFloat(d1) + D::toFloat(d2)) and
-      (if r1 instanceof SemNoReason then reason = r2 else reason = r1)
+      (if r1 instanceof SemNoReason then reason = r2 else reason = r1.combineWith(r2))
    )
    or
    exists(D::Delta d, SemReason r1, SemReason r2 |
@@ -714,9 +723,9 @@ module RangeStage<
        upper = false and delta = D::fromFloat(D::toFloat(d) + 1)
      ) and
      (
-        reason = r1
+        reason = r1.combineWith(r2)
        or
-        reason = r2 and not r2 instanceof SemNoReason
+        reason = r2.combineWith(r1) and not r2 instanceof SemNoReason
      )
    )
  }
@@ -786,7 +795,7 @@ module RangeStage<
      (upper = true or upper = false) and
      fromBackEdge0 = false and
      origdelta = D::fromFloat(0) and
-      reason = TSemNoReason()
+      reason instanceof SemNoReason
    |
      if semBackEdge(phi, inp, edge)
      then
@@ -911,14 +920,15 @@ module RangeStage<
   * Holds if `e` has an upper (for `upper = true`) or lower
   * (for `upper = false`) bound of `b`.
   */
-  private predicate baseBound(SemExpr e, D::Delta b, boolean upper) {
-    hasConstantBound(e, b, upper)
+  private predicate baseBound(SemExpr e, D::Delta b, boolean upper, SemReason reason) {
+    hasConstantBound(e, b, upper, reason)
    or
    upper = false and
    b = D::fromInt(0) and
    semPositive(e.(SemBitAndExpr).getAnOperand()) and
    // REVIEW: We let the language opt out here to preserve original results.
-    not ignoreZeroLowerBound(e)
+    not ignoreZeroLowerBound(e) and
+    reason instanceof SemNoReason
  }

  /**
@@ -1044,13 +1054,12 @@ module RangeStage<
      (upper = true or upper = false) and
      fromBackEdge = false and
      origdelta = delta and
-      reason = TSemNoReason()
+      reason instanceof SemNoReason
      or
-      baseBound(e, delta, upper) and
+      baseBound(e, delta, upper, reason) and
      b instanceof SemZeroBound and
      fromBackEdge = false and
-      origdelta = delta and
-      reason = TSemNoReason()
+      origdelta = delta
      or
      exists(SemSsaVariable v, SemSsaReadPositionBlock bb |
        boundedSsa(v, bb, b, delta, upper, fromBackEdge, origdelta, reason) and
@@ -1104,9 +1113,9 @@ module RangeStage<
        boundedConditionalExpr(cond, b, upper, true, d1, fbe1, od1, r1) and
        boundedConditionalExpr(cond, b, upper, false, d2, fbe2, od2, r2) and
        (
-          delta = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1
+          delta = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1.combineWith(r2)
          or
-          delta = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2
+          delta = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2.combineWith(r1)
        )
      |
        upper = true and delta = D::fromFloat(D::toFloat(d1).maximum(D::toFloat(d2)))
@@ -1132,9 +1141,15 @@ module RangeStage<
        delta = D::fromFloat(D::toFloat(dLeft) + D::toFloat(dRight)) and
        fromBackEdge = fbeLeft.booleanOr(fbeRight)
      |
-        b = bLeft and origdelta = odLeft and reason = rLeft and bRight instanceof SemZeroBound
+        b = bLeft and
+        origdelta = odLeft and
+        reason = rLeft.combineWith(rRight) and
+        bRight instanceof SemZeroBound
        or
-        b = bRight and origdelta = odRight and reason = rRight and bLeft instanceof SemZeroBound
+        b = bRight and
+        origdelta = odRight and
+        reason = rRight.combineWith(rLeft) and
+        bLeft instanceof SemZeroBound
      )
      or
      exists(
@@ -1150,9 +1165,9 @@ module RangeStage<
        (
          if D::toFloat(d1).abs() > D::toFloat(d2).abs()
          then (
-            d_max = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1
+            d_max = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1.combineWith(r2)
          ) else (
-            d_max = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2
+            d_max = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2.combineWith(r1)
          )
        )
      |
@@ -1168,11 +1183,14 @@ module RangeStage<
        boundedMulOperand(e, upper, true, dLeft, fbeLeft, odLeft, rLeft) and
        boundedMulOperand(e, upper, false, dRight, fbeRight, odRight, rRight) and
        delta = D::fromFloat(D::toFloat(dLeft) * D::toFloat(dRight)) and
-        fromBackEdge = fbeLeft.booleanOr(fbeRight)
+        fromBackEdge = fbeLeft.booleanOr(fbeRight) and
+        b instanceof SemZeroBound
      |
-        b instanceof SemZeroBound and origdelta = odLeft and reason = rLeft
+        origdelta = odLeft and
+        reason = rLeft.combineWith(rRight)
        or
-        b instanceof SemZeroBound and origdelta = odRight and reason = rRight
+        origdelta = odRight and
+        reason = rRight.combineWith(rLeft)
      )
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/Reason.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/Reason.qll
@@ -0,0 +1,83 @@
+/**
+ * Provides a `Make` parameterized module for constructing a `Reason` type that is used
+ * when implementing the `LangSig` module.
+ */
+
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+
+/** The necessary parameters that must be implemented to instantiate `Make`. */
+signature module ParamSig {
+  class TypeReasonImpl;
+}
+
+/**
+ * The module that constructs a `Reason` type when provided with an implementation
+ * of `ParamSig`.
+ */
+module Make<ParamSig Param> {
+  private import Param
+
+  private newtype TSemReason =
+    TSemNoReason() or
+    TSemCondReason(SemGuard guard) or
+    TSemTypeReason(TypeReasonImpl trc)
+
+  /**
+   * A reason for an inferred bound. This can either be `CondReason` if the bound
+   * is due to a specific condition, or `NoReason` if the bound is inferred
+   * without going through a bounding condition.
+   */
+  abstract class SemReason extends TSemReason {
+    /** Gets a textual representation of this reason. */
+    abstract string toString();
+
+    bindingset[this, reason]
+    abstract SemReason combineWith(SemReason reason);
+  }
+
+  /**
+   * A reason for an inferred bound that indicates that the bound is inferred
+   * without going through a bounding condition.
+   */
+  class SemNoReason extends SemReason, TSemNoReason {
+    override string toString() { result = "NoReason" }
+
+    override SemReason combineWith(SemReason reason) { result = reason }
+  }
+
+  /** A reason for an inferred bound pointing to a condition. */
+  class SemCondReason extends SemReason, TSemCondReason {
+    /** Gets the condition that is the reason for the bound. */
+    SemGuard getCond() { this = TSemCondReason(result) }
+
+    override string toString() { result = this.getCond().toString() }
+
+    bindingset[this, reason]
+    override SemReason combineWith(SemReason reason) {
+      // Since we end up reporting a `SemReason` for the inferred bound we often pick somewhat
+      // arbitrarily between two `SemReason`s during the analysis. This isn't an issue for most reasons
+      // since they're mainly used for constructing alert messages. However, the `SemTypeReason` is
+      // supposed to be used in query logic to filter out bounds inferred by type-based analysis if
+      // the query author chooses to do so. So we need to ensure that if _any_ of the bounds that
+      // contribute to the final bound depends on type information then the `SemReason` we report must
+      // be a `SemTypeReason`. So when we need to combine this `SemCondReason` with a `SemTypeReason`
+      // the result should always be a `SemTypeReason`.
+      if reason instanceof SemTypeReason then result instanceof SemTypeReason else result = this
+    }
+  }
+
+  /**
+   * A reason for an inferred bound that indicates that the bound is inferred
+   * based on type-information.
+   */
+  class SemTypeReason extends SemReason, TSemTypeReason {
+    TypeReasonImpl impl;
+
+    SemTypeReason() { this = TSemTypeReason(impl) }
+
+    override string toString() { result = "TypeReason" }
+
+    bindingset[this, reason]
+    override SemReason combineWith(SemReason reason) { result = this and exists(reason) }
+  }
+}
--- a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/RangeAnalysisUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/RangeAnalysisUtil.qll
@@ -20,7 +20,8 @@ private Instruction getABoundIn(SemBound b, IRFunction func) {
 pragma[inline]
 private predicate boundedImpl(Instruction i, Instruction b, int delta) {
  exists(SemBound bound, IRFunction func |
-    semBounded(getSemanticExpr(i), bound, delta, true, _) and
+    semBounded(getSemanticExpr(i), bound, delta, true,
+      any(SemReason reason | not reason instanceof SemTypeReason)) and
    b = getABoundIn(bound, func) and
    i.getEnclosingIRFunction() = func
  )
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -608,7 +608,7 @@ case @builtintype.kind of
 | 47 = @std_float64           // _Float64
 | 48 = @float64x              // _Float64x
 | 49 = @std_float128          // _Float128
-| 50 = @float128x             // _Float128x
+// ... 50 _Float128x
 | 51 = @char8_t
 | 52 = @float16               // _Float16
 | 53 = @complex_float16       // _Complex _Float16
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
--- a/cpp/ql/lib/upgrades/19887dbd33327fb07d54251786e0cb2578539775/builtintypes.ql
+++ b/cpp/ql/lib/upgrades/19887dbd33327fb07d54251786e0cb2578539775/builtintypes.ql
@@ -0,0 +1,13 @@
+class BuiltinType extends @builtintype {
+  string toString() { none() }
+}
+
+predicate isFloat128xBuiltinType(BuiltinType type) {
+  exists(int kind | builtintypes(type, _, kind, _, _, _) | kind = 50)
+}
+
+from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
+where
+  builtintypes(type, name, kind, size, sign, alignment) and
+  if isFloat128xBuiltinType(type) then kind_new = 1 else kind_new = kind
+select type, name, kind_new, size, sign, alignment
--- a/cpp/ql/lib/upgrades/19887dbd33327fb07d54251786e0cb2578539775/old.dbscheme
+++ b/cpp/ql/lib/upgrades/19887dbd33327fb07d54251786e0cb2578539775/old.dbscheme
--- a/cpp/ql/lib/upgrades/19887dbd33327fb07d54251786e0cb2578539775/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/19887dbd33327fb07d54251786e0cb2578539775/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/19887dbd33327fb07d54251786e0cb2578539775/upgrade.properties
+++ b/cpp/ql/lib/upgrades/19887dbd33327fb07d54251786e0cb2578539775/upgrade.properties
@@ -0,0 +1,3 @@
+description: Remove _Float128 type
+compatibility: partial
+builtintypes.rel: run builtintypes.qlo
--- a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
@@ -28,7 +28,8 @@ Instruction getABoundIn(SemBound b, IRFunction func) {
 pragma[inline]
 predicate boundedImpl(Instruction i, Instruction b, int delta) {
  exists(SemBound bound, IRFunction func |
-    semBounded(getSemanticExpr(i), bound, delta, true, _) and
+    semBounded(getSemanticExpr(i), bound, delta, true,
+      any(SemReason reason | not reason instanceof SemTypeReason)) and
    b = getABoundIn(bound, func) and
    pragma[only_bind_out](i.getEnclosingIRFunction()) = func
  )
@@ -93,7 +94,8 @@ predicate arrayTypeHasSizes(ArrayType arr, int baseTypeSize, int size) {
 bindingset[pai]
 pragma[inline_late]
 predicate constantUpperBounded(PointerArithmeticInstruction pai, int delta) {
-  semBounded(getSemanticExpr(pai.getRight()), any(SemZeroBound b), delta, true, _)
+  semBounded(getSemanticExpr(pai.getRight()), any(SemZeroBound b), delta, true,
+    any(SemReason reason | not reason instanceof SemTypeReason))
 }

 bindingset[pai, size]
--- a/cpp/ql/test/library-tests/attributes/var_attributes/ms_var_attributes.cpp
+++ b/cpp/ql/test/library-tests/attributes/var_attributes/ms_var_attributes.cpp
@@ -16,3 +16,5 @@ class AddressOfGetter {
    &field;
  }
 };
+
+__declspec("SAL_volatile") char* pBuf;
--- a/cpp/ql/test/library-tests/attributes/var_attributes/var_attributes.expected
+++ b/cpp/ql/test/library-tests/attributes/var_attributes/var_attributes.expected
@@ -4,6 +4,7 @@
 | ms_var_attributes.cpp:8:15:8:20 | myInt4 | ms_var_attributes.cpp:8:1:8:9 | dllexport |
 | ms_var_attributes.cpp:9:5:9:10 | myInt5 | ms_var_attributes.h:7:1:7:9 | dllexport |
 | ms_var_attributes.cpp:12:42:12:46 | field | ms_var_attributes.cpp:12:14:12:21 | property |
+| ms_var_attributes.cpp:20:34:20:37 | pBuf | ms_var_attributes.cpp:20:12:20:12 | SAL_volatile |
 | ms_var_attributes.h:5:22:5:27 | myInt3 | ms_var_attributes.h:5:1:5:9 | dllexport |
 | var_attributes.c:1:12:1:19 | weak_var | var_attributes.c:1:36:1:39 | weak |
 | var_attributes.c:2:12:2:22 | weakref_var | var_attributes.c:2:39:2:45 | weakref |
--- a/cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp
+++ b/cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp
@@ -195,18 +195,18 @@ int test13(char c, int i) {
  int z = i+1;  // $ overflow=+
  range(z); // $ range="==InitializeParameter: i+1"
  range(c + i + uc + x + y + z); // $ overflow=+- overflow=+ overflow=- MISSING: range=>=1
-  range((double)(c + i + uc + x + y + z)); // $ overflow=+ overflow=+- overflow=- MISSING:  range=>=1
+  range((double)(c + i + uc + x + y + z)); // $ overflow=+ overflow=+- overflow=- range=<=4294967295 MISSING: range=>=1
  return (double)(c + i + uc + x + y + z);  // $ overflow=+- overflow=+ overflow=-
 }

 // Regression test for ODASA-6013.
 int test14(int x) {
  int x0 = (int)(char)x;
-  range(x0);
+  range(x0); // $ range=<=127 range=>=-128
  int x1 = (int)(unsigned char)x;
-  range(x1);
+  range(x1); // $ range=<=255 range=>=0
  int x2 = (int)(unsigned short)x;
-  range(x2);
+  range(x2); // $ range=<=65535 range=>=0
  int x3 = (int)(unsigned int)x;
  range(x3);
  char c0 = x;
@@ -759,9 +759,9 @@ unsigned long mult_overflow() {
 unsigned long mult_lower_bound(unsigned int ui, unsigned long ul) {
  if (ui >= 10) {
    range(ui); // $ range=>=10
-    range((unsigned long)ui); // $ range=>=10
-    unsigned long result = (unsigned long)ui * ui; // $ overflow=+
-    range(result); // $ MISSING: range=>=100
+    range((unsigned long)ui); // $ range=>=10 range=<=4294967295
+    unsigned long result = (unsigned long)ui * ui; // no overflow
+    range(result); // $ range=>=100 range=<=18446744065119617024
    return result; // BUG: upper bound should be >= 18446744065119617025
  }
  if (ul >= 10) {
@@ -888,7 +888,7 @@ void notequal_variations(short n, float f) {
  }

  if (n >= 5) {
-    if (2 * n - 10 == 0) { // $ overflow=+
+    if (2 * n - 10 == 0) { // no overflow
      range(n); // $ range=>=5 MISSING: range===5
      return;
    }
@@ -936,7 +936,7 @@ void two_bounds_from_one_test(short ss, unsigned short us) {
    range(ss); // -32768 .. 32767
  }

-  if (ss + 1 < sizeof(int)) {  // $ overflow=+
+  if (ss + 1 < sizeof(int)) { // $ overflow=-
    range(ss); // -1 .. 2
  }
 }
--- a/cpp/ql/test/library-tests/templates/type_instantiations/types.expected
+++ b/cpp/ql/test/library-tests/templates/type_instantiations/types.expected
@@ -13,7 +13,6 @@
 | file://:0:0:0:0 | _Float64 |
 | file://:0:0:0:0 | _Float64x |
 | file://:0:0:0:0 | _Float128 |
-| file://:0:0:0:0 | _Float128x |
 | file://:0:0:0:0 | _Imaginary double |
 | file://:0:0:0:0 | _Imaginary float |
 | file://:0:0:0:0 | _Imaginary long double |
--- a/cpp/ql/test/library-tests/type_sizes/type_sizes.expected
+++ b/cpp/ql/test/library-tests/type_sizes/type_sizes.expected
@@ -33,7 +33,6 @@
 | file://:0:0:0:0 | _Float64 | 8 |
 | file://:0:0:0:0 | _Float64x | 16 |
 | file://:0:0:0:0 | _Float128 | 16 |
-| file://:0:0:0:0 | _Float128x | 32 |
 | file://:0:0:0:0 | _Imaginary double | 8 |
 | file://:0:0:0:0 | _Imaginary float | 4 |
 | file://:0:0:0:0 | _Imaginary long double | 16 |
--- a/cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected
+++ b/cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected
@@ -15,7 +15,6 @@
 | file://:0:0:0:0 | _Float64 | _Float64 |
 | file://:0:0:0:0 | _Float64x | _Float64x |
 | file://:0:0:0:0 | _Float128 | _Float128 |
-| file://:0:0:0:0 | _Float128x | _Float128x |
 | file://:0:0:0:0 | _Imaginary double | _Imaginary double |
 | file://:0:0:0:0 | _Imaginary float | _Imaginary float |
 | file://:0:0:0:0 | _Imaginary long double | _Imaginary long double |
--- a/cpp/ql/test/library-tests/variables/variables/types.expected
+++ b/cpp/ql/test/library-tests/variables/variables/types.expected
@@ -14,7 +14,6 @@
 | _Float64 | BinaryFloatingPointType, RealNumberType |  |  |  |  |
 | _Float64x | BinaryFloatingPointType, RealNumberType |  |  |  |  |
 | _Float128 | BinaryFloatingPointType, RealNumberType |  |  |  |  |
-| _Float128x | BinaryFloatingPointType, RealNumberType |  |  |  |  |
 | _Imaginary double | BinaryFloatingPointType, ImaginaryNumberType |  |  |  |  |
 | _Imaginary float | BinaryFloatingPointType, ImaginaryNumberType |  |  |  |  |
 | _Imaginary long double | BinaryFloatingPointType, ImaginaryNumberType |  |  |  |  |
--- a/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Runtime.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Runtime.cs
@@ -22,7 +22,7 @@ namespace Semmle.Extraction.CSharp.Standalone

        public Runtime(IDotNet dotNet) => this.dotNet = dotNet;

-        internal sealed class RuntimeVersion : IComparable<RuntimeVersion>
+        internal record RuntimeVersion : IComparable<RuntimeVersion>
        {
            private readonly string dir;
            private readonly Version version;
@@ -71,11 +71,6 @@ namespace Semmle.Extraction.CSharp.Standalone
                return c;
            }

-            public override bool Equals(object? obj) =>
-                obj is not null && obj is RuntimeVersion other && other.FullPath == FullPath;
-
-            public override int GetHashCode() => FullPath.GetHashCode();
-
            public override string ToString() => FullPath;
        }

@@ -97,7 +92,7 @@ namespace Semmle.Extraction.CSharp.Standalone
                var match = RuntimeRegex().Match(r);
                if (match.Success)
                {
-                    runtimes.AddOrUpdate(match.Groups[1].Value, new RuntimeVersion(match.Groups[6].Value, match.Groups[2].Value, match.Groups[4].Value, match.Groups[5].Value));
+                    runtimes.AddOrUpdateToLatest(match.Groups[1].Value, new RuntimeVersion(match.Groups[6].Value, match.Groups[2].Value, match.Groups[4].Value, match.Groups[5].Value));
                }
            });

--- a/csharp/extractor/Semmle.Util/DictionaryExtensions.cs
+++ b/csharp/extractor/Semmle.Util/DictionaryExtensions.cs
@@ -22,9 +22,9 @@ namespace Semmle.Util

        /// <summary>
        /// Adds a new value or replaces the existing value (if the new value is greater than the existing) 
-        /// in dictionary for the given key.
+        /// in this dictionary for the given key.
        /// </summary>
-        public static void AddOrUpdate<T1, T2>(this Dictionary<T1, T2> dict, T1 key, T2 value) where T1 : notnull where T2 : IComparable<T2>
+        public static void AddOrUpdateToLatest<T1, T2>(this Dictionary<T1, T2> dict, T1 key, T2 value) where T1 : notnull where T2 : IComparable<T2>
        {
            if (!dict.TryGetValue(key, out var existing) || existing.CompareTo(value) < 0)
            {
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -1,3 +1,3 @@
 private import DataFlowImplSpecific
-private import codeql.dataflow.DataFlowImpl
+private import codeql.dataflow.internal.DataFlowImpl
 import MakeImpl<CsharpDataFlow>
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -1,3 +1,3 @@
 private import DataFlowImplSpecific
-private import codeql.dataflow.DataFlowImplCommon
+private import codeql.dataflow.internal.DataFlowImplCommon
 import MakeImplCommon<CsharpDataFlow>
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplSpecific.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplSpecific.qll
@@ -2,7 +2,7 @@
 * Provides C#-specific definitions for use in the data flow library.
 */

-private import codeql.dataflow.DataFlowParameter
+private import codeql.dataflow.DataFlow

 module Private {
  import DataFlowPrivate
@@ -13,7 +13,7 @@ module Public {
  import DataFlowPublic
 }

-module CsharpDataFlow implements DataFlowParameter {
+module CsharpDataFlow implements InputSig {
  import Private
  import Public

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTracking.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTracking.qll
@@ -24,6 +24,7 @@ private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> imp
    Config::allowImplicitRead(node, c)
    or
    (
+      Config::isSink(node) or
      Config::isSink(node, _) or
      Config::isAdditionalFlowStep(node, _) or
      Config::isAdditionalFlowStep(node, _, _, _)
--- a/csharp/ql/test/query-tests/Architecture/Dependencies/MutualDependency/options
+++ b/csharp/ql/test/query-tests/Architecture/Dependencies/MutualDependency/options
@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.Linq.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/query-tests/Architecture/Refactoring
+++ b/csharp/ql/test/query-tests/Architecture/Refactoring
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/query-tests/Architecture/Refactoring
+++ b/csharp/ql/test/query-tests/Architecture/Refactoring
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Practices/Comments/CommentedOutCode/options
+++ b/Practices/Comments/CommentedOutCode/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Practices/Comments/TodoComments/options
+++ b/Practices/Comments/TodoComments/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Practices/Control-Flow/ConstantCondition/options
+++ b/Practices/Control-Flow/ConstantCondition/options
@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.Threading.Thread.dll /r:System.Diagnostics.Debug.dll /langversion:preview
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Practices/Declarations/EmptyInterface/options
+++ b/Practices/Declarations/EmptyInterface/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Practices/Declarations/LocalScopeVariableShadowsMember/options
+++ b/Practices/Declarations/LocalScopeVariableShadowsMember/options
@@ -1 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
 semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Windows.cs
--- a/Practices/Declarations/NoConstantsOnly/options
+++ b/Practices/Declarations/NoConstantsOnly/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Practices/Declarations/TooManyRefParameters/options
+++ b/Practices/Declarations/TooManyRefParameters/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Practices/EmptyCatchBlock/options
+++ b/Practices/EmptyCatchBlock/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Hiding/AbstractToConcreteCollection/options
+++ b/Hiding/AbstractToConcreteCollection/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Hiding/ExposeRepresentation/options
+++ b/Hiding/ExposeRepresentation/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/query-tests/Bad
+++ b/csharp/ql/test/query-tests/Bad
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Conventions/ConfusingMethodNames/options
+++ b/Conventions/ConfusingMethodNames/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Conventions/VariableNameTooShort/options
+++ b/Conventions/VariableNameTooShort/options
@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.Linq.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Practices/VirtualCallInConstructorOrDestructor/options
+++ b/Practices/VirtualCallInConstructorOrDestructor/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/query-tests/CSI/CompareIdenticalValues/options
+++ b/csharp/ql/test/query-tests/CSI/CompareIdenticalValues/options
@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.Diagnostics.Debug.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/query-tests/Concurrency/FutileSyncOnField/options
+++ b/csharp/ql/test/query-tests/Concurrency/FutileSyncOnField/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/query-tests/Concurrency/LockOrder/options
+++ b/csharp/ql/test/query-tests/Concurrency/LockOrder/options
@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.Threading.dll /r:System.Threading.Thread.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/query-tests/Concurrency/LockThis/options
+++ b/csharp/ql/test/query-tests/Concurrency/LockThis/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/query-tests/Concurrency/LockedWait/options
+++ b/csharp/ql/test/query-tests/Concurrency/LockedWait/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/query-tests/Concurrency/SynchSetUnsynchGet/options
+++ b/csharp/ql/test/query-tests/Concurrency/SynchSetUnsynchGet/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/query-tests/Concurrency/UnsafeLazyInitialization/options
+++ b/csharp/ql/test/query-tests/Concurrency/UnsafeLazyInitialization/options
@@ -1 +1,2 @@
-semmle-extractor-options: -langversion:latest
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/query-tests/Concurrency/UnsynchronizedStaticAccess/options
+++ b/csharp/ql/test/query-tests/Concurrency/UnsynchronizedStaticAccess/options
@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.Collections.Concurrent.dll /r:System.Threading.Thread.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/options
+++ b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll
@@ -1,3 +1,3 @@
 private import DataFlowImplSpecific
-private import codeql.dataflow.DataFlowImpl
+private import codeql.dataflow.internal.DataFlowImpl
 import MakeImpl<GoDataFlow>
--- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImplCommon.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImplCommon.qll
@@ -1,3 +1,3 @@
 private import DataFlowImplSpecific
-private import codeql.dataflow.DataFlowImplCommon
+private import codeql.dataflow.internal.DataFlowImplCommon
 import MakeImplCommon<GoDataFlow>
--- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImplForStringsNewReplacer.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImplForStringsNewReplacer.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImplSpecific.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImplSpecific.qll
@@ -2,7 +2,7 @@
 * Provides Go-specific definitions for use in the data flow library.
 */

-private import codeql.dataflow.DataFlowParameter
+private import codeql.dataflow.DataFlow

 module Private {
  import DataFlowPrivate
@@ -13,7 +13,7 @@ module Public {
  import DataFlowUtil
 }

-module GoDataFlow implements DataFlowParameter {
+module GoDataFlow implements InputSig {
  import Private
  import Public

--- a/go/ql/lib/semmle/go/dataflow/internal/tainttracking1/TaintTracking.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/tainttracking1/TaintTracking.qll
@@ -24,6 +24,7 @@ private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> imp
    Config::allowImplicitRead(node, c)
    or
    (
+      Config::isSink(node) or
      Config::isSink(node, _) or
      Config::isAdditionalFlowStep(node, _) or
      Config::isAdditionalFlowStep(node, _, _, _)
--- a/java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt
+++ b/java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt
@@ -552,7 +552,7 @@ open class KotlinFileExtractor(
                logger.warnElement("Expected annotation property to define a getter", prop)
            } else {
                val getterId = useFunction<DbMethod>(getter)
-                val exprId = extractAnnotationValueExpression(v, id, i, "{${getterId}}", getter.returnType, extractEnumTypeAccesses)
+                val exprId = extractAnnotationValueExpression(v, id, i, "{$getterId}", getter.returnType, extractEnumTypeAccesses)
                if (exprId != null) {
                    tw.writeAnnotValue(id, getterId, exprId)
                }
@@ -587,7 +587,7 @@ open class KotlinFileExtractor(
                extractAnnotation(v, parent, idx, extractEnumTypeAccesses, contextLabel)
            }
            is IrVararg -> {
-                tw.getLabelFor<DbArrayinit>("@\"annotationarray;{${parent}};$contextLabel\"").also { arrayId ->
+                tw.getLabelFor<DbArrayinit>("@\"annotationarray;{$parent};$contextLabel\"").also { arrayId ->
                    // Use the context type (i.e., the type the annotation expects, not the actual type of the array)
                    // because the Java extractor fills in array types using the same technique. These should only
                    // differ for generic annotations.
@@ -1193,7 +1193,7 @@ open class KotlinFileExtractor(
            // n + o'th parameter, where `o` is the parameter offset caused by adding any dispatch receiver to the parameter list.
            // Note we don't need to add the extension receiver here because `useValueParameter` always assumes an extension receiver
            // will be prepended if one exists.
-            val realFunctionId = useFunction<DbCallable>(f)
+            val realFunctionId = useFunction<DbCallable>(f, parentId, null)
            DeclarationStackAdjuster(f, OverriddenFunctionAttributes(id, id, locId, nonSyntheticParams, typeParameters = listOf(), isStatic = true)).use {
                val realParamsVarId = getValueParameterLabel(id, parameterTypes.size - 2)
                val intType = pluginContext.irBuiltIns.intType
--- a/java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt
+++ b/java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt
@@ -612,7 +612,7 @@ open class KotlinUsesExtractor(
        val componentTypeLabel = recInfo.componentTypeResults.javaResult.id
        val dimensions = recInfo.dimensions + 1

-        val id = tw.getLabelFor<DbArray>("@\"array;$dimensions;{${elementTypeLabel}}\"") {
+        val id = tw.getLabelFor<DbArray>("@\"array;$dimensions;{$elementTypeLabel}\"") {
            tw.writeArrays(
                it,
                javaShortName,
@@ -1141,7 +1141,7 @@ open class KotlinUsesExtractor(
        // method (and presumably that disambiguation is never needed when the method belongs to a parameterized
        // instance of a generic class), but as of now I don't know when the raw method would be referred to.
        val typeArgSuffix = if (functionTypeParameters.isNotEmpty() && classTypeArgsIncludingOuterClasses.isNullOrEmpty()) "<${functionTypeParameters.size}>" else "";
-        return "@\"$prefix;{$parentId}.$name($paramTypeIds){$returnTypeId}${typeArgSuffix}\""
+        return "@\"$prefix;{$parentId}.$name($paramTypeIds){$returnTypeId}$typeArgSuffix\""
    }

    val javaLangClass by lazy { referenceExternalClass("java.lang.Class") }
@@ -1672,7 +1672,7 @@ open class KotlinUsesExtractor(
        // clashing trap labels. These are always private, so we can just make up a label without
        // worrying about their names as seen from Java.
        val extensionPropertyDiscriminator = getExtensionReceiverType(f)?.let { "extension;${useType(it).javaResult.id}" } ?: ""
-        return "@\"field;{$parentId};${extensionPropertyDiscriminator}${f.name.asString()}\""
+        return "@\"field;{$parentId};$extensionPropertyDiscriminator${f.name.asString()}\""
    }

    fun useField(f: IrField): Label<out DbField> =
--- a/java/ql/lib/change-notes/2023-08-07-randomdatasource-typo-fix.md
+++ b/java/ql/lib/change-notes/2023-08-07-randomdatasource-typo-fix.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed a typo in the `StdlibRandomSource` class in `RandomDataSource.qll`, which caused the class to improperly model calls to the `nextBytes` method. Queries relying on `StdlibRandomSource` may see an increase in results.
--- a/java/ql/lib/ext/java.nio.file.model.yml
+++ b/java/ql/lib/ext/java.nio.file.model.yml
@@ -17,11 +17,11 @@ extensions:
      - ["java.nio.file", "Files", False, "createTempFile", "(Path,String,String,FileAttribute[])", "", "Argument[0]", "path-injection", "manual"]
      - ["java.nio.file", "Files", False, "delete", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
      - ["java.nio.file", "Files", False, "deleteIfExists", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
-      - ["java.nio.file", "Files", False, "deleteIfExists", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
      - ["java.nio.file", "Files", False, "getFileStore", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] # the FileStore class is unlikely to be used for later sanitization
      - ["java.nio.file", "Files", False, "lines", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
      - ["java.nio.file", "Files", False, "lines", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
      - ["java.nio.file", "Files", False, "move", "", "", "Argument[1]", "path-injection", "manual"]
+      - ["java.nio.file", "Files", False, "move", "(Path,Path,CopyOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
      - ["java.nio.file", "Files", False, "newBufferedReader", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
      - ["java.nio.file", "Files", False, "newBufferedReader", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
      - ["java.nio.file", "Files", False, "newBufferedWriter", "", "", "Argument[0]", "path-injection", "manual"]
@@ -37,11 +37,6 @@ extensions:
      - ["java.nio.file", "Files", False, "write", "", "", "Argument[1]", "file-content-store", "manual"]
      - ["java.nio.file", "Files", False, "writeString", "", "", "Argument[0]", "path-injection", "manual"]
      - ["java.nio.file", "Files", False, "writeString", "", "", "Argument[1]", "file-content-store", "manual"]
-      - ["java.nio.file", "Files", True, "move", "(Path,Path,CopyOption[])", "", "Argument[1]", "path-injection", "ai-manual"]
-      - ["java.nio.file", "Files", True, "move", "(Path,Path,CopyOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
-      - ["java.nio.file", "Files", True, "delete", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
-      - ["java.nio.file", "Files", True, "newInputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
-      - ["java.nio.file", "Files", True, "newOutputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
      - ["java.nio.file", "FileSystem", False, "getPath", "", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
      - ["java.nio.file", "FileSystems", False, "newFileSystem", "(URI,Map)", "", "Argument[0]", "path-injection", "ai-manual"]
      - ["java.nio.file", "FileSystems", False, "newFileSystem", "(URI,Map)", "", "Argument[0]", "request-forgery", "ai-manual"]
--- a/java/ql/lib/ext/threatmodels/supported-threat-models.model.yml
+++ b/java/ql/lib/ext/threatmodels/supported-threat-models.model.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: supportedThreatModels
+    data:
+      - ["default"] # The "default" threat model is always included.
--- a/java/ql/lib/ext/threatmodels/threat-model-grouping.model.yml
+++ b/java/ql/lib/ext/threatmodels/threat-model-grouping.model.yml
@@ -0,0 +1,23 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: threatModelGrouping
+    data:
+      # Default threat model
+      - ["remote", "default"]
+      - ["uri-path", "default"]
+
+      # Android threat models
+      - ["android-external-storage-dir", "android"]
+      - ["contentprovider", "android"]
+
+      # Remote threat models
+      - ["request", "remote"]
+      - ["response", "remote"]
+
+      # Local threat models
+      - ["database", "local"]
+      - ["cli", "local"]
+      - ["environment", "local"]
+      - ["file", "local"]
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -16,4 +16,5 @@ dataExtensions:
  - ext/*.model.yml
  - ext/generated/*.model.yml
  - ext/experimental/*.model.yml
+  - ext/threatmodels/*.model.yml
 warnOnImplicitThis: true
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlowConfiguration.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlowConfiguration.qll
@@ -0,0 +1,31 @@
+/**
+ * INTERNAL use only. This is an experimental API subject to change without notice.
+ *
+ * This module provides extensible predicates for configuring which kinds of MaD models
+ * are applicable to generic queries.
+ */
+
+private import ExternalFlowExtensions
+
+/**
+ * Holds if the specified kind of source model is supported for the current query.
+ */
+extensible private predicate supportedThreatModels(string kind);
+
+/**
+ * Holds if the specified kind of source model is containted within the specified group.
+ */
+extensible private predicate threatModelGrouping(string kind, string group);
+
+/**
+ * Gets the threat models that are direct descendants of the specified kind/group.
+ */
+private string getChildThreatModel(string group) { threatModelGrouping(result, group) }
+
+/**
+ * Holds if the source model kind `kind` is relevant for generic queries
+ * under the current threat model configuration.
+ */
+predicate sourceModelKindConfig(string kind) {
+  exists(string group | supportedThreatModels(group) and kind = getChildThreatModel*(group))
+}
--- a/Show More
+++ b/Show More