Merge pull request #11938 from github/release-prep/2.12.1

Release preparation for version 2.12.1
Apply suggestions from code review
2026-05-18 13:17:08 +02:00 · 2023-01-20 14:30:42 +00:00 · 2023-01-20 14:10:27 +01:00 · 2023-01-20 12:03:19 +00:00 · 2023-01-19 20:59:32 +00:00 · 2023-01-19 15:33:08 +00:00
1964 changed files with 154435 additions and 48931 deletions
--- a/.github/actions/cache-query-compilation/action.yml
+++ b/.github/actions/cache-query-compilation/action.yml
@@ -23,20 +23,19 @@ runs:
      run: |
        MERGE_BASE=$(git cat-file commit $GITHUB_SHA | grep '^parent ' | head -1 | cut -f 2 -d " ")
        echo "merge_base=$MERGE_BASE" >> $GITHUB_ENV
-    - name: Restore read-only cache (PR)
+    - name: Restore cache (PR)
      if: ${{ github.event_name == 'pull_request' }}
-      uses: erik-krogh/actions-cache@a88d0603fe5fb5606db9f002dfcadeb32b5f84c6
+      uses: actions/cache/restore@v3
      with:
        path: '**/.cache'
-        read-only: true
        key: codeql-compile-${{ inputs.key }}-pr-${{ github.sha }}
        restore-keys: |
          codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-${{ env.merge_base }}
          codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-
          codeql-compile-${{ inputs.key }}-main-
-    - name: Fill cache (push)
+    - name: Fill cache (only branch push)
      if: ${{ github.event_name != 'pull_request' }}
-      uses: erik-krogh/actions-cache@a88d0603fe5fb5606db9f002dfcadeb32b5f84c6
+      uses: actions/cache@v3
      with:
        path: '**/.cache'
        key: codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-${{ github.sha }} # just fill on main
--- a/.github/actions/fetch-codeql/action.yml
+++ b/.github/actions/fetch-codeql/action.yml
@@ -19,4 +19,6 @@ runs:
        gh extension install github/gh-codeql
        gh codeql set-channel "$CHANNEL"
        gh codeql version
+        printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}"
+        gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}"
        gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}"
--- a/.github/actions/os-version/action.yml
+++ b/.github/actions/os-version/action.yml
@@ -0,0 +1,32 @@
+name: OS Version
+description: Get OS version.
+
+outputs:
+  version:
+    description: "OS version"
+    value: ${{ steps.version.outputs.version }}
+
+runs:
+  using: composite
+  steps:
+    - if: runner.os == 'Linux'
+      shell: bash
+      run: |
+        . /etc/os-release
+        echo "VERSION=${NAME} ${VERSION}" >> $GITHUB_ENV
+    - if: runner.os == 'Windows'
+      shell: powershell
+      run: |
+        $objects = systeminfo.exe /FO CSV | ConvertFrom-Csv
+        "VERSION=$($objects.'OS Name') $($objects.'OS Version')" >> $env:GITHUB_ENV
+    - if: runner.os == 'macOS'
+      shell: bash
+      run: |
+        echo "VERSION=$(sw_vers -productName) $(sw_vers -productVersion)" >> $GITHUB_ENV
+    - name: Emit OS version
+      id: version
+      shell: bash
+      run: |
+        echo "$VERSION"
+        echo "version=${VERSION}" >> $GITHUB_OUTPUT
+
--- a/.github/workflows/atm-check-query-suite.yml
+++ b/.github/workflows/atm-check-query-suite.yml
@@ -13,7 +13,7 @@ on:

 jobs:
  atm-check-query-suite:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-xl

    steps:
      - uses: actions/checkout@v3
@@ -23,6 +23,12 @@ jobs:
        with:
          channel: release

+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with: 
+          key: atm-suite
+
      - name: Install ATM model
        run: |
          set -exu
@@ -50,10 +56,13 @@ jobs:
          echo "SARIF_PATH=${SARIF_PATH}" >> "${GITHUB_ENV}"

          codeql database analyze \
+            --threads=0 \
+            --ram 50000 \
            --format sarif-latest \
            --output "${SARIF_PATH}" \
            --sarif-group-rules-by-pack \
            -vv \
+            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
            -- \
            "${DB_PATH}" \
            "${QUERY_PACK}/${QUERY_SUITE}"
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -26,3 +26,9 @@ jobs:
        run: |
          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
          grep true -c
+      - name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md' or 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text.
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$"))' |
+          grep true -c
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-    - uses: actions/stale@v6
+    - uses: actions/stale@v7
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
--- a/.github/workflows/mad_modelDiff.yml
+++ b/.github/workflows/mad_modelDiff.yml
@@ -11,7 +11,7 @@ on:
    branches:
      - main
    paths:
-      - "java/ql/src/utils/model-generator/**/*.*"
+      - "java/ql/src/utils/modelgenerator/**/*.*"
      - ".github/workflows/mad_modelDiff.yml"

 permissions:
@@ -40,12 +40,12 @@ jobs:
      - name: Download database
        env:
          SLUG: ${{ matrix.slug }}
+          GH_TOKEN: ${{ github.token }}
        run: |
          set -x
          mkdir lib-dbs
          SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
-          projectId=`curl -s https://lgtm.com/api/v1.0/projects/g/${SLUG} | jq .id`
-          curl -L "https://lgtm.com/api/v1.0/snapshots/$projectId/java" -o "$SHORTNAME.zip"
+          gh api -H "Accept: application/zip" "/repos/${SLUG}/code-scanning/codeql/databases/java" > "$SHORTNAME.zip"
          unzip -q -d "${SHORTNAME}-db" "${SHORTNAME}.zip"
          mkdir "lib-dbs/$SHORTNAME/"
          mv "${SHORTNAME}-db/"$(ls -1 "${SHORTNAME}"-db)/* "lib-dbs/${SHORTNAME}/"
@@ -61,7 +61,7 @@ jobs:
            DATABASE=$2
            cd codeql-$QL_VARIANT
            SHORTNAME=`basename $DATABASE`
-            python java/ql/src/utils/model-generator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
+            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
            mv java/ql/lib/ext/generated/${SHORTNAME}.temp.model.yml $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.model.yml
            cd ..
          }
@@ -100,4 +100,6 @@ jobs:
        with:
          name: diffs
          path: tmp-models/*.html
+          # An html file is only produced if the generated models differ.
+          if-no-files-found: ignore
          retention-days: 20
--- a/.github/workflows/mad_regenerate-models.yml
+++ b/.github/workflows/mad_regenerate-models.yml
@@ -50,7 +50,7 @@ jobs:
          SLUG: ${{ matrix.slug }}
        run: |
          SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
-          java/ql/src/utils/model-generator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
+          java/ql/src/utils/modelgenerator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
      - name: Stage changes
        run: |
          find java -name "*.model.yml" -print0 | xargs -0 git add
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -27,7 +27,7 @@ jobs:
        uses: ./.github/actions/find-latest-bundle
      - name: Find codeql
        id: find-codeql
-        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
+        uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
        with:
          languages: javascript # does not matter
          tools: ${{ steps.find-latest-bundle.outputs.url }}
@@ -38,12 +38,14 @@ jobs:
        shell: bash
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      - uses: ./.github/actions/os-version
+        id: os_version
      - name: Cache entire pack
        id: cache-pack
        uses: actions/cache@v3
        with:
          path: ${{ runner.temp }}/pack
-          key: ${{ runner.os }}-pack-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-pack-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
      - name: Cache queries
        if: steps.cache-pack.outputs.cache-hit != 'true'
        id: cache-queries
@@ -77,7 +79,7 @@ jobs:
            ql/target/release/ql-autobuilder.exe
            ql/target/release/ql-extractor
            ql/target/release/ql-extractor.exe
-          key: ${{ runner.os }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
      - name: Cache cargo
        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
        uses: actions/cache@v3
@@ -86,7 +88,7 @@ jobs:
            ~/.cargo/registry
            ~/.cargo/git
            ql/target
-          key: ${{ runner.os }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
      - name: Check formatting
        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
        run: cd ql; cargo fmt --all -- --check
@@ -137,20 +139,20 @@ jobs:
        env:
          CONF: ./ql-for-ql-config.yml
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
+        uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
        with:
          languages: ql
          db-location: ${{ runner.temp }}/db
          config-file: ./ql-for-ql-config.yml
          tools: ${{ steps.find-latest-bundle.outputs.url }}
-      - name: Move pack cache
+      - name: Move pack queries
        run: |
-          cp -r ${PACK}/.cache ql/ql/src/.cache
+          cp -r ${PACK}/queries ql/ql/src
        env:
          PACK: ${{ runner.temp }}/pack

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
+        uses: github/codeql-action/analyze@45955cb1830b640e2c1603ad72ad542a49d47b96
        with:
          category: "ql-for-ql"
      - name: Copy sarif file to CWD
@@ -172,4 +174,4 @@ jobs:
        with:
          name: ql-for-ql-langs
          path: split-sarif
-          retention-days: 1
+          retention-days: 1
--- a/.github/workflows/ql-for-ql-dataset_measure.yml
+++ b/.github/workflows/ql-for-ql-dataset_measure.yml
@@ -25,16 +25,18 @@ jobs:

      - name: Find codeql
        id: find-codeql
-        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
+        uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
        with:
          languages: javascript # does not matter
+      - uses: ./.github/actions/os-version
+        id: os_version
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            ql/target
-          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
      - name: Build Extractor
        run: cd ql; env "PATH=$PATH:`dirname ${CODEQL}`" ./scripts/create-extractor-pack.sh
        env:
--- a/.github/workflows/ql-for-ql-tests.yml
+++ b/.github/workflows/ql-for-ql-tests.yml
@@ -22,28 +22,84 @@ jobs:
      - uses: actions/checkout@v3
      - name: Find codeql
        id: find-codeql
-        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
+        uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
        with:
          languages: javascript # does not matter
+      - uses: ./.github/actions/os-version
+        id: os_version
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            ql/target
-          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }}
      - name: Build extractor
        run: |
          cd ql;
          codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
          env "PATH=$PATH:$codeqlpath" ./scripts/create-extractor-pack.sh
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with: 
+          key: ql-for-ql-tests
      - name: Run QL tests
        run: |
-          "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries ql/ql/test
+          "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" ql/ql/test
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - name: Check QL formatting
+
+  other-os: 
+    strategy:
+      matrix:
+        os: [macos-latest, windows-latest]
+    needs: [qltest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install GNU tar 
+        if: runner.os == 'macOS'
        run: |
-          find ql/ql/src "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 "${CODEQL}" query format --check-only
+          brew install gnu-tar
+          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
+      - name: Find codeql
+        id: find-codeql
+        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
+        with:
+          languages: javascript # does not matter
+      - uses: ./.github/actions/os-version
+        id: os_version
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            ql/target
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }}
+      - name: Build extractor
+        if: runner.os != 'Windows'
+        run: |
+          cd ql;
+          codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
+          env "PATH=$PATH:$codeqlpath" ./scripts/create-extractor-pack.sh
+      - name: Build extractor (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          cd ql;
+          $Env:PATH += ";$(dirname ${{ steps.find-codeql.outputs.codeql-path }})"
+          pwsh ./scripts/create-extractor-pack.ps1
+      - name: Run a single QL tests - Unix
+        if: runner.os != 'Windows'
+        run: |
+          "${CODEQL}" test run --check-databases --search-path "${{ github.workspace }}/ql/extractor-pack" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      - name: Run a single QL tests - Windows
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          $Env:PATH += ";$(dirname ${{ steps.find-codeql.outputs.codeql-path }})"
+          codeql test run --check-databases --search-path "${{ github.workspace }}/ql/extractor-pack" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
+      
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -48,6 +48,8 @@ jobs:
        run: |
          brew install gnu-tar
          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
+      - uses: ./.github/actions/os-version
+        id: os_version
      - name: Cache entire extractor
        uses: actions/cache@v3
        id: cache-extractor
@@ -58,7 +60,7 @@ jobs:
            ruby/target/release/ruby-extractor
            ruby/target/release/ruby-extractor.exe
            ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-          key: ${{ runner.os }}-ruby-extractor-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}--${{ hashFiles('ruby/**/*.rs') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}--${{ hashFiles('ruby/**/*.rs') }}
      - uses: actions/cache@v3
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        with:
@@ -66,7 +68,7 @@ jobs:
            ~/.cargo/registry
            ~/.cargo/git
            ruby/target
-          key: ${{ runner.os }}-ruby-rust-cargo-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}
      - name: Check formatting
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        run: cargo fmt --all -- --check
@@ -115,9 +117,10 @@ jobs:
      - name: Build Query Pack
        run: |
          rm -rf target/packs
-          codeql pack create ../shared/ssa --output target/packs
          codeql pack create ../misc/suite-helpers --output target/packs
          codeql pack create ../shared/regex --output target/packs
+          codeql pack create ../shared/ssa --output target/packs
+          codeql pack create ../shared/tutorial --output target/packs
          codeql pack create ql/lib --output target/packs
          codeql pack create -j0 ql/src --output target/packs --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
          PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
@@ -202,11 +205,6 @@ jobs:
      - name: Fetch CodeQL
        uses: ./.github/actions/fetch-codeql

-      - uses: actions/checkout@v3
-        with:
-          repository: Shopify/example-ruby-app
-          ref: 67a0decc5eb550f3a9228eda53925c3afd40dfe9
-
      - name: Download Ruby bundle
        uses: actions/download-artifact@v3
        with:
@@ -215,26 +213,15 @@ jobs:
      - name: Unzip Ruby bundle
        shell: bash
        run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
-      - name: Prepare test files
-        shell: bash
-        run: |
-          echo "import codeql.ruby.AST select count(File f)" > "test.ql"
-          echo "| 4 |" > "test.expected"
-          echo 'name: sample-tests
-          version: 0.0.0
-          dependencies:
-            codeql/ruby-all: "*"
-          extractor: ruby
-          tests: .
-          ' > qlpack.yml
+
      - name: Run QL test
        shell: bash
        run: |
-          codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" .
+          codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" ruby/ql/test/library-tests/ast/constants/
      - name: Create database
        shell: bash
        run: |
-          codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root . ../database
+          codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
      - name: Analyze database
        shell: bash
        run: |
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -25,6 +25,7 @@ If you have an idea for a query that you would like to share with other CodeQL u

    Each language-specific directory contains further subdirectories that group queries based on their `@tags` or purpose.
    - Experimental queries and libraries are stored in the `experimental` subdirectory within each language-specific directory in the [CodeQL repository](https://github.com/github/codeql). For example, experimental Java queries and libraries are stored in `java/ql/src/experimental` and any corresponding tests in `java/ql/test/experimental`.
+    - Experimental queries need to include `experimental` in their `@tags`
    - The structure of an `experimental` subdirectory mirrors the structure of its parent directory.
    - Select or create an appropriate directory in `experimental` based on the existing directory structure of `experimental` or its parent directory.

--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -29,6 +29,7 @@
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll",
    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll",
    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll",
+    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImplForStringsNewReplacer.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
@@ -402,16 +403,6 @@
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
  ],
-  "Inline Test Expectations": [
-    "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "csharp/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "python/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "ruby/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "ql/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "go/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "swift/ql/test/TestUtilities/InlineExpectationsTest.qll"
-  ],
  "C++ ExternalAPIs": [
    "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
    "cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll"
@@ -505,14 +496,6 @@
    "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
    "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
  ],
-  "CodeQL Tutorial": [
-    "cpp/ql/lib/tutorial.qll",
-    "csharp/ql/lib/tutorial.qll",
-    "java/ql/lib/tutorial.qll",
-    "javascript/ql/lib/tutorial.qll",
-    "python/ql/lib/tutorial.qll",
-    "ruby/ql/lib/tutorial.qll"
-  ],
  "AccessPathSyntax": [
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
    "go/ql/lib/semmle/go/dataflow/internal/AccessPathSyntax.qll",
@@ -531,11 +514,6 @@
    "ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll",
    "javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll"
  ],
-  "Hostname Regexp queries": [
-    "javascript/ql/src/Security/CWE-020/HostnameRegexpShared.qll",
-    "python/ql/src/Security/CWE-020/HostnameRegexpShared.qll",
-    "ruby/ql/src/queries/security/cwe-020/HostnameRegexpShared.qll"
-  ],
  "ApiGraphModels": [
    "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
    "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",
--- a/cpp/downgrades/23f7cbb88a4eb29f30c3490363dc201bc054c5ff/exprs.ql
+++ b/cpp/downgrades/23f7cbb88a4eb29f30c3490363dc201bc054c5ff/exprs.ql
@@ -13,5 +13,5 @@ predicate isExprWithNewBuiltin(Expr expr) {
 from Expr expr, int kind, int kind_new, Location location
 where
  exprs(expr, kind, location) and
-  if isExprWithNewBuiltin(expr) then kind_new = 0 else kind_new = kind
+  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
 select expr, kind_new, location
--- a/cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/exprs.ql
+++ b/cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/exprs.ql
@@ -9,5 +9,5 @@ class Location extends @location_expr {
 from Expr expr, int kind, int kind_new, Location location
 where
  exprs(expr, kind, location) and
-  if expr instanceof @blockassignexpr then kind_new = 0 else kind_new = kind
+  if expr instanceof @blockassignexpr then kind_new = 1 else kind_new = kind
 select expr, kind_new, location
--- a/cpp/downgrades/a5bb28ed29f73855d64cc5f939cef977fa8fd19a/builtintypes.ql
+++ b/cpp/downgrades/a5bb28ed29f73855d64cc5f939cef977fa8fd19a/builtintypes.ql
@@ -0,0 +1,11 @@
+class BuiltinType extends @builtintype {
+  string toString() { none() }
+}
+
+from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
+where
+  builtintypes(type, name, kind, size, sign, alignment) and
+  if type instanceof @float16 or type instanceof @complex_float16
+  then kind_new = 2
+  else kind_new = kind
+select type, name, kind_new, size, sign, alignment
--- a/cpp/downgrades/a5bb28ed29f73855d64cc5f939cef977fa8fd19a/old.dbscheme
+++ b/cpp/downgrades/a5bb28ed29f73855d64cc5f939cef977fa8fd19a/old.dbscheme
--- a/cpp/downgrades/a5bb28ed29f73855d64cc5f939cef977fa8fd19a/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/a5bb28ed29f73855d64cc5f939cef977fa8fd19a/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/a5bb28ed29f73855d64cc5f939cef977fa8fd19a/upgrade.properties
+++ b/cpp/downgrades/a5bb28ed29f73855d64cc5f939cef977fa8fd19a/upgrade.properties
@@ -0,0 +1,3 @@
+description: Introduce (_Complex) _Float16 type
+compatibility: backwards
+builtintypes.rel: run builtintypes.qlo
--- a/cpp/downgrades/ba86bebea4c7a8235c2fa0e220391fbd4446a087/old.dbscheme
+++ b/cpp/downgrades/ba86bebea4c7a8235c2fa0e220391fbd4446a087/old.dbscheme
--- a/cpp/downgrades/ba86bebea4c7a8235c2fa0e220391fbd4446a087/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/ba86bebea4c7a8235c2fa0e220391fbd4446a087/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/ba86bebea4c7a8235c2fa0e220391fbd4446a087/upgrade.properties
+++ b/cpp/downgrades/ba86bebea4c7a8235c2fa0e220391fbd4446a087/upgrade.properties
@@ -0,0 +1,2 @@
+description: Uncomment case splits in dbscheme
+compatibility: full
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,32 @@
+## 0.5.1
+
+No user-facing changes.
+
+## 0.5.0
+
+### Breaking Changes
+
+The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
+
+### Deprecated APIs
+
+* Deprecated `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
+* Deprecated `semmle.code.cpp.security.TaintTrackingImpl`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
+* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.
+
+### Minor Analysis Improvements
+
+* The `ArgvSource` flow source now uses the second parameter of `main` as its source instead of the uses of this parameter.
+* The `ArgvSource` flow source has been generalized to handle cases where the argument vector of `main` is not named `argv`.
+* The `getaddrinfo` function is now recognized as a flow source.
+* The `secure_getenv` and `_wgetenv` functions are now recognized as local flow sources.
+* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.
+* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.
+
+## 0.4.6
+
+No user-facing changes.
+
 ## 0.4.5

 No user-facing changes.
--- a/cpp/ql/lib/change-notes/2022-11-14-deprecate-ast-gvn.md
+++ b/cpp/ql/lib/change-notes/2022-11-14-deprecate-ast-gvn.md
@@ -1,6 +0,0 @@
---
-category: deprecated
---
-
-
-* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.
--- a/cpp/ql/lib/change-notes/2022-11-16-must-flow.md
+++ b/cpp/ql/lib/change-notes/2022-11-16-must-flow.md
@@ -1,4 +0,0 @@
---
-category: breaking
---
-The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
--- a/cpp/ql/lib/change-notes/2022-11-17-deleted-deps.md
+++ b/cpp/ql/lib/change-notes/2022-11-17-deleted-deps.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.
--- a/cpp/ql/lib/change-notes/2022-11-25-deprecate-default-taint-tracking.md
+++ b/cpp/ql/lib/change-notes/2022-11-25-deprecate-default-taint-tracking.md
@@ -1,6 +0,0 @@
---
-category: deprecated
---
-
-* Deprecated `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
-* Deprecated `semmle.code.cpp.security.TaintTrackingImpl`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
--- a/cpp/ql/lib/change-notes/2022-12-08-support-getaddrinfo-dataflow.md
+++ b/cpp/ql/lib/change-notes/2022-12-08-support-getaddrinfo-dataflow.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `getaddrinfo` function is now recognized as a flow source.
--- a/cpp/ql/lib/change-notes/2022-12-08-support-getenv-variants.md
+++ b/cpp/ql/lib/change-notes/2022-12-08-support-getenv-variants.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `secure_getenv` and `_wgetenv` functions are now recognized as local flow sources.
--- a/cpp/ql/lib/change-notes/2022-12-08-support-scanf-dataflow.md
+++ b/cpp/ql/lib/change-notes/2022-12-08-support-scanf-dataflow.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.
--- a/cpp/ql/lib/change-notes/2022-12-09-generalize-argv-source.md
+++ b/cpp/ql/lib/change-notes/2022-12-09-generalize-argv-source.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `ArgvSource` flow source has been generalized to handle cases where the argument vector of `main` is not named `argv`.
--- a/cpp/ql/lib/change-notes/released/0.4.6.md
+++ b/cpp/ql/lib/change-notes/released/0.4.6.md
@@ -0,0 +1,3 @@
+## 0.4.6
+
+No user-facing changes.
--- a/cpp/ql/lib/change-notes/released/0.5.0.md
+++ b/cpp/ql/lib/change-notes/released/0.5.0.md
@@ -0,0 +1,20 @@
+## 0.5.0
+
+### Breaking Changes
+
+The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
+
+### Deprecated APIs
+
+* Deprecated `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
+* Deprecated `semmle.code.cpp.security.TaintTrackingImpl`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
+* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.
+
+### Minor Analysis Improvements
+
+* The `ArgvSource` flow source now uses the second parameter of `main` as its source instead of the uses of this parameter.
+* The `ArgvSource` flow source has been generalized to handle cases where the argument vector of `main` is not named `argv`.
+* The `getaddrinfo` function is now recognized as a flow source.
+* The `secure_getenv` and `_wgetenv` functions are now recognized as local flow sources.
+* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.
+* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.
--- a/cpp/ql/lib/change-notes/released/0.5.1.md
+++ b/cpp/ql/lib/change-notes/released/0.5.1.md
@@ -0,0 +1,3 @@
+## 0.5.1
+
+No user-facing changes.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.5
+lastReleaseVersion: 0.5.1
--- a/cpp/ql/lib/definitions.qll
+++ b/cpp/ql/lib/definitions.qll
@@ -123,6 +123,13 @@ private predicate constructorCallTypeMention(ConstructorCall cc, TypeMention tm)
  )
 }

+/** Holds if `loc` has the container `container` and is on the line starting at `startLine`. */
+pragma[nomagic]
+private predicate hasContainerAndStartLine(Location loc, Container container, int startLine) {
+  loc.getStartLine() = startLine and
+  loc.getContainer() = container
+}
+
 /**
 * Gets an element, of kind `kind`, that element `e` uses, if any.
 * Attention: This predicate yields multiple definitions for a single location.
@@ -159,9 +166,9 @@ Top definitionOf(Top e, string kind) {
    // Multiple type mentions can be generated when a typedef is used, and
    // in such cases we want to exclude all but the originating typedef.
    not exists(Type secondary |
-      exists(TypeMention tm, File f, int startline, int startcol |
+      exists(File f, int startline, int startcol |
        typeMentionStartLoc(e, result, f, startline, startcol) and
-        typeMentionStartLoc(tm, secondary, f, startline, startcol) and
+        typeMentionStartLoc(_, secondary, f, startline, startcol) and
        (
          result = secondary.(TypedefType).getBaseType() or
          result = secondary.(TypedefType).getBaseType().(SpecifiedType).getBaseType()
@@ -184,11 +191,9 @@ Top definitionOf(Top e, string kind) {
    kind = "I" and
    result = e.(Include).getIncludedFile() and
    // exclude `#include` directives containing macros
-    not exists(MacroInvocation mi, Location l1, Location l2 |
-      l1 = e.(Include).getLocation() and
-      l2 = mi.getLocation() and
-      l1.getContainer() = l2.getContainer() and
-      l1.getStartLine() = l2.getStartLine()
+    not exists(MacroInvocation mi, Container container, int startLine |
+      hasContainerAndStartLine(e.(Include).getLocation(), container, startLine) and
+      hasContainerAndStartLine(mi.getLocation(), container, startLine)
      // (an #include directive must be always on it's own line)
    )
  ) and
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -622,7 +622,11 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }

 private module Stage1 implements StageSig {
-  class Ap = Unit;
+  class Ap extends int {
+    // workaround for bad functionality-induced joins (happens when using `Unit`)
+    pragma[nomagic]
+    Ap() { this in [0 .. 1] and this < 1 }
+  }

  private class Cc = boolean;

@@ -872,9 +876,9 @@ private module Stage1 implements StageSig {

  pragma[nomagic]
  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
      revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
    )
  }

@@ -1327,8 +1331,8 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
      PrevStage::revFlow(node, state, apa, config) and
@@ -1337,21 +1341,21 @@ private module MkStage<StageSig PrevStage> {

    pragma[inline]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      Configuration config
    ) {
      fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
    }

    pragma[nomagic]
    private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      sourceNode(node, state, config) and
      (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
      argAp = apNone() and
-      summaryCtx = TParameterPositionNone() and
+      summaryCtx = TParamNodeNone() and
      ap = getApNil(node) and
      apa = getApprox(ap)
      or
@@ -1372,7 +1376,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
        jumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone()
      )
      or
@@ -1380,7 +1384,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1390,7 +1394,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStateStep(mid, state0, node, state, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1414,10 +1418,10 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
      if PrevStage::parameterMayFlowThrough(node, apa, config)
      then (
-        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
+        summaryCtx = TParamNodeSome(node.asNode()) and
        argAp = apSome(ap)
      ) else (
-        summaryCtx = TParameterPositionNone() and argAp = apNone()
+        summaryCtx = TParamNodeNone() and argAp = apNone()
      )
      or
      // flow out of a callable
@@ -1433,16 +1437,19 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
-        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
-        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
+      exists(
+        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
+      |
+        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate fwdFlowStore(
      NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      exists(DataFlowType contentType, ApApprox apa1 |
        fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1473,8 +1480,8 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ApNonNil ap, Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
+      Configuration config
    ) {
      fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, _, _, config)
@@ -1483,7 +1490,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
@@ -1493,7 +1500,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowIn(
      DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
    ) {
      exists(ArgNodeEx arg, boolean allowsFieldFlow |
        fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1505,64 +1512,38 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
-      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
+      Ap ap, ApApprox apa, Configuration config
    ) {
-      exists(DataFlowCallable c, ReturnKindExt kind |
+      exists(ReturnKindExt kind |
        fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
-        getApprox(argAp) = argApa and
-        c = ret.getEnclosingCallable() and
+          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
+          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
+          pragma[only_bind_into](config)) and
        kind = ret.getKind() and
-        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
-        parameterFlowThroughAllowed(p, kind)
+        parameterFlowThroughAllowed(summaryCtx, kind) and
+        argApa = getApprox(argAp) and
+        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
      )
    }

    pragma[inline]
-    private predicate fwdFlowInMayFlowThrough(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
+    private predicate fwdFlowThrough0(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
+      Ap innerArgAp, ApApprox innerArgApa, Configuration config
    ) {
-      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
-        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-      PrevStage::parameterMayFlowThrough(param, apa, config)
-    }
-
-    // dedup before joining with `flowThroughOutOfCall`
-    pragma[nomagic]
-    private predicate fwdFlowInMayFlowThroughProj(
-      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
-    }
-
-    /**
-     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
-     * in the flow covered by `fwdFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate fwdFlowThroughOutOfCall(
-      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-      ApApprox argApa, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
+      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
+      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
    }

    pragma[nomagic]
-    private predicate fwdFlowOutFromArg(
-      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
-      ApApprox apa, Configuration config
+    private predicate fwdFlowThrough(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
    ) {
-      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
-          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
-          config) and
-        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
-      )
+      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
+        config)
    }

    /**
@@ -1571,12 +1552,14 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParameterPosition pos, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
+      ParamNodeEx p, Ap ap, Configuration config
    ) {
-      exists(ParamNodeEx param |
-        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
-        pos = param.getPosition()
+      exists(ApApprox apa |
+        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
+          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+        PrevStage::parameterMayFlowThrough(p, apa, config) and
+        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
      )
    }

@@ -1596,23 +1579,31 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowConsCand(ap1, c, ap2, config)
    }

+    pragma[nomagic]
+    private predicate returnFlowsThrough0(
+      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
+      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    ) {
+      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
+        innerArgApa, config)
+    }
+
    pragma[nomagic]
    private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
      Ap ap, Configuration config
    ) {
-      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
-          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
-        kind = ret.getKind() and
-        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
+        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
+        pos = ret.getReturnPosition() and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
      Configuration config
    ) {
      exists(ApApprox argApa |
@@ -1620,7 +1611,7 @@ private module MkStage<StageSig PrevStage> {
          allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
        fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
          pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
          pragma[only_bind_into](config)) and
        if allowsFieldFlow = false then argAp instanceof ApNil else any()
      )
@@ -1639,12 +1630,13 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
      Ap ap, Configuration config
    ) {
      exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config)
+        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config) and
+        pos = ret.getReturnPosition()
      )
    }

@@ -1739,17 +1731,17 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
      )
      or
      // flow out of a callable
-      exists(ReturnKindExt kind |
-        revFlowOut(_, node, kind, state, _, _, ap, config) and
-        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
+      exists(ReturnPosition pos |
+        revFlowOut(_, node, pos, state, _, _, ap, config) and
+        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
        then (
-          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
+          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
          returnAp = apSome(ap)
        ) else (
          returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1782,47 +1774,33 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
      ApOption returnAp, Ap ap, Configuration config
    ) {
      exists(NodeEx out, boolean allowsFieldFlow |
        revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

-    /**
-     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
-     * in the flow covered by `revFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate revFlowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
-      Configuration config
-    ) {
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
-      revFlowIsReturned(call, _, _, _, _, config)
-    }
-
    pragma[nomagic]
    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
+      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
    ) {
-      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
+        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
+      parameterFlowThroughAllowed(p, pos.getKind()) and
+      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
    }

    pragma[nomagic]
-    private predicate revFlowInToReturn(
-      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
-      Configuration config
+    private predicate revFlowThrough(
+      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
+      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
    ) {
-      exists(ParamNodeEx p, boolean allowsFieldFlow |
-        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
-        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
-      )
+      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
+      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
    }

    /**
@@ -1832,12 +1810,12 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
      Configuration config
    ) {
      exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
        matchesCall(ccc, call)
      )
    }
@@ -1915,17 +1893,17 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
    ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, pos.getKind())
    }

    pragma[nomagic]
    predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnKindExt kind |
-        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, kind, _, config)
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, pos, _, config)
      )
    }

@@ -1933,20 +1911,21 @@ private module MkStage<StageSig PrevStage> {
    predicate returnMayFlowThrough(
      RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
    ) {
-      exists(ParamNodeEx p |
-        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, kind, ap, config)
+      exists(ParamNodeEx p, ReturnPosition pos |
+        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
+        kind = pos.getKind()
      )
    }

    pragma[nomagic]
-    predicate revFlowInToReturnIsReturned(
+    private predicate revFlowThroughArg(
      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
      Ap ap, Configuration config
    ) {
-      exists(ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
      )
    }

@@ -1954,7 +1933,7 @@ private module MkStage<StageSig PrevStage> {
    predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
      exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
        revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
      )
    }

@@ -1967,8 +1946,9 @@ private module MkStage<StageSig PrevStage> {
      conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
      states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
      tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
+        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
+          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
+        )
      or
      fwd = false and
      nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2823,13 +2803,12 @@ private Configuration unbindConf(Configuration conf) {

 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
-  Configuration config
+  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
 ) {
  exists(AccessPathApprox apa0 |
-    c = n.getEnclosingCallable() and
+    Stage5::parameterMayFlowThrough(p, _, _) and
    Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
      TAccessPathApproxSome(apa), apa0, config)
  )
 }
@@ -2838,10 +2817,9 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
  NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
+  exists(ParamNodeEx p |
    Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, c, pos, state, apa, config) and
-    p.isParameterOf(c, pos)
+    nodeMayUseSummary0(n, p, state, apa, config)
  )
 }

@@ -3771,8 +3749,8 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
  AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
    kind = ret.getKind() and
    apa = ap.getApprox() and
    parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4234,17 +4212,15 @@ private module FlowExploration {
      ap = TRevPartialNil() and
      exists(config.explorationLimit())
      or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
    }

  pragma[nomagic]
@@ -4252,19 +4228,17 @@ private module FlowExploration {
    NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
    TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
  }

  /**
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -622,7 +622,11 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }

 private module Stage1 implements StageSig {
-  class Ap = Unit;
+  class Ap extends int {
+    // workaround for bad functionality-induced joins (happens when using `Unit`)
+    pragma[nomagic]
+    Ap() { this in [0 .. 1] and this < 1 }
+  }

  private class Cc = boolean;

@@ -872,9 +876,9 @@ private module Stage1 implements StageSig {

  pragma[nomagic]
  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
      revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
    )
  }

@@ -1327,8 +1331,8 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
      PrevStage::revFlow(node, state, apa, config) and
@@ -1337,21 +1341,21 @@ private module MkStage<StageSig PrevStage> {

    pragma[inline]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      Configuration config
    ) {
      fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
    }

    pragma[nomagic]
    private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      sourceNode(node, state, config) and
      (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
      argAp = apNone() and
-      summaryCtx = TParameterPositionNone() and
+      summaryCtx = TParamNodeNone() and
      ap = getApNil(node) and
      apa = getApprox(ap)
      or
@@ -1372,7 +1376,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
        jumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone()
      )
      or
@@ -1380,7 +1384,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1390,7 +1394,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStateStep(mid, state0, node, state, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1414,10 +1418,10 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
      if PrevStage::parameterMayFlowThrough(node, apa, config)
      then (
-        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
+        summaryCtx = TParamNodeSome(node.asNode()) and
        argAp = apSome(ap)
      ) else (
-        summaryCtx = TParameterPositionNone() and argAp = apNone()
+        summaryCtx = TParamNodeNone() and argAp = apNone()
      )
      or
      // flow out of a callable
@@ -1433,16 +1437,19 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
-        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
-        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
+      exists(
+        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
+      |
+        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate fwdFlowStore(
      NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      exists(DataFlowType contentType, ApApprox apa1 |
        fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1473,8 +1480,8 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ApNonNil ap, Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
+      Configuration config
    ) {
      fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, _, _, config)
@@ -1483,7 +1490,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
@@ -1493,7 +1500,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowIn(
      DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
    ) {
      exists(ArgNodeEx arg, boolean allowsFieldFlow |
        fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1505,64 +1512,38 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
-      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
+      Ap ap, ApApprox apa, Configuration config
    ) {
-      exists(DataFlowCallable c, ReturnKindExt kind |
+      exists(ReturnKindExt kind |
        fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
-        getApprox(argAp) = argApa and
-        c = ret.getEnclosingCallable() and
+          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
+          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
+          pragma[only_bind_into](config)) and
        kind = ret.getKind() and
-        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
-        parameterFlowThroughAllowed(p, kind)
+        parameterFlowThroughAllowed(summaryCtx, kind) and
+        argApa = getApprox(argAp) and
+        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
      )
    }

    pragma[inline]
-    private predicate fwdFlowInMayFlowThrough(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
+    private predicate fwdFlowThrough0(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
+      Ap innerArgAp, ApApprox innerArgApa, Configuration config
    ) {
-      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
-        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-      PrevStage::parameterMayFlowThrough(param, apa, config)
-    }
-
-    // dedup before joining with `flowThroughOutOfCall`
-    pragma[nomagic]
-    private predicate fwdFlowInMayFlowThroughProj(
-      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
-    }
-
-    /**
-     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
-     * in the flow covered by `fwdFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate fwdFlowThroughOutOfCall(
-      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-      ApApprox argApa, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
+      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
+      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
    }

    pragma[nomagic]
-    private predicate fwdFlowOutFromArg(
-      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
-      ApApprox apa, Configuration config
+    private predicate fwdFlowThrough(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
    ) {
-      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
-          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
-          config) and
-        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
-      )
+      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
+        config)
    }

    /**
@@ -1571,12 +1552,14 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParameterPosition pos, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
+      ParamNodeEx p, Ap ap, Configuration config
    ) {
-      exists(ParamNodeEx param |
-        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
-        pos = param.getPosition()
+      exists(ApApprox apa |
+        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
+          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+        PrevStage::parameterMayFlowThrough(p, apa, config) and
+        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
      )
    }

@@ -1596,23 +1579,31 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowConsCand(ap1, c, ap2, config)
    }

+    pragma[nomagic]
+    private predicate returnFlowsThrough0(
+      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
+      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    ) {
+      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
+        innerArgApa, config)
+    }
+
    pragma[nomagic]
    private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
      Ap ap, Configuration config
    ) {
-      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
-          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
-        kind = ret.getKind() and
-        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
+        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
+        pos = ret.getReturnPosition() and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
      Configuration config
    ) {
      exists(ApApprox argApa |
@@ -1620,7 +1611,7 @@ private module MkStage<StageSig PrevStage> {
          allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
        fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
          pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
          pragma[only_bind_into](config)) and
        if allowsFieldFlow = false then argAp instanceof ApNil else any()
      )
@@ -1639,12 +1630,13 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
      Ap ap, Configuration config
    ) {
      exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config)
+        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config) and
+        pos = ret.getReturnPosition()
      )
    }

@@ -1739,17 +1731,17 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
      )
      or
      // flow out of a callable
-      exists(ReturnKindExt kind |
-        revFlowOut(_, node, kind, state, _, _, ap, config) and
-        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
+      exists(ReturnPosition pos |
+        revFlowOut(_, node, pos, state, _, _, ap, config) and
+        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
        then (
-          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
+          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
          returnAp = apSome(ap)
        ) else (
          returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1782,47 +1774,33 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
      ApOption returnAp, Ap ap, Configuration config
    ) {
      exists(NodeEx out, boolean allowsFieldFlow |
        revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

-    /**
-     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
-     * in the flow covered by `revFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate revFlowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
-      Configuration config
-    ) {
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
-      revFlowIsReturned(call, _, _, _, _, config)
-    }
-
    pragma[nomagic]
    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
+      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
    ) {
-      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
+        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
+      parameterFlowThroughAllowed(p, pos.getKind()) and
+      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
    }

    pragma[nomagic]
-    private predicate revFlowInToReturn(
-      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
-      Configuration config
+    private predicate revFlowThrough(
+      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
+      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
    ) {
-      exists(ParamNodeEx p, boolean allowsFieldFlow |
-        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
-        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
-      )
+      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
+      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
    }

    /**
@@ -1832,12 +1810,12 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
      Configuration config
    ) {
      exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
        matchesCall(ccc, call)
      )
    }
@@ -1915,17 +1893,17 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
    ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, pos.getKind())
    }

    pragma[nomagic]
    predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnKindExt kind |
-        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, kind, _, config)
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, pos, _, config)
      )
    }

@@ -1933,20 +1911,21 @@ private module MkStage<StageSig PrevStage> {
    predicate returnMayFlowThrough(
      RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
    ) {
-      exists(ParamNodeEx p |
-        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, kind, ap, config)
+      exists(ParamNodeEx p, ReturnPosition pos |
+        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
+        kind = pos.getKind()
      )
    }

    pragma[nomagic]
-    predicate revFlowInToReturnIsReturned(
+    private predicate revFlowThroughArg(
      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
      Ap ap, Configuration config
    ) {
-      exists(ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
      )
    }

@@ -1954,7 +1933,7 @@ private module MkStage<StageSig PrevStage> {
    predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
      exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
        revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
      )
    }

@@ -1967,8 +1946,9 @@ private module MkStage<StageSig PrevStage> {
      conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
      states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
      tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
+        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
+          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
+        )
      or
      fwd = false and
      nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2823,13 +2803,12 @@ private Configuration unbindConf(Configuration conf) {

 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
-  Configuration config
+  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
 ) {
  exists(AccessPathApprox apa0 |
-    c = n.getEnclosingCallable() and
+    Stage5::parameterMayFlowThrough(p, _, _) and
    Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
      TAccessPathApproxSome(apa), apa0, config)
  )
 }
@@ -2838,10 +2817,9 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
  NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
+  exists(ParamNodeEx p |
    Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, c, pos, state, apa, config) and
-    p.isParameterOf(c, pos)
+    nodeMayUseSummary0(n, p, state, apa, config)
  )
 }

@@ -3771,8 +3749,8 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
  AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
    kind = ret.getKind() and
    apa = ap.getApprox() and
    parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4234,17 +4212,15 @@ private module FlowExploration {
      ap = TRevPartialNil() and
      exists(config.explorationLimit())
      or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
    }

  pragma[nomagic]
@@ -4252,19 +4228,17 @@ private module FlowExploration {
    NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
    TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
  }

  /**
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -622,7 +622,11 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }

 private module Stage1 implements StageSig {
-  class Ap = Unit;
+  class Ap extends int {
+    // workaround for bad functionality-induced joins (happens when using `Unit`)
+    pragma[nomagic]
+    Ap() { this in [0 .. 1] and this < 1 }
+  }

  private class Cc = boolean;

@@ -872,9 +876,9 @@ private module Stage1 implements StageSig {

  pragma[nomagic]
  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
      revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
    )
  }

@@ -1327,8 +1331,8 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
      PrevStage::revFlow(node, state, apa, config) and
@@ -1337,21 +1341,21 @@ private module MkStage<StageSig PrevStage> {

    pragma[inline]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      Configuration config
    ) {
      fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
    }

    pragma[nomagic]
    private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      sourceNode(node, state, config) and
      (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
      argAp = apNone() and
-      summaryCtx = TParameterPositionNone() and
+      summaryCtx = TParamNodeNone() and
      ap = getApNil(node) and
      apa = getApprox(ap)
      or
@@ -1372,7 +1376,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
        jumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone()
      )
      or
@@ -1380,7 +1384,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1390,7 +1394,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStateStep(mid, state0, node, state, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1414,10 +1418,10 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
      if PrevStage::parameterMayFlowThrough(node, apa, config)
      then (
-        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
+        summaryCtx = TParamNodeSome(node.asNode()) and
        argAp = apSome(ap)
      ) else (
-        summaryCtx = TParameterPositionNone() and argAp = apNone()
+        summaryCtx = TParamNodeNone() and argAp = apNone()
      )
      or
      // flow out of a callable
@@ -1433,16 +1437,19 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
-        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
-        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
+      exists(
+        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
+      |
+        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate fwdFlowStore(
      NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      exists(DataFlowType contentType, ApApprox apa1 |
        fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1473,8 +1480,8 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ApNonNil ap, Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
+      Configuration config
    ) {
      fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, _, _, config)
@@ -1483,7 +1490,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
@@ -1493,7 +1500,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowIn(
      DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
    ) {
      exists(ArgNodeEx arg, boolean allowsFieldFlow |
        fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1505,64 +1512,38 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
-      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
+      Ap ap, ApApprox apa, Configuration config
    ) {
-      exists(DataFlowCallable c, ReturnKindExt kind |
+      exists(ReturnKindExt kind |
        fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
-        getApprox(argAp) = argApa and
-        c = ret.getEnclosingCallable() and
+          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
+          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
+          pragma[only_bind_into](config)) and
        kind = ret.getKind() and
-        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
-        parameterFlowThroughAllowed(p, kind)
+        parameterFlowThroughAllowed(summaryCtx, kind) and
+        argApa = getApprox(argAp) and
+        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
      )
    }

    pragma[inline]
-    private predicate fwdFlowInMayFlowThrough(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
+    private predicate fwdFlowThrough0(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
+      Ap innerArgAp, ApApprox innerArgApa, Configuration config
    ) {
-      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
-        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-      PrevStage::parameterMayFlowThrough(param, apa, config)
-    }
-
-    // dedup before joining with `flowThroughOutOfCall`
-    pragma[nomagic]
-    private predicate fwdFlowInMayFlowThroughProj(
-      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
-    }
-
-    /**
-     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
-     * in the flow covered by `fwdFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate fwdFlowThroughOutOfCall(
-      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-      ApApprox argApa, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
+      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
+      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
    }

    pragma[nomagic]
-    private predicate fwdFlowOutFromArg(
-      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
-      ApApprox apa, Configuration config
+    private predicate fwdFlowThrough(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
    ) {
-      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
-          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
-          config) and
-        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
-      )
+      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
+        config)
    }

    /**
@@ -1571,12 +1552,14 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParameterPosition pos, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
+      ParamNodeEx p, Ap ap, Configuration config
    ) {
-      exists(ParamNodeEx param |
-        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
-        pos = param.getPosition()
+      exists(ApApprox apa |
+        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
+          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+        PrevStage::parameterMayFlowThrough(p, apa, config) and
+        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
      )
    }

@@ -1596,23 +1579,31 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowConsCand(ap1, c, ap2, config)
    }

+    pragma[nomagic]
+    private predicate returnFlowsThrough0(
+      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
+      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    ) {
+      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
+        innerArgApa, config)
+    }
+
    pragma[nomagic]
    private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
      Ap ap, Configuration config
    ) {
-      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
-          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
-        kind = ret.getKind() and
-        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
+        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
+        pos = ret.getReturnPosition() and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
      Configuration config
    ) {
      exists(ApApprox argApa |
@@ -1620,7 +1611,7 @@ private module MkStage<StageSig PrevStage> {
          allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
        fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
          pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
          pragma[only_bind_into](config)) and
        if allowsFieldFlow = false then argAp instanceof ApNil else any()
      )
@@ -1639,12 +1630,13 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
      Ap ap, Configuration config
    ) {
      exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config)
+        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config) and
+        pos = ret.getReturnPosition()
      )
    }

@@ -1739,17 +1731,17 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
      )
      or
      // flow out of a callable
-      exists(ReturnKindExt kind |
-        revFlowOut(_, node, kind, state, _, _, ap, config) and
-        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
+      exists(ReturnPosition pos |
+        revFlowOut(_, node, pos, state, _, _, ap, config) and
+        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
        then (
-          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
+          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
          returnAp = apSome(ap)
        ) else (
          returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1782,47 +1774,33 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
      ApOption returnAp, Ap ap, Configuration config
    ) {
      exists(NodeEx out, boolean allowsFieldFlow |
        revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

-    /**
-     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
-     * in the flow covered by `revFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate revFlowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
-      Configuration config
-    ) {
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
-      revFlowIsReturned(call, _, _, _, _, config)
-    }
-
    pragma[nomagic]
    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
+      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
    ) {
-      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
+        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
+      parameterFlowThroughAllowed(p, pos.getKind()) and
+      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
    }

    pragma[nomagic]
-    private predicate revFlowInToReturn(
-      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
-      Configuration config
+    private predicate revFlowThrough(
+      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
+      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
    ) {
-      exists(ParamNodeEx p, boolean allowsFieldFlow |
-        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
-        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
-      )
+      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
+      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
    }

    /**
@@ -1832,12 +1810,12 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
      Configuration config
    ) {
      exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
        matchesCall(ccc, call)
      )
    }
@@ -1915,17 +1893,17 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
    ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, pos.getKind())
    }

    pragma[nomagic]
    predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnKindExt kind |
-        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, kind, _, config)
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, pos, _, config)
      )
    }

@@ -1933,20 +1911,21 @@ private module MkStage<StageSig PrevStage> {
    predicate returnMayFlowThrough(
      RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
    ) {
-      exists(ParamNodeEx p |
-        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, kind, ap, config)
+      exists(ParamNodeEx p, ReturnPosition pos |
+        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
+        kind = pos.getKind()
      )
    }

    pragma[nomagic]
-    predicate revFlowInToReturnIsReturned(
+    private predicate revFlowThroughArg(
      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
      Ap ap, Configuration config
    ) {
-      exists(ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
      )
    }

@@ -1954,7 +1933,7 @@ private module MkStage<StageSig PrevStage> {
    predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
      exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
        revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
      )
    }

@@ -1967,8 +1946,9 @@ private module MkStage<StageSig PrevStage> {
      conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
      states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
      tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
+        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
+          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
+        )
      or
      fwd = false and
      nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2823,13 +2803,12 @@ private Configuration unbindConf(Configuration conf) {

 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
-  Configuration config
+  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
 ) {
  exists(AccessPathApprox apa0 |
-    c = n.getEnclosingCallable() and
+    Stage5::parameterMayFlowThrough(p, _, _) and
    Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
      TAccessPathApproxSome(apa), apa0, config)
  )
 }
@@ -2838,10 +2817,9 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
  NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
+  exists(ParamNodeEx p |
    Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, c, pos, state, apa, config) and
-    p.isParameterOf(c, pos)
+    nodeMayUseSummary0(n, p, state, apa, config)
  )
 }

@@ -3771,8 +3749,8 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
  AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
    kind = ret.getKind() and
    apa = ap.getApprox() and
    parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4234,17 +4212,15 @@ private module FlowExploration {
      ap = TRevPartialNil() and
      exists(config.explorationLimit())
      or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
    }

  pragma[nomagic]
@@ -4252,19 +4228,17 @@ private module FlowExploration {
    NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
    TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
  }

  /**
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -622,7 +622,11 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }

 private module Stage1 implements StageSig {
-  class Ap = Unit;
+  class Ap extends int {
+    // workaround for bad functionality-induced joins (happens when using `Unit`)
+    pragma[nomagic]
+    Ap() { this in [0 .. 1] and this < 1 }
+  }

  private class Cc = boolean;

@@ -872,9 +876,9 @@ private module Stage1 implements StageSig {

  pragma[nomagic]
  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
      revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
    )
  }

@@ -1327,8 +1331,8 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
      PrevStage::revFlow(node, state, apa, config) and
@@ -1337,21 +1341,21 @@ private module MkStage<StageSig PrevStage> {

    pragma[inline]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      Configuration config
    ) {
      fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
    }

    pragma[nomagic]
    private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      sourceNode(node, state, config) and
      (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
      argAp = apNone() and
-      summaryCtx = TParameterPositionNone() and
+      summaryCtx = TParamNodeNone() and
      ap = getApNil(node) and
      apa = getApprox(ap)
      or
@@ -1372,7 +1376,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
        jumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone()
      )
      or
@@ -1380,7 +1384,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1390,7 +1394,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStateStep(mid, state0, node, state, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1414,10 +1418,10 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
      if PrevStage::parameterMayFlowThrough(node, apa, config)
      then (
-        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
+        summaryCtx = TParamNodeSome(node.asNode()) and
        argAp = apSome(ap)
      ) else (
-        summaryCtx = TParameterPositionNone() and argAp = apNone()
+        summaryCtx = TParamNodeNone() and argAp = apNone()
      )
      or
      // flow out of a callable
@@ -1433,16 +1437,19 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
-        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
-        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
+      exists(
+        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
+      |
+        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate fwdFlowStore(
      NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      exists(DataFlowType contentType, ApApprox apa1 |
        fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1473,8 +1480,8 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ApNonNil ap, Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
+      Configuration config
    ) {
      fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, _, _, config)
@@ -1483,7 +1490,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
@@ -1493,7 +1500,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowIn(
      DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
    ) {
      exists(ArgNodeEx arg, boolean allowsFieldFlow |
        fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1505,64 +1512,38 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
-      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
+      Ap ap, ApApprox apa, Configuration config
    ) {
-      exists(DataFlowCallable c, ReturnKindExt kind |
+      exists(ReturnKindExt kind |
        fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
-        getApprox(argAp) = argApa and
-        c = ret.getEnclosingCallable() and
+          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
+          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
+          pragma[only_bind_into](config)) and
        kind = ret.getKind() and
-        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
-        parameterFlowThroughAllowed(p, kind)
+        parameterFlowThroughAllowed(summaryCtx, kind) and
+        argApa = getApprox(argAp) and
+        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
      )
    }

    pragma[inline]
-    private predicate fwdFlowInMayFlowThrough(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
+    private predicate fwdFlowThrough0(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
+      Ap innerArgAp, ApApprox innerArgApa, Configuration config
    ) {
-      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
-        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-      PrevStage::parameterMayFlowThrough(param, apa, config)
-    }
-
-    // dedup before joining with `flowThroughOutOfCall`
-    pragma[nomagic]
-    private predicate fwdFlowInMayFlowThroughProj(
-      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
-    }
-
-    /**
-     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
-     * in the flow covered by `fwdFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate fwdFlowThroughOutOfCall(
-      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-      ApApprox argApa, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
+      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
+      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
    }

    pragma[nomagic]
-    private predicate fwdFlowOutFromArg(
-      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
-      ApApprox apa, Configuration config
+    private predicate fwdFlowThrough(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
    ) {
-      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
-          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
-          config) and
-        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
-      )
+      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
+        config)
    }

    /**
@@ -1571,12 +1552,14 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParameterPosition pos, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
+      ParamNodeEx p, Ap ap, Configuration config
    ) {
-      exists(ParamNodeEx param |
-        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
-        pos = param.getPosition()
+      exists(ApApprox apa |
+        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
+          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+        PrevStage::parameterMayFlowThrough(p, apa, config) and
+        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
      )
    }

@@ -1596,23 +1579,31 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowConsCand(ap1, c, ap2, config)
    }

+    pragma[nomagic]
+    private predicate returnFlowsThrough0(
+      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
+      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    ) {
+      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
+        innerArgApa, config)
+    }
+
    pragma[nomagic]
    private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
      Ap ap, Configuration config
    ) {
-      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
-          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
-        kind = ret.getKind() and
-        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
+        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
+        pos = ret.getReturnPosition() and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
      Configuration config
    ) {
      exists(ApApprox argApa |
@@ -1620,7 +1611,7 @@ private module MkStage<StageSig PrevStage> {
          allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
        fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
          pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
          pragma[only_bind_into](config)) and
        if allowsFieldFlow = false then argAp instanceof ApNil else any()
      )
@@ -1639,12 +1630,13 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
      Ap ap, Configuration config
    ) {
      exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config)
+        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config) and
+        pos = ret.getReturnPosition()
      )
    }

@@ -1739,17 +1731,17 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
      )
      or
      // flow out of a callable
-      exists(ReturnKindExt kind |
-        revFlowOut(_, node, kind, state, _, _, ap, config) and
-        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
+      exists(ReturnPosition pos |
+        revFlowOut(_, node, pos, state, _, _, ap, config) and
+        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
        then (
-          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
+          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
          returnAp = apSome(ap)
        ) else (
          returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1782,47 +1774,33 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
      ApOption returnAp, Ap ap, Configuration config
    ) {
      exists(NodeEx out, boolean allowsFieldFlow |
        revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

-    /**
-     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
-     * in the flow covered by `revFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate revFlowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
-      Configuration config
-    ) {
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
-      revFlowIsReturned(call, _, _, _, _, config)
-    }
-
    pragma[nomagic]
    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
+      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
    ) {
-      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
+        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
+      parameterFlowThroughAllowed(p, pos.getKind()) and
+      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
    }

    pragma[nomagic]
-    private predicate revFlowInToReturn(
-      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
-      Configuration config
+    private predicate revFlowThrough(
+      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
+      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
    ) {
-      exists(ParamNodeEx p, boolean allowsFieldFlow |
-        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
-        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
-      )
+      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
+      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
    }

    /**
@@ -1832,12 +1810,12 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
      Configuration config
    ) {
      exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
        matchesCall(ccc, call)
      )
    }
@@ -1915,17 +1893,17 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
    ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, pos.getKind())
    }

    pragma[nomagic]
    predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnKindExt kind |
-        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, kind, _, config)
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, pos, _, config)
      )
    }

@@ -1933,20 +1911,21 @@ private module MkStage<StageSig PrevStage> {
    predicate returnMayFlowThrough(
      RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
    ) {
-      exists(ParamNodeEx p |
-        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, kind, ap, config)
+      exists(ParamNodeEx p, ReturnPosition pos |
+        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
+        kind = pos.getKind()
      )
    }

    pragma[nomagic]
-    predicate revFlowInToReturnIsReturned(
+    private predicate revFlowThroughArg(
      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
      Ap ap, Configuration config
    ) {
-      exists(ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
      )
    }

@@ -1954,7 +1933,7 @@ private module MkStage<StageSig PrevStage> {
    predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
      exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
        revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
      )
    }

@@ -1967,8 +1946,9 @@ private module MkStage<StageSig PrevStage> {
      conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
      states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
      tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
+        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
+          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
+        )
      or
      fwd = false and
      nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2823,13 +2803,12 @@ private Configuration unbindConf(Configuration conf) {

 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
-  Configuration config
+  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
 ) {
  exists(AccessPathApprox apa0 |
-    c = n.getEnclosingCallable() and
+    Stage5::parameterMayFlowThrough(p, _, _) and
    Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
      TAccessPathApproxSome(apa), apa0, config)
  )
 }
@@ -2838,10 +2817,9 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
  NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
+  exists(ParamNodeEx p |
    Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, c, pos, state, apa, config) and
-    p.isParameterOf(c, pos)
+    nodeMayUseSummary0(n, p, state, apa, config)
  )
 }

@@ -3771,8 +3749,8 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
  AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
    kind = ret.getKind() and
    apa = ap.getApprox() and
    parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4234,17 +4212,15 @@ private module FlowExploration {
      ap = TRevPartialNil() and
      exists(config.explorationLimit())
      or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
    }

  pragma[nomagic]
@@ -4252,19 +4228,17 @@ private module FlowExploration {
    NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
    TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
  }

  /**
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -916,15 +916,15 @@ private module Cached {
    TDataFlowCallSome(DataFlowCall call)

  cached
-  newtype TParameterPositionOption =
-    TParameterPositionNone() or
-    TParameterPositionSome(ParameterPosition pos)
+  newtype TParamNodeOption =
+    TParamNodeNone() or
+    TParamNodeSome(ParamNode p)

  cached
  newtype TReturnCtx =
    TReturnCtxNone() or
    TReturnCtxNoFlowThrough() or
-    TReturnCtxMaybeFlowThrough(ReturnKindExt kind)
+    TReturnCtxMaybeFlowThrough(ReturnPosition pos)

  cached
  newtype TTypedContentApprox =
@@ -1343,15 +1343,15 @@ class DataFlowCallOption extends TDataFlowCallOption {
  }
 }

-/** An optional `ParameterPosition`. */
-class ParameterPositionOption extends TParameterPositionOption {
+/** An optional `ParamNode`. */
+class ParamNodeOption extends TParamNodeOption {
  string toString() {
-    this = TParameterPositionNone() and
+    this = TParamNodeNone() and
    result = "(none)"
    or
-    exists(ParameterPosition pos |
-      this = TParameterPositionSome(pos) and
-      result = pos.toString()
+    exists(ParamNode p |
+      this = TParamNodeSome(p) and
+      result = p.toString()
    )
  }
 }
@@ -1363,7 +1363,7 @@ class ParameterPositionOption extends TParameterPositionOption {
 *
 * - `TReturnCtxNone()`: no return flow.
 * - `TReturnCtxNoFlowThrough()`: return flow, but flow through is not possible.
- * - `TReturnCtxMaybeFlowThrough(ReturnKindExt kind)`: return flow, of kind `kind`, and
+ * - `TReturnCtxMaybeFlowThrough(ReturnPosition pos)`: return flow, of kind `pos`, and
 *    flow through may be possible.
 */
 class ReturnCtx extends TReturnCtx {
@@ -1374,9 +1374,9 @@ class ReturnCtx extends TReturnCtx {
    this = TReturnCtxNoFlowThrough() and
    result = "(no flow through)"
    or
-    exists(ReturnKindExt kind |
-      this = TReturnCtxMaybeFlowThrough(kind) and
-      result = kind.toString()
+    exists(ReturnPosition pos |
+      this = TReturnCtxMaybeFlowThrough(pos) and
+      result = pos.toString()
    )
  }
 }
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
@@ -45,6 +45,16 @@ module Consistency {
    ) {
      none()
    }
+
+    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
+    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
+      none()
+    }
+
+    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
+    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
+      none()
+    }
  }

  private class RelevantNode extends Node {
@@ -101,9 +111,7 @@ module Consistency {
    exists(int c |
      c =
        strictcount(Node n |
-          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
-            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-          ) and
+          not n.hasLocationInfo(_, _, _, _, _) and
          not any(ConsistencyConfiguration conf).missingLocationExclude(n)
        ) and
      msg = "Nodes without location: " + c
@@ -248,6 +256,7 @@ module Consistency {
  query predicate uniqueParameterNodeAtPosition(
    DataFlowCallable c, ParameterPosition pos, Node p, string msg
  ) {
+    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
    isParameterNode(p, c, pos) and
    not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
    msg = "Parameters with overlapping positions."
@@ -256,6 +265,7 @@ module Consistency {
  query predicate uniqueParameterNodePosition(
    DataFlowCallable c, ParameterPosition pos, Node p, string msg
  ) {
+    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
    isParameterNode(p, c, pos) and
    not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
    msg = "Parameter node with multiple positions."
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/ArrayLengthAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/ArrayLengthAnalysis.qll
@@ -218,7 +218,7 @@ private predicate allocation(Instruction array, Length length, int delta) {
          length.(VNLength).getInstruction().getConvertedResultExpression() = lengthExpr
        )
        or
-        not exists(int d | deconstructMallocSizeExpr(alloc.getSizeExpr(), _, d)) and
+        not deconstructMallocSizeExpr(alloc.getSizeExpr(), _, _) and
        length.(VNLength).getInstruction().getConvertedResultExpression() = alloc.getSizeExpr() and
        delta = 0
      )
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
@@ -543,9 +543,7 @@ private predicate boundedPhiCand(
  PhiInstruction phi, boolean upper, Bound b, int delta, boolean fromBackEdge, int origdelta,
  Reason reason
 ) {
-  exists(PhiInputOperand op |
-    boundedPhiInp(phi, op, b, delta, upper, fromBackEdge, origdelta, reason)
-  )
+  boundedPhiInp(phi, _, b, delta, upper, fromBackEdge, origdelta, reason)
 }

 /**
--- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/FloatDelta.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/FloatDelta.qll
@@ -0,0 +1,29 @@
+private import RangeAnalysisStage
+
+module FloatDelta implements DeltaSig {
+  class Delta = float;
+
+  bindingset[d]
+  bindingset[result]
+  float toFloat(Delta d) { result = d }
+
+  bindingset[d]
+  bindingset[result]
+  int toInt(Delta d) { result = d }
+
+  bindingset[n]
+  bindingset[result]
+  Delta fromInt(int n) { result = n }
+
+  bindingset[f]
+  Delta fromFloat(float f) {
+    result =
+      min(float diff, float res |
+        diff = (res - f) and res = f.ceil()
+        or
+        diff = (f - res) and res = f.floor()
+      |
+        res order by diff
+      )
+  }
+}
--- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/ModulusAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/ModulusAnalysis.qll
@@ -14,321 +14,328 @@ private import ModulusAnalysisSpecific::Private
 private import experimental.semmle.code.cpp.semantic.Semantic
 private import ConstantAnalysis
 private import RangeUtils
+private import RangeAnalysisStage

-/**
- * Holds if `e + delta` equals `v` at `pos`.
- */
-private predicate valueFlowStepSsa(SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta) {
-  semSsaUpdateStep(v, e, delta) and pos.hasReadOfVar(v)
-  or
-  exists(SemGuard guard, boolean testIsTrue |
-    pos.hasReadOfVar(v) and
-    guard = semEqFlowCond(v, e, delta, true, testIsTrue) and
-    semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue)
-  )
-}
-
-/**
- * Holds if `add` is the addition of `larg` and `rarg`, neither of which are
- * `ConstantIntegerExpr`s.
- */
-private predicate nonConstAddition(SemExpr add, SemExpr larg, SemExpr rarg) {
-  exists(SemAddExpr a | a = add |
-    larg = a.getLeftOperand() and
-    rarg = a.getRightOperand()
-  ) and
-  not larg instanceof SemConstantIntegerExpr and
-  not rarg instanceof SemConstantIntegerExpr
-}
-
-/**
- * Holds if `sub` is the subtraction of `larg` and `rarg`, where `rarg` is not
- * a `ConstantIntegerExpr`.
- */
-private predicate nonConstSubtraction(SemExpr sub, SemExpr larg, SemExpr rarg) {
-  exists(SemSubExpr s | s = sub |
-    larg = s.getLeftOperand() and
-    rarg = s.getRightOperand()
-  ) and
-  not rarg instanceof SemConstantIntegerExpr
-}
-
-/** Gets an expression that is the remainder modulo `mod` of `arg`. */
-private SemExpr modExpr(SemExpr arg, int mod) {
-  exists(SemRemExpr rem |
-    result = rem and
-    arg = rem.getLeftOperand() and
-    rem.getRightOperand().(SemConstantIntegerExpr).getIntValue() = mod and
-    mod >= 2
-  )
-  or
-  exists(SemConstantIntegerExpr c |
-    mod = 2.pow([1 .. 30]) and
-    c.getIntValue() = mod - 1 and
-    result.(SemBitAndExpr).hasOperands(arg, c)
-  )
-}
-
-/**
- * Gets a guard that tests whether `v` is congruent with `val` modulo `mod` on
- * its `testIsTrue` branch.
- */
-private SemGuard moduloCheck(SemSsaVariable v, int val, int mod, boolean testIsTrue) {
-  exists(SemExpr rem, SemConstantIntegerExpr c, int r, boolean polarity |
-    result.isEquality(rem, c, polarity) and
-    c.getIntValue() = r and
-    rem = modExpr(v.getAUse(), mod) and
-    (
-      testIsTrue = polarity and val = r
-      or
-      testIsTrue = polarity.booleanNot() and
-      mod = 2 and
-      val = 1 - r and
-      (r = 0 or r = 1)
-    )
-  )
-}
-
-/**
- * Holds if a guard ensures that `v` at `pos` is congruent with `val` modulo `mod`.
- */
-private predicate moduloGuardedRead(SemSsaVariable v, SemSsaReadPosition pos, int val, int mod) {
-  exists(SemGuard guard, boolean testIsTrue |
-    pos.hasReadOfVar(v) and
-    guard = moduloCheck(v, val, mod, testIsTrue) and
-    semGuardControlsSsaRead(guard, pos, testIsTrue)
-  )
-}
-
-/** Holds if `factor` is a power of 2 that divides `mask`. */
-bindingset[mask]
-private predicate andmaskFactor(int mask, int factor) {
-  mask % factor = 0 and
-  factor = 2.pow([1 .. 30])
-}
-
-/** Holds if `e` is evenly divisible by `factor`. */
-private predicate evenlyDivisibleExpr(SemExpr e, int factor) {
-  exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() |
-    e.(SemMulExpr).getAnOperand() = c and factor = k.abs() and factor >= 2
-    or
-    e.(SemShiftLeftExpr).getRightOperand() = c and factor = 2.pow(k) and k > 0
-    or
-    e.(SemBitAndExpr).getAnOperand() = c and factor = max(int f | andmaskFactor(k, f))
-  )
-}
-
-/**
- * Holds if `rix` is the number of input edges to `phi`.
- */
-private predicate maxPhiInputRank(SemSsaPhiNode phi, int rix) {
-  rix = max(int r | rankedPhiInput(phi, _, _, r))
-}
-
-/**
- * Gets the remainder of `val` modulo `mod`.
- *
- * For `mod = 0` the result equals `val` and for `mod > 1` the result is within
- * the range `[0 .. mod-1]`.
- */
-bindingset[val, mod]
-private int remainder(int val, int mod) {
-  mod = 0 and result = val
-  or
-  mod > 1 and result = ((val % mod) + mod) % mod
-}
-
-/**
- * Holds if `inp` is an input to `phi` and equals `phi` modulo `mod` along `edge`.
- */
-private predicate phiSelfModulus(
-  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int mod
-) {
-  exists(SemSsaBound phibound, int v, int m |
-    edge.phiInput(phi, inp) and
-    phibound.getAVariable() = phi and
-    ssaModulus(inp, edge, phibound, v, m) and
-    mod = m.gcd(v) and
-    mod != 1
-  )
-}
-
-/**
- * Holds if `b + val` modulo `mod` is a candidate congruence class for `phi`.
- */
-private predicate phiModulusInit(SemSsaPhiNode phi, SemBound b, int val, int mod) {
-  exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
-    edge.phiInput(phi, inp) and
-    ssaModulus(inp, edge, b, val, mod)
-  )
-}
-
-/**
- * Holds if all inputs to `phi` numbered `1` to `rix` are equal to `b + val` modulo `mod`.
- */
-pragma[nomagic]
-private predicate phiModulusRankStep(SemSsaPhiNode phi, SemBound b, int val, int mod, int rix) {
-  /*
-   * base case. If any phi input is equal to `b + val` modulo `mod`, that's a potential congruence
-   * class for the phi node.
+module ModulusAnalysis<DeltaSig D, BoundSig<D> Bounds, UtilSig<D> U> {
+  /**
+   * Holds if `e + delta` equals `v` at `pos`.
   */
+  private predicate valueFlowStepSsa(SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta) {
+    U::semSsaUpdateStep(v, e, D::fromInt(delta)) and pos.hasReadOfVar(v)
+    or
+    exists(SemGuard guard, boolean testIsTrue |
+      pos.hasReadOfVar(v) and
+      guard = U::semEqFlowCond(v, e, D::fromInt(delta), true, testIsTrue) and
+      semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue)
+    )
+  }

-  rix = 0 and
-  phiModulusInit(phi, b, val, mod)
-  or
-  exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int v1, int m1 |
-    mod != 1 and
-    val = remainder(v1, mod)
-  |
+  /**
+   * Holds if `add` is the addition of `larg` and `rarg`, neither of which are
+   * `ConstantIntegerExpr`s.
+   */
+  private predicate nonConstAddition(SemExpr add, SemExpr larg, SemExpr rarg) {
+    exists(SemAddExpr a | a = add |
+      larg = a.getLeftOperand() and
+      rarg = a.getRightOperand()
+    ) and
+    not larg instanceof SemConstantIntegerExpr and
+    not rarg instanceof SemConstantIntegerExpr
+  }
+
+  /**
+   * Holds if `sub` is the subtraction of `larg` and `rarg`, where `rarg` is not
+   * a `ConstantIntegerExpr`.
+   */
+  private predicate nonConstSubtraction(SemExpr sub, SemExpr larg, SemExpr rarg) {
+    exists(SemSubExpr s | s = sub |
+      larg = s.getLeftOperand() and
+      rarg = s.getRightOperand()
+    ) and
+    not rarg instanceof SemConstantIntegerExpr
+  }
+
+  /** Gets an expression that is the remainder modulo `mod` of `arg`. */
+  private SemExpr modExpr(SemExpr arg, int mod) {
+    exists(SemRemExpr rem |
+      result = rem and
+      arg = rem.getLeftOperand() and
+      rem.getRightOperand().(SemConstantIntegerExpr).getIntValue() = mod and
+      mod >= 2
+    )
+    or
+    exists(SemConstantIntegerExpr c |
+      mod = 2.pow([1 .. 30]) and
+      c.getIntValue() = mod - 1 and
+      result.(SemBitAndExpr).hasOperands(arg, c)
+    )
+  }
+
+  /**
+   * Gets a guard that tests whether `v` is congruent with `val` modulo `mod` on
+   * its `testIsTrue` branch.
+   */
+  private SemGuard moduloCheck(SemSsaVariable v, int val, int mod, boolean testIsTrue) {
+    exists(SemExpr rem, SemConstantIntegerExpr c, int r, boolean polarity |
+      result.isEquality(rem, c, polarity) and
+      c.getIntValue() = r and
+      rem = modExpr(v.getAUse(), mod) and
+      (
+        testIsTrue = polarity and val = r
+        or
+        testIsTrue = polarity.booleanNot() and
+        mod = 2 and
+        val = 1 - r and
+        (r = 0 or r = 1)
+      )
+    )
+  }
+
+  /**
+   * Holds if a guard ensures that `v` at `pos` is congruent with `val` modulo `mod`.
+   */
+  private predicate moduloGuardedRead(SemSsaVariable v, SemSsaReadPosition pos, int val, int mod) {
+    exists(SemGuard guard, boolean testIsTrue |
+      pos.hasReadOfVar(v) and
+      guard = moduloCheck(v, val, mod, testIsTrue) and
+      semGuardControlsSsaRead(guard, pos, testIsTrue)
+    )
+  }
+
+  /** Holds if `factor` is a power of 2 that divides `mask`. */
+  bindingset[mask]
+  private predicate andmaskFactor(int mask, int factor) {
+    mask % factor = 0 and
+    factor = 2.pow([1 .. 30])
+  }
+
+  /** Holds if `e` is evenly divisible by `factor`. */
+  private predicate evenlyDivisibleExpr(SemExpr e, int factor) {
+    exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() |
+      e.(SemMulExpr).getAnOperand() = c and factor = k.abs() and factor >= 2
+      or
+      e.(SemShiftLeftExpr).getRightOperand() = c and factor = 2.pow(k) and k > 0
+      or
+      e.(SemBitAndExpr).getAnOperand() = c and factor = max(int f | andmaskFactor(k, f))
+    )
+  }
+
+  /**
+   * Holds if `rix` is the number of input edges to `phi`.
+   */
+  private predicate maxPhiInputRank(SemSsaPhiNode phi, int rix) {
+    rix = max(int r | rankedPhiInput(phi, _, _, r))
+  }
+
+  /**
+   * Gets the remainder of `val` modulo `mod`.
+   *
+   * For `mod = 0` the result equals `val` and for `mod > 1` the result is within
+   * the range `[0 .. mod-1]`.
+   */
+  bindingset[val, mod]
+  private int remainder(int val, int mod) {
+    mod = 0 and result = val
+    or
+    mod > 1 and result = ((val % mod) + mod) % mod
+  }
+
+  /**
+   * Holds if `inp` is an input to `phi` and equals `phi` modulo `mod` along `edge`.
+   */
+  private predicate phiSelfModulus(
+    SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int mod
+  ) {
+    exists(Bounds::SemSsaBound phibound, int v, int m |
+      edge.phiInput(phi, inp) and
+      phibound.getAVariable() = phi and
+      ssaModulus(inp, edge, phibound, v, m) and
+      mod = m.gcd(v) and
+      mod != 1
+    )
+  }
+
+  /**
+   * Holds if `b + val` modulo `mod` is a candidate congruence class for `phi`.
+   */
+  private predicate phiModulusInit(SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod) {
+    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
+      edge.phiInput(phi, inp) and
+      ssaModulus(inp, edge, b, val, mod)
+    )
+  }
+
+  /**
+   * Holds if all inputs to `phi` numbered `1` to `rix` are equal to `b + val` modulo `mod`.
+   */
+  pragma[nomagic]
+  private predicate phiModulusRankStep(
+    SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod, int rix
+  ) {
    /*
-     * Recursive case. If `inp` = `b + v2` mod `m2`, we combine that with the preceding potential
-     * congruence class `b + v1` mod `m1`. The result will be the congruence class of `v1` modulo
-     * the greatest common denominator of `m1`, `m2`, and `v1 - v2`.
+     * base case. If any phi input is equal to `b + val` modulo `mod`, that's a potential congruence
+     * class for the phi node.
     */

-    exists(int v2, int m2 |
-      rankedPhiInput(pragma[only_bind_out](phi), inp, edge, rix) and
-      phiModulusRankStep(phi, b, v1, m1, rix - 1) and
-      ssaModulus(inp, edge, b, v2, m2) and
-      mod = m1.gcd(m2).gcd(v1 - v2)
+    rix = 0 and
+    phiModulusInit(phi, b, val, mod)
+    or
+    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int v1, int m1 |
+      mod != 1 and
+      val = remainder(v1, mod)
+    |
+      /*
+       * Recursive case. If `inp` = `b + v2` mod `m2`, we combine that with the preceding potential
+       * congruence class `b + v1` mod `m1`. The result will be the congruence class of `v1` modulo
+       * the greatest common denominator of `m1`, `m2`, and `v1 - v2`.
+       */
+
+      exists(int v2, int m2 |
+        rankedPhiInput(pragma[only_bind_out](phi), inp, edge, rix) and
+        phiModulusRankStep(phi, b, v1, m1, rix - 1) and
+        ssaModulus(inp, edge, b, v2, m2) and
+        mod = m1.gcd(m2).gcd(v1 - v2)
+      )
+      or
+      /*
+       * Recursive case. If `inp` = `phi` mod `m2`, we combine that with the preceding potential
+       * congruence class `b + v1` mod `m1`. The result will be a congruence class modulo the greatest
+       * common denominator of `m1` and `m2`.
+       */
+
+      exists(int m2 |
+        rankedPhiInput(phi, inp, edge, rix) and
+        phiModulusRankStep(phi, b, v1, m1, rix - 1) and
+        phiSelfModulus(phi, inp, edge, m2) and
+        mod = m1.gcd(m2)
+      )
    )
-    or
-    /*
-     * Recursive case. If `inp` = `phi` mod `m2`, we combine that with the preceding potential
-     * congruence class `b + v1` mod `m1`. The result will be a congruence class modulo the greatest
-     * common denominator of `m1` and `m2`.
-     */
+  }

-    exists(int m2 |
-      rankedPhiInput(phi, inp, edge, rix) and
-      phiModulusRankStep(phi, b, v1, m1, rix - 1) and
-      phiSelfModulus(phi, inp, edge, m2) and
-      mod = m1.gcd(m2)
+  /**
+   * Holds if `phi` is equal to `b + val` modulo `mod`.
+   */
+  private predicate phiModulus(SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod) {
+    exists(int r |
+      maxPhiInputRank(phi, r) and
+      phiModulusRankStep(phi, b, val, mod, r)
    )
-  )
-}
+  }

-/**
- * Holds if `phi` is equal to `b + val` modulo `mod`.
- */
-private predicate phiModulus(SemSsaPhiNode phi, SemBound b, int val, int mod) {
-  exists(int r |
-    maxPhiInputRank(phi, r) and
-    phiModulusRankStep(phi, b, val, mod, r)
-  )
-}
-
-/**
- * Holds if `v` at `pos` is equal to `b + val` modulo `mod`.
- */
-private predicate ssaModulus(SemSsaVariable v, SemSsaReadPosition pos, SemBound b, int val, int mod) {
-  phiModulus(v, b, val, mod) and pos.hasReadOfVar(v)
-  or
-  b.(SemSsaBound).getAVariable() = v and pos.hasReadOfVar(v) and val = 0 and mod = 0
-  or
-  exists(SemExpr e, int val0, int delta |
-    semExprModulus(e, b, val0, mod) and
-    valueFlowStepSsa(v, pos, e, delta) and
-    val = remainder(val0 + delta, mod)
-  )
-  or
-  moduloGuardedRead(v, pos, val, mod) and b instanceof SemZeroBound
-}
-
-/**
- * Holds if `e` is equal to `b + val` modulo `mod`.
- *
- * There are two cases for the modulus:
- * - `mod = 0`: The equality `e = b + val` is an ordinary equality.
- * - `mod > 1`: `val` lies within the range `[0 .. mod-1]`.
- */
-cached
-predicate semExprModulus(SemExpr e, SemBound b, int val, int mod) {
-  not ignoreExprModulus(e) and
-  (
-    e = b.getExpr(val) and mod = 0
+  /**
+   * Holds if `v` at `pos` is equal to `b + val` modulo `mod`.
+   */
+  private predicate ssaModulus(
+    SemSsaVariable v, SemSsaReadPosition pos, Bounds::SemBound b, int val, int mod
+  ) {
+    phiModulus(v, b, val, mod) and pos.hasReadOfVar(v)
    or
-    evenlyDivisibleExpr(e, mod) and
-    val = 0 and
-    b instanceof SemZeroBound
+    b.(Bounds::SemSsaBound).getAVariable() = v and pos.hasReadOfVar(v) and val = 0 and mod = 0
    or
-    exists(SemSsaVariable v, SemSsaReadPositionBlock bb |
-      ssaModulus(v, bb, b, val, mod) and
-      e = v.getAUse() and
-      bb.getAnExpr() = e
-    )
-    or
-    exists(SemExpr mid, int val0, int delta |
-      semExprModulus(mid, b, val0, mod) and
-      semValueFlowStep(e, mid, delta) and
+    exists(SemExpr e, int val0, int delta |
+      semExprModulus(e, b, val0, mod) and
+      valueFlowStepSsa(v, pos, e, delta) and
      val = remainder(val0 + delta, mod)
    )
    or
-    exists(SemConditionalExpr cond, int v1, int v2, int m1, int m2 |
-      cond = e and
-      condExprBranchModulus(cond, true, b, v1, m1) and
-      condExprBranchModulus(cond, false, b, v2, m2) and
-      mod = m1.gcd(m2).gcd(v1 - v2) and
-      mod != 1 and
-      val = remainder(v1, mod)
-    )
-    or
-    exists(SemBound b1, SemBound b2, int v1, int v2, int m1, int m2 |
-      addModulus(e, true, b1, v1, m1) and
-      addModulus(e, false, b2, v2, m2) and
-      mod = m1.gcd(m2) and
-      mod != 1 and
-      val = remainder(v1 + v2, mod)
-    |
-      b = b1 and b2 instanceof SemZeroBound
+    moduloGuardedRead(v, pos, val, mod) and b instanceof Bounds::SemZeroBound
+  }
+
+  /**
+   * Holds if `e` is equal to `b + val` modulo `mod`.
+   *
+   * There are two cases for the modulus:
+   * - `mod = 0`: The equality `e = b + val` is an ordinary equality.
+   * - `mod > 1`: `val` lies within the range `[0 .. mod-1]`.
+   */
+  cached
+  predicate semExprModulus(SemExpr e, Bounds::SemBound b, int val, int mod) {
+    not ignoreExprModulus(e) and
+    (
+      e = b.getExpr(D::fromInt(val)) and mod = 0
      or
-      b = b2 and b1 instanceof SemZeroBound
+      evenlyDivisibleExpr(e, mod) and
+      val = 0 and
+      b instanceof Bounds::SemZeroBound
+      or
+      exists(SemSsaVariable v, SemSsaReadPositionBlock bb |
+        ssaModulus(v, bb, b, val, mod) and
+        e = v.getAUse() and
+        bb.getAnExpr() = e
+      )
+      or
+      exists(SemExpr mid, int val0, int delta |
+        semExprModulus(mid, b, val0, mod) and
+        U::semValueFlowStep(e, mid, D::fromInt(delta)) and
+        val = remainder(val0 + delta, mod)
+      )
+      or
+      exists(SemConditionalExpr cond, int v1, int v2, int m1, int m2 |
+        cond = e and
+        condExprBranchModulus(cond, true, b, v1, m1) and
+        condExprBranchModulus(cond, false, b, v2, m2) and
+        mod = m1.gcd(m2).gcd(v1 - v2) and
+        mod != 1 and
+        val = remainder(v1, mod)
+      )
+      or
+      exists(Bounds::SemBound b1, Bounds::SemBound b2, int v1, int v2, int m1, int m2 |
+        addModulus(e, true, b1, v1, m1) and
+        addModulus(e, false, b2, v2, m2) and
+        mod = m1.gcd(m2) and
+        mod != 1 and
+        val = remainder(v1 + v2, mod)
+      |
+        b = b1 and b2 instanceof Bounds::SemZeroBound
+        or
+        b = b2 and b1 instanceof Bounds::SemZeroBound
+      )
+      or
+      exists(int v1, int v2, int m1, int m2 |
+        subModulus(e, true, b, v1, m1) and
+        subModulus(e, false, any(Bounds::SemZeroBound zb), v2, m2) and
+        mod = m1.gcd(m2) and
+        mod != 1 and
+        val = remainder(v1 - v2, mod)
+      )
    )
-    or
-    exists(int v1, int v2, int m1, int m2 |
-      subModulus(e, true, b, v1, m1) and
-      subModulus(e, false, any(SemZeroBound zb), v2, m2) and
-      mod = m1.gcd(m2) and
-      mod != 1 and
-      val = remainder(v1 - v2, mod)
+  }
+
+  private predicate condExprBranchModulus(
+    SemConditionalExpr cond, boolean branch, Bounds::SemBound b, int val, int mod
+  ) {
+    semExprModulus(cond.getBranchExpr(branch), b, val, mod)
+  }
+
+  private predicate addModulus(SemExpr add, boolean isLeft, Bounds::SemBound b, int val, int mod) {
+    exists(SemExpr larg, SemExpr rarg | nonConstAddition(add, larg, rarg) |
+      semExprModulus(larg, b, val, mod) and isLeft = true
+      or
+      semExprModulus(rarg, b, val, mod) and isLeft = false
    )
-  )
-}
+  }

-private predicate condExprBranchModulus(
-  SemConditionalExpr cond, boolean branch, SemBound b, int val, int mod
-) {
-  semExprModulus(cond.getBranchExpr(branch), b, val, mod)
-}
-
-private predicate addModulus(SemExpr add, boolean isLeft, SemBound b, int val, int mod) {
-  exists(SemExpr larg, SemExpr rarg | nonConstAddition(add, larg, rarg) |
-    semExprModulus(larg, b, val, mod) and isLeft = true
-    or
-    semExprModulus(rarg, b, val, mod) and isLeft = false
-  )
-}
-
-private predicate subModulus(SemExpr sub, boolean isLeft, SemBound b, int val, int mod) {
-  exists(SemExpr larg, SemExpr rarg | nonConstSubtraction(sub, larg, rarg) |
-    semExprModulus(larg, b, val, mod) and isLeft = true
-    or
-    semExprModulus(rarg, b, val, mod) and isLeft = false
-  )
-}
-
-/**
- * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
- * in an arbitrary 1-based numbering of the input edges to `phi`.
- */
-private predicate rankedPhiInput(
-  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int r
-) {
-  edge.phiInput(phi, inp) and
-  edge =
-    rank[r](SemSsaReadPositionPhiInputEdge e |
-      e.phiInput(phi, _)
-    |
-      e order by e.getOrigBlock().getUniqueId()
+  private predicate subModulus(SemExpr sub, boolean isLeft, Bounds::SemBound b, int val, int mod) {
+    exists(SemExpr larg, SemExpr rarg | nonConstSubtraction(sub, larg, rarg) |
+      semExprModulus(larg, b, val, mod) and isLeft = true
+      or
+      semExprModulus(rarg, b, val, mod) and isLeft = false
    )
+  }
+
+  /**
+   * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
+   * in an arbitrary 1-based numbering of the input edges to `phi`.
+   */
+  private predicate rankedPhiInput(
+    SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int r
+  ) {
+    edge.phiInput(phi, inp) and
+    edge =
+      rank[r](SemSsaReadPositionPhiInputEdge e |
+        e.phiInput(phi, _)
+      |
+        e order by e.getOrigBlock().getUniqueId()
+      )
+  }
 }
--- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysis.qll
@@ -1,832 +1,24 @@
-/**
- * Provides classes and predicates for range analysis.
- *
- * An inferred bound can either be a specific integer, the abstract value of an
- * SSA variable, or the abstract value of an interesting expression. The latter
- * category includes array lengths that are not SSA variables.
- *
- * If an inferred bound relies directly on a condition, then this condition is
- * reported as the reason for the bound.
- */
-
-/*
- * This library tackles range analysis as a flow problem. Consider e.g.:
- * ```
- *   len = arr.length;
- *   if (x < len) { ... y = x-1; ... y ... }
- * ```
- * In this case we would like to infer `y <= arr.length - 2`, and this is
- * accomplished by tracking the bound through a sequence of steps:
- * ```
- *   arr.length --> len = .. --> x < len --> x-1 --> y = .. --> y
- * ```
- *
- * In its simplest form the step relation `E1 --> E2` relates two expressions
- * such that `E1 <= B` implies `E2 <= B` for any `B` (with a second separate
- * step relation handling lower bounds). Examples of such steps include
- * assignments `E2 = E1` and conditions `x <= E1` where `E2` is a use of `x`
- * guarded by the condition.
- *
- * In order to handle subtractions and additions with constants, and strict
- * comparisons, the step relation is augmented with an integer delta. With this
- * generalization `E1 --(delta)--> E2` relates two expressions and an integer
- * such that `E1 <= B` implies `E2 <= B + delta` for any `B`. This corresponds
- * to the predicate `boundFlowStep`.
- *
- * The complete range analysis is then implemented as the transitive closure of
- * the step relation summing the deltas along the way. If `E1` transitively
- * steps to `E2`, `delta` is the sum of deltas along the path, and `B` is an
- * interesting bound equal to the value of `E1` then `E2 <= B + delta`. This
- * corresponds to the predicate `bounded`.
- *
- * Phi nodes need a little bit of extra handling. Consider `x0 = phi(x1, x2)`.
- * There are essentially two cases:
- * - If `x1 <= B + d1` and `x2 <= B + d2` then `x0 <= B + max(d1,d2)`.
- * - If `x1 <= B + d1` and `x2 <= x0 + d2` with `d2 <= 0` then `x0 <= B + d1`.
- * The first case is for whenever a bound can be proven without taking looping
- * into account. The second case is relevant when `x2` comes from a back-edge
- * where we can prove that the variable has been non-increasing through the
- * loop-iteration as this means that any upper bound that holds prior to the
- * loop also holds for the variable during the loop.
- * This generalizes to a phi node with `n` inputs, so if
- * `x0 = phi(x1, ..., xn)` and `xi <= B + delta` for one of the inputs, then we
- * also have `x0 <= B + delta` if we can prove either:
- * - `xj <= B + d` with `d <= delta` or
- * - `xj <= x0 + d` with `d <= 0`
- * for each input `xj`.
- *
- * As all inferred bounds can be related directly to a path in the source code
- * the only source of non-termination is if successive redundant (and thereby
- * increasingly worse) bounds are calculated along a loop in the source code.
- * We prevent this by weakening the bound to a small finite set of bounds when
- * a path follows a second back-edge (we postpone weakening till the second
- * back-edge as a precise bound might require traversing a loop once).
- */
-
-private import RangeAnalysisSpecific as Specific
+private import RangeAnalysisStage
+private import RangeAnalysisSpecific
+private import experimental.semmle.code.cpp.semantic.analysis.FloatDelta
 private import RangeUtils
-private import SignAnalysisCommon
-private import ModulusAnalysis
-private import experimental.semmle.code.cpp.semantic.Semantic
-private import ConstantAnalysis
+private import experimental.semmle.code.cpp.semantic.SemanticBound as SemanticBound

-cached
-private module RangeAnalysisCache {
-  cached
-  module RangeAnalysisPublic {
-    /**
-     * Holds if `b + delta` is a valid bound for `e`.
-     * - `upper = true`  : `e <= b + delta`
-     * - `upper = false` : `e >= b + delta`
-     *
-     * The reason for the bound is given by `reason` and may be either a condition
-     * or `NoReason` if the bound was proven directly without the use of a bounding
-     * condition.
-     */
-    cached
-    predicate semBounded(SemExpr e, SemBound b, int delta, boolean upper, SemReason reason) {
-      bounded(e, b, delta, upper, _, _, reason) and
-      bestBound(e, b, delta, upper)
-    }
+module Bounds implements BoundSig<FloatDelta> {
+  class SemBound instanceof SemanticBound::SemBound {
+    string toString() { result = super.toString() }
+
+    SemExpr getExpr(float delta) { result = super.getExpr(delta) }
  }

-  /**
-   * Holds if `guard = boundFlowCond(_, _, _, _, _) or guard = eqFlowCond(_, _, _, _, _)`.
-   */
-  cached
-  predicate possibleReason(SemGuard guard) {
-    guard = boundFlowCond(_, _, _, _, _) or guard = semEqFlowCond(_, _, _, _, _)
+  class SemZeroBound extends SemBound instanceof SemanticBound::SemZeroBound { }
+
+  class SemSsaBound extends SemBound instanceof SemanticBound::SemSsaBound {
+    SemSsaVariable getAVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
  }
 }

-private import RangeAnalysisCache
-import RangeAnalysisPublic
+private module CppRangeAnalysis =
+  RangeStage<FloatDelta, Bounds, CppLangImpl, RangeUtil<FloatDelta, CppLangImpl>>;

-/**
- * Holds if `b + delta` is a valid bound for `e` and this is the best such delta.
- * - `upper = true`  : `e <= b + delta`
- * - `upper = false` : `e >= b + delta`
- */
-private predicate bestBound(SemExpr e, SemBound b, int delta, boolean upper) {
-  delta = min(int d | bounded(e, b, d, upper, _, _, _)) and upper = true
-  or
-  delta = max(int d | bounded(e, b, d, upper, _, _, _)) and upper = false
-}
-
-/**
- * Holds if `comp` corresponds to:
- * - `upper = true`  : `v <= e + delta` or `v < e + delta`
- * - `upper = false` : `v >= e + delta` or `v > e + delta`
- */
-private predicate boundCondition(
-  SemRelationalExpr comp, SemSsaVariable v, SemExpr e, int delta, boolean upper
-) {
-  comp.getLesserOperand() = semSsaRead(v, delta) and e = comp.getGreaterOperand() and upper = true
-  or
-  comp.getGreaterOperand() = semSsaRead(v, delta) and e = comp.getLesserOperand() and upper = false
-  or
-  exists(SemSubExpr sub, SemConstantIntegerExpr c, int d |
-    // (v - d) - e < c
-    comp.getLesserOperand() = sub and
-    comp.getGreaterOperand() = c and
-    sub.getLeftOperand() = semSsaRead(v, d) and
-    sub.getRightOperand() = e and
-    upper = true and
-    delta = d + c.getIntValue()
-    or
-    // (v - d) - e > c
-    comp.getGreaterOperand() = sub and
-    comp.getLesserOperand() = c and
-    sub.getLeftOperand() = semSsaRead(v, d) and
-    sub.getRightOperand() = e and
-    upper = false and
-    delta = d + c.getIntValue()
-    or
-    // e - (v - d) < c
-    comp.getLesserOperand() = sub and
-    comp.getGreaterOperand() = c and
-    sub.getLeftOperand() = e and
-    sub.getRightOperand() = semSsaRead(v, d) and
-    upper = false and
-    delta = d - c.getIntValue()
-    or
-    // e - (v - d) > c
-    comp.getGreaterOperand() = sub and
-    comp.getLesserOperand() = c and
-    sub.getLeftOperand() = e and
-    sub.getRightOperand() = semSsaRead(v, d) and
-    upper = true and
-    delta = d - c.getIntValue()
-  )
-}
-
-/**
- * Holds if `comp` is a comparison between `x` and `y` for which `y - x` has a
- * fixed value modulo some `mod > 1`, such that the comparison can be
- * strengthened by `strengthen` when evaluating to `testIsTrue`.
- */
-private predicate modulusComparison(SemRelationalExpr comp, boolean testIsTrue, int strengthen) {
-  exists(
-    SemBound b, int v1, int v2, int mod1, int mod2, int mod, boolean resultIsStrict, int d, int k
-  |
-    // If `x <= y` and `x =(mod) b + v1` and `y =(mod) b + v2` then
-    // `0 <= y - x =(mod) v2 - v1`. By choosing `k =(mod) v2 - v1` with
-    // `0 <= k < mod` we get `k <= y - x`. If the resulting comparison is
-    // strict then the strengthening amount is instead `k - 1` modulo `mod`:
-    // `x < y` means `0 <= y - x - 1 =(mod) k - 1` so `k - 1 <= y - x - 1` and
-    // thus `k - 1 < y - x` with `0 <= k - 1 < mod`.
-    semExprModulus(comp.getLesserOperand(), b, v1, mod1) and
-    semExprModulus(comp.getGreaterOperand(), b, v2, mod2) and
-    mod = mod1.gcd(mod2) and
-    mod != 1 and
-    (testIsTrue = true or testIsTrue = false) and
-    (
-      if comp.isStrict()
-      then resultIsStrict = testIsTrue
-      else resultIsStrict = testIsTrue.booleanNot()
-    ) and
-    (
-      resultIsStrict = true and d = 1
-      or
-      resultIsStrict = false and d = 0
-    ) and
-    (
-      testIsTrue = true and k = v2 - v1
-      or
-      testIsTrue = false and k = v1 - v2
-    ) and
-    strengthen = (((k - d) % mod) + mod) % mod
-  )
-}
-
-/**
- * Gets a condition that tests whether `v` is bounded by `e + delta`.
- *
- * If the condition evaluates to `testIsTrue`:
- * - `upper = true`  : `v <= e + delta`
- * - `upper = false` : `v >= e + delta`
- */
-private SemGuard boundFlowCond(
-  SemSsaVariable v, SemExpr e, int delta, boolean upper, boolean testIsTrue
-) {
-  exists(
-    SemRelationalExpr comp, int d1, int d2, int d3, int strengthen, boolean compIsUpper,
-    boolean resultIsStrict
-  |
-    comp = result.asExpr() and
-    boundCondition(comp, v, e, d1, compIsUpper) and
-    (testIsTrue = true or testIsTrue = false) and
-    upper = compIsUpper.booleanXor(testIsTrue.booleanNot()) and
-    (
-      if comp.isStrict()
-      then resultIsStrict = testIsTrue
-      else resultIsStrict = testIsTrue.booleanNot()
-    ) and
-    (
-      if
-        getTrackedTypeForSsaVariable(v) instanceof SemIntegerType or
-        getTrackedTypeForSsaVariable(v) instanceof SemAddressType
-      then
-        upper = true and strengthen = -1
-        or
-        upper = false and strengthen = 1
-      else strengthen = 0
-    ) and
-    (
-      exists(int k | modulusComparison(comp, testIsTrue, k) and d2 = strengthen * k)
-      or
-      not modulusComparison(comp, testIsTrue, _) and d2 = 0
-    ) and
-    // A strict inequality `x < y` can be strengthened to `x <= y - 1`.
-    (
-      resultIsStrict = true and d3 = strengthen
-      or
-      resultIsStrict = false and d3 = 0
-    ) and
-    delta = d1 + d2 + d3
-  )
-  or
-  exists(boolean testIsTrue0 |
-    semImplies_v2(result, testIsTrue, boundFlowCond(v, e, delta, upper, testIsTrue0), testIsTrue0)
-  )
-  or
-  result = semEqFlowCond(v, e, delta, true, testIsTrue) and
-  (upper = true or upper = false)
-  or
-  // guard that tests whether `v2` is bounded by `e + delta + d1 - d2` and
-  // exists a guard `guardEq` such that `v = v2 - d1 + d2`.
-  exists(SemSsaVariable v2, SemGuard guardEq, boolean eqIsTrue, int d1, int d2 |
-    guardEq = semEqFlowCond(v, semSsaRead(v2, d1), d2, true, eqIsTrue) and
-    result = boundFlowCond(v2, e, delta + d1 - d2, upper, testIsTrue) and
-    // guardEq needs to control guard
-    guardEq.directlyControls(result.getBasicBlock(), eqIsTrue)
-  )
-}
-
-private newtype TSemReason =
-  TSemNoReason() or
-  TSemCondReason(SemGuard guard) { possibleReason(guard) }
-
-/**
- * A reason for an inferred bound. This can either be `CondReason` if the bound
- * is due to a specific condition, or `NoReason` if the bound is inferred
- * without going through a bounding condition.
- */
-abstract class SemReason extends TSemReason {
-  /** Gets a textual representation of this reason. */
-  abstract string toString();
-}
-
-/**
- * A reason for an inferred bound that indicates that the bound is inferred
- * without going through a bounding condition.
- */
-class SemNoReason extends SemReason, TSemNoReason {
-  override string toString() { result = "NoReason" }
-}
-
-/** A reason for an inferred bound pointing to a condition. */
-class SemCondReason extends SemReason, TSemCondReason {
-  /** Gets the condition that is the reason for the bound. */
-  SemGuard getCond() { this = TSemCondReason(result) }
-
-  override string toString() { result = getCond().toString() }
-}
-
-/**
- * Holds if `e + delta` is a valid bound for `v` at `pos`.
- * - `upper = true`  : `v <= e + delta`
- * - `upper = false` : `v >= e + delta`
- */
-private predicate boundFlowStepSsa(
-  SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta, boolean upper, SemReason reason
-) {
-  semSsaUpdateStep(v, e, delta) and
-  pos.hasReadOfVar(v) and
-  (upper = true or upper = false) and
-  reason = TSemNoReason()
-  or
-  exists(SemGuard guard, boolean testIsTrue |
-    pos.hasReadOfVar(v) and
-    guard = boundFlowCond(v, e, delta, upper, testIsTrue) and
-    semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue) and
-    reason = TSemCondReason(guard)
-  )
-}
-
-/** Holds if `v != e + delta` at `pos` and `v` is of integral type. */
-private predicate unequalFlowStepIntegralSsa(
-  SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta, SemReason reason
-) {
-  getTrackedTypeForSsaVariable(v) instanceof SemIntegerType and
-  exists(SemGuard guard, boolean testIsTrue |
-    pos.hasReadOfVar(v) and
-    guard = semEqFlowCond(v, e, delta, false, testIsTrue) and
-    semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue) and
-    reason = TSemCondReason(guard)
-  )
-}
-
-/**
- * An expression that does conversion, boxing, or unboxing
- */
-private class ConvertOrBoxExpr extends SemUnaryExpr {
-  ConvertOrBoxExpr() {
-    this instanceof SemConvertExpr
-    or
-    this instanceof SemBoxExpr
-    or
-    this instanceof SemUnboxExpr
-  }
-}
-
-/**
- * A cast that can be ignored for the purpose of range analysis.
- */
-private class SafeCastExpr extends ConvertOrBoxExpr {
-  SafeCastExpr() {
-    conversionCannotOverflow(getTrackedType(pragma[only_bind_into](getOperand())),
-      getTrackedType(this))
-  }
-}
-
-/**
- * Holds if `typ` is a small integral type with the given lower and upper bounds.
- */
-private predicate typeBound(SemIntegerType typ, int lowerbound, int upperbound) {
-  exists(int bitSize | bitSize = typ.getByteSize() * 8 |
-    bitSize < 32 and
-    (
-      if typ.isSigned()
-      then (
-        upperbound = 1.bitShiftLeft(bitSize - 1) - 1 and
-        lowerbound = -upperbound - 1
-      ) else (
-        lowerbound = 0 and
-        upperbound = 1.bitShiftLeft(bitSize) - 1
-      )
-    )
-  )
-}
-
-/**
- * A cast to a small integral type that may overflow or underflow.
- */
-private class NarrowingCastExpr extends ConvertOrBoxExpr {
-  NarrowingCastExpr() {
-    not this instanceof SafeCastExpr and
-    typeBound(getTrackedType(this), _, _)
-  }
-
-  /** Gets the lower bound of the resulting type. */
-  int getLowerBound() { typeBound(getTrackedType(this), result, _) }
-
-  /** Gets the upper bound of the resulting type. */
-  int getUpperBound() { typeBound(getTrackedType(this), _, result) }
-}
-
-/** Holds if `e >= 1` as determined by sign analysis. */
-private predicate strictlyPositiveIntegralExpr(SemExpr e) {
-  semStrictlyPositive(e) and getTrackedType(e) instanceof SemIntegerType
-}
-
-/** Holds if `e <= -1` as determined by sign analysis. */
-private predicate strictlyNegativeIntegralExpr(SemExpr e) {
-  semStrictlyNegative(e) and getTrackedType(e) instanceof SemIntegerType
-}
-
-/**
- * Holds if `e1 + delta` is a valid bound for `e2`.
- * - `upper = true`  : `e2 <= e1 + delta`
- * - `upper = false` : `e2 >= e1 + delta`
- */
-private predicate boundFlowStep(SemExpr e2, SemExpr e1, int delta, boolean upper) {
-  semValueFlowStep(e2, e1, delta) and
-  (upper = true or upper = false)
-  or
-  e2.(SafeCastExpr).getOperand() = e1 and
-  delta = 0 and
-  (upper = true or upper = false)
-  or
-  exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
-    // `x instanceof ConstantIntegerExpr` is covered by valueFlowStep
-    not x instanceof SemConstantIntegerExpr and
-    not e1 instanceof SemConstantIntegerExpr and
-    if strictlyPositiveIntegralExpr(x)
-    then upper = false and delta = 1
-    else
-      if semPositive(x)
-      then upper = false and delta = 0
-      else
-        if strictlyNegativeIntegralExpr(x)
-        then upper = true and delta = -1
-        else
-          if semNegative(x)
-          then upper = true and delta = 0
-          else none()
-  )
-  or
-  exists(SemExpr x, SemSubExpr sub |
-    e2 = sub and
-    sub.getLeftOperand() = e1 and
-    sub.getRightOperand() = x
-  |
-    // `x instanceof ConstantIntegerExpr` is covered by valueFlowStep
-    not x instanceof SemConstantIntegerExpr and
-    if strictlyPositiveIntegralExpr(x)
-    then upper = true and delta = -1
-    else
-      if semPositive(x)
-      then upper = true and delta = 0
-      else
-        if strictlyNegativeIntegralExpr(x)
-        then upper = false and delta = 1
-        else
-          if semNegative(x)
-          then upper = false and delta = 0
-          else none()
-  )
-  or
-  e2.(SemRemExpr).getRightOperand() = e1 and
-  semPositive(e1) and
-  delta = -1 and
-  upper = true
-  or
-  e2.(SemRemExpr).getLeftOperand() = e1 and semPositive(e1) and delta = 0 and upper = true
-  or
-  e2.(SemBitAndExpr).getAnOperand() = e1 and
-  semPositive(e1) and
-  delta = 0 and
-  upper = true
-  or
-  e2.(SemBitOrExpr).getAnOperand() = e1 and
-  semPositive(e2) and
-  delta = 0 and
-  upper = false
-  or
-  Specific::hasBound(e2, e1, delta, upper)
-}
-
-/** Holds if `e2 = e1 * factor` and `factor > 0`. */
-private predicate boundFlowStepMul(SemExpr e2, SemExpr e1, int factor) {
-  exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() and k > 0 |
-    e2.(SemMulExpr).hasOperands(e1, c) and factor = k
-    or
-    exists(SemShiftLeftExpr e |
-      e = e2 and e.getLeftOperand() = e1 and e.getRightOperand() = c and factor = 2.pow(k)
-    )
-  )
-}
-
-/**
- * Holds if `e2 = e1 / factor` and `factor > 0`.
- *
- * This conflates division, right shift, and unsigned right shift and is
- * therefore only valid for non-negative numbers.
- */
-private predicate boundFlowStepDiv(SemExpr e2, SemExpr e1, int factor) {
-  exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() and k > 0 |
-    exists(SemDivExpr e |
-      e = e2 and e.getLeftOperand() = e1 and e.getRightOperand() = c and factor = k
-    )
-    or
-    exists(SemShiftRightExpr e |
-      e = e2 and e.getLeftOperand() = e1 and e.getRightOperand() = c and factor = 2.pow(k)
-    )
-    or
-    exists(SemShiftRightUnsignedExpr e |
-      e = e2 and e.getLeftOperand() = e1 and e.getRightOperand() = c and factor = 2.pow(k)
-    )
-  )
-}
-
-/**
- * Holds if `b + delta` is a valid bound for `v` at `pos`.
- * - `upper = true`  : `v <= b + delta`
- * - `upper = false` : `v >= b + delta`
- */
-private predicate boundedSsa(
-  SemSsaVariable v, SemSsaReadPosition pos, SemBound b, int delta, boolean upper,
-  boolean fromBackEdge, int origdelta, SemReason reason
-) {
-  exists(SemExpr mid, int d1, int d2, SemReason r1, SemReason r2 |
-    boundFlowStepSsa(v, pos, mid, d1, upper, r1) and
-    bounded(mid, b, d2, upper, fromBackEdge, origdelta, r2) and
-    // upper = true:  v <= mid + d1 <= b + d1 + d2 = b + delta
-    // upper = false: v >= mid + d1 >= b + d1 + d2 = b + delta
-    delta = d1 + d2 and
-    (if r1 instanceof SemNoReason then reason = r2 else reason = r1)
-  )
-  or
-  exists(int d, SemReason r1, SemReason r2 |
-    boundedSsa(v, pos, b, d, upper, fromBackEdge, origdelta, r2) or
-    boundedPhi(v, b, d, upper, fromBackEdge, origdelta, r2)
-  |
-    unequalIntegralSsa(v, pos, b, d, r1) and
-    (
-      upper = true and delta = d - 1
-      or
-      upper = false and delta = d + 1
-    ) and
-    (
-      reason = r1
-      or
-      reason = r2 and not r2 instanceof SemNoReason
-    )
-  )
-}
-
-/**
- * Holds if `v != b + delta` at `pos` and `v` is of integral type.
- */
-private predicate unequalIntegralSsa(
-  SemSsaVariable v, SemSsaReadPosition pos, SemBound b, int delta, SemReason reason
-) {
-  exists(SemExpr e, int d1, int d2 |
-    unequalFlowStepIntegralSsa(v, pos, e, d1, reason) and
-    boundedUpper(e, b, d1) and
-    boundedLower(e, b, d2) and
-    delta = d2 + d1
-  )
-}
-
-/**
- * Holds if `b + delta` is an upper bound for `e`.
- *
- * This predicate only exists to prevent a bad standard order in `unequalIntegralSsa`.
- */
-pragma[nomagic]
-private predicate boundedUpper(SemExpr e, SemBound b, int delta) {
-  bounded(e, b, delta, true, _, _, _)
-}
-
-/**
- * Holds if `b + delta` is a lower bound for `e`.
- *
- * This predicate only exists to prevent a bad standard order in `unequalIntegralSsa`.
- */
-pragma[nomagic]
-private predicate boundedLower(SemExpr e, SemBound b, int delta) {
-  bounded(e, b, delta, false, _, _, _)
-}
-
-/** Weakens a delta to lie in the range `[-1..1]`. */
-bindingset[delta, upper]
-private int weakenDelta(boolean upper, int delta) {
-  delta in [-1 .. 1] and result = delta
-  or
-  upper = true and result = -1 and delta < -1
-  or
-  upper = false and result = 1 and delta > 1
-}
-
-/**
- * Holds if `b + delta` is a valid bound for `inp` when used as an input to
- * `phi` along `edge`.
- * - `upper = true`  : `inp <= b + delta`
- * - `upper = false` : `inp >= b + delta`
- */
-private predicate boundedPhiInp(
-  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, SemBound b, int delta,
-  boolean upper, boolean fromBackEdge, int origdelta, SemReason reason
-) {
-  edge.phiInput(phi, inp) and
-  exists(int d, boolean fromBackEdge0 |
-    boundedSsa(inp, edge, b, d, upper, fromBackEdge0, origdelta, reason)
-    or
-    boundedPhi(inp, b, d, upper, fromBackEdge0, origdelta, reason)
-    or
-    b.(SemSsaBound).getAVariable() = inp and
-    d = 0 and
-    (upper = true or upper = false) and
-    fromBackEdge0 = false and
-    origdelta = 0 and
-    reason = TSemNoReason()
-  |
-    if semBackEdge(phi, inp, edge)
-    then
-      fromBackEdge = true and
-      (
-        fromBackEdge0 = true and delta = weakenDelta(upper, d - origdelta) + origdelta
-        or
-        fromBackEdge0 = false and delta = d
-      )
-    else (
-      delta = d and fromBackEdge = fromBackEdge0
-    )
-  )
-}
-
-/**
- * Holds if `b + delta` is a valid bound for `inp` when used as an input to
- * `phi` along `edge`.
- * - `upper = true`  : `inp <= b + delta`
- * - `upper = false` : `inp >= b + delta`
- *
- * Equivalent to `boundedPhiInp(phi, inp, edge, b, delta, upper, _, _, _)`.
- */
-pragma[noinline]
-private predicate boundedPhiInp1(
-  SemSsaPhiNode phi, SemBound b, boolean upper, SemSsaVariable inp,
-  SemSsaReadPositionPhiInputEdge edge, int delta
-) {
-  boundedPhiInp(phi, inp, edge, b, delta, upper, _, _, _)
-}
-
-/**
- * Holds if `phi` is a valid bound for `inp` when used as an input to `phi`
- * along `edge`.
- * - `upper = true`  : `inp <= phi`
- * - `upper = false` : `inp >= phi`
- */
-private predicate selfBoundedPhiInp(
-  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, boolean upper
-) {
-  exists(int d, SemSsaBound phibound |
-    phibound.getAVariable() = phi and
-    boundedPhiInp(phi, inp, edge, phibound, d, upper, _, _, _) and
-    (
-      upper = true and d <= 0
-      or
-      upper = false and d >= 0
-    )
-  )
-}
-
-/**
- * Holds if `b + delta` is a valid bound for some input, `inp`, to `phi`, and
- * thus a candidate bound for `phi`.
- * - `upper = true`  : `inp <= b + delta`
- * - `upper = false` : `inp >= b + delta`
- */
-pragma[noinline]
-private predicate boundedPhiCand(
-  SemSsaPhiNode phi, boolean upper, SemBound b, int delta, boolean fromBackEdge, int origdelta,
-  SemReason reason
-) {
-  exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
-    boundedPhiInp(phi, inp, edge, b, delta, upper, fromBackEdge, origdelta, reason)
-  )
-}
-
-/**
- * Holds if the candidate bound `b + delta` for `phi` is valid for the phi input
- * `inp` along `edge`.
- */
-private predicate boundedPhiCandValidForEdge(
-  SemSsaPhiNode phi, SemBound b, int delta, boolean upper, boolean fromBackEdge, int origdelta,
-  SemReason reason, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge
-) {
-  boundedPhiCand(phi, upper, b, delta, fromBackEdge, origdelta, reason) and
-  (
-    exists(int d | boundedPhiInp1(phi, b, upper, inp, edge, d) | upper = true and d <= delta)
-    or
-    exists(int d | boundedPhiInp1(phi, b, upper, inp, edge, d) | upper = false and d >= delta)
-    or
-    selfBoundedPhiInp(phi, inp, edge, upper)
-  )
-}
-
-/**
- * Holds if `b + delta` is a valid bound for `phi`.
- * - `upper = true`  : `phi <= b + delta`
- * - `upper = false` : `phi >= b + delta`
- */
-private predicate boundedPhi(
-  SemSsaPhiNode phi, SemBound b, int delta, boolean upper, boolean fromBackEdge, int origdelta,
-  SemReason reason
-) {
-  forex(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge | edge.phiInput(phi, inp) |
-    boundedPhiCandValidForEdge(phi, b, delta, upper, fromBackEdge, origdelta, reason, inp, edge)
-  )
-}
-
-/**
- * Holds if `e` has an upper (for `upper = true`) or lower
- * (for `upper = false`) bound of `b`.
- */
-private predicate baseBound(SemExpr e, int b, boolean upper) {
-  Specific::hasConstantBound(e, b, upper)
-  or
-  upper = false and
-  b = 0 and
-  semPositive(e.(SemBitAndExpr).getAnOperand()) and
-  // REVIEW: We let the language opt out here to preserve original results.
-  not Specific::ignoreZeroLowerBound(e)
-}
-
-/**
- * Holds if the value being cast has an upper (for `upper = true`) or lower
- * (for `upper = false`) bound within the bounds of the resulting type.
- * For `upper = true` this means that the cast will not overflow and for
- * `upper = false` this means that the cast will not underflow.
- */
-private predicate safeNarrowingCast(NarrowingCastExpr cast, boolean upper) {
-  exists(int bound | bounded(cast.getOperand(), any(SemZeroBound zb), bound, upper, _, _, _) |
-    upper = true and bound <= cast.getUpperBound()
-    or
-    upper = false and bound >= cast.getLowerBound()
-  )
-}
-
-pragma[noinline]
-private predicate boundedCastExpr(
-  NarrowingCastExpr cast, SemBound b, int delta, boolean upper, boolean fromBackEdge, int origdelta,
-  SemReason reason
-) {
-  bounded(cast.getOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
-}
-
-/**
- * Holds if `b + delta` is a valid bound for `e`.
- * - `upper = true`  : `e <= b + delta`
- * - `upper = false` : `e >= b + delta`
- */
-private predicate bounded(
-  SemExpr e, SemBound b, int delta, boolean upper, boolean fromBackEdge, int origdelta,
-  SemReason reason
-) {
-  not Specific::ignoreExprBound(e) and
-  (
-    e = b.getExpr(delta) and
-    (upper = true or upper = false) and
-    fromBackEdge = false and
-    origdelta = delta and
-    reason = TSemNoReason()
-    or
-    baseBound(e, delta, upper) and
-    b instanceof SemZeroBound and
-    fromBackEdge = false and
-    origdelta = delta and
-    reason = TSemNoReason()
-    or
-    exists(SemSsaVariable v, SemSsaReadPositionBlock bb |
-      boundedSsa(v, bb, b, delta, upper, fromBackEdge, origdelta, reason) and
-      e = v.getAUse() and
-      bb.getBlock() = e.getBasicBlock()
-    )
-    or
-    exists(SemExpr mid, int d1, int d2 |
-      boundFlowStep(e, mid, d1, upper) and
-      // Constants have easy, base-case bounds, so let's not infer any recursive bounds.
-      not e instanceof SemConstantIntegerExpr and
-      bounded(mid, b, d2, upper, fromBackEdge, origdelta, reason) and
-      // upper = true:  e <= mid + d1 <= b + d1 + d2 = b + delta
-      // upper = false: e >= mid + d1 >= b + d1 + d2 = b + delta
-      delta = d1 + d2
-    )
-    or
-    exists(SemSsaPhiNode phi |
-      boundedPhi(phi, b, delta, upper, fromBackEdge, origdelta, reason) and
-      e = phi.getAUse()
-    )
-    or
-    exists(SemExpr mid, int factor, int d |
-      boundFlowStepMul(e, mid, factor) and
-      not e instanceof SemConstantIntegerExpr and
-      bounded(mid, b, d, upper, fromBackEdge, origdelta, reason) and
-      b instanceof SemZeroBound and
-      delta = d * factor
-    )
-    or
-    exists(SemExpr mid, int factor, int d |
-      boundFlowStepDiv(e, mid, factor) and
-      not e instanceof SemConstantIntegerExpr and
-      bounded(mid, b, d, upper, fromBackEdge, origdelta, reason) and
-      b instanceof SemZeroBound and
-      d >= 0 and
-      delta = d / factor
-    )
-    or
-    exists(NarrowingCastExpr cast |
-      cast = e and
-      safeNarrowingCast(cast, upper.booleanNot()) and
-      boundedCastExpr(cast, b, delta, upper, fromBackEdge, origdelta, reason)
-    )
-    or
-    exists(
-      SemConditionalExpr cond, int d1, int d2, boolean fbe1, boolean fbe2, int od1, int od2,
-      SemReason r1, SemReason r2
-    |
-      cond = e and
-      boundedConditionalExpr(cond, b, upper, true, d1, fbe1, od1, r1) and
-      boundedConditionalExpr(cond, b, upper, false, d2, fbe2, od2, r2) and
-      (
-        delta = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1
-        or
-        delta = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2
-      )
-    |
-      upper = true and delta = d1.maximum(d2)
-      or
-      upper = false and delta = d1.minimum(d2)
-    )
-  )
-}
-
-private predicate boundedConditionalExpr(
-  SemConditionalExpr cond, SemBound b, boolean upper, boolean branch, int delta,
-  boolean fromBackEdge, int origdelta, SemReason reason
-) {
-  bounded(cond.getBranchExpr(branch), b, delta, upper, fromBackEdge, origdelta, reason)
-}
+import CppRangeAnalysis
--- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisSpecific.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisSpecific.qll
@@ -3,86 +3,90 @@
 */

 private import experimental.semmle.code.cpp.semantic.Semantic
+private import RangeAnalysisStage
+private import experimental.semmle.code.cpp.semantic.analysis.FloatDelta

-/**
- * Holds if the specified expression should be excluded from the result of `ssaRead()`.
- *
- * This predicate is to keep the results identical to the original Java implementation. It should be
- * removed once we have the new implementation matching the old results exactly.
- */
-predicate ignoreSsaReadCopy(SemExpr e) { none() }
+module CppLangImpl implements LangSig<FloatDelta> {
+  /**
+   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadCopy(SemExpr e) { none() }

-/**
- * Ignore the bound on this expression.
- *
- * This predicate is to keep the results identical to the original Java implementation. It should be
- * removed once we have the new implementation matching the old results exactly.
- */
-predicate ignoreExprBound(SemExpr e) { none() }
+  /**
+   * Ignore the bound on this expression.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreExprBound(SemExpr e) { none() }

-/**
- * Ignore any inferred zero lower bound on this expression.
- *
- * This predicate is to keep the results identical to the original Java implementation. It should be
- * removed once we have the new implementation matching the old results exactly.
- */
-predicate ignoreZeroLowerBound(SemExpr e) { none() }
+  /**
+   * Ignore any inferred zero lower bound on this expression.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreZeroLowerBound(SemExpr e) { none() }

-/**
- * Holds if the specified expression should be excluded from the result of `ssaRead()`.
- *
- * This predicate is to keep the results identical to the original Java implementation. It should be
- * removed once we have the new implementation matching the old results exactly.
- */
-predicate ignoreSsaReadArithmeticExpr(SemExpr e) { none() }
+  /**
+   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadArithmeticExpr(SemExpr e) { none() }

-/**
- * Holds if the specified variable should be excluded from the result of `ssaRead()`.
- *
- * This predicate is to keep the results identical to the original Java implementation. It should be
- * removed once we have the new implementation matching the old results exactly.
- */
-predicate ignoreSsaReadAssignment(SemSsaVariable v) { none() }
+  /**
+   * Holds if the specified variable should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadAssignment(SemSsaVariable v) { none() }

-/**
- * Adds additional results to `ssaRead()` that are specific to Java.
- *
- * This predicate handles propagation of offsets for post-increment and post-decrement expressions
- * in exactly the same way as the old Java implementation. Once the new implementation matches the
- * old one, we should remove this predicate and propagate deltas for all similar patterns, whether
- * or not they come from a post-increment/decrement expression.
- */
-SemExpr specificSsaRead(SemSsaVariable v, int delta) { none() }
+  /**
+   * Adds additional results to `ssaRead()` that are specific to Java.
+   *
+   * This predicate handles propagation of offsets for post-increment and post-decrement expressions
+   * in exactly the same way as the old Java implementation. Once the new implementation matches the
+   * old one, we should remove this predicate and propagate deltas for all similar patterns, whether
+   * or not they come from a post-increment/decrement expression.
+   */
+  SemExpr specificSsaRead(SemSsaVariable v, float delta) { none() }

-/**
- * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
- */
-predicate hasConstantBound(SemExpr e, int bound, boolean upper) { none() }
+  /**
+   * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
+   */
+  predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }

-/**
- * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
- */
-predicate hasBound(SemExpr e, SemExpr bound, int delta, boolean upper) { none() }
+  /**
+   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
+   */
+  predicate hasBound(SemExpr e, SemExpr bound, float delta, boolean upper) { none() }

-/**
- * Holds if the value of `dest` is known to be `src + delta`.
- */
-predicate additionalValueFlowStep(SemExpr dest, SemExpr src, int delta) { none() }
+  /**
+   * Holds if the value of `dest` is known to be `src + delta`.
+   */
+  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, float delta) { none() }

-/**
- * Gets the type that range analysis should use to track the result of the specified expression,
- * if a type other than the original type of the expression is to be used.
- *
- * This predicate is commonly used in languages that support immutable "boxed" types that are
- * actually references but whose values can be tracked as the type contained in the box.
- */
-SemType getAlternateType(SemExpr e) { none() }
+  /**
+   * Gets the type that range analysis should use to track the result of the specified expression,
+   * if a type other than the original type of the expression is to be used.
+   *
+   * This predicate is commonly used in languages that support immutable "boxed" types that are
+   * actually references but whose values can be tracked as the type contained in the box.
+   */
+  SemType getAlternateType(SemExpr e) { none() }

-/**
- * Gets the type that range analysis should use to track the result of the specified source
- * variable, if a type other than the original type of the expression is to be used.
- *
- * This predicate is commonly used in languages that support immutable "boxed" types that are
- * actually references but whose values can be tracked as the type contained in the box.
- */
-SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }
+  /**
+   * Gets the type that range analysis should use to track the result of the specified source
+   * variable, if a type other than the original type of the expression is to be used.
+   *
+   * This predicate is commonly used in languages that support immutable "boxed" types that are
+   * actually references but whose values can be tracked as the type contained in the box.
+   */
+  SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }
+}
--- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeUtils.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeUtils.qll
@@ -3,133 +3,138 @@
 */

 private import experimental.semmle.code.cpp.semantic.Semantic
-private import RangeAnalysisSpecific as Specific
+private import RangeAnalysisSpecific
+private import RangeAnalysisStage as Range
 private import ConstantAnalysis

-/**
- * Gets an expression that equals `v - d`.
- */
-SemExpr semSsaRead(SemSsaVariable v, int delta) {
-  // There are various language-specific extension points that can be removed once we no longer
-  // expect to match the original Java implementation's results exactly.
-  result = v.getAUse() and delta = 0
-  or
-  exists(int d1, SemConstantIntegerExpr c |
-    result.(SemAddExpr).hasOperands(semSsaRead(v, d1), c) and
-    delta = d1 - c.getIntValue() and
-    not Specific::ignoreSsaReadArithmeticExpr(result)
-  )
-  or
-  exists(SemSubExpr sub, int d1, SemConstantIntegerExpr c |
-    result = sub and
-    sub.getLeftOperand() = semSsaRead(v, d1) and
-    sub.getRightOperand() = c and
-    delta = d1 + c.getIntValue() and
-    not Specific::ignoreSsaReadArithmeticExpr(result)
-  )
-  or
-  result = v.(SemSsaExplicitUpdate).getSourceExpr() and
-  delta = 0 and
-  not Specific::ignoreSsaReadAssignment(v)
-  or
-  result = Specific::specificSsaRead(v, delta)
-  or
-  result.(SemCopyValueExpr).getOperand() = semSsaRead(v, delta) and
-  not Specific::ignoreSsaReadCopy(result)
-  or
-  result.(SemStoreExpr).getOperand() = semSsaRead(v, delta)
-}
-
-/**
- * Gets a condition that tests whether `v` equals `e + delta`.
- *
- * If the condition evaluates to `testIsTrue`:
- * - `isEq = true`  : `v == e + delta`
- * - `isEq = false` : `v != e + delta`
- */
-SemGuard semEqFlowCond(SemSsaVariable v, SemExpr e, int delta, boolean isEq, boolean testIsTrue) {
-  exists(boolean eqpolarity |
-    result.isEquality(semSsaRead(v, delta), e, eqpolarity) and
-    (testIsTrue = true or testIsTrue = false) and
-    eqpolarity.booleanXor(testIsTrue).booleanNot() = isEq
-  )
-  or
-  exists(boolean testIsTrue0 |
-    semImplies_v2(result, testIsTrue, semEqFlowCond(v, e, delta, isEq, testIsTrue0), testIsTrue0)
-  )
-}
-
-/**
- * Holds if `v` is an `SsaExplicitUpdate` that equals `e + delta`.
- */
-predicate semSsaUpdateStep(SemSsaExplicitUpdate v, SemExpr e, int delta) {
-  exists(SemExpr defExpr | defExpr = v.getSourceExpr() |
-    defExpr.(SemCopyValueExpr).getOperand() = e and delta = 0
+module RangeUtil<Range::DeltaSig D, Range::LangSig<D> Lang> implements Range::UtilSig<D> {
+  /**
+   * Gets an expression that equals `v - d`.
+   */
+  SemExpr semSsaRead(SemSsaVariable v, D::Delta delta) {
+    // There are various language-specific extension points that can be removed once we no longer
+    // expect to match the original Java implementation's results exactly.
+    result = v.getAUse() and delta = D::fromInt(0)
    or
-    defExpr.(SemStoreExpr).getOperand() = e and delta = 0
+    exists(D::Delta d1, SemConstantIntegerExpr c |
+      result.(SemAddExpr).hasOperands(semSsaRead(v, d1), c) and
+      delta = D::fromFloat(D::toFloat(d1) - c.getIntValue()) and
+      not Lang::ignoreSsaReadArithmeticExpr(result)
+    )
    or
-    defExpr.(SemAddOneExpr).getOperand() = e and delta = 1
+    exists(SemSubExpr sub, D::Delta d1, SemConstantIntegerExpr c |
+      result = sub and
+      sub.getLeftOperand() = semSsaRead(v, d1) and
+      sub.getRightOperand() = c and
+      delta = D::fromFloat(D::toFloat(d1) + c.getIntValue()) and
+      not Lang::ignoreSsaReadArithmeticExpr(result)
+    )
    or
-    defExpr.(SemSubOneExpr).getOperand() = e and delta = -1
+    result = v.(SemSsaExplicitUpdate).getSourceExpr() and
+    delta = D::fromFloat(0) and
+    not Lang::ignoreSsaReadAssignment(v)
    or
-    e = defExpr and
-    not (
-      defExpr instanceof SemCopyValueExpr or
-      defExpr instanceof SemStoreExpr or
-      defExpr instanceof SemAddOneExpr or
-      defExpr instanceof SemSubOneExpr
-    ) and
-    delta = 0
-  )
-}
+    result = Lang::specificSsaRead(v, delta)
+    or
+    result.(SemCopyValueExpr).getOperand() = semSsaRead(v, delta) and
+    not Lang::ignoreSsaReadCopy(result)
+    or
+    result.(SemStoreExpr).getOperand() = semSsaRead(v, delta)
+  }

-/**
- * Holds if `e1 + delta` equals `e2`.
- */
-predicate semValueFlowStep(SemExpr e2, SemExpr e1, int delta) {
-  e2.(SemCopyValueExpr).getOperand() = e1 and delta = 0
-  or
-  e2.(SemStoreExpr).getOperand() = e1 and delta = 0
-  or
-  e2.(SemAddOneExpr).getOperand() = e1 and delta = 1
-  or
-  e2.(SemSubOneExpr).getOperand() = e1 and delta = -1
-  or
-  Specific::additionalValueFlowStep(e2, e1, delta)
-  or
-  exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
-    x.(SemConstantIntegerExpr).getIntValue() = delta
-  )
-  or
-  exists(SemExpr x, SemSubExpr sub |
-    e2 = sub and
-    sub.getLeftOperand() = e1 and
-    sub.getRightOperand() = x
-  |
-    x.(SemConstantIntegerExpr).getIntValue() = -delta
-  )
-}
+  /**
+   * Gets a condition that tests whether `v` equals `e + delta`.
+   *
+   * If the condition evaluates to `testIsTrue`:
+   * - `isEq = true`  : `v == e + delta`
+   * - `isEq = false` : `v != e + delta`
+   */
+  SemGuard semEqFlowCond(
+    SemSsaVariable v, SemExpr e, D::Delta delta, boolean isEq, boolean testIsTrue
+  ) {
+    exists(boolean eqpolarity |
+      result.isEquality(semSsaRead(v, delta), e, eqpolarity) and
+      (testIsTrue = true or testIsTrue = false) and
+      eqpolarity.booleanXor(testIsTrue).booleanNot() = isEq
+    )
+    or
+    exists(boolean testIsTrue0 |
+      semImplies_v2(result, testIsTrue, semEqFlowCond(v, e, delta, isEq, testIsTrue0), testIsTrue0)
+    )
+  }

-/**
- * Gets the type used to track the specified expression's range information.
- *
- * Usually, this just `e.getSemType()`, but the language can override this to track immutable boxed
- * primitive types as the underlying primitive type.
- */
-SemType getTrackedType(SemExpr e) {
-  result = Specific::getAlternateType(e)
-  or
-  not exists(Specific::getAlternateType(e)) and result = e.getSemType()
-}
+  /**
+   * Holds if `v` is an `SsaExplicitUpdate` that equals `e + delta`.
+   */
+  predicate semSsaUpdateStep(SemSsaExplicitUpdate v, SemExpr e, D::Delta delta) {
+    exists(SemExpr defExpr | defExpr = v.getSourceExpr() |
+      defExpr.(SemCopyValueExpr).getOperand() = e and delta = D::fromFloat(0)
+      or
+      defExpr.(SemStoreExpr).getOperand() = e and delta = D::fromFloat(0)
+      or
+      defExpr.(SemAddOneExpr).getOperand() = e and delta = D::fromFloat(1)
+      or
+      defExpr.(SemSubOneExpr).getOperand() = e and delta = D::fromFloat(-1)
+      or
+      e = defExpr and
+      not (
+        defExpr instanceof SemCopyValueExpr or
+        defExpr instanceof SemStoreExpr or
+        defExpr instanceof SemAddOneExpr or
+        defExpr instanceof SemSubOneExpr
+      ) and
+      delta = D::fromFloat(0)
+    )
+  }

-/**
- * Gets the type used to track the specified source variable's range information.
- *
- * Usually, this just `e.getType()`, but the language can override this to track immutable boxed
- * primitive types as the underlying primitive type.
- */
-SemType getTrackedTypeForSsaVariable(SemSsaVariable var) {
-  result = Specific::getAlternateTypeForSsaVariable(var)
-  or
-  not exists(Specific::getAlternateTypeForSsaVariable(var)) and result = var.getType()
+  /**
+   * Holds if `e1 + delta` equals `e2`.
+   */
+  predicate semValueFlowStep(SemExpr e2, SemExpr e1, D::Delta delta) {
+    e2.(SemCopyValueExpr).getOperand() = e1 and delta = D::fromFloat(0)
+    or
+    e2.(SemStoreExpr).getOperand() = e1 and delta = D::fromFloat(0)
+    or
+    e2.(SemAddOneExpr).getOperand() = e1 and delta = D::fromFloat(1)
+    or
+    e2.(SemSubOneExpr).getOperand() = e1 and delta = D::fromFloat(-1)
+    or
+    Lang::additionalValueFlowStep(e2, e1, delta)
+    or
+    exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
+      D::fromInt(x.(SemConstantIntegerExpr).getIntValue()) = delta
+    )
+    or
+    exists(SemExpr x, SemSubExpr sub |
+      e2 = sub and
+      sub.getLeftOperand() = e1 and
+      sub.getRightOperand() = x
+    |
+      D::fromInt(-x.(SemConstantIntegerExpr).getIntValue()) = delta
+    )
+  }
+
+  /**
+   * Gets the type used to track the specified expression's range information.
+   *
+   * Usually, this just `e.getSemType()`, but the language can override this to track immutable boxed
+   * primitive types as the underlying primitive type.
+   */
+  SemType getTrackedType(SemExpr e) {
+    result = Lang::getAlternateType(e)
+    or
+    not exists(Lang::getAlternateType(e)) and result = e.getSemType()
+  }
+
+  /**
+   * Gets the type used to track the specified source variable's range information.
+   *
+   * Usually, this just `e.getType()`, but the language can override this to track immutable boxed
+   * primitive types as the underlying primitive type.
+   */
+  SemType getTrackedTypeForSsaVariable(SemSsaVariable var) {
+    result = Lang::getAlternateTypeForSsaVariable(var)
+    or
+    not exists(Lang::getAlternateTypeForSsaVariable(var)) and result = var.getType()
+  }
 }
--- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/SignAnalysisCommon.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/SignAnalysisCommon.qll
@@ -6,488 +6,494 @@
 * three-valued domain `{negative, zero, positive}`.
 */

+private import RangeAnalysisStage
 private import SignAnalysisSpecific as Specific
 private import experimental.semmle.code.cpp.semantic.Semantic
 private import ConstantAnalysis
 private import RangeUtils
 private import Sign

-/**
- * An SSA definition for which the analysis can compute the sign.
- *
- * The actual computation of the sign is done in an override of the `getSign()` predicate. The
- * charpred of any subclass must _not_ invoke `getSign()`, directly or indirectly. This ensures
- * that the charpred does not introduce negative recursion. The `getSign()` predicate may be
- * recursive.
- */
-abstract private class SignDef instanceof SemSsaVariable {
-  final string toString() { result = super.toString() }
+module SignAnalysis<DeltaSig D, UtilSig<D> Utils> {
+  /**
+   * An SSA definition for which the analysis can compute the sign.
+   *
+   * The actual computation of the sign is done in an override of the `getSign()` predicate. The
+   * charpred of any subclass must _not_ invoke `getSign()`, directly or indirectly. This ensures
+   * that the charpred does not introduce negative recursion. The `getSign()` predicate may be
+   * recursive.
+   */
+  abstract private class SignDef instanceof SemSsaVariable {
+    final string toString() { result = super.toString() }

-  /** Gets the possible signs of this SSA definition. */
-  abstract Sign getSign();
-}
-
-/** An SSA definition whose sign is computed based on standard flow. */
-abstract private class FlowSignDef extends SignDef {
-  abstract override Sign getSign();
-}
-
-/** An SSA definition whose sign is determined by the sign of that definitions source expression. */
-private class ExplicitSignDef extends FlowSignDef instanceof SemSsaExplicitUpdate {
-  final override Sign getSign() { result = semExprSign(super.getSourceExpr()) }
-}
-
-/** An SSA Phi definition, whose sign is the union of the signs of its inputs. */
-private class PhiSignDef extends FlowSignDef instanceof SemSsaPhiNode {
-  final override Sign getSign() {
-    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
-      edge.phiInput(this, inp) and
-      result = semSsaSign(inp, edge)
-    )
-  }
-}
-
-/** An SSA definition whose sign is computed by a language-specific implementation. */
-abstract class CustomSignDef extends SignDef {
-  abstract override Sign getSign();
-}
-
-/**
- * An expression for which the analysis can compute the sign.
- *
- * The actual computation of the sign is done in an override of the `getSign()` predicate. The
- * charpred of any subclass must _not_ invoke `getSign()`, directly or indirectly. This ensures
- * that the charpred does not introduce negative recursion. The `getSign()` predicate may be
- * recursive.
- *
- * Concrete implementations extend one of the following subclasses:
- * - `ConstantSignExpr`, for expressions with a compile-time constant value.
- * - `FlowSignExpr`, for expressions whose sign can be computed from the signs of their operands.
- * - `CustomsignExpr`, for expressions whose sign can be computed by a language-specific
- *   implementation.
- *
- * If the same expression matches more than one of the above subclasses, the sign is computed as
- * follows:
- * - The sign of a `ConstantSignExpr` is computed solely from `ConstantSignExpr.getSign()`,
- *   regardless of any other subclasses.
- * - If a non-`ConstantSignExpr` expression matches exactly one of `FlowSignExpr` or
- *   `CustomSignExpr`, the sign is computed by that class' `getSign()` predicate.
- * - If a non-`ConstantSignExpr` expression matches both `FlowSignExpr` and `CustomSignExpr`, the
- *   sign is the _intersection_ of the signs of those two classes' `getSign()` predicates. Thus,
- *   both classes have the opportunity to _restrict_ the set of possible signs, not to generate new
- *   possible signs.
- * - If an expression does not match any of the three subclasses, then it can have any sign.
- *
- * Note that the `getSign()` predicate is introduced only in subclasses of `SignExpr`.
- */
-abstract class SignExpr instanceof SemExpr {
-  SignExpr() { not Specific::ignoreExprSign(this) }
-
-  final string toString() { result = super.toString() }
-
-  abstract Sign getSign();
-}
-
-/** An expression whose sign is determined by its constant numeric value. */
-private class ConstantSignExpr extends SignExpr {
-  ConstantSignExpr() {
-    this instanceof SemConstantIntegerExpr or
-    exists(this.(SemNumericLiteralExpr).getApproximateFloatValue())
+    /** Gets the possible signs of this SSA definition. */
+    abstract Sign getSign();
  }

-  final override Sign getSign() {
-    exists(int i | this.(SemConstantIntegerExpr).getIntValue() = i |
-      i < 0 and result = TNeg()
+  /** An SSA definition whose sign is computed based on standard flow. */
+  abstract private class FlowSignDef extends SignDef {
+    abstract override Sign getSign();
+  }
+
+  /** An SSA definition whose sign is determined by the sign of that definitions source expression. */
+  private class ExplicitSignDef extends FlowSignDef instanceof SemSsaExplicitUpdate {
+    final override Sign getSign() { result = semExprSign(super.getSourceExpr()) }
+  }
+
+  /** An SSA Phi definition, whose sign is the union of the signs of its inputs. */
+  private class PhiSignDef extends FlowSignDef instanceof SemSsaPhiNode {
+    final override Sign getSign() {
+      exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
+        edge.phiInput(this, inp) and
+        result = semSsaSign(inp, edge)
+      )
+    }
+  }
+
+  /** An SSA definition whose sign is computed by a language-specific implementation. */
+  abstract class CustomSignDef extends SignDef {
+    abstract override Sign getSign();
+  }
+
+  /**
+   * An expression for which the analysis can compute the sign.
+   *
+   * The actual computation of the sign is done in an override of the `getSign()` predicate. The
+   * charpred of any subclass must _not_ invoke `getSign()`, directly or indirectly. This ensures
+   * that the charpred does not introduce negative recursion. The `getSign()` predicate may be
+   * recursive.
+   *
+   * Concrete implementations extend one of the following subclasses:
+   * - `ConstantSignExpr`, for expressions with a compile-time constant value.
+   * - `FlowSignExpr`, for expressions whose sign can be computed from the signs of their operands.
+   * - `CustomsignExpr`, for expressions whose sign can be computed by a language-specific
+   *   implementation.
+   *
+   * If the same expression matches more than one of the above subclasses, the sign is computed as
+   * follows:
+   * - The sign of a `ConstantSignExpr` is computed solely from `ConstantSignExpr.getSign()`,
+   *   regardless of any other subclasses.
+   * - If a non-`ConstantSignExpr` expression matches exactly one of `FlowSignExpr` or
+   *   `CustomSignExpr`, the sign is computed by that class' `getSign()` predicate.
+   * - If a non-`ConstantSignExpr` expression matches both `FlowSignExpr` and `CustomSignExpr`, the
+   *   sign is the _intersection_ of the signs of those two classes' `getSign()` predicates. Thus,
+   *   both classes have the opportunity to _restrict_ the set of possible signs, not to generate new
+   *   possible signs.
+   * - If an expression does not match any of the three subclasses, then it can have any sign.
+   *
+   * Note that the `getSign()` predicate is introduced only in subclasses of `SignExpr`.
+   */
+  abstract class SignExpr instanceof SemExpr {
+    SignExpr() { not Specific::ignoreExprSign(this) }
+
+    final string toString() { result = super.toString() }
+
+    abstract Sign getSign();
+  }
+
+  /** An expression whose sign is determined by its constant numeric value. */
+  private class ConstantSignExpr extends SignExpr {
+    ConstantSignExpr() {
+      this instanceof SemConstantIntegerExpr or
+      exists(this.(SemNumericLiteralExpr).getApproximateFloatValue())
+    }
+
+    final override Sign getSign() {
+      exists(int i | this.(SemConstantIntegerExpr).getIntValue() = i |
+        i < 0 and result = TNeg()
+        or
+        i = 0 and result = TZero()
+        or
+        i > 0 and result = TPos()
+      )
      or
-      i = 0 and result = TZero()
-      or
-      i > 0 and result = TPos()
-    )
-    or
-    not exists(this.(SemConstantIntegerExpr).getIntValue()) and
-    exists(float f | f = this.(SemNumericLiteralExpr).getApproximateFloatValue() |
-      f < 0 and result = TNeg()
-      or
-      f = 0 and result = TZero()
-      or
-      f > 0 and result = TPos()
-    )
-  }
-}
-
-abstract private class NonConstantSignExpr extends SignExpr {
-  NonConstantSignExpr() { not this instanceof ConstantSignExpr }
-
-  final override Sign getSign() {
-    // The result is the _intersection_ of the signs computed from flow and by the language.
-    (result = this.(FlowSignExpr).getSignRestriction() or not this instanceof FlowSignExpr) and
-    (result = this.(CustomSignExpr).getSignRestriction() or not this instanceof CustomSignExpr)
-  }
-}
-
-/** An expression whose sign is computed from the signs of its operands. */
-abstract private class FlowSignExpr extends NonConstantSignExpr {
-  abstract Sign getSignRestriction();
-}
-
-/** An expression whose sign is computed by a language-specific implementation. */
-abstract class CustomSignExpr extends NonConstantSignExpr {
-  abstract Sign getSignRestriction();
-}
-
-/** An expression whose sign is unknown. */
-private class UnknownSignExpr extends SignExpr {
-  UnknownSignExpr() {
-    not this instanceof FlowSignExpr and
-    not this instanceof CustomSignExpr and
-    not this instanceof ConstantSignExpr and
-    (
-      // Only track numeric types.
-      getTrackedType(this) instanceof SemNumericType
-      or
-      // Unless the language says to track this expression anyway.
-      Specific::trackUnknownNonNumericExpr(this)
-    )
+      not exists(this.(SemConstantIntegerExpr).getIntValue()) and
+      exists(float f | f = this.(SemNumericLiteralExpr).getApproximateFloatValue() |
+        f < 0 and result = TNeg()
+        or
+        f = 0 and result = TZero()
+        or
+        f > 0 and result = TPos()
+      )
+    }
  }

-  final override Sign getSign() { semAnySign(result) }
-}
+  abstract private class NonConstantSignExpr extends SignExpr {
+    NonConstantSignExpr() { not this instanceof ConstantSignExpr }

-/**
- * A `Load` expression whose sign is computed from the sign of its SSA definition, restricted by
- * inference from any intervening guards.
- */
-class UseSignExpr extends FlowSignExpr {
-  SemSsaVariable v;
-
-  UseSignExpr() { v.getAUse() = this }
-
-  override Sign getSignRestriction() {
-    // Propagate via SSA
-    // Propagate the sign from the def of `v`, incorporating any inference from guards.
-    result = semSsaSign(v, any(SemSsaReadPositionBlock bb | bb.getAnExpr() = this))
-    or
-    // No block for this read. Just use the sign of the def.
-    // REVIEW: How can this happen?
-    not exists(SemSsaReadPositionBlock bb | bb.getAnExpr() = this) and
-    result = semSsaDefSign(v)
+    final override Sign getSign() {
+      // The result is the _intersection_ of the signs computed from flow and by the language.
+      (result = this.(FlowSignExpr).getSignRestriction() or not this instanceof FlowSignExpr) and
+      (result = this.(CustomSignExpr).getSignRestriction() or not this instanceof CustomSignExpr)
+    }
  }
-}

-/** A binary expression whose sign is computed from the signs of its operands. */
-private class BinarySignExpr extends FlowSignExpr {
-  SemBinaryExpr binary;
+  /** An expression whose sign is computed from the signs of its operands. */
+  abstract private class FlowSignExpr extends NonConstantSignExpr {
+    abstract Sign getSignRestriction();
+  }

-  BinarySignExpr() { binary = this }
+  /** An expression whose sign is computed by a language-specific implementation. */
+  abstract class CustomSignExpr extends NonConstantSignExpr {
+    abstract Sign getSignRestriction();
+  }

-  override Sign getSignRestriction() {
-    exists(SemExpr left, SemExpr right |
-      binaryExprOperands(binary, left, right) and
+  /** An expression whose sign is unknown. */
+  private class UnknownSignExpr extends SignExpr {
+    UnknownSignExpr() {
+      not this instanceof FlowSignExpr and
+      not this instanceof CustomSignExpr and
+      not this instanceof ConstantSignExpr and
+      (
+        // Only track numeric types.
+        Utils::getTrackedType(this) instanceof SemNumericType
+        or
+        // Unless the language says to track this expression anyway.
+        Specific::trackUnknownNonNumericExpr(this)
+      )
+    }
+
+    final override Sign getSign() { semAnySign(result) }
+  }
+
+  /**
+   * A `Load` expression whose sign is computed from the sign of its SSA definition, restricted by
+   * inference from any intervening guards.
+   */
+  class UseSignExpr extends FlowSignExpr {
+    SemSsaVariable v;
+
+    UseSignExpr() { v.getAUse() = this }
+
+    override Sign getSignRestriction() {
+      // Propagate via SSA
+      // Propagate the sign from the def of `v`, incorporating any inference from guards.
+      result = semSsaSign(v, any(SemSsaReadPositionBlock bb | bb.getAnExpr() = this))
+      or
+      // No block for this read. Just use the sign of the def.
+      // REVIEW: How can this happen?
+      not exists(SemSsaReadPositionBlock bb | bb.getAnExpr() = this) and
+      result = semSsaDefSign(v)
+    }
+  }
+
+  /** A binary expression whose sign is computed from the signs of its operands. */
+  private class BinarySignExpr extends FlowSignExpr {
+    SemBinaryExpr binary;
+
+    BinarySignExpr() { binary = this }
+
+    override Sign getSignRestriction() {
+      exists(SemExpr left, SemExpr right |
+        binaryExprOperands(binary, left, right) and
+        result =
+          semExprSign(pragma[only_bind_out](left))
+              .applyBinaryOp(semExprSign(pragma[only_bind_out](right)), binary.getOpcode())
+      )
+      or
+      exists(SemDivExpr div | div = binary |
+        result = semExprSign(div.getLeftOperand()) and
+        result != TZero() and
+        div.getRightOperand().(SemFloatingPointLiteralExpr).getFloatValue() = 0
+      )
+    }
+  }
+
+  pragma[nomagic]
+  private predicate binaryExprOperands(SemBinaryExpr binary, SemExpr left, SemExpr right) {
+    binary.getLeftOperand() = left and binary.getRightOperand() = right
+  }
+
+  /**
+   * A `Convert`, `Box`, or `Unbox` expression.
+   */
+  private class SemCastExpr instanceof SemUnaryExpr {
+    string toString() { result = super.toString() }
+
+    SemCastExpr() {
+      this instanceof SemConvertExpr
+      or
+      this instanceof SemBoxExpr
+      or
+      this instanceof SemUnboxExpr
+    }
+  }
+
+  /** A unary expression whose sign is computed from the sign of its operand. */
+  private class UnarySignExpr extends FlowSignExpr {
+    SemUnaryExpr unary;
+
+    UnarySignExpr() { unary = this and not this instanceof SemCastExpr }
+
+    override Sign getSignRestriction() {
      result =
-        semExprSign(pragma[only_bind_out](left))
-            .applyBinaryOp(semExprSign(pragma[only_bind_out](right)), binary.getOpcode())
-    )
-    or
-    exists(SemDivExpr div | div = binary |
-      result = semExprSign(div.getLeftOperand()) and
-      result != TZero() and
-      div.getRightOperand().(SemFloatingPointLiteralExpr).getFloatValue() = 0
+        semExprSign(pragma[only_bind_out](unary.getOperand())).applyUnaryOp(unary.getOpcode())
+    }
+  }
+
+  /**
+   * A `Convert`, `Box`, or `Unbox` expression, whose sign is computed based on
+   * the sign of its operand and the source and destination types.
+   */
+  abstract private class CastSignExpr extends FlowSignExpr {
+    SemUnaryExpr cast;
+
+    CastSignExpr() { cast = this and cast instanceof SemCastExpr }
+
+    override Sign getSignRestriction() { result = semExprSign(cast.getOperand()) }
+  }
+
+  /**
+   * A `Convert` expression.
+   */
+  private class ConvertSignExpr extends CastSignExpr {
+    override SemConvertExpr cast;
+  }
+
+  /**
+   * A `Box` expression.
+   */
+  private class BoxSignExpr extends CastSignExpr {
+    override SemBoxExpr cast;
+  }
+
+  /**
+   * An `Unbox` expression.
+   */
+  private class UnboxSignExpr extends CastSignExpr {
+    override SemUnboxExpr cast;
+
+    UnboxSignExpr() {
+      exists(SemType fromType | fromType = Utils::getTrackedType(cast.getOperand()) |
+        // Only numeric source types are handled here.
+        fromType instanceof SemNumericType
+      )
+    }
+  }
+
+  private predicate unknownSign(SemExpr e) { e instanceof UnknownSignExpr }
+
+  /**
+   * Holds if `lowerbound` is a lower bound for `v` at `pos`. This is restricted
+   * to only include bounds for which we might determine a sign.
+   */
+  private predicate lowerBound(
+    SemExpr lowerbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
+  ) {
+    exists(boolean testIsTrue, SemRelationalExpr comp |
+      pos.hasReadOfVar(v) and
+      semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
+      not unknownSign(lowerbound)
+    |
+      testIsTrue = true and
+      comp.getLesserOperand() = lowerbound and
+      comp.getGreaterOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
+      (if comp.isStrict() then isStrict = true else isStrict = false)
+      or
+      testIsTrue = false and
+      comp.getGreaterOperand() = lowerbound and
+      comp.getLesserOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
+      (if comp.isStrict() then isStrict = false else isStrict = true)
    )
  }
-}

-pragma[nomagic]
-private predicate binaryExprOperands(SemBinaryExpr binary, SemExpr left, SemExpr right) {
-  binary.getLeftOperand() = left and binary.getRightOperand() = right
-}
-
-/**
- * A `Convert`, `Box`, or `Unbox` expression.
- */
-private class SemCastExpr extends SemUnaryExpr {
-  SemCastExpr() {
-    this instanceof SemConvertExpr
-    or
-    this instanceof SemBoxExpr
-    or
-    this instanceof SemUnboxExpr
-  }
-}
-
-/** A unary expression whose sign is computed from the sign of its operand. */
-private class UnarySignExpr extends FlowSignExpr {
-  SemUnaryExpr unary;
-
-  UnarySignExpr() { unary = this and not this instanceof SemCastExpr }
-
-  override Sign getSignRestriction() {
-    result = semExprSign(pragma[only_bind_out](unary.getOperand())).applyUnaryOp(unary.getOpcode())
-  }
-}
-
-/**
- * A `Convert`, `Box`, or `Unbox` expression, whose sign is computed based on
- * the sign of its operand and the source and destination types.
- */
-abstract private class CastSignExpr extends FlowSignExpr {
-  SemUnaryExpr cast;
-
-  CastSignExpr() { cast = this and cast instanceof SemCastExpr }
-
-  override Sign getSignRestriction() { result = semExprSign(cast.getOperand()) }
-}
-
-/**
- * A `Convert` expression.
- */
-private class ConvertSignExpr extends CastSignExpr {
-  override SemConvertExpr cast;
-}
-
-/**
- * A `Box` expression.
- */
-private class BoxSignExpr extends CastSignExpr {
-  override SemBoxExpr cast;
-}
-
-/**
- * An `Unbox` expression.
- */
-private class UnboxSignExpr extends CastSignExpr {
-  override SemUnboxExpr cast;
-
-  UnboxSignExpr() {
-    exists(SemType fromType | fromType = getTrackedType(cast.getOperand()) |
-      // Only numeric source types are handled here.
-      fromType instanceof SemNumericType
+  /**
+   * Holds if `upperbound` is an upper bound for `v` at `pos`. This is restricted
+   * to only include bounds for which we might determine a sign.
+   */
+  private predicate upperBound(
+    SemExpr upperbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
+  ) {
+    exists(boolean testIsTrue, SemRelationalExpr comp |
+      pos.hasReadOfVar(v) and
+      semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
+      not unknownSign(upperbound)
+    |
+      testIsTrue = true and
+      comp.getGreaterOperand() = upperbound and
+      comp.getLesserOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
+      (if comp.isStrict() then isStrict = true else isStrict = false)
+      or
+      testIsTrue = false and
+      comp.getLesserOperand() = upperbound and
+      comp.getGreaterOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
+      (if comp.isStrict() then isStrict = false else isStrict = true)
    )
  }
-}

-private predicate unknownSign(SemExpr e) { e instanceof UnknownSignExpr }
+  /**
+   * Holds if `eqbound` is an equality/inequality for `v` at `pos`. This is
+   * restricted to only include bounds for which we might determine a sign. The
+   * boolean `isEq` gives the polarity:
+   *  - `isEq = true` : `v = eqbound`
+   *  - `isEq = false` : `v != eqbound`
+   */
+  private predicate eqBound(SemExpr eqbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isEq) {
+    exists(SemGuard guard, boolean testIsTrue, boolean polarity |
+      pos.hasReadOfVar(v) and
+      semGuardControlsSsaRead(guard, pos, testIsTrue) and
+      guard.isEquality(eqbound, Utils::semSsaRead(v, D::fromInt(0)), polarity) and
+      isEq = polarity.booleanXor(testIsTrue).booleanNot() and
+      not unknownSign(eqbound)
+    )
+  }

-/**
- * Holds if `lowerbound` is a lower bound for `v` at `pos`. This is restricted
- * to only include bounds for which we might determine a sign.
- */
-private predicate lowerBound(
-  SemExpr lowerbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
-) {
-  exists(boolean testIsTrue, SemRelationalExpr comp |
-    pos.hasReadOfVar(v) and
-    semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
-    not unknownSign(lowerbound)
-  |
-    testIsTrue = true and
-    comp.getLesserOperand() = lowerbound and
-    comp.getGreaterOperand() = semSsaRead(v, 0) and
-    (if comp.isStrict() then isStrict = true else isStrict = false)
+  /**
+   * Holds if `bound` is a bound for `v` at `pos` that needs to be positive in
+   * order for `v` to be positive.
+   */
+  private predicate posBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+    upperBound(bound, v, pos, _) or
+    eqBound(bound, v, pos, true)
+  }
+
+  /**
+   * Holds if `bound` is a bound for `v` at `pos` that needs to be negative in
+   * order for `v` to be negative.
+   */
+  private predicate negBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+    lowerBound(bound, v, pos, _) or
+    eqBound(bound, v, pos, true)
+  }
+
+  /**
+   * Holds if `bound` is a bound for `v` at `pos` that can restrict whether `v`
+   * can be zero.
+   */
+  private predicate zeroBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+    lowerBound(bound, v, pos, _) or
+    upperBound(bound, v, pos, _) or
+    eqBound(bound, v, pos, _)
+  }
+
+  /** Holds if `bound` allows `v` to be positive at `pos`. */
+  private predicate posBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+    posBound(bound, v, pos) and TPos() = semExprSign(bound)
+  }
+
+  /** Holds if `bound` allows `v` to be negative at `pos`. */
+  private predicate negBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+    negBound(bound, v, pos) and TNeg() = semExprSign(bound)
+  }
+
+  /** Holds if `bound` allows `v` to be zero at `pos`. */
+  private predicate zeroBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+    lowerBound(bound, v, pos, _) and TNeg() = semExprSign(bound)
    or
-    testIsTrue = false and
-    comp.getGreaterOperand() = lowerbound and
-    comp.getLesserOperand() = semSsaRead(v, 0) and
-    (if comp.isStrict() then isStrict = false else isStrict = true)
-  )
-}
-
-/**
- * Holds if `upperbound` is an upper bound for `v` at `pos`. This is restricted
- * to only include bounds for which we might determine a sign.
- */
-private predicate upperBound(
-  SemExpr upperbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
-) {
-  exists(boolean testIsTrue, SemRelationalExpr comp |
-    pos.hasReadOfVar(v) and
-    semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
-    not unknownSign(upperbound)
-  |
-    testIsTrue = true and
-    comp.getGreaterOperand() = upperbound and
-    comp.getLesserOperand() = semSsaRead(v, 0) and
-    (if comp.isStrict() then isStrict = true else isStrict = false)
+    lowerBound(bound, v, pos, false) and TZero() = semExprSign(bound)
    or
-    testIsTrue = false and
-    comp.getLesserOperand() = upperbound and
-    comp.getGreaterOperand() = semSsaRead(v, 0) and
-    (if comp.isStrict() then isStrict = false else isStrict = true)
-  )
-}
+    upperBound(bound, v, pos, _) and TPos() = semExprSign(bound)
+    or
+    upperBound(bound, v, pos, false) and TZero() = semExprSign(bound)
+    or
+    eqBound(bound, v, pos, true) and TZero() = semExprSign(bound)
+    or
+    eqBound(bound, v, pos, false) and TZero() != semExprSign(bound)
+  }

-/**
- * Holds if `eqbound` is an equality/inequality for `v` at `pos`. This is
- * restricted to only include bounds for which we might determine a sign. The
- * boolean `isEq` gives the polarity:
- *  - `isEq = true` : `v = eqbound`
- *  - `isEq = false` : `v != eqbound`
- */
-private predicate eqBound(SemExpr eqbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isEq) {
-  exists(SemGuard guard, boolean testIsTrue, boolean polarity |
+  /**
+   * Holds if there is a bound that might restrict whether `v` has the sign `s`
+   * at `pos`.
+   */
+  private predicate hasGuard(SemSsaVariable v, SemSsaReadPosition pos, Sign s) {
+    s = TPos() and posBound(_, v, pos)
+    or
+    s = TNeg() and negBound(_, v, pos)
+    or
+    s = TZero() and zeroBound(_, v, pos)
+  }
+
+  /**
+   * Gets a possible sign of `v` at `pos` based on its definition, where the sign
+   * might be ruled out by a guard.
+   */
+  pragma[noinline]
+  private Sign guardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
+    result = semSsaDefSign(v) and
    pos.hasReadOfVar(v) and
-    semGuardControlsSsaRead(guard, pos, testIsTrue) and
-    guard.isEquality(eqbound, semSsaRead(v, 0), polarity) and
-    isEq = polarity.booleanXor(testIsTrue).booleanNot() and
-    not unknownSign(eqbound)
-  )
-}
-
-/**
- * Holds if `bound` is a bound for `v` at `pos` that needs to be positive in
- * order for `v` to be positive.
- */
-private predicate posBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-  upperBound(bound, v, pos, _) or
-  eqBound(bound, v, pos, true)
-}
-
-/**
- * Holds if `bound` is a bound for `v` at `pos` that needs to be negative in
- * order for `v` to be negative.
- */
-private predicate negBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-  lowerBound(bound, v, pos, _) or
-  eqBound(bound, v, pos, true)
-}
-
-/**
- * Holds if `bound` is a bound for `v` at `pos` that can restrict whether `v`
- * can be zero.
- */
-private predicate zeroBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-  lowerBound(bound, v, pos, _) or
-  upperBound(bound, v, pos, _) or
-  eqBound(bound, v, pos, _)
-}
-
-/** Holds if `bound` allows `v` to be positive at `pos`. */
-private predicate posBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-  posBound(bound, v, pos) and TPos() = semExprSign(bound)
-}
-
-/** Holds if `bound` allows `v` to be negative at `pos`. */
-private predicate negBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-  negBound(bound, v, pos) and TNeg() = semExprSign(bound)
-}
-
-/** Holds if `bound` allows `v` to be zero at `pos`. */
-private predicate zeroBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-  lowerBound(bound, v, pos, _) and TNeg() = semExprSign(bound)
-  or
-  lowerBound(bound, v, pos, false) and TZero() = semExprSign(bound)
-  or
-  upperBound(bound, v, pos, _) and TPos() = semExprSign(bound)
-  or
-  upperBound(bound, v, pos, false) and TZero() = semExprSign(bound)
-  or
-  eqBound(bound, v, pos, true) and TZero() = semExprSign(bound)
-  or
-  eqBound(bound, v, pos, false) and TZero() != semExprSign(bound)
-}
-
-/**
- * Holds if there is a bound that might restrict whether `v` has the sign `s`
- * at `pos`.
- */
-private predicate hasGuard(SemSsaVariable v, SemSsaReadPosition pos, Sign s) {
-  s = TPos() and posBound(_, v, pos)
-  or
-  s = TNeg() and negBound(_, v, pos)
-  or
-  s = TZero() and zeroBound(_, v, pos)
-}
-
-/**
- * Gets a possible sign of `v` at `pos` based on its definition, where the sign
- * might be ruled out by a guard.
- */
-pragma[noinline]
-private Sign guardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
-  result = semSsaDefSign(v) and
-  pos.hasReadOfVar(v) and
-  hasGuard(v, pos, result)
-}
-
-/**
- * Gets a possible sign of `v` at `pos` based on its definition, where no guard
- * can rule it out.
- */
-pragma[noinline]
-private Sign unguardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
-  result = semSsaDefSign(v) and
-  pos.hasReadOfVar(v) and
-  not hasGuard(v, pos, result)
-}
-
-/**
- * Gets a possible sign of `v` at read position `pos`, where a guard could have
- * ruled out the sign but does not.
- * This does not check that the definition of `v` also allows the sign.
- */
-private Sign guardedSsaSignOk(SemSsaVariable v, SemSsaReadPosition pos) {
-  result = TPos() and
-  forex(SemExpr bound | posBound(bound, v, pos) | posBoundOk(bound, v, pos))
-  or
-  result = TNeg() and
-  forex(SemExpr bound | negBound(bound, v, pos) | negBoundOk(bound, v, pos))
-  or
-  result = TZero() and
-  forex(SemExpr bound | zeroBound(bound, v, pos) | zeroBoundOk(bound, v, pos))
-}
-
-/** Gets a possible sign for `v` at `pos`. */
-private Sign semSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
-  result = unguardedSsaSign(v, pos)
-  or
-  result = guardedSsaSign(v, pos) and
-  result = guardedSsaSignOk(v, pos)
-}
-
-/** Gets a possible sign for `v`. */
-pragma[nomagic]
-Sign semSsaDefSign(SemSsaVariable v) { result = v.(SignDef).getSign() }
-
-/** Gets a possible sign for `e`. */
-cached
-Sign semExprSign(SemExpr e) {
-  exists(Sign s | s = e.(SignExpr).getSign() |
-    if
-      getTrackedType(e) instanceof SemUnsignedIntegerType and
-      s = TNeg() and
-      not Specific::ignoreTypeRestrictions(e)
-    then result = TPos()
-    else result = s
-  )
-}
-
-/**
- * Dummy predicate that holds for any sign. This is added to improve readability
- * of cases where the sign is unrestricted.
- */
-predicate semAnySign(Sign s) { any() }
-
-/** Holds if `e` can be positive and cannot be negative. */
-predicate semPositive(SemExpr e) {
-  semExprSign(e) = TPos() and
-  not semExprSign(e) = TNeg()
-}
-
-/** Holds if `e` can be negative and cannot be positive. */
-predicate semNegative(SemExpr e) {
-  semExprSign(e) = TNeg() and
-  not semExprSign(e) = TPos()
-}
-
-/** Holds if `e` is strictly positive. */
-predicate semStrictlyPositive(SemExpr e) {
-  semExprSign(e) = TPos() and
-  not semExprSign(e) = TNeg() and
-  not semExprSign(e) = TZero()
-}
-
-/** Holds if `e` is strictly negative. */
-predicate semStrictlyNegative(SemExpr e) {
-  semExprSign(e) = TNeg() and
-  not semExprSign(e) = TPos() and
-  not semExprSign(e) = TZero()
+    hasGuard(v, pos, result)
+  }
+
+  /**
+   * Gets a possible sign of `v` at `pos` based on its definition, where no guard
+   * can rule it out.
+   */
+  pragma[noinline]
+  private Sign unguardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
+    result = semSsaDefSign(v) and
+    pos.hasReadOfVar(v) and
+    not hasGuard(v, pos, result)
+  }
+
+  /**
+   * Gets a possible sign of `v` at read position `pos`, where a guard could have
+   * ruled out the sign but does not.
+   * This does not check that the definition of `v` also allows the sign.
+   */
+  private Sign guardedSsaSignOk(SemSsaVariable v, SemSsaReadPosition pos) {
+    result = TPos() and
+    forex(SemExpr bound | posBound(bound, v, pos) | posBoundOk(bound, v, pos))
+    or
+    result = TNeg() and
+    forex(SemExpr bound | negBound(bound, v, pos) | negBoundOk(bound, v, pos))
+    or
+    result = TZero() and
+    forex(SemExpr bound | zeroBound(bound, v, pos) | zeroBoundOk(bound, v, pos))
+  }
+
+  /** Gets a possible sign for `v` at `pos`. */
+  private Sign semSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
+    result = unguardedSsaSign(v, pos)
+    or
+    result = guardedSsaSign(v, pos) and
+    result = guardedSsaSignOk(v, pos)
+  }
+
+  /** Gets a possible sign for `v`. */
+  pragma[nomagic]
+  Sign semSsaDefSign(SemSsaVariable v) { result = v.(SignDef).getSign() }
+
+  /** Gets a possible sign for `e`. */
+  cached
+  Sign semExprSign(SemExpr e) {
+    exists(Sign s | s = e.(SignExpr).getSign() |
+      if
+        Utils::getTrackedType(e) instanceof SemUnsignedIntegerType and
+        s = TNeg() and
+        not Specific::ignoreTypeRestrictions(e)
+      then result = TPos()
+      else result = s
+    )
+  }
+
+  /**
+   * Dummy predicate that holds for any sign. This is added to improve readability
+   * of cases where the sign is unrestricted.
+   */
+  predicate semAnySign(Sign s) { any() }
+
+  /** Holds if `e` can be positive and cannot be negative. */
+  predicate semPositive(SemExpr e) {
+    semExprSign(e) = TPos() and
+    not semExprSign(e) = TNeg()
+  }
+
+  /** Holds if `e` can be negative and cannot be positive. */
+  predicate semNegative(SemExpr e) {
+    semExprSign(e) = TNeg() and
+    not semExprSign(e) = TPos()
+  }
+
+  /** Holds if `e` is strictly positive. */
+  predicate semStrictlyPositive(SemExpr e) {
+    semExprSign(e) = TPos() and
+    not semExprSign(e) = TNeg() and
+    not semExprSign(e) = TZero()
+  }
+
+  /** Holds if `e` is strictly negative. */
+  predicate semStrictlyNegative(SemExpr e) {
+    semExprSign(e) = TNeg() and
+    not semExprSign(e) = TPos() and
+    not semExprSign(e) = TZero()
+  }
 }
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.4.6-dev
+version: 0.5.1
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -7,3 +7,4 @@ library: true
 upgrades: upgrades
 dependencies:
  codeql/ssa: ${workspace}
+  codeql/tutorial: ${workspace}
--- a/cpp/ql/lib/semmle/code/cpp/Function.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Function.qll
@@ -318,7 +318,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
  MetricFunction getMetrics() { result = this }

  /** Holds if this function calls the function `f`. */
-  predicate calls(Function f) { exists(Locatable l | this.calls(f, l)) }
+  predicate calls(Function f) { this.calls(f, _) }

  /**
   * Holds if this function calls the function `f` in the `FunctionCall`
@@ -335,7 +335,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
  }

  /** Holds if this function accesses a function or variable or enumerator `a`. */
-  predicate accesses(Declaration a) { exists(Locatable l | this.accesses(a, l)) }
+  predicate accesses(Declaration a) { this.accesses(a, _) }

  /**
   * Holds if this function accesses a function or variable or enumerator `a`
--- a/cpp/ql/lib/semmle/code/cpp/Location.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Location.qll
@@ -10,12 +10,14 @@ import semmle.code.cpp.File
 */
 class Location extends @location {
  /** Gets the container corresponding to this location. */
+  pragma[nomagic]
  Container getContainer() { this.fullLocationInfo(result, _, _, _, _) }

  /** Gets the file corresponding to this location, if any. */
  File getFile() { result = this.getContainer() }

  /** Gets the 1-based line number (inclusive) where this location starts. */
+  pragma[nomagic]
  int getStartLine() { this.fullLocationInfo(_, result, _, _, _) }

  /** Gets the 1-based column number (inclusive) where this location starts. */
--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -816,6 +816,12 @@ private predicate floatingPointTypeMapping(
  or
  // _Float128x
  kind = 50 and base = 2 and domain = TRealDomain() and realKind = 50 and extended = true
+  or
+  // _Float16
+  kind = 52 and base = 2 and domain = TRealDomain() and realKind = 52 and extended = false
+  or
+  // _Complex _Float16
+  kind = 53 and base = 2 and domain = TComplexDomain() and realKind = 52 and extended = false
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/commons/Dependency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Dependency.qll
@@ -33,7 +33,7 @@ DependencyOptions getDependencyOptions() { any() }
 class DependsSource extends Element {
  DependsSource() {
    // not inside a template instantiation
-    not exists(Element other | this.isFromTemplateInstantiation(other)) or
+    not this.isFromTemplateInstantiation(_) or
    // allow DeclarationEntrys of template specializations
    this.(DeclarationEntry).getDeclaration().(Function).isConstructedFrom(_) or
    this.(DeclarationEntry).getDeclaration().(Class).isConstructedFrom(_)
--- a/cpp/ql/lib/semmle/code/cpp/commons/Exclusions.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Exclusions.qll
@@ -69,12 +69,9 @@ predicate functionContainsDisabledCode(Function f) {
 */
 predicate functionContainsPreprocCode(Function f) {
  // `f` contains a preprocessor branch
-  exists(
-    PreprocessorBranchDirective pbd, string file, int pbdStartLine, int fBlockStartLine,
-    int fBlockEndLine
-  |
+  exists(string file, int pbdStartLine, int fBlockStartLine, int fBlockEndLine |
    functionLocation(f, file, fBlockStartLine, fBlockEndLine) and
-    pbdLocation(pbd, file, pbdStartLine) and
+    pbdLocation(_, file, pbdStartLine) and
    pbdStartLine <= fBlockEndLine and
    pbdStartLine >= fBlockStartLine
  )
--- a/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
@@ -244,9 +244,7 @@ class ScanfFormatLiteral extends Expr {
  /**
   * Gets the maximum width option of the nth input (empty string if none is given).
   */
-  string getMaxWidthOpt(int n) {
-    exists(string spec, string len, string conv | this.parseConvSpec(n, spec, result, len, conv))
-  }
+  string getMaxWidthOpt(int n) { this.parseConvSpec(n, _, result, _, _) }

  /**
   * Gets the maximum width of the nth input.
@@ -256,18 +254,12 @@ class ScanfFormatLiteral extends Expr {
  /**
   * Gets the length flag of the nth conversion specifier.
   */
-  string getLength(int n) {
-    exists(string spec, string width, string conv |
-      this.parseConvSpec(n, spec, width, result, conv)
-    )
-  }
+  string getLength(int n) { this.parseConvSpec(n, _, _, result, _) }

  /**
   * Gets the conversion character of the nth conversion specifier.
   */
-  string getConversionChar(int n) {
-    exists(string spec, string width, string len | this.parseConvSpec(n, spec, width, len, result))
-  }
+  string getConversionChar(int n) { this.parseConvSpec(n, _, _, _, result) }

  /**
   * Gets the maximum length of the string that can be produced by the nth
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll
@@ -54,7 +54,7 @@ class SubBasicBlock extends ControlFlowNodeBase {
   * only condition under which a `SubBasicBlock` may have multiple
   * predecessors.
   */
-  predicate firstInBB() { exists(BasicBlock bb | this.getRankInBasicBlock(bb) = 1) }
+  predicate firstInBB() { this.getRankInBasicBlock(_) = 1 }

  /**
   * Holds if this `SubBasicBlock` comes last in its basic block. This is the
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
@@ -441,8 +441,8 @@ library class ExprEvaluator extends int {
      req = mid.(AssignExpr).getRValue()
    )
    or
-    exists(VariableAccess va, Variable v, boolean sub1 |
-      this.interestingVariableAccess(e, va, v, sub1) and
+    exists(Variable v, boolean sub1 |
+      this.interestingVariableAccess(e, _, v, sub1) and
      req = v.getAnAssignedValue() and
      (sub1 = true implies not this.ignoreVariableAssignment(e, v, req)) and
      sub = false
@@ -876,7 +876,7 @@ private predicate nonAnalyzableVariableDefinition(Variable v, StmtParent def) {
 * empirically to have effect only on a few rare and pathological examples.
 */
 private predicate tractableVariable(Variable v) {
-  not exists(StmtParent def | nonAnalyzableVariableDefinition(v, def)) or
+  not nonAnalyzableVariableDefinition(v, _) or
  strictcount(StmtParent def | nonAnalyzableVariableDefinition(v, def)) < 1000
 }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -622,7 +622,11 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }

 private module Stage1 implements StageSig {
-  class Ap = Unit;
+  class Ap extends int {
+    // workaround for bad functionality-induced joins (happens when using `Unit`)
+    pragma[nomagic]
+    Ap() { this in [0 .. 1] and this < 1 }
+  }

  private class Cc = boolean;

@@ -872,9 +876,9 @@ private module Stage1 implements StageSig {

  pragma[nomagic]
  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
      revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
    )
  }

@@ -1327,8 +1331,8 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
      PrevStage::revFlow(node, state, apa, config) and
@@ -1337,21 +1341,21 @@ private module MkStage<StageSig PrevStage> {

    pragma[inline]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      Configuration config
    ) {
      fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
    }

    pragma[nomagic]
    private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      sourceNode(node, state, config) and
      (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
      argAp = apNone() and
-      summaryCtx = TParameterPositionNone() and
+      summaryCtx = TParamNodeNone() and
      ap = getApNil(node) and
      apa = getApprox(ap)
      or
@@ -1372,7 +1376,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
        jumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone()
      )
      or
@@ -1380,7 +1384,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1390,7 +1394,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStateStep(mid, state0, node, state, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1414,10 +1418,10 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
      if PrevStage::parameterMayFlowThrough(node, apa, config)
      then (
-        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
+        summaryCtx = TParamNodeSome(node.asNode()) and
        argAp = apSome(ap)
      ) else (
-        summaryCtx = TParameterPositionNone() and argAp = apNone()
+        summaryCtx = TParamNodeNone() and argAp = apNone()
      )
      or
      // flow out of a callable
@@ -1433,16 +1437,19 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
-        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
-        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
+      exists(
+        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
+      |
+        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate fwdFlowStore(
      NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      exists(DataFlowType contentType, ApApprox apa1 |
        fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1473,8 +1480,8 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ApNonNil ap, Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
+      Configuration config
    ) {
      fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, _, _, config)
@@ -1483,7 +1490,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
@@ -1493,7 +1500,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowIn(
      DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
    ) {
      exists(ArgNodeEx arg, boolean allowsFieldFlow |
        fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1505,64 +1512,38 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
-      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
+      Ap ap, ApApprox apa, Configuration config
    ) {
-      exists(DataFlowCallable c, ReturnKindExt kind |
+      exists(ReturnKindExt kind |
        fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
-        getApprox(argAp) = argApa and
-        c = ret.getEnclosingCallable() and
+          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
+          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
+          pragma[only_bind_into](config)) and
        kind = ret.getKind() and
-        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
-        parameterFlowThroughAllowed(p, kind)
+        parameterFlowThroughAllowed(summaryCtx, kind) and
+        argApa = getApprox(argAp) and
+        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
      )
    }

    pragma[inline]
-    private predicate fwdFlowInMayFlowThrough(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
+    private predicate fwdFlowThrough0(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
+      Ap innerArgAp, ApApprox innerArgApa, Configuration config
    ) {
-      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
-        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-      PrevStage::parameterMayFlowThrough(param, apa, config)
-    }
-
-    // dedup before joining with `flowThroughOutOfCall`
-    pragma[nomagic]
-    private predicate fwdFlowInMayFlowThroughProj(
-      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
-    }
-
-    /**
-     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
-     * in the flow covered by `fwdFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate fwdFlowThroughOutOfCall(
-      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-      ApApprox argApa, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
+      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
+      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
    }

    pragma[nomagic]
-    private predicate fwdFlowOutFromArg(
-      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
-      ApApprox apa, Configuration config
+    private predicate fwdFlowThrough(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
    ) {
-      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
-          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
-          config) and
-        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
-      )
+      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
+        config)
    }

    /**
@@ -1571,12 +1552,14 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParameterPosition pos, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
+      ParamNodeEx p, Ap ap, Configuration config
    ) {
-      exists(ParamNodeEx param |
-        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
-        pos = param.getPosition()
+      exists(ApApprox apa |
+        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
+          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+        PrevStage::parameterMayFlowThrough(p, apa, config) and
+        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
      )
    }

@@ -1596,23 +1579,31 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowConsCand(ap1, c, ap2, config)
    }

+    pragma[nomagic]
+    private predicate returnFlowsThrough0(
+      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
+      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    ) {
+      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
+        innerArgApa, config)
+    }
+
    pragma[nomagic]
    private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
      Ap ap, Configuration config
    ) {
-      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
-          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
-        kind = ret.getKind() and
-        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
+        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
+        pos = ret.getReturnPosition() and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
      Configuration config
    ) {
      exists(ApApprox argApa |
@@ -1620,7 +1611,7 @@ private module MkStage<StageSig PrevStage> {
          allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
        fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
          pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
          pragma[only_bind_into](config)) and
        if allowsFieldFlow = false then argAp instanceof ApNil else any()
      )
@@ -1639,12 +1630,13 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
      Ap ap, Configuration config
    ) {
      exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config)
+        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config) and
+        pos = ret.getReturnPosition()
      )
    }

@@ -1739,17 +1731,17 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
      )
      or
      // flow out of a callable
-      exists(ReturnKindExt kind |
-        revFlowOut(_, node, kind, state, _, _, ap, config) and
-        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
+      exists(ReturnPosition pos |
+        revFlowOut(_, node, pos, state, _, _, ap, config) and
+        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
        then (
-          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
+          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
          returnAp = apSome(ap)
        ) else (
          returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1782,47 +1774,33 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
      ApOption returnAp, Ap ap, Configuration config
    ) {
      exists(NodeEx out, boolean allowsFieldFlow |
        revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

-    /**
-     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
-     * in the flow covered by `revFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate revFlowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
-      Configuration config
-    ) {
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
-      revFlowIsReturned(call, _, _, _, _, config)
-    }
-
    pragma[nomagic]
    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
+      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
    ) {
-      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
+        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
+      parameterFlowThroughAllowed(p, pos.getKind()) and
+      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
    }

    pragma[nomagic]
-    private predicate revFlowInToReturn(
-      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
-      Configuration config
+    private predicate revFlowThrough(
+      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
+      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
    ) {
-      exists(ParamNodeEx p, boolean allowsFieldFlow |
-        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
-        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
-      )
+      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
+      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
    }

    /**
@@ -1832,12 +1810,12 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
      Configuration config
    ) {
      exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
        matchesCall(ccc, call)
      )
    }
@@ -1915,17 +1893,17 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
    ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, pos.getKind())
    }

    pragma[nomagic]
    predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnKindExt kind |
-        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, kind, _, config)
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, pos, _, config)
      )
    }

@@ -1933,20 +1911,21 @@ private module MkStage<StageSig PrevStage> {
    predicate returnMayFlowThrough(
      RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
    ) {
-      exists(ParamNodeEx p |
-        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, kind, ap, config)
+      exists(ParamNodeEx p, ReturnPosition pos |
+        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
+        kind = pos.getKind()
      )
    }

    pragma[nomagic]
-    predicate revFlowInToReturnIsReturned(
+    private predicate revFlowThroughArg(
      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
      Ap ap, Configuration config
    ) {
-      exists(ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
      )
    }

@@ -1954,7 +1933,7 @@ private module MkStage<StageSig PrevStage> {
    predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
      exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
        revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
      )
    }

@@ -1967,8 +1946,9 @@ private module MkStage<StageSig PrevStage> {
      conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
      states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
      tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
+        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
+          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
+        )
      or
      fwd = false and
      nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2823,13 +2803,12 @@ private Configuration unbindConf(Configuration conf) {

 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
-  Configuration config
+  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
 ) {
  exists(AccessPathApprox apa0 |
-    c = n.getEnclosingCallable() and
+    Stage5::parameterMayFlowThrough(p, _, _) and
    Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
      TAccessPathApproxSome(apa), apa0, config)
  )
 }
@@ -2838,10 +2817,9 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
  NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
+  exists(ParamNodeEx p |
    Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, c, pos, state, apa, config) and
-    p.isParameterOf(c, pos)
+    nodeMayUseSummary0(n, p, state, apa, config)
  )
 }

@@ -3771,8 +3749,8 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
  AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
    kind = ret.getKind() and
    apa = ap.getApprox() and
    parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4234,17 +4212,15 @@ private module FlowExploration {
      ap = TRevPartialNil() and
      exists(config.explorationLimit())
      or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
    }

  pragma[nomagic]
@@ -4252,19 +4228,17 @@ private module FlowExploration {
    NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
    TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -622,7 +622,11 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }

 private module Stage1 implements StageSig {
-  class Ap = Unit;
+  class Ap extends int {
+    // workaround for bad functionality-induced joins (happens when using `Unit`)
+    pragma[nomagic]
+    Ap() { this in [0 .. 1] and this < 1 }
+  }

  private class Cc = boolean;

@@ -872,9 +876,9 @@ private module Stage1 implements StageSig {

  pragma[nomagic]
  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
      revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
    )
  }

@@ -1327,8 +1331,8 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
      PrevStage::revFlow(node, state, apa, config) and
@@ -1337,21 +1341,21 @@ private module MkStage<StageSig PrevStage> {

    pragma[inline]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      Configuration config
    ) {
      fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
    }

    pragma[nomagic]
    private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      sourceNode(node, state, config) and
      (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
      argAp = apNone() and
-      summaryCtx = TParameterPositionNone() and
+      summaryCtx = TParamNodeNone() and
      ap = getApNil(node) and
      apa = getApprox(ap)
      or
@@ -1372,7 +1376,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
        jumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone()
      )
      or
@@ -1380,7 +1384,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1390,7 +1394,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStateStep(mid, state0, node, state, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1414,10 +1418,10 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
      if PrevStage::parameterMayFlowThrough(node, apa, config)
      then (
-        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
+        summaryCtx = TParamNodeSome(node.asNode()) and
        argAp = apSome(ap)
      ) else (
-        summaryCtx = TParameterPositionNone() and argAp = apNone()
+        summaryCtx = TParamNodeNone() and argAp = apNone()
      )
      or
      // flow out of a callable
@@ -1433,16 +1437,19 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
-        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
-        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
+      exists(
+        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
+      |
+        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate fwdFlowStore(
      NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      exists(DataFlowType contentType, ApApprox apa1 |
        fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1473,8 +1480,8 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ApNonNil ap, Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
+      Configuration config
    ) {
      fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, _, _, config)
@@ -1483,7 +1490,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
@@ -1493,7 +1500,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowIn(
      DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
    ) {
      exists(ArgNodeEx arg, boolean allowsFieldFlow |
        fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1505,64 +1512,38 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
-      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
+      Ap ap, ApApprox apa, Configuration config
    ) {
-      exists(DataFlowCallable c, ReturnKindExt kind |
+      exists(ReturnKindExt kind |
        fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
-        getApprox(argAp) = argApa and
-        c = ret.getEnclosingCallable() and
+          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
+          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
+          pragma[only_bind_into](config)) and
        kind = ret.getKind() and
-        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
-        parameterFlowThroughAllowed(p, kind)
+        parameterFlowThroughAllowed(summaryCtx, kind) and
+        argApa = getApprox(argAp) and
+        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
      )
    }

    pragma[inline]
-    private predicate fwdFlowInMayFlowThrough(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
+    private predicate fwdFlowThrough0(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
+      Ap innerArgAp, ApApprox innerArgApa, Configuration config
    ) {
-      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
-        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-      PrevStage::parameterMayFlowThrough(param, apa, config)
-    }
-
-    // dedup before joining with `flowThroughOutOfCall`
-    pragma[nomagic]
-    private predicate fwdFlowInMayFlowThroughProj(
-      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
-    }
-
-    /**
-     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
-     * in the flow covered by `fwdFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate fwdFlowThroughOutOfCall(
-      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-      ApApprox argApa, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
+      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
+      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
    }

    pragma[nomagic]
-    private predicate fwdFlowOutFromArg(
-      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
-      ApApprox apa, Configuration config
+    private predicate fwdFlowThrough(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
    ) {
-      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
-          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
-          config) and
-        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
-      )
+      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
+        config)
    }

    /**
@@ -1571,12 +1552,14 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParameterPosition pos, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
+      ParamNodeEx p, Ap ap, Configuration config
    ) {
-      exists(ParamNodeEx param |
-        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
-        pos = param.getPosition()
+      exists(ApApprox apa |
+        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
+          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+        PrevStage::parameterMayFlowThrough(p, apa, config) and
+        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
      )
    }

@@ -1596,23 +1579,31 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowConsCand(ap1, c, ap2, config)
    }

+    pragma[nomagic]
+    private predicate returnFlowsThrough0(
+      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
+      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    ) {
+      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
+        innerArgApa, config)
+    }
+
    pragma[nomagic]
    private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
      Ap ap, Configuration config
    ) {
-      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
-          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
-        kind = ret.getKind() and
-        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
+        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
+        pos = ret.getReturnPosition() and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
      Configuration config
    ) {
      exists(ApApprox argApa |
@@ -1620,7 +1611,7 @@ private module MkStage<StageSig PrevStage> {
          allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
        fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
          pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
          pragma[only_bind_into](config)) and
        if allowsFieldFlow = false then argAp instanceof ApNil else any()
      )
@@ -1639,12 +1630,13 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
      Ap ap, Configuration config
    ) {
      exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config)
+        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config) and
+        pos = ret.getReturnPosition()
      )
    }

@@ -1739,17 +1731,17 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
      )
      or
      // flow out of a callable
-      exists(ReturnKindExt kind |
-        revFlowOut(_, node, kind, state, _, _, ap, config) and
-        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
+      exists(ReturnPosition pos |
+        revFlowOut(_, node, pos, state, _, _, ap, config) and
+        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
        then (
-          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
+          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
          returnAp = apSome(ap)
        ) else (
          returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1782,47 +1774,33 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
      ApOption returnAp, Ap ap, Configuration config
    ) {
      exists(NodeEx out, boolean allowsFieldFlow |
        revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

-    /**
-     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
-     * in the flow covered by `revFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate revFlowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
-      Configuration config
-    ) {
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
-      revFlowIsReturned(call, _, _, _, _, config)
-    }
-
    pragma[nomagic]
    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
+      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
    ) {
-      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
+        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
+      parameterFlowThroughAllowed(p, pos.getKind()) and
+      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
    }

    pragma[nomagic]
-    private predicate revFlowInToReturn(
-      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
-      Configuration config
+    private predicate revFlowThrough(
+      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
+      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
    ) {
-      exists(ParamNodeEx p, boolean allowsFieldFlow |
-        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
-        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
-      )
+      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
+      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
    }

    /**
@@ -1832,12 +1810,12 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
      Configuration config
    ) {
      exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
        matchesCall(ccc, call)
      )
    }
@@ -1915,17 +1893,17 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
    ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, pos.getKind())
    }

    pragma[nomagic]
    predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnKindExt kind |
-        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, kind, _, config)
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, pos, _, config)
      )
    }

@@ -1933,20 +1911,21 @@ private module MkStage<StageSig PrevStage> {
    predicate returnMayFlowThrough(
      RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
    ) {
-      exists(ParamNodeEx p |
-        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, kind, ap, config)
+      exists(ParamNodeEx p, ReturnPosition pos |
+        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
+        kind = pos.getKind()
      )
    }

    pragma[nomagic]
-    predicate revFlowInToReturnIsReturned(
+    private predicate revFlowThroughArg(
      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
      Ap ap, Configuration config
    ) {
-      exists(ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
      )
    }

@@ -1954,7 +1933,7 @@ private module MkStage<StageSig PrevStage> {
    predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
      exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
        revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
      )
    }

@@ -1967,8 +1946,9 @@ private module MkStage<StageSig PrevStage> {
      conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
      states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
      tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
+        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
+          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
+        )
      or
      fwd = false and
      nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2823,13 +2803,12 @@ private Configuration unbindConf(Configuration conf) {

 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
-  Configuration config
+  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
 ) {
  exists(AccessPathApprox apa0 |
-    c = n.getEnclosingCallable() and
+    Stage5::parameterMayFlowThrough(p, _, _) and
    Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
      TAccessPathApproxSome(apa), apa0, config)
  )
 }
@@ -2838,10 +2817,9 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
  NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
+  exists(ParamNodeEx p |
    Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, c, pos, state, apa, config) and
-    p.isParameterOf(c, pos)
+    nodeMayUseSummary0(n, p, state, apa, config)
  )
 }

@@ -3771,8 +3749,8 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
  AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
    kind = ret.getKind() and
    apa = ap.getApprox() and
    parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4234,17 +4212,15 @@ private module FlowExploration {
      ap = TRevPartialNil() and
      exists(config.explorationLimit())
      or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
    }

  pragma[nomagic]
@@ -4252,19 +4228,17 @@ private module FlowExploration {
    NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
    TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -622,7 +622,11 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }

 private module Stage1 implements StageSig {
-  class Ap = Unit;
+  class Ap extends int {
+    // workaround for bad functionality-induced joins (happens when using `Unit`)
+    pragma[nomagic]
+    Ap() { this in [0 .. 1] and this < 1 }
+  }

  private class Cc = boolean;

@@ -872,9 +876,9 @@ private module Stage1 implements StageSig {

  pragma[nomagic]
  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
      revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
    )
  }

@@ -1327,8 +1331,8 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
      PrevStage::revFlow(node, state, apa, config) and
@@ -1337,21 +1341,21 @@ private module MkStage<StageSig PrevStage> {

    pragma[inline]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      Configuration config
    ) {
      fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
    }

    pragma[nomagic]
    private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      sourceNode(node, state, config) and
      (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
      argAp = apNone() and
-      summaryCtx = TParameterPositionNone() and
+      summaryCtx = TParamNodeNone() and
      ap = getApNil(node) and
      apa = getApprox(ap)
      or
@@ -1372,7 +1376,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
        jumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone()
      )
      or
@@ -1380,7 +1384,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1390,7 +1394,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStateStep(mid, state0, node, state, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1414,10 +1418,10 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
      if PrevStage::parameterMayFlowThrough(node, apa, config)
      then (
-        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
+        summaryCtx = TParamNodeSome(node.asNode()) and
        argAp = apSome(ap)
      ) else (
-        summaryCtx = TParameterPositionNone() and argAp = apNone()
+        summaryCtx = TParamNodeNone() and argAp = apNone()
      )
      or
      // flow out of a callable
@@ -1433,16 +1437,19 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
-        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
-        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
+      exists(
+        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
+      |
+        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate fwdFlowStore(
      NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      exists(DataFlowType contentType, ApApprox apa1 |
        fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1473,8 +1480,8 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ApNonNil ap, Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
+      Configuration config
    ) {
      fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, _, _, config)
@@ -1483,7 +1490,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
@@ -1493,7 +1500,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowIn(
      DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
    ) {
      exists(ArgNodeEx arg, boolean allowsFieldFlow |
        fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1505,64 +1512,38 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
-      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
+      Ap ap, ApApprox apa, Configuration config
    ) {
-      exists(DataFlowCallable c, ReturnKindExt kind |
+      exists(ReturnKindExt kind |
        fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
-        getApprox(argAp) = argApa and
-        c = ret.getEnclosingCallable() and
+          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
+          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
+          pragma[only_bind_into](config)) and
        kind = ret.getKind() and
-        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
-        parameterFlowThroughAllowed(p, kind)
+        parameterFlowThroughAllowed(summaryCtx, kind) and
+        argApa = getApprox(argAp) and
+        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
      )
    }

    pragma[inline]
-    private predicate fwdFlowInMayFlowThrough(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
+    private predicate fwdFlowThrough0(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
+      Ap innerArgAp, ApApprox innerArgApa, Configuration config
    ) {
-      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
-        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-      PrevStage::parameterMayFlowThrough(param, apa, config)
-    }
-
-    // dedup before joining with `flowThroughOutOfCall`
-    pragma[nomagic]
-    private predicate fwdFlowInMayFlowThroughProj(
-      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
-    }
-
-    /**
-     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
-     * in the flow covered by `fwdFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate fwdFlowThroughOutOfCall(
-      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-      ApApprox argApa, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
+      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
+      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
    }

    pragma[nomagic]
-    private predicate fwdFlowOutFromArg(
-      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
-      ApApprox apa, Configuration config
+    private predicate fwdFlowThrough(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
    ) {
-      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
-          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
-          config) and
-        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
-      )
+      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
+        config)
    }

    /**
@@ -1571,12 +1552,14 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParameterPosition pos, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
+      ParamNodeEx p, Ap ap, Configuration config
    ) {
-      exists(ParamNodeEx param |
-        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
-        pos = param.getPosition()
+      exists(ApApprox apa |
+        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
+          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+        PrevStage::parameterMayFlowThrough(p, apa, config) and
+        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
      )
    }

@@ -1596,23 +1579,31 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowConsCand(ap1, c, ap2, config)
    }

+    pragma[nomagic]
+    private predicate returnFlowsThrough0(
+      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
+      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    ) {
+      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
+        innerArgApa, config)
+    }
+
    pragma[nomagic]
    private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
      Ap ap, Configuration config
    ) {
-      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
-          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
-        kind = ret.getKind() and
-        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
+        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
+        pos = ret.getReturnPosition() and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
      Configuration config
    ) {
      exists(ApApprox argApa |
@@ -1620,7 +1611,7 @@ private module MkStage<StageSig PrevStage> {
          allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
        fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
          pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
          pragma[only_bind_into](config)) and
        if allowsFieldFlow = false then argAp instanceof ApNil else any()
      )
@@ -1639,12 +1630,13 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
      Ap ap, Configuration config
    ) {
      exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config)
+        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config) and
+        pos = ret.getReturnPosition()
      )
    }

@@ -1739,17 +1731,17 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
      )
      or
      // flow out of a callable
-      exists(ReturnKindExt kind |
-        revFlowOut(_, node, kind, state, _, _, ap, config) and
-        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
+      exists(ReturnPosition pos |
+        revFlowOut(_, node, pos, state, _, _, ap, config) and
+        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
        then (
-          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
+          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
          returnAp = apSome(ap)
        ) else (
          returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1782,47 +1774,33 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
      ApOption returnAp, Ap ap, Configuration config
    ) {
      exists(NodeEx out, boolean allowsFieldFlow |
        revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

-    /**
-     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
-     * in the flow covered by `revFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate revFlowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
-      Configuration config
-    ) {
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
-      revFlowIsReturned(call, _, _, _, _, config)
-    }
-
    pragma[nomagic]
    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
+      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
    ) {
-      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
+        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
+      parameterFlowThroughAllowed(p, pos.getKind()) and
+      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
    }

    pragma[nomagic]
-    private predicate revFlowInToReturn(
-      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
-      Configuration config
+    private predicate revFlowThrough(
+      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
+      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
    ) {
-      exists(ParamNodeEx p, boolean allowsFieldFlow |
-        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
-        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
-      )
+      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
+      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
    }

    /**
@@ -1832,12 +1810,12 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
      Configuration config
    ) {
      exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
        matchesCall(ccc, call)
      )
    }
@@ -1915,17 +1893,17 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
    ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, pos.getKind())
    }

    pragma[nomagic]
    predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnKindExt kind |
-        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, kind, _, config)
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, pos, _, config)
      )
    }

@@ -1933,20 +1911,21 @@ private module MkStage<StageSig PrevStage> {
    predicate returnMayFlowThrough(
      RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
    ) {
-      exists(ParamNodeEx p |
-        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, kind, ap, config)
+      exists(ParamNodeEx p, ReturnPosition pos |
+        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
+        kind = pos.getKind()
      )
    }

    pragma[nomagic]
-    predicate revFlowInToReturnIsReturned(
+    private predicate revFlowThroughArg(
      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
      Ap ap, Configuration config
    ) {
-      exists(ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
      )
    }

@@ -1954,7 +1933,7 @@ private module MkStage<StageSig PrevStage> {
    predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
      exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
        revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
      )
    }

@@ -1967,8 +1946,9 @@ private module MkStage<StageSig PrevStage> {
      conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
      states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
      tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
+        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
+          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
+        )
      or
      fwd = false and
      nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2823,13 +2803,12 @@ private Configuration unbindConf(Configuration conf) {

 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
-  Configuration config
+  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
 ) {
  exists(AccessPathApprox apa0 |
-    c = n.getEnclosingCallable() and
+    Stage5::parameterMayFlowThrough(p, _, _) and
    Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
      TAccessPathApproxSome(apa), apa0, config)
  )
 }
@@ -2838,10 +2817,9 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
  NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
+  exists(ParamNodeEx p |
    Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, c, pos, state, apa, config) and
-    p.isParameterOf(c, pos)
+    nodeMayUseSummary0(n, p, state, apa, config)
  )
 }

@@ -3771,8 +3749,8 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
  AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
    kind = ret.getKind() and
    apa = ap.getApprox() and
    parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4234,17 +4212,15 @@ private module FlowExploration {
      ap = TRevPartialNil() and
      exists(config.explorationLimit())
      or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
    }

  pragma[nomagic]
@@ -4252,19 +4228,17 @@ private module FlowExploration {
    NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
    TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -622,7 +622,11 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }

 private module Stage1 implements StageSig {
-  class Ap = Unit;
+  class Ap extends int {
+    // workaround for bad functionality-induced joins (happens when using `Unit`)
+    pragma[nomagic]
+    Ap() { this in [0 .. 1] and this < 1 }
+  }

  private class Cc = boolean;

@@ -872,9 +876,9 @@ private module Stage1 implements StageSig {

  pragma[nomagic]
  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
      revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
    )
  }

@@ -1327,8 +1331,8 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
      PrevStage::revFlow(node, state, apa, config) and
@@ -1337,21 +1341,21 @@ private module MkStage<StageSig PrevStage> {

    pragma[inline]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      Configuration config
    ) {
      fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
    }

    pragma[nomagic]
    private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      sourceNode(node, state, config) and
      (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
      argAp = apNone() and
-      summaryCtx = TParameterPositionNone() and
+      summaryCtx = TParamNodeNone() and
      ap = getApNil(node) and
      apa = getApprox(ap)
      or
@@ -1372,7 +1376,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
        jumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone()
      )
      or
@@ -1380,7 +1384,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1390,7 +1394,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStateStep(mid, state0, node, state, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1414,10 +1418,10 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
      if PrevStage::parameterMayFlowThrough(node, apa, config)
      then (
-        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
+        summaryCtx = TParamNodeSome(node.asNode()) and
        argAp = apSome(ap)
      ) else (
-        summaryCtx = TParameterPositionNone() and argAp = apNone()
+        summaryCtx = TParamNodeNone() and argAp = apNone()
      )
      or
      // flow out of a callable
@@ -1433,16 +1437,19 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
-        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
-        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
+      exists(
+        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
+      |
+        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate fwdFlowStore(
      NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      exists(DataFlowType contentType, ApApprox apa1 |
        fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1473,8 +1480,8 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ApNonNil ap, Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
+      Configuration config
    ) {
      fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, _, _, config)
@@ -1483,7 +1490,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
@@ -1493,7 +1500,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowIn(
      DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
    ) {
      exists(ArgNodeEx arg, boolean allowsFieldFlow |
        fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1505,64 +1512,38 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
-      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
+      Ap ap, ApApprox apa, Configuration config
    ) {
-      exists(DataFlowCallable c, ReturnKindExt kind |
+      exists(ReturnKindExt kind |
        fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
-        getApprox(argAp) = argApa and
-        c = ret.getEnclosingCallable() and
+          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
+          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
+          pragma[only_bind_into](config)) and
        kind = ret.getKind() and
-        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
-        parameterFlowThroughAllowed(p, kind)
+        parameterFlowThroughAllowed(summaryCtx, kind) and
+        argApa = getApprox(argAp) and
+        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
      )
    }

    pragma[inline]
-    private predicate fwdFlowInMayFlowThrough(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
+    private predicate fwdFlowThrough0(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
+      Ap innerArgAp, ApApprox innerArgApa, Configuration config
    ) {
-      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
-        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-      PrevStage::parameterMayFlowThrough(param, apa, config)
-    }
-
-    // dedup before joining with `flowThroughOutOfCall`
-    pragma[nomagic]
-    private predicate fwdFlowInMayFlowThroughProj(
-      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
-    }
-
-    /**
-     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
-     * in the flow covered by `fwdFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate fwdFlowThroughOutOfCall(
-      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-      ApApprox argApa, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
+      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
+      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
    }

    pragma[nomagic]
-    private predicate fwdFlowOutFromArg(
-      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
-      ApApprox apa, Configuration config
+    private predicate fwdFlowThrough(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
    ) {
-      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
-          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
-          config) and
-        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
-      )
+      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
+        config)
    }

    /**
@@ -1571,12 +1552,14 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParameterPosition pos, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
+      ParamNodeEx p, Ap ap, Configuration config
    ) {
-      exists(ParamNodeEx param |
-        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
-        pos = param.getPosition()
+      exists(ApApprox apa |
+        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
+          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+        PrevStage::parameterMayFlowThrough(p, apa, config) and
+        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
      )
    }

@@ -1596,23 +1579,31 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowConsCand(ap1, c, ap2, config)
    }

+    pragma[nomagic]
+    private predicate returnFlowsThrough0(
+      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
+      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    ) {
+      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
+        innerArgApa, config)
+    }
+
    pragma[nomagic]
    private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
      Ap ap, Configuration config
    ) {
-      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
-          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
-        kind = ret.getKind() and
-        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
+        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
+        pos = ret.getReturnPosition() and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
      Configuration config
    ) {
      exists(ApApprox argApa |
@@ -1620,7 +1611,7 @@ private module MkStage<StageSig PrevStage> {
          allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
        fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
          pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
          pragma[only_bind_into](config)) and
        if allowsFieldFlow = false then argAp instanceof ApNil else any()
      )
@@ -1639,12 +1630,13 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
      Ap ap, Configuration config
    ) {
      exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config)
+        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config) and
+        pos = ret.getReturnPosition()
      )
    }

@@ -1739,17 +1731,17 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
      )
      or
      // flow out of a callable
-      exists(ReturnKindExt kind |
-        revFlowOut(_, node, kind, state, _, _, ap, config) and
-        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
+      exists(ReturnPosition pos |
+        revFlowOut(_, node, pos, state, _, _, ap, config) and
+        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
        then (
-          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
+          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
          returnAp = apSome(ap)
        ) else (
          returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1782,47 +1774,33 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
      ApOption returnAp, Ap ap, Configuration config
    ) {
      exists(NodeEx out, boolean allowsFieldFlow |
        revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

-    /**
-     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
-     * in the flow covered by `revFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate revFlowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
-      Configuration config
-    ) {
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
-      revFlowIsReturned(call, _, _, _, _, config)
-    }
-
    pragma[nomagic]
    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
+      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
    ) {
-      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
+        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
+      parameterFlowThroughAllowed(p, pos.getKind()) and
+      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
    }

    pragma[nomagic]
-    private predicate revFlowInToReturn(
-      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
-      Configuration config
+    private predicate revFlowThrough(
+      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
+      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
    ) {
-      exists(ParamNodeEx p, boolean allowsFieldFlow |
-        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
-        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
-      )
+      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
+      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
    }

    /**
@@ -1832,12 +1810,12 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
      Configuration config
    ) {
      exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
        matchesCall(ccc, call)
      )
    }
@@ -1915,17 +1893,17 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
    ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, pos.getKind())
    }

    pragma[nomagic]
    predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnKindExt kind |
-        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, kind, _, config)
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, pos, _, config)
      )
    }

@@ -1933,20 +1911,21 @@ private module MkStage<StageSig PrevStage> {
    predicate returnMayFlowThrough(
      RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
    ) {
-      exists(ParamNodeEx p |
-        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, kind, ap, config)
+      exists(ParamNodeEx p, ReturnPosition pos |
+        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
+        kind = pos.getKind()
      )
    }

    pragma[nomagic]
-    predicate revFlowInToReturnIsReturned(
+    private predicate revFlowThroughArg(
      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
      Ap ap, Configuration config
    ) {
-      exists(ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
      )
    }

@@ -1954,7 +1933,7 @@ private module MkStage<StageSig PrevStage> {
    predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
      exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
        revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
      )
    }

@@ -1967,8 +1946,9 @@ private module MkStage<StageSig PrevStage> {
      conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
      states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
      tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
+        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
+          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
+        )
      or
      fwd = false and
      nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2823,13 +2803,12 @@ private Configuration unbindConf(Configuration conf) {

 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
-  Configuration config
+  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
 ) {
  exists(AccessPathApprox apa0 |
-    c = n.getEnclosingCallable() and
+    Stage5::parameterMayFlowThrough(p, _, _) and
    Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
      TAccessPathApproxSome(apa), apa0, config)
  )
 }
@@ -2838,10 +2817,9 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
  NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
+  exists(ParamNodeEx p |
    Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, c, pos, state, apa, config) and
-    p.isParameterOf(c, pos)
+    nodeMayUseSummary0(n, p, state, apa, config)
  )
 }

@@ -3771,8 +3749,8 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
  AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
    kind = ret.getKind() and
    apa = ap.getApprox() and
    parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4234,17 +4212,15 @@ private module FlowExploration {
      ap = TRevPartialNil() and
      exists(config.explorationLimit())
      or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
    }

  pragma[nomagic]
@@ -4252,19 +4228,17 @@ private module FlowExploration {
    NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
    TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -916,15 +916,15 @@ private module Cached {
    TDataFlowCallSome(DataFlowCall call)

  cached
-  newtype TParameterPositionOption =
-    TParameterPositionNone() or
-    TParameterPositionSome(ParameterPosition pos)
+  newtype TParamNodeOption =
+    TParamNodeNone() or
+    TParamNodeSome(ParamNode p)

  cached
  newtype TReturnCtx =
    TReturnCtxNone() or
    TReturnCtxNoFlowThrough() or
-    TReturnCtxMaybeFlowThrough(ReturnKindExt kind)
+    TReturnCtxMaybeFlowThrough(ReturnPosition pos)

  cached
  newtype TTypedContentApprox =
@@ -1343,15 +1343,15 @@ class DataFlowCallOption extends TDataFlowCallOption {
  }
 }

-/** An optional `ParameterPosition`. */
-class ParameterPositionOption extends TParameterPositionOption {
+/** An optional `ParamNode`. */
+class ParamNodeOption extends TParamNodeOption {
  string toString() {
-    this = TParameterPositionNone() and
+    this = TParamNodeNone() and
    result = "(none)"
    or
-    exists(ParameterPosition pos |
-      this = TParameterPositionSome(pos) and
-      result = pos.toString()
+    exists(ParamNode p |
+      this = TParamNodeSome(p) and
+      result = p.toString()
    )
  }
 }
@@ -1363,7 +1363,7 @@ class ParameterPositionOption extends TParameterPositionOption {
 *
 * - `TReturnCtxNone()`: no return flow.
 * - `TReturnCtxNoFlowThrough()`: return flow, but flow through is not possible.
- * - `TReturnCtxMaybeFlowThrough(ReturnKindExt kind)`: return flow, of kind `kind`, and
+ * - `TReturnCtxMaybeFlowThrough(ReturnPosition pos)`: return flow, of kind `pos`, and
 *    flow through may be possible.
 */
 class ReturnCtx extends TReturnCtx {
@@ -1374,9 +1374,9 @@ class ReturnCtx extends TReturnCtx {
    this = TReturnCtxNoFlowThrough() and
    result = "(no flow through)"
    or
-    exists(ReturnKindExt kind |
-      this = TReturnCtxMaybeFlowThrough(kind) and
-      result = kind.toString()
+    exists(ReturnPosition pos |
+      this = TReturnCtxMaybeFlowThrough(pos) and
+      result = pos.toString()
    )
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
@@ -45,6 +45,16 @@ module Consistency {
    ) {
      none()
    }
+
+    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
+    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
+      none()
+    }
+
+    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
+    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
+      none()
+    }
  }

  private class RelevantNode extends Node {
@@ -101,9 +111,7 @@ module Consistency {
    exists(int c |
      c =
        strictcount(Node n |
-          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
-            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-          ) and
+          not n.hasLocationInfo(_, _, _, _, _) and
          not any(ConsistencyConfiguration conf).missingLocationExclude(n)
        ) and
      msg = "Nodes without location: " + c
@@ -248,6 +256,7 @@ module Consistency {
  query predicate uniqueParameterNodeAtPosition(
    DataFlowCallable c, ParameterPosition pos, Node p, string msg
  ) {
+    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
    isParameterNode(p, c, pos) and
    not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
    msg = "Parameters with overlapping positions."
@@ -256,6 +265,7 @@ module Consistency {
  query predicate uniqueParameterNodePosition(
    DataFlowCallable c, ParameterPosition pos, Node p, string msg
  ) {
+    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
    isParameterNode(p, c, pos) and
    not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
    msg = "Parameter node with multiple positions."
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -622,7 +622,11 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }

 private module Stage1 implements StageSig {
-  class Ap = Unit;
+  class Ap extends int {
+    // workaround for bad functionality-induced joins (happens when using `Unit`)
+    pragma[nomagic]
+    Ap() { this in [0 .. 1] and this < 1 }
+  }

  private class Cc = boolean;

@@ -872,9 +876,9 @@ private module Stage1 implements StageSig {

  pragma[nomagic]
  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
      revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
    )
  }

@@ -1327,8 +1331,8 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
      PrevStage::revFlow(node, state, apa, config) and
@@ -1337,21 +1341,21 @@ private module MkStage<StageSig PrevStage> {

    pragma[inline]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      Configuration config
    ) {
      fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
    }

    pragma[nomagic]
    private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      sourceNode(node, state, config) and
      (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
      argAp = apNone() and
-      summaryCtx = TParameterPositionNone() and
+      summaryCtx = TParamNodeNone() and
      ap = getApNil(node) and
      apa = getApprox(ap)
      or
@@ -1372,7 +1376,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
        jumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone()
      )
      or
@@ -1380,7 +1384,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1390,7 +1394,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStateStep(mid, state0, node, state, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1414,10 +1418,10 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
      if PrevStage::parameterMayFlowThrough(node, apa, config)
      then (
-        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
+        summaryCtx = TParamNodeSome(node.asNode()) and
        argAp = apSome(ap)
      ) else (
-        summaryCtx = TParameterPositionNone() and argAp = apNone()
+        summaryCtx = TParamNodeNone() and argAp = apNone()
      )
      or
      // flow out of a callable
@@ -1433,16 +1437,19 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
-        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
-        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
+      exists(
+        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
+      |
+        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate fwdFlowStore(
      NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      exists(DataFlowType contentType, ApApprox apa1 |
        fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1473,8 +1480,8 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ApNonNil ap, Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
+      Configuration config
    ) {
      fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, _, _, config)
@@ -1483,7 +1490,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
@@ -1493,7 +1500,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowIn(
      DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
    ) {
      exists(ArgNodeEx arg, boolean allowsFieldFlow |
        fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1505,64 +1512,38 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
-      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
+      Ap ap, ApApprox apa, Configuration config
    ) {
-      exists(DataFlowCallable c, ReturnKindExt kind |
+      exists(ReturnKindExt kind |
        fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
-        getApprox(argAp) = argApa and
-        c = ret.getEnclosingCallable() and
+          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
+          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
+          pragma[only_bind_into](config)) and
        kind = ret.getKind() and
-        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
-        parameterFlowThroughAllowed(p, kind)
+        parameterFlowThroughAllowed(summaryCtx, kind) and
+        argApa = getApprox(argAp) and
+        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
      )
    }

    pragma[inline]
-    private predicate fwdFlowInMayFlowThrough(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
+    private predicate fwdFlowThrough0(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
+      Ap innerArgAp, ApApprox innerArgApa, Configuration config
    ) {
-      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
-        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-      PrevStage::parameterMayFlowThrough(param, apa, config)
-    }
-
-    // dedup before joining with `flowThroughOutOfCall`
-    pragma[nomagic]
-    private predicate fwdFlowInMayFlowThroughProj(
-      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
-    }
-
-    /**
-     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
-     * in the flow covered by `fwdFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate fwdFlowThroughOutOfCall(
-      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-      ApApprox argApa, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
+      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
+      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
    }

    pragma[nomagic]
-    private predicate fwdFlowOutFromArg(
-      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
-      ApApprox apa, Configuration config
+    private predicate fwdFlowThrough(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
    ) {
-      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
-          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
-          config) and
-        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
-      )
+      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
+        config)
    }

    /**
@@ -1571,12 +1552,14 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParameterPosition pos, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
+      ParamNodeEx p, Ap ap, Configuration config
    ) {
-      exists(ParamNodeEx param |
-        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
-        pos = param.getPosition()
+      exists(ApApprox apa |
+        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
+          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+        PrevStage::parameterMayFlowThrough(p, apa, config) and
+        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
      )
    }

@@ -1596,23 +1579,31 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowConsCand(ap1, c, ap2, config)
    }

+    pragma[nomagic]
+    private predicate returnFlowsThrough0(
+      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
+      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    ) {
+      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
+        innerArgApa, config)
+    }
+
    pragma[nomagic]
    private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
      Ap ap, Configuration config
    ) {
-      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
-          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
-        kind = ret.getKind() and
-        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
+        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
+        pos = ret.getReturnPosition() and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
      Configuration config
    ) {
      exists(ApApprox argApa |
@@ -1620,7 +1611,7 @@ private module MkStage<StageSig PrevStage> {
          allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
        fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
          pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
          pragma[only_bind_into](config)) and
        if allowsFieldFlow = false then argAp instanceof ApNil else any()
      )
@@ -1639,12 +1630,13 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
      Ap ap, Configuration config
    ) {
      exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config)
+        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config) and
+        pos = ret.getReturnPosition()
      )
    }

@@ -1739,17 +1731,17 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
      )
      or
      // flow out of a callable
-      exists(ReturnKindExt kind |
-        revFlowOut(_, node, kind, state, _, _, ap, config) and
-        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
+      exists(ReturnPosition pos |
+        revFlowOut(_, node, pos, state, _, _, ap, config) and
+        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
        then (
-          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
+          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
          returnAp = apSome(ap)
        ) else (
          returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1782,47 +1774,33 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
      ApOption returnAp, Ap ap, Configuration config
    ) {
      exists(NodeEx out, boolean allowsFieldFlow |
        revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

-    /**
-     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
-     * in the flow covered by `revFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate revFlowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
-      Configuration config
-    ) {
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
-      revFlowIsReturned(call, _, _, _, _, config)
-    }
-
    pragma[nomagic]
    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
+      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
    ) {
-      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
+        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
+      parameterFlowThroughAllowed(p, pos.getKind()) and
+      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
    }

    pragma[nomagic]
-    private predicate revFlowInToReturn(
-      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
-      Configuration config
+    private predicate revFlowThrough(
+      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
+      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
    ) {
-      exists(ParamNodeEx p, boolean allowsFieldFlow |
-        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
-        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
-      )
+      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
+      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
    }

    /**
@@ -1832,12 +1810,12 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
      Configuration config
    ) {
      exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
        matchesCall(ccc, call)
      )
    }
@@ -1915,17 +1893,17 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
    ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, pos.getKind())
    }

    pragma[nomagic]
    predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnKindExt kind |
-        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, kind, _, config)
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, pos, _, config)
      )
    }

@@ -1933,20 +1911,21 @@ private module MkStage<StageSig PrevStage> {
    predicate returnMayFlowThrough(
      RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
    ) {
-      exists(ParamNodeEx p |
-        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, kind, ap, config)
+      exists(ParamNodeEx p, ReturnPosition pos |
+        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
+        kind = pos.getKind()
      )
    }

    pragma[nomagic]
-    predicate revFlowInToReturnIsReturned(
+    private predicate revFlowThroughArg(
      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
      Ap ap, Configuration config
    ) {
-      exists(ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
      )
    }

@@ -1954,7 +1933,7 @@ private module MkStage<StageSig PrevStage> {
    predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
      exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
        revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
      )
    }

@@ -1967,8 +1946,9 @@ private module MkStage<StageSig PrevStage> {
      conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
      states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
      tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
+        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
+          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
+        )
      or
      fwd = false and
      nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2823,13 +2803,12 @@ private Configuration unbindConf(Configuration conf) {

 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
-  Configuration config
+  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
 ) {
  exists(AccessPathApprox apa0 |
-    c = n.getEnclosingCallable() and
+    Stage5::parameterMayFlowThrough(p, _, _) and
    Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
      TAccessPathApproxSome(apa), apa0, config)
  )
 }
@@ -2838,10 +2817,9 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
  NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
+  exists(ParamNodeEx p |
    Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, c, pos, state, apa, config) and
-    p.isParameterOf(c, pos)
+    nodeMayUseSummary0(n, p, state, apa, config)
  )
 }

@@ -3771,8 +3749,8 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
  AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
    kind = ret.getKind() and
    apa = ap.getApprox() and
    parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4234,17 +4212,15 @@ private module FlowExploration {
      ap = TRevPartialNil() and
      exists(config.explorationLimit())
      or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
    }

  pragma[nomagic]
@@ -4252,19 +4228,17 @@ private module FlowExploration {
    NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
    TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowVar.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowVar.qll
@@ -450,10 +450,8 @@ module FlowVar_internal {
    }

    override string toString() {
-      exists(Expr e |
-        this.definedByExpr(e, _) and
-        result = "assignment to " + v
-      )
+      this.definedByExpr(_, _) and
+      result = "assignment to " + v
      or
      this.definedByInitialValue(_) and
      result = "initial value of " + v
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll
@@ -54,7 +54,7 @@ class SubBasicBlock extends ControlFlowNodeBase {
   * only condition under which a `SubBasicBlock` may have multiple
   * predecessors.
   */
-  predicate firstInBB() { exists(BasicBlock bb | this.getRankInBasicBlock(bb) = 1) }
+  predicate firstInBB() { this.getRankInBasicBlock(_) = 1 }

  /**
   * Holds if this `SubBasicBlock` comes last in its basic block. This is the
--- a/cpp/ql/lib/semmle/code/cpp/dispatch/VirtualDispatchPrototype.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dispatch/VirtualDispatchPrototype.qll
@@ -70,8 +70,8 @@ module VirtualDispatch {
   * that is, `c` or one of its supertypes overrides `f`.
   */
  private predicate cannotInherit(Class c, MemberFunction f) {
-    exists(Class overridingType, MemberFunction override |
-      cannotInheritHelper(c, f, overridingType, override) and
+    exists(MemberFunction override |
+      cannotInheritHelper(c, f, _, override) and
      override.overrides+(f)
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
@@ -53,7 +53,7 @@ class Expr extends StmtParent, @expr {
  Declaration getEnclosingDeclaration() { result = exprEnclosingElement(this) }

  /** Gets a child of this expression. */
-  Expr getAChild() { exists(int n | result = this.getChild(n)) }
+  Expr getAChild() { result = this.getChild(_) }

  /** Gets the parent of this expression, if any. */
  Element getParent() { exprparents(underlyingElement(this), _, unresolveElement(result)) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -622,7 +622,11 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }

 private module Stage1 implements StageSig {
-  class Ap = Unit;
+  class Ap extends int {
+    // workaround for bad functionality-induced joins (happens when using `Unit`)
+    pragma[nomagic]
+    Ap() { this in [0 .. 1] and this < 1 }
+  }

  private class Cc = boolean;

@@ -872,9 +876,9 @@ private module Stage1 implements StageSig {

  pragma[nomagic]
  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
      revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
    )
  }

@@ -1327,8 +1331,8 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
      PrevStage::revFlow(node, state, apa, config) and
@@ -1337,21 +1341,21 @@ private module MkStage<StageSig PrevStage> {

    pragma[inline]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      Configuration config
    ) {
      fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
    }

    pragma[nomagic]
    private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      sourceNode(node, state, config) and
      (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
      argAp = apNone() and
-      summaryCtx = TParameterPositionNone() and
+      summaryCtx = TParamNodeNone() and
      ap = getApNil(node) and
      apa = getApprox(ap)
      or
@@ -1372,7 +1376,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
        jumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone()
      )
      or
@@ -1380,7 +1384,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1390,7 +1394,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStateStep(mid, state0, node, state, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1414,10 +1418,10 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
      if PrevStage::parameterMayFlowThrough(node, apa, config)
      then (
-        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
+        summaryCtx = TParamNodeSome(node.asNode()) and
        argAp = apSome(ap)
      ) else (
-        summaryCtx = TParameterPositionNone() and argAp = apNone()
+        summaryCtx = TParamNodeNone() and argAp = apNone()
      )
      or
      // flow out of a callable
@@ -1433,16 +1437,19 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
-        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
-        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
+      exists(
+        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
+      |
+        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate fwdFlowStore(
      NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      exists(DataFlowType contentType, ApApprox apa1 |
        fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1473,8 +1480,8 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ApNonNil ap, Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
+      Configuration config
    ) {
      fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, _, _, config)
@@ -1483,7 +1490,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
@@ -1493,7 +1500,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowIn(
      DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
    ) {
      exists(ArgNodeEx arg, boolean allowsFieldFlow |
        fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1505,64 +1512,38 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
-      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
+      Ap ap, ApApprox apa, Configuration config
    ) {
-      exists(DataFlowCallable c, ReturnKindExt kind |
+      exists(ReturnKindExt kind |
        fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
-        getApprox(argAp) = argApa and
-        c = ret.getEnclosingCallable() and
+          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
+          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
+          pragma[only_bind_into](config)) and
        kind = ret.getKind() and
-        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
-        parameterFlowThroughAllowed(p, kind)
+        parameterFlowThroughAllowed(summaryCtx, kind) and
+        argApa = getApprox(argAp) and
+        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
      )
    }

    pragma[inline]
-    private predicate fwdFlowInMayFlowThrough(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
+    private predicate fwdFlowThrough0(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
+      Ap innerArgAp, ApApprox innerArgApa, Configuration config
    ) {
-      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
-        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-      PrevStage::parameterMayFlowThrough(param, apa, config)
-    }
-
-    // dedup before joining with `flowThroughOutOfCall`
-    pragma[nomagic]
-    private predicate fwdFlowInMayFlowThroughProj(
-      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
-    }
-
-    /**
-     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
-     * in the flow covered by `fwdFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate fwdFlowThroughOutOfCall(
-      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-      ApApprox argApa, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
+      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
+      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
    }

    pragma[nomagic]
-    private predicate fwdFlowOutFromArg(
-      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
-      ApApprox apa, Configuration config
+    private predicate fwdFlowThrough(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
    ) {
-      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
-          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
-          config) and
-        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
-      )
+      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
+        config)
    }

    /**
@@ -1571,12 +1552,14 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParameterPosition pos, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
+      ParamNodeEx p, Ap ap, Configuration config
    ) {
-      exists(ParamNodeEx param |
-        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
-        pos = param.getPosition()
+      exists(ApApprox apa |
+        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
+          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+        PrevStage::parameterMayFlowThrough(p, apa, config) and
+        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
      )
    }

@@ -1596,23 +1579,31 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowConsCand(ap1, c, ap2, config)
    }

+    pragma[nomagic]
+    private predicate returnFlowsThrough0(
+      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
+      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    ) {
+      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
+        innerArgApa, config)
+    }
+
    pragma[nomagic]
    private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
      Ap ap, Configuration config
    ) {
-      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
-          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
-        kind = ret.getKind() and
-        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
+        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
+        pos = ret.getReturnPosition() and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
      Configuration config
    ) {
      exists(ApApprox argApa |
@@ -1620,7 +1611,7 @@ private module MkStage<StageSig PrevStage> {
          allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
        fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
          pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
          pragma[only_bind_into](config)) and
        if allowsFieldFlow = false then argAp instanceof ApNil else any()
      )
@@ -1639,12 +1630,13 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
      Ap ap, Configuration config
    ) {
      exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config)
+        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config) and
+        pos = ret.getReturnPosition()
      )
    }

@@ -1739,17 +1731,17 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
      )
      or
      // flow out of a callable
-      exists(ReturnKindExt kind |
-        revFlowOut(_, node, kind, state, _, _, ap, config) and
-        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
+      exists(ReturnPosition pos |
+        revFlowOut(_, node, pos, state, _, _, ap, config) and
+        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
        then (
-          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
+          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
          returnAp = apSome(ap)
        ) else (
          returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1782,47 +1774,33 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
      ApOption returnAp, Ap ap, Configuration config
    ) {
      exists(NodeEx out, boolean allowsFieldFlow |
        revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

-    /**
-     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
-     * in the flow covered by `revFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate revFlowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
-      Configuration config
-    ) {
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
-      revFlowIsReturned(call, _, _, _, _, config)
-    }
-
    pragma[nomagic]
    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
+      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
    ) {
-      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
+        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
+      parameterFlowThroughAllowed(p, pos.getKind()) and
+      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
    }

    pragma[nomagic]
-    private predicate revFlowInToReturn(
-      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
-      Configuration config
+    private predicate revFlowThrough(
+      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
+      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
    ) {
-      exists(ParamNodeEx p, boolean allowsFieldFlow |
-        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
-        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
-      )
+      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
+      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
    }

    /**
@@ -1832,12 +1810,12 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
      Configuration config
    ) {
      exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
        matchesCall(ccc, call)
      )
    }
@@ -1915,17 +1893,17 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
    ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, pos.getKind())
    }

    pragma[nomagic]
    predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnKindExt kind |
-        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, kind, _, config)
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, pos, _, config)
      )
    }

@@ -1933,20 +1911,21 @@ private module MkStage<StageSig PrevStage> {
    predicate returnMayFlowThrough(
      RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
    ) {
-      exists(ParamNodeEx p |
-        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, kind, ap, config)
+      exists(ParamNodeEx p, ReturnPosition pos |
+        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
+        kind = pos.getKind()
      )
    }

    pragma[nomagic]
-    predicate revFlowInToReturnIsReturned(
+    private predicate revFlowThroughArg(
      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
      Ap ap, Configuration config
    ) {
-      exists(ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
      )
    }

@@ -1954,7 +1933,7 @@ private module MkStage<StageSig PrevStage> {
    predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
      exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
        revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
      )
    }

@@ -1967,8 +1946,9 @@ private module MkStage<StageSig PrevStage> {
      conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
      states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
      tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
+        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
+          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
+        )
      or
      fwd = false and
      nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2823,13 +2803,12 @@ private Configuration unbindConf(Configuration conf) {

 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
-  Configuration config
+  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
 ) {
  exists(AccessPathApprox apa0 |
-    c = n.getEnclosingCallable() and
+    Stage5::parameterMayFlowThrough(p, _, _) and
    Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
      TAccessPathApproxSome(apa), apa0, config)
  )
 }
@@ -2838,10 +2817,9 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
  NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
+  exists(ParamNodeEx p |
    Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, c, pos, state, apa, config) and
-    p.isParameterOf(c, pos)
+    nodeMayUseSummary0(n, p, state, apa, config)
  )
 }

@@ -3771,8 +3749,8 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
  AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
    kind = ret.getKind() and
    apa = ap.getApprox() and
    parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4234,17 +4212,15 @@ private module FlowExploration {
      ap = TRevPartialNil() and
      exists(config.explorationLimit())
      or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
    }

  pragma[nomagic]
@@ -4252,19 +4228,17 @@ private module FlowExploration {
    NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
    TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -622,7 +622,11 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }

 private module Stage1 implements StageSig {
-  class Ap = Unit;
+  class Ap extends int {
+    // workaround for bad functionality-induced joins (happens when using `Unit`)
+    pragma[nomagic]
+    Ap() { this in [0 .. 1] and this < 1 }
+  }

  private class Cc = boolean;

@@ -872,9 +876,9 @@ private module Stage1 implements StageSig {

  pragma[nomagic]
  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
      revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
    )
  }

@@ -1327,8 +1331,8 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
      PrevStage::revFlow(node, state, apa, config) and
@@ -1337,21 +1341,21 @@ private module MkStage<StageSig PrevStage> {

    pragma[inline]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      Configuration config
    ) {
      fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
    }

    pragma[nomagic]
    private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      sourceNode(node, state, config) and
      (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
      argAp = apNone() and
-      summaryCtx = TParameterPositionNone() and
+      summaryCtx = TParamNodeNone() and
      ap = getApNil(node) and
      apa = getApprox(ap)
      or
@@ -1372,7 +1376,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
        jumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone()
      )
      or
@@ -1380,7 +1384,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1390,7 +1394,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStateStep(mid, state0, node, state, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1414,10 +1418,10 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
      if PrevStage::parameterMayFlowThrough(node, apa, config)
      then (
-        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
+        summaryCtx = TParamNodeSome(node.asNode()) and
        argAp = apSome(ap)
      ) else (
-        summaryCtx = TParameterPositionNone() and argAp = apNone()
+        summaryCtx = TParamNodeNone() and argAp = apNone()
      )
      or
      // flow out of a callable
@@ -1433,16 +1437,19 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
-        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
-        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
+      exists(
+        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
+      |
+        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate fwdFlowStore(
      NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      exists(DataFlowType contentType, ApApprox apa1 |
        fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1473,8 +1480,8 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ApNonNil ap, Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
+      Configuration config
    ) {
      fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, _, _, config)
@@ -1483,7 +1490,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
@@ -1493,7 +1500,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowIn(
      DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
    ) {
      exists(ArgNodeEx arg, boolean allowsFieldFlow |
        fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1505,64 +1512,38 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
-      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
+      Ap ap, ApApprox apa, Configuration config
    ) {
-      exists(DataFlowCallable c, ReturnKindExt kind |
+      exists(ReturnKindExt kind |
        fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
-        getApprox(argAp) = argApa and
-        c = ret.getEnclosingCallable() and
+          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
+          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
+          pragma[only_bind_into](config)) and
        kind = ret.getKind() and
-        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
-        parameterFlowThroughAllowed(p, kind)
+        parameterFlowThroughAllowed(summaryCtx, kind) and
+        argApa = getApprox(argAp) and
+        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
      )
    }

    pragma[inline]
-    private predicate fwdFlowInMayFlowThrough(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
+    private predicate fwdFlowThrough0(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
+      Ap innerArgAp, ApApprox innerArgApa, Configuration config
    ) {
-      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
-        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-      PrevStage::parameterMayFlowThrough(param, apa, config)
-    }
-
-    // dedup before joining with `flowThroughOutOfCall`
-    pragma[nomagic]
-    private predicate fwdFlowInMayFlowThroughProj(
-      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
-    }
-
-    /**
-     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
-     * in the flow covered by `fwdFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate fwdFlowThroughOutOfCall(
-      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-      ApApprox argApa, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
+      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
+      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
    }

    pragma[nomagic]
-    private predicate fwdFlowOutFromArg(
-      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
-      ApApprox apa, Configuration config
+    private predicate fwdFlowThrough(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
    ) {
-      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
-          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
-          config) and
-        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
-      )
+      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
+        config)
    }

    /**
@@ -1571,12 +1552,14 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParameterPosition pos, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
+      ParamNodeEx p, Ap ap, Configuration config
    ) {
-      exists(ParamNodeEx param |
-        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
-        pos = param.getPosition()
+      exists(ApApprox apa |
+        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
+          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+        PrevStage::parameterMayFlowThrough(p, apa, config) and
+        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
      )
    }

@@ -1596,23 +1579,31 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowConsCand(ap1, c, ap2, config)
    }

+    pragma[nomagic]
+    private predicate returnFlowsThrough0(
+      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
+      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    ) {
+      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
+        innerArgApa, config)
+    }
+
    pragma[nomagic]
    private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
      Ap ap, Configuration config
    ) {
-      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
-          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
-        kind = ret.getKind() and
-        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
+        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
+        pos = ret.getReturnPosition() and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
      Configuration config
    ) {
      exists(ApApprox argApa |
@@ -1620,7 +1611,7 @@ private module MkStage<StageSig PrevStage> {
          allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
        fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
          pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
          pragma[only_bind_into](config)) and
        if allowsFieldFlow = false then argAp instanceof ApNil else any()
      )
@@ -1639,12 +1630,13 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
      Ap ap, Configuration config
    ) {
      exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config)
+        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config) and
+        pos = ret.getReturnPosition()
      )
    }

@@ -1739,17 +1731,17 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
      )
      or
      // flow out of a callable
-      exists(ReturnKindExt kind |
-        revFlowOut(_, node, kind, state, _, _, ap, config) and
-        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
+      exists(ReturnPosition pos |
+        revFlowOut(_, node, pos, state, _, _, ap, config) and
+        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
        then (
-          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
+          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
          returnAp = apSome(ap)
        ) else (
          returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1782,47 +1774,33 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
      ApOption returnAp, Ap ap, Configuration config
    ) {
      exists(NodeEx out, boolean allowsFieldFlow |
        revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

-    /**
-     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
-     * in the flow covered by `revFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate revFlowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
-      Configuration config
-    ) {
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
-      revFlowIsReturned(call, _, _, _, _, config)
-    }
-
    pragma[nomagic]
    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
+      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
    ) {
-      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
+        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
+      parameterFlowThroughAllowed(p, pos.getKind()) and
+      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
    }

    pragma[nomagic]
-    private predicate revFlowInToReturn(
-      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
-      Configuration config
+    private predicate revFlowThrough(
+      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
+      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
    ) {
-      exists(ParamNodeEx p, boolean allowsFieldFlow |
-        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
-        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
-      )
+      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
+      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
    }

    /**
@@ -1832,12 +1810,12 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
      Configuration config
    ) {
      exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
        matchesCall(ccc, call)
      )
    }
@@ -1915,17 +1893,17 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
    ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, pos.getKind())
    }

    pragma[nomagic]
    predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnKindExt kind |
-        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, kind, _, config)
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, pos, _, config)
      )
    }

@@ -1933,20 +1911,21 @@ private module MkStage<StageSig PrevStage> {
    predicate returnMayFlowThrough(
      RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
    ) {
-      exists(ParamNodeEx p |
-        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, kind, ap, config)
+      exists(ParamNodeEx p, ReturnPosition pos |
+        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
+        kind = pos.getKind()
      )
    }

    pragma[nomagic]
-    predicate revFlowInToReturnIsReturned(
+    private predicate revFlowThroughArg(
      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
      Ap ap, Configuration config
    ) {
-      exists(ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
      )
    }

@@ -1954,7 +1933,7 @@ private module MkStage<StageSig PrevStage> {
    predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
      exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
        revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
      )
    }

@@ -1967,8 +1946,9 @@ private module MkStage<StageSig PrevStage> {
      conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
      states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
      tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
+        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
+          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
+        )
      or
      fwd = false and
      nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2823,13 +2803,12 @@ private Configuration unbindConf(Configuration conf) {

 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
-  Configuration config
+  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
 ) {
  exists(AccessPathApprox apa0 |
-    c = n.getEnclosingCallable() and
+    Stage5::parameterMayFlowThrough(p, _, _) and
    Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
      TAccessPathApproxSome(apa), apa0, config)
  )
 }
@@ -2838,10 +2817,9 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
  NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
+  exists(ParamNodeEx p |
    Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, c, pos, state, apa, config) and
-    p.isParameterOf(c, pos)
+    nodeMayUseSummary0(n, p, state, apa, config)
  )
 }

@@ -3771,8 +3749,8 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
  AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
    kind = ret.getKind() and
    apa = ap.getApprox() and
    parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4234,17 +4212,15 @@ private module FlowExploration {
      ap = TRevPartialNil() and
      exists(config.explorationLimit())
      or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
    }

  pragma[nomagic]
@@ -4252,19 +4228,17 @@ private module FlowExploration {
    NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
    TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -622,7 +622,11 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }

 private module Stage1 implements StageSig {
-  class Ap = Unit;
+  class Ap extends int {
+    // workaround for bad functionality-induced joins (happens when using `Unit`)
+    pragma[nomagic]
+    Ap() { this in [0 .. 1] and this < 1 }
+  }

  private class Cc = boolean;

@@ -872,9 +876,9 @@ private module Stage1 implements StageSig {

  pragma[nomagic]
  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
      revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
    )
  }

@@ -1327,8 +1331,8 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
      PrevStage::revFlow(node, state, apa, config) and
@@ -1337,21 +1341,21 @@ private module MkStage<StageSig PrevStage> {

    pragma[inline]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      Configuration config
    ) {
      fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
    }

    pragma[nomagic]
    private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      sourceNode(node, state, config) and
      (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
      argAp = apNone() and
-      summaryCtx = TParameterPositionNone() and
+      summaryCtx = TParamNodeNone() and
      ap = getApNil(node) and
      apa = getApprox(ap)
      or
@@ -1372,7 +1376,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
        jumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone()
      )
      or
@@ -1380,7 +1384,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1390,7 +1394,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStateStep(mid, state0, node, state, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1414,10 +1418,10 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
      if PrevStage::parameterMayFlowThrough(node, apa, config)
      then (
-        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
+        summaryCtx = TParamNodeSome(node.asNode()) and
        argAp = apSome(ap)
      ) else (
-        summaryCtx = TParameterPositionNone() and argAp = apNone()
+        summaryCtx = TParamNodeNone() and argAp = apNone()
      )
      or
      // flow out of a callable
@@ -1433,16 +1437,19 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
-        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
-        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
+      exists(
+        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
+      |
+        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate fwdFlowStore(
      NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      exists(DataFlowType contentType, ApApprox apa1 |
        fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1473,8 +1480,8 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ApNonNil ap, Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
+      Configuration config
    ) {
      fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, _, _, config)
@@ -1483,7 +1490,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
@@ -1493,7 +1500,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowIn(
      DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
    ) {
      exists(ArgNodeEx arg, boolean allowsFieldFlow |
        fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1505,64 +1512,38 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
-      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
+      Ap ap, ApApprox apa, Configuration config
    ) {
-      exists(DataFlowCallable c, ReturnKindExt kind |
+      exists(ReturnKindExt kind |
        fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
-        getApprox(argAp) = argApa and
-        c = ret.getEnclosingCallable() and
+          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
+          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
+          pragma[only_bind_into](config)) and
        kind = ret.getKind() and
-        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
-        parameterFlowThroughAllowed(p, kind)
+        parameterFlowThroughAllowed(summaryCtx, kind) and
+        argApa = getApprox(argAp) and
+        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
      )
    }

    pragma[inline]
-    private predicate fwdFlowInMayFlowThrough(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
+    private predicate fwdFlowThrough0(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
+      Ap innerArgAp, ApApprox innerArgApa, Configuration config
    ) {
-      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
-        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-      PrevStage::parameterMayFlowThrough(param, apa, config)
-    }
-
-    // dedup before joining with `flowThroughOutOfCall`
-    pragma[nomagic]
-    private predicate fwdFlowInMayFlowThroughProj(
-      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
-    }
-
-    /**
-     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
-     * in the flow covered by `fwdFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate fwdFlowThroughOutOfCall(
-      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-      ApApprox argApa, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
+      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
+      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
    }

    pragma[nomagic]
-    private predicate fwdFlowOutFromArg(
-      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
-      ApApprox apa, Configuration config
+    private predicate fwdFlowThrough(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
    ) {
-      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
-          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
-          config) and
-        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
-      )
+      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
+        config)
    }

    /**
@@ -1571,12 +1552,14 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParameterPosition pos, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
+      ParamNodeEx p, Ap ap, Configuration config
    ) {
-      exists(ParamNodeEx param |
-        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
-        pos = param.getPosition()
+      exists(ApApprox apa |
+        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
+          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+        PrevStage::parameterMayFlowThrough(p, apa, config) and
+        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
      )
    }

@@ -1596,23 +1579,31 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowConsCand(ap1, c, ap2, config)
    }

+    pragma[nomagic]
+    private predicate returnFlowsThrough0(
+      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
+      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    ) {
+      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
+        innerArgApa, config)
+    }
+
    pragma[nomagic]
    private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
      Ap ap, Configuration config
    ) {
-      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
-          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
-        kind = ret.getKind() and
-        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
+        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
+        pos = ret.getReturnPosition() and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
      Configuration config
    ) {
      exists(ApApprox argApa |
@@ -1620,7 +1611,7 @@ private module MkStage<StageSig PrevStage> {
          allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
        fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
          pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
          pragma[only_bind_into](config)) and
        if allowsFieldFlow = false then argAp instanceof ApNil else any()
      )
@@ -1639,12 +1630,13 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
      Ap ap, Configuration config
    ) {
      exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config)
+        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config) and
+        pos = ret.getReturnPosition()
      )
    }

@@ -1739,17 +1731,17 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
      )
      or
      // flow out of a callable
-      exists(ReturnKindExt kind |
-        revFlowOut(_, node, kind, state, _, _, ap, config) and
-        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
+      exists(ReturnPosition pos |
+        revFlowOut(_, node, pos, state, _, _, ap, config) and
+        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
        then (
-          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
+          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
          returnAp = apSome(ap)
        ) else (
          returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1782,47 +1774,33 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
      ApOption returnAp, Ap ap, Configuration config
    ) {
      exists(NodeEx out, boolean allowsFieldFlow |
        revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

-    /**
-     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
-     * in the flow covered by `revFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate revFlowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
-      Configuration config
-    ) {
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
-      revFlowIsReturned(call, _, _, _, _, config)
-    }
-
    pragma[nomagic]
    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
+      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
    ) {
-      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
+        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
+      parameterFlowThroughAllowed(p, pos.getKind()) and
+      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
    }

    pragma[nomagic]
-    private predicate revFlowInToReturn(
-      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
-      Configuration config
+    private predicate revFlowThrough(
+      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
+      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
    ) {
-      exists(ParamNodeEx p, boolean allowsFieldFlow |
-        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
-        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
-      )
+      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
+      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
    }

    /**
@@ -1832,12 +1810,12 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
      Configuration config
    ) {
      exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
        matchesCall(ccc, call)
      )
    }
@@ -1915,17 +1893,17 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
    ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, pos.getKind())
    }

    pragma[nomagic]
    predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnKindExt kind |
-        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, kind, _, config)
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, pos, _, config)
      )
    }

@@ -1933,20 +1911,21 @@ private module MkStage<StageSig PrevStage> {
    predicate returnMayFlowThrough(
      RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
    ) {
-      exists(ParamNodeEx p |
-        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, kind, ap, config)
+      exists(ParamNodeEx p, ReturnPosition pos |
+        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
+        kind = pos.getKind()
      )
    }

    pragma[nomagic]
-    predicate revFlowInToReturnIsReturned(
+    private predicate revFlowThroughArg(
      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
      Ap ap, Configuration config
    ) {
-      exists(ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
      )
    }

@@ -1954,7 +1933,7 @@ private module MkStage<StageSig PrevStage> {
    predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
      exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
        revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
      )
    }

@@ -1967,8 +1946,9 @@ private module MkStage<StageSig PrevStage> {
      conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
      states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
      tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
+        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
+          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
+        )
      or
      fwd = false and
      nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2823,13 +2803,12 @@ private Configuration unbindConf(Configuration conf) {

 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
-  Configuration config
+  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
 ) {
  exists(AccessPathApprox apa0 |
-    c = n.getEnclosingCallable() and
+    Stage5::parameterMayFlowThrough(p, _, _) and
    Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
      TAccessPathApproxSome(apa), apa0, config)
  )
 }
@@ -2838,10 +2817,9 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
  NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
+  exists(ParamNodeEx p |
    Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, c, pos, state, apa, config) and
-    p.isParameterOf(c, pos)
+    nodeMayUseSummary0(n, p, state, apa, config)
  )
 }

@@ -3771,8 +3749,8 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
  AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
    kind = ret.getKind() and
    apa = ap.getApprox() and
    parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4234,17 +4212,15 @@ private module FlowExploration {
      ap = TRevPartialNil() and
      exists(config.explorationLimit())
      or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
    }

  pragma[nomagic]
@@ -4252,19 +4228,17 @@ private module FlowExploration {
    NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
    TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -622,7 +622,11 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }

 private module Stage1 implements StageSig {
-  class Ap = Unit;
+  class Ap extends int {
+    // workaround for bad functionality-induced joins (happens when using `Unit`)
+    pragma[nomagic]
+    Ap() { this in [0 .. 1] and this < 1 }
+  }

  private class Cc = boolean;

@@ -872,9 +876,9 @@ private module Stage1 implements StageSig {

  pragma[nomagic]
  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
      revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
    )
  }

@@ -1327,8 +1331,8 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
      PrevStage::revFlow(node, state, apa, config) and
@@ -1337,21 +1341,21 @@ private module MkStage<StageSig PrevStage> {

    pragma[inline]
    additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      Configuration config
    ) {
      fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
    }

    pragma[nomagic]
    private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      Ap ap, ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
+      ApApprox apa, Configuration config
    ) {
      sourceNode(node, state, config) and
      (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
      argAp = apNone() and
-      summaryCtx = TParameterPositionNone() and
+      summaryCtx = TParamNodeNone() and
      ap = getApNil(node) and
      apa = getApprox(ap)
      or
@@ -1372,7 +1376,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
        jumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone()
      )
      or
@@ -1380,7 +1384,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStep(mid, node, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1390,7 +1394,7 @@ private module MkStage<StageSig PrevStage> {
        fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
        additionalJumpStateStep(mid, state0, node, state, config) and
        cc = ccNone() and
-        summaryCtx = TParameterPositionNone() and
+        summaryCtx = TParamNodeNone() and
        argAp = apNone() and
        ap = getApNil(node) and
        apa = getApprox(ap)
@@ -1414,10 +1418,10 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
      if PrevStage::parameterMayFlowThrough(node, apa, config)
      then (
-        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
+        summaryCtx = TParamNodeSome(node.asNode()) and
        argAp = apSome(ap)
      ) else (
-        summaryCtx = TParameterPositionNone() and argAp = apNone()
+        summaryCtx = TParamNodeNone() and argAp = apNone()
      )
      or
      // flow out of a callable
@@ -1433,16 +1437,19 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
-        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
-        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
+      exists(
+        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
+      |
+        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate fwdFlowStore(
      NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      exists(DataFlowType contentType, ApApprox apa1 |
        fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1473,8 +1480,8 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ApNonNil ap, Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
+      Configuration config
    ) {
      fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, _, _, config)
@@ -1483,7 +1490,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
@@ -1493,7 +1500,7 @@ private module MkStage<StageSig PrevStage> {
    pragma[nomagic]
    private predicate fwdFlowIn(
      DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
    ) {
      exists(ArgNodeEx arg, boolean allowsFieldFlow |
        fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1505,64 +1512,38 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
-      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
+      Ap ap, ApApprox apa, Configuration config
    ) {
-      exists(DataFlowCallable c, ReturnKindExt kind |
+      exists(ReturnKindExt kind |
        fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
-        getApprox(argAp) = argApa and
-        c = ret.getEnclosingCallable() and
+          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
+          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
+          pragma[only_bind_into](config)) and
        kind = ret.getKind() and
-        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
-        parameterFlowThroughAllowed(p, kind)
+        parameterFlowThroughAllowed(summaryCtx, kind) and
+        argApa = getApprox(argAp) and
+        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
      )
    }

    pragma[inline]
-    private predicate fwdFlowInMayFlowThrough(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
+    private predicate fwdFlowThrough0(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
+      Ap innerArgAp, ApApprox innerArgApa, Configuration config
    ) {
-      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
-        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-      PrevStage::parameterMayFlowThrough(param, apa, config)
-    }
-
-    // dedup before joining with `flowThroughOutOfCall`
-    pragma[nomagic]
-    private predicate fwdFlowInMayFlowThroughProj(
-      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
-    }
-
-    /**
-     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
-     * in the flow covered by `fwdFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate fwdFlowThroughOutOfCall(
-      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-      ApApprox argApa, ApApprox apa, Configuration config
-    ) {
-      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
+      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
+      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
    }

    pragma[nomagic]
-    private predicate fwdFlowOutFromArg(
-      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
-      ApApprox apa, Configuration config
+    private predicate fwdFlowThrough(
+      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
+      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
    ) {
-      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
-          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
-          config) and
-        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
-      )
+      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
+        config)
    }

    /**
@@ -1571,12 +1552,14 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-      ParameterPosition pos, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
+      ParamNodeEx p, Ap ap, Configuration config
    ) {
-      exists(ParamNodeEx param |
-        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
-        pos = param.getPosition()
+      exists(ApApprox apa |
+        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
+          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+        PrevStage::parameterMayFlowThrough(p, apa, config) and
+        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
      )
    }

@@ -1596,23 +1579,31 @@ private module MkStage<StageSig PrevStage> {
      fwdFlowConsCand(ap1, c, ap2, config)
    }

+    pragma[nomagic]
+    private predicate returnFlowsThrough0(
+      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
+      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    ) {
+      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
+        innerArgApa, config)
+    }
+
    pragma[nomagic]
    private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
      Ap ap, Configuration config
    ) {
-      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
-        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
-          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
-        kind = ret.getKind() and
-        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
-        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
+        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
+        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
+        pos = ret.getReturnPosition() and
+        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

    pragma[nomagic]
    private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
      Configuration config
    ) {
      exists(ApApprox argApa |
@@ -1620,7 +1611,7 @@ private module MkStage<StageSig PrevStage> {
          allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
        fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
          pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
          pragma[only_bind_into](config)) and
        if allowsFieldFlow = false then argAp instanceof ApNil else any()
      )
@@ -1639,12 +1630,13 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
      Ap ap, Configuration config
    ) {
      exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config)
+        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config) and
+        pos = ret.getReturnPosition()
      )
    }

@@ -1739,17 +1731,17 @@ private module MkStage<StageSig PrevStage> {
      )
      or
      // flow through a callable
-      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
      )
      or
      // flow out of a callable
-      exists(ReturnKindExt kind |
-        revFlowOut(_, node, kind, state, _, _, ap, config) and
-        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
+      exists(ReturnPosition pos |
+        revFlowOut(_, node, pos, state, _, _, ap, config) and
+        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
        then (
-          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
+          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
          returnAp = apSome(ap)
        ) else (
          returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1782,47 +1774,33 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
      ApOption returnAp, Ap ap, Configuration config
    ) {
      exists(NodeEx out, boolean allowsFieldFlow |
        revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
        if allowsFieldFlow = false then ap instanceof ApNil else any()
      )
    }

-    /**
-     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
-     * in the flow covered by `revFlow`, where data might flow through the target
-     * callable and back out at `call`.
-     */
-    pragma[nomagic]
-    private predicate revFlowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
-      Configuration config
-    ) {
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
-      revFlowIsReturned(call, _, _, _, _, config)
-    }
-
    pragma[nomagic]
    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
+      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
    ) {
-      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
+        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
+      parameterFlowThroughAllowed(p, pos.getKind()) and
+      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
    }

    pragma[nomagic]
-    private predicate revFlowInToReturn(
-      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
-      Configuration config
+    private predicate revFlowThrough(
+      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
+      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
    ) {
-      exists(ParamNodeEx p, boolean allowsFieldFlow |
-        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
-        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
-      )
+      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
+      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
    }

    /**
@@ -1832,12 +1810,12 @@ private module MkStage<StageSig PrevStage> {
     */
    pragma[nomagic]
    private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
      Configuration config
    ) {
      exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
        matchesCall(ccc, call)
      )
    }
@@ -1915,17 +1893,17 @@ private module MkStage<StageSig PrevStage> {

    pragma[nomagic]
    private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
    ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, kind)
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, pos.getKind())
    }

    pragma[nomagic]
    predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnKindExt kind |
-        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, kind, _, config)
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, pos, _, config)
      )
    }

@@ -1933,20 +1911,21 @@ private module MkStage<StageSig PrevStage> {
    predicate returnMayFlowThrough(
      RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
    ) {
-      exists(ParamNodeEx p |
-        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, kind, ap, config)
+      exists(ParamNodeEx p, ReturnPosition pos |
+        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
+        kind = pos.getKind()
      )
    }

    pragma[nomagic]
-    predicate revFlowInToReturnIsReturned(
+    private predicate revFlowThroughArg(
      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
      Ap ap, Configuration config
    ) {
-      exists(ReturnKindExt returnKind0, Ap returnAp0 |
-        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
-        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
+        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
      )
    }

@@ -1954,7 +1933,7 @@ private module MkStage<StageSig PrevStage> {
    predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
      exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
        revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
      )
    }

@@ -1967,8 +1946,9 @@ private module MkStage<StageSig PrevStage> {
      conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
      states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
      tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
-          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
+        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
+          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
+        )
      or
      fwd = false and
      nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2823,13 +2803,12 @@ private Configuration unbindConf(Configuration conf) {

 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
-  Configuration config
+  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
 ) {
  exists(AccessPathApprox apa0 |
-    c = n.getEnclosingCallable() and
+    Stage5::parameterMayFlowThrough(p, _, _) and
    Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
      TAccessPathApproxSome(apa), apa0, config)
  )
 }
@@ -2838,10 +2817,9 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
  NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
+  exists(ParamNodeEx p |
    Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, c, pos, state, apa, config) and
-    p.isParameterOf(c, pos)
+    nodeMayUseSummary0(n, p, state, apa, config)
  )
 }

@@ -3771,8 +3749,8 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
  AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
    kind = ret.getKind() and
    apa = ap.getApprox() and
    parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4234,17 +4212,15 @@ private module FlowExploration {
      ap = TRevPartialNil() and
      exists(config.explorationLimit())
      or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
    }

  pragma[nomagic]
@@ -4252,19 +4228,17 @@ private module FlowExploration {
    NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
    TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -916,15 +916,15 @@ private module Cached {
    TDataFlowCallSome(DataFlowCall call)

  cached
-  newtype TParameterPositionOption =
-    TParameterPositionNone() or
-    TParameterPositionSome(ParameterPosition pos)
+  newtype TParamNodeOption =
+    TParamNodeNone() or
+    TParamNodeSome(ParamNode p)

  cached
  newtype TReturnCtx =
    TReturnCtxNone() or
    TReturnCtxNoFlowThrough() or
-    TReturnCtxMaybeFlowThrough(ReturnKindExt kind)
+    TReturnCtxMaybeFlowThrough(ReturnPosition pos)

  cached
  newtype TTypedContentApprox =
@@ -1343,15 +1343,15 @@ class DataFlowCallOption extends TDataFlowCallOption {
  }
 }

-/** An optional `ParameterPosition`. */
-class ParameterPositionOption extends TParameterPositionOption {
+/** An optional `ParamNode`. */
+class ParamNodeOption extends TParamNodeOption {
  string toString() {
-    this = TParameterPositionNone() and
+    this = TParamNodeNone() and
    result = "(none)"
    or
-    exists(ParameterPosition pos |
-      this = TParameterPositionSome(pos) and
-      result = pos.toString()
+    exists(ParamNode p |
+      this = TParamNodeSome(p) and
+      result = p.toString()
    )
  }
 }
@@ -1363,7 +1363,7 @@ class ParameterPositionOption extends TParameterPositionOption {
 *
 * - `TReturnCtxNone()`: no return flow.
 * - `TReturnCtxNoFlowThrough()`: return flow, but flow through is not possible.
- * - `TReturnCtxMaybeFlowThrough(ReturnKindExt kind)`: return flow, of kind `kind`, and
+ * - `TReturnCtxMaybeFlowThrough(ReturnPosition pos)`: return flow, of kind `pos`, and
 *    flow through may be possible.
 */
 class ReturnCtx extends TReturnCtx {
@@ -1374,9 +1374,9 @@ class ReturnCtx extends TReturnCtx {
    this = TReturnCtxNoFlowThrough() and
    result = "(no flow through)"
    or
-    exists(ReturnKindExt kind |
-      this = TReturnCtxMaybeFlowThrough(kind) and
-      result = kind.toString()
+    exists(ReturnPosition pos |
+      this = TReturnCtxMaybeFlowThrough(pos) and
+      result = pos.toString()
    )
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
@@ -45,6 +45,16 @@ module Consistency {
    ) {
      none()
    }
+
+    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
+    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
+      none()
+    }
+
+    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
+    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
+      none()
+    }
  }

  private class RelevantNode extends Node {
@@ -101,9 +111,7 @@ module Consistency {
    exists(int c |
      c =
        strictcount(Node n |
-          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
-            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-          ) and
+          not n.hasLocationInfo(_, _, _, _, _) and
          not any(ConsistencyConfiguration conf).missingLocationExclude(n)
        ) and
      msg = "Nodes without location: " + c
@@ -248,6 +256,7 @@ module Consistency {
  query predicate uniqueParameterNodeAtPosition(
    DataFlowCallable c, ParameterPosition pos, Node p, string msg
  ) {
+    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
    isParameterNode(p, c, pos) and
    not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
    msg = "Parameters with overlapping positions."
@@ -256,6 +265,7 @@ module Consistency {
  query predicate uniqueParameterNodePosition(
    DataFlowCallable c, ParameterPosition pos, Node p, string msg
  ) {
+    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
    isParameterNode(p, c, pos) and
    not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
    msg = "Parameter node with multiple positions."
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll
@@ -30,6 +30,7 @@ private newtype TOpcode =
  TNegate() or
  TShiftLeft() or
  TShiftRight() or
+  TUnsignedShiftRight() or
  TBitAnd() or
  TBitOr() or
  TBitXor() or
@@ -652,6 +653,15 @@ module Opcode {
    final override string toString() { result = "ShiftRight" }
  }

+  /**
+   * The `Opcode` for a `UnsignedShiftRightInstruction`.
+   *
+   * See the `UnsignedShiftRightInstruction` documentation for more details.
+   */
+  class UnsignedShiftRight extends BinaryBitwiseOpcode, TUnsignedShiftRight {
+    final override string toString() { result = "UnsignedShiftRight" }
+  }
+
  /**
   * The `Opcode` for a `BitAndInstruction`.
   *
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -1204,6 +1204,17 @@ class ShiftRightInstruction extends BinaryBitwiseInstruction {
  ShiftRightInstruction() { this.getOpcode() instanceof Opcode::ShiftRight }
 }

+/**
+ * An instruction that shifts its left operand to the right by the number of bits specified by its
+ * right operand.
+ *
+ * Both operands must have an integer type. The result has the same type as the left operand.
+ * The leftmost bits are zero-filled.
+ */
+class UnsignedShiftRightInstruction extends BinaryBitwiseInstruction {
+  UnsignedShiftRightInstruction() { this.getOpcode() instanceof Opcode::UnsignedShiftRight }
+}
+
 /**
 * An instruction that performs a binary arithmetic operation involving at least one pointer
 * operand.
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
@@ -45,7 +45,7 @@ class Operand extends TStageOperand {
      this = reusedPhiOperand(use, def, predecessorBlock, _)
    )
    or
-    exists(Instruction use | this = chiOperand(use, _))
+    this = chiOperand(_, _)
  }

  /** Gets a textual representation of this element. */
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -329,12 +329,12 @@ private module Cached {
  cached
  Instruction getChiInstructionTotalOperand(ChiInstruction chiInstr) {
    exists(
-      Alias::VirtualVariable vvar, OldInstruction oldInstr, Alias::MemoryLocation defLocation,
-      OldBlock defBlock, int defRank, int defOffset, OldBlock useBlock, int useRank
+      Alias::VirtualVariable vvar, OldInstruction oldInstr, OldBlock defBlock, int defRank,
+      int defOffset, OldBlock useBlock, int useRank
    |
      chiInstr = getChi(oldInstr) and
      vvar = Alias::getResultMemoryLocation(oldInstr).getVirtualVariable() and
-      hasDefinitionAtRank(vvar, defLocation, defBlock, defRank, defOffset) and
+      hasDefinitionAtRank(vvar, _, defBlock, defRank, defOffset) and
      hasUseAtRank(vvar, useBlock, useRank, oldInstr) and
      definitionReachesUse(vvar, defBlock, defRank, useBlock, useRank) and
      result = getDefinitionOrChiInstruction(defBlock, defOffset, vvar, _)
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -1204,6 +1204,17 @@ class ShiftRightInstruction extends BinaryBitwiseInstruction {
  ShiftRightInstruction() { this.getOpcode() instanceof Opcode::ShiftRight }
 }

+/**
+ * An instruction that shifts its left operand to the right by the number of bits specified by its
+ * right operand.
+ *
+ * Both operands must have an integer type. The result has the same type as the left operand.
+ * The leftmost bits are zero-filled.
+ */
+class UnsignedShiftRightInstruction extends BinaryBitwiseInstruction {
+  UnsignedShiftRightInstruction() { this.getOpcode() instanceof Opcode::UnsignedShiftRight }
+}
+
 /**
 * An instruction that performs a binary arithmetic operation involving at least one pointer
 * operand.
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll
@@ -45,7 +45,7 @@ class Operand extends TStageOperand {
      this = reusedPhiOperand(use, def, predecessorBlock, _)
    )
    or
-    exists(Instruction use | this = chiOperand(use, _))
+    this = chiOperand(_, _)
  }

  /** Gets a textual representation of this element. */
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll
@@ -72,7 +72,19 @@ newtype TInstructionTag =
  AsmInputTag(int elementIndex) { exists(AsmStmt asm | exists(asm.getChild(elementIndex))) } or
  ThisAddressTag() or
  ThisLoadTag() or
-  StructuredBindingAccessTag()
+  StructuredBindingAccessTag() or
+  // The next three cases handle generation of the constants -1, 0 and 1 for __except handling.
+  TryExceptGenerateNegativeOne() or
+  TryExceptGenerateZero() or
+  TryExceptGenerateOne() or
+  // The next three cases handle generation of comparisons for __except handling.
+  TryExceptCompareNegativeOne() or
+  TryExceptCompareZero() or
+  TryExceptCompareOne() or
+  // The next three cases handle generation of branching for __except handling.
+  TryExceptCompareNegativeOneBranch() or
+  TryExceptCompareZeroBranch() or
+  TryExceptCompareOneBranch()

 class InstructionTag extends TInstructionTag {
  final string toString() { result = "Tag" }
@@ -224,4 +236,22 @@ string getInstructionTagId(TInstructionTag tag) {
  tag = ThisLoadTag() and result = "ThisLoad"
  or
  tag = StructuredBindingAccessTag() and result = "StructuredBindingAccess"
+  or
+  tag = TryExceptCompareNegativeOne() and result = "TryExceptCompareNegativeOne"
+  or
+  tag = TryExceptCompareZero() and result = "TryExceptCompareZero"
+  or
+  tag = TryExceptCompareOne() and result = "TryExceptCompareOne"
+  or
+  tag = TryExceptGenerateNegativeOne() and result = "TryExceptGenerateNegativeOne"
+  or
+  tag = TryExceptGenerateZero() and result = "TryExceptGenerateNegativeOne"
+  or
+  tag = TryExceptGenerateOne() and result = "TryExceptGenerateOne"
+  or
+  tag = TryExceptCompareNegativeOneBranch() and result = "TryExceptCompareNegativeOneBranch"
+  or
+  tag = TryExceptCompareZeroBranch() and result = "TryExceptCompareZeroBranch"
+  or
+  tag = TryExceptCompareOneBranch() and result = "TryExceptCompareOneBranch"
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -675,6 +675,7 @@ newtype TTranslatedElement =
  } or
  // A statement
  TTranslatedStmt(Stmt stmt) { translateStmt(stmt) } or
+  TTranslatedMicrosoftTryExceptHandler(MicrosoftTryExceptStmt stmt) or
  // A function
  TTranslatedFunction(Function func) { translateFunction(func) } or
  // A constructor init list
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll
@@ -298,11 +298,11 @@ class TranslatedStringLiteralInitialization extends TranslatedDirectInitializati
    opcode instanceof Opcode::Store and
    resultType = getTypeForPRValue(expr.getType())
    or
-    exists(int startIndex, int elementCount |
+    exists(int elementCount |
      // If the initializer string isn't large enough to fill the target, then
      // we have to generate another instruction sequence to store a constant
      // zero into the remainder of the array.
-      zeroInitRange(startIndex, elementCount) and
+      zeroInitRange(_, elementCount) and
      (
        // Create a constant zero whose size is the size of the remaining
        // space in the target array.
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll
@@ -13,6 +13,222 @@ private import TranslatedInitialization

 TranslatedStmt getTranslatedStmt(Stmt stmt) { result.getAst() = stmt }

+TranslatedMicrosoftTryExceptHandler getTranslatedMicrosoftTryExceptHandler(
+  MicrosoftTryExceptStmt tryExcept
+) {
+  result.getAst() = tryExcept.getExcept()
+}
+
+class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
+  TTranslatedMicrosoftTryExceptHandler {
+  MicrosoftTryExceptStmt tryExcept;
+
+  TranslatedMicrosoftTryExceptHandler() { this = TTranslatedMicrosoftTryExceptHandler(tryExcept) }
+
+  final override string toString() { result = tryExcept.toString() }
+
+  final override Locatable getAst() { result = tryExcept.getExcept() }
+
+  override Instruction getFirstInstruction() { result = this.getChild(0).getFirstInstruction() }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    // t1 = -1
+    tag = TryExceptGenerateNegativeOne() and
+    opcode instanceof Opcode::Constant and
+    resultType = getIntType()
+    or
+    // t2 = cmp t1, condition
+    tag = TryExceptCompareNegativeOne() and
+    opcode instanceof Opcode::CompareEQ and
+    resultType = getBoolType()
+    or
+    // if t2 goto ... else goto ...
+    tag = TryExceptCompareNegativeOneBranch() and
+    opcode instanceof Opcode::ConditionalBranch and
+    resultType = getVoidType()
+    or
+    // t1 = 0
+    tag = TryExceptGenerateZero() and
+    opcode instanceof Opcode::Constant and
+    resultType = getIntType()
+    or
+    // t2 = cmp t1, condition
+    tag = TryExceptCompareZero() and
+    opcode instanceof Opcode::CompareEQ and
+    resultType = getBoolType()
+    or
+    // if t2 goto ... else goto ...
+    tag = TryExceptCompareZeroBranch() and
+    opcode instanceof Opcode::ConditionalBranch and
+    resultType = getVoidType()
+    or
+    // t1 = 1
+    tag = TryExceptGenerateOne() and
+    opcode instanceof Opcode::Constant and
+    resultType = getIntType()
+    or
+    // t2 = cmp t1, condition
+    tag = TryExceptCompareOne() and
+    opcode instanceof Opcode::CompareEQ and
+    resultType = getBoolType()
+    or
+    // if t2 goto ... else goto ...
+    tag = TryExceptCompareOneBranch() and
+    opcode instanceof Opcode::ConditionalBranch and
+    resultType = getVoidType()
+    or
+    // unwind stack
+    tag = UnwindTag() and
+    opcode instanceof Opcode::Unwind and
+    resultType = getVoidType()
+  }
+
+  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = TryExceptCompareNegativeOne() and
+    (
+      operandTag instanceof LeftOperandTag and
+      result = this.getTranslatedCondition().getResult()
+      or
+      operandTag instanceof RightOperandTag and
+      result = this.getInstruction(TryExceptGenerateNegativeOne())
+    )
+    or
+    tag = TryExceptCompareNegativeOneBranch() and
+    operandTag instanceof ConditionOperandTag and
+    result = this.getInstruction(TryExceptCompareNegativeOne())
+    or
+    tag = TryExceptCompareZero() and
+    (
+      operandTag instanceof LeftOperandTag and
+      result = this.getTranslatedCondition().getResult()
+      or
+      operandTag instanceof RightOperandTag and
+      result = this.getInstruction(TryExceptGenerateZero())
+    )
+    or
+    tag = TryExceptCompareZeroBranch() and
+    operandTag instanceof ConditionOperandTag and
+    result = this.getInstruction(TryExceptCompareZero())
+    or
+    tag = TryExceptCompareOne() and
+    (
+      operandTag instanceof LeftOperandTag and
+      result = this.getTranslatedCondition().getResult()
+      or
+      operandTag instanceof RightOperandTag and
+      result = this.getInstruction(TryExceptGenerateOne())
+    )
+    or
+    tag = TryExceptCompareOneBranch() and
+    operandTag instanceof ConditionOperandTag and
+    result = this.getInstruction(TryExceptCompareOne())
+  }
+
+  override string getInstructionConstantValue(InstructionTag tag) {
+    tag = TryExceptGenerateNegativeOne() and
+    result = "-1"
+    or
+    tag = TryExceptGenerateZero() and
+    result = "0"
+    or
+    tag = TryExceptGenerateOne() and
+    result = "1"
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    // Generate -1 -> Compare condition
+    tag = TryExceptGenerateNegativeOne() and
+    kind instanceof GotoEdge and
+    result = this.getInstruction(TryExceptCompareNegativeOne())
+    or
+    // Compare condition -> Branch
+    tag = TryExceptCompareNegativeOne() and
+    kind instanceof GotoEdge and
+    result = this.getInstruction(TryExceptCompareNegativeOneBranch())
+    or
+    // Branch -> Unwind or Generate 0
+    tag = TryExceptCompareNegativeOneBranch() and
+    (
+      kind instanceof TrueEdge and
+      // TODO: This is not really correct. The semantics of `EXCEPTION_CONTINUE_EXECUTION` is that
+      // we should continue execution at the point where the exception occurred. But we don't have
+      // any instruction to model this behavior.
+      result = this.getInstruction(UnwindTag())
+      or
+      kind instanceof FalseEdge and
+      result = this.getInstruction(TryExceptGenerateZero())
+    )
+    or
+    // Generate 0 -> Compare condition
+    tag = TryExceptGenerateZero() and
+    kind instanceof GotoEdge and
+    result = this.getInstruction(TryExceptCompareZero())
+    or
+    // Compare condition -> Branch
+    tag = TryExceptCompareZero() and
+    kind instanceof GotoEdge and
+    result = this.getInstruction(TryExceptCompareZeroBranch())
+    or
+    // Branch -> Unwind or Generate 1
+    tag = TryExceptCompareZeroBranch() and
+    (
+      kind instanceof TrueEdge and
+      result = this.getInstruction(UnwindTag())
+      or
+      kind instanceof FalseEdge and
+      result = this.getInstruction(TryExceptGenerateOne())
+    )
+    or
+    // Generate 1 -> Compare condition
+    tag = TryExceptGenerateOne() and
+    kind instanceof GotoEdge and
+    result = this.getInstruction(TryExceptCompareOne())
+    or
+    // Compare condition -> Branch
+    tag = TryExceptCompareOne() and
+    kind instanceof GotoEdge and
+    result = this.getInstruction(TryExceptCompareOneBranch())
+    or
+    // Branch -> Handler (the condition value is always 0, -1 or 1, and we've checked for 0 or -1 already.)
+    tag = TryExceptCompareOneBranch() and
+    (
+      kind instanceof TrueEdge and
+      result = this.getTranslatedHandler().getFirstInstruction()
+    )
+    or
+    // Unwind -> Parent
+    tag = UnwindTag() and
+    kind instanceof GotoEdge and
+    result = this.getParent().getChildSuccessor(this)
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child) {
+    child = this.getTranslatedCondition() and
+    result = this.getInstruction(TryExceptGenerateNegativeOne())
+    or
+    child = this.getTranslatedHandler() and
+    result = this.getParent().getChildSuccessor(this)
+  }
+
+  private TranslatedExpr getTranslatedCondition() {
+    result = getTranslatedExpr(tryExcept.getCondition())
+  }
+
+  private TranslatedStmt getTranslatedHandler() {
+    result = getTranslatedStmt(tryExcept.getExcept())
+  }
+
+  override TranslatedElement getChild(int id) {
+    id = 0 and
+    result = this.getTranslatedCondition()
+    or
+    id = 1 and
+    result = this.getTranslatedHandler()
+  }
+
+  final override Function getFunction() { result = tryExcept.getEnclosingFunction() }
+}
+
 abstract class TranslatedStmt extends TranslatedElement, TTranslatedStmt {
  Stmt stmt;

@@ -249,15 +465,57 @@ class TranslatedUnreachableReturnStmt extends TranslatedReturnStmt {
 }

 /**
- * The IR translation of a C++ `try` statement.
+ * A C/C++ `try` statement, or a `__try __except` or `__try __finally` statement.
+ */
+private class TryOrMicrosoftTryStmt extends Stmt {
+  TryOrMicrosoftTryStmt() {
+    this instanceof TryStmt or
+    this instanceof MicrosoftTryStmt
+  }
+
+  /** Gets the number of `catch block`s of this statement. */
+  int getNumberOfCatchClauses() {
+    result = this.(TryStmt).getNumberOfCatchClauses()
+    or
+    this instanceof MicrosoftTryExceptStmt and
+    result = 1
+    or
+    this instanceof MicrosoftTryFinallyStmt and
+    result = 0
+  }
+
+  /** Gets the `body` statement of this statement. */
+  Stmt getStmt() {
+    result = this.(TryStmt).getStmt()
+    or
+    result = this.(MicrosoftTryStmt).getStmt()
+  }
+
+  /** Gets the `i`th translated handler of this statement. */
+  TranslatedElement getTranslatedHandler(int index) {
+    result = getTranslatedStmt(this.(TryStmt).getChild(index + 1))
+    or
+    index = 0 and
+    result = getTranslatedMicrosoftTryExceptHandler(this)
+  }
+
+  /** Gets the `finally` statement (usually a BlockStmt), if any. */
+  Stmt getFinally() { result = this.(MicrosoftTryFinallyStmt).getFinally() }
+}
+
+/**
+ * The IR translation of a C++ `try` (or a `__try __except` or `__try __finally`) statement.
 */
 class TranslatedTryStmt extends TranslatedStmt {
-  override TryStmt stmt;
+  override TryOrMicrosoftTryStmt stmt;

  override TranslatedElement getChild(int id) {
    id = 0 and result = getBody()
    or
    result = getHandler(id - 1)
+    or
+    id = stmt.getNumberOfCatchClauses() + 1 and
+    result = this.getFinally()
  }

  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
@@ -269,8 +527,20 @@ class TranslatedTryStmt extends TranslatedStmt {
  override Instruction getFirstInstruction() { result = getBody().getFirstInstruction() }

  override Instruction getChildSuccessor(TranslatedElement child) {
-    // All children go to the successor of the `try`.
-    child = getAChild() and result = getParent().getChildSuccessor(this)
+    // All non-finally children go to the successor of the `try` if
+    // there is no finally block, but if there is a finally block
+    // then we go to that one.
+    child = [this.getBody(), this.getHandler(_)] and
+    (
+      not exists(this.getFinally()) and
+      result = this.getParent().getChildSuccessor(this)
+      or
+      result = this.getFinally().getFirstInstruction()
+    )
+    or
+    // And after the finally block we go to the successor of the `try`.
+    child = this.getFinally() and
+    result = this.getParent().getChildSuccessor(this)
  }

  final Instruction getNextHandler(TranslatedHandler handler) {
@@ -290,9 +560,9 @@ class TranslatedTryStmt extends TranslatedStmt {
    result = getHandler(0).getFirstInstruction()
  }

-  private TranslatedHandler getHandler(int index) {
-    result = getTranslatedStmt(stmt.getChild(index + 1))
-  }
+  private TranslatedElement getHandler(int index) { result = stmt.getTranslatedHandler(index) }
+
+  private TranslatedStmt getFinally() { result = getTranslatedStmt(stmt.getFinally()) }

  private TranslatedStmt getBody() { result = getTranslatedStmt(stmt.getStmt()) }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -1204,6 +1204,17 @@ class ShiftRightInstruction extends BinaryBitwiseInstruction {
  ShiftRightInstruction() { this.getOpcode() instanceof Opcode::ShiftRight }
 }

+/**
+ * An instruction that shifts its left operand to the right by the number of bits specified by its
+ * right operand.
+ *
+ * Both operands must have an integer type. The result has the same type as the left operand.
+ * The leftmost bits are zero-filled.
+ */
+class UnsignedShiftRightInstruction extends BinaryBitwiseInstruction {
+  UnsignedShiftRightInstruction() { this.getOpcode() instanceof Opcode::UnsignedShiftRight }
+}
+
 /**
 * An instruction that performs a binary arithmetic operation involving at least one pointer
 * operand.
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
@@ -45,7 +45,7 @@ class Operand extends TStageOperand {
      this = reusedPhiOperand(use, def, predecessorBlock, _)
    )
    or
-    exists(Instruction use | this = chiOperand(use, _))
+    this = chiOperand(_, _)
  }

  /** Gets a textual representation of this element. */
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -329,12 +329,12 @@ private module Cached {
  cached
  Instruction getChiInstructionTotalOperand(ChiInstruction chiInstr) {
    exists(
-      Alias::VirtualVariable vvar, OldInstruction oldInstr, Alias::MemoryLocation defLocation,
-      OldBlock defBlock, int defRank, int defOffset, OldBlock useBlock, int useRank
+      Alias::VirtualVariable vvar, OldInstruction oldInstr, OldBlock defBlock, int defRank,
+      int defOffset, OldBlock useBlock, int useRank
    |
      chiInstr = getChi(oldInstr) and
      vvar = Alias::getResultMemoryLocation(oldInstr).getVirtualVariable() and
-      hasDefinitionAtRank(vvar, defLocation, defBlock, defRank, defOffset) and
+      hasDefinitionAtRank(vvar, _, defBlock, defRank, defOffset) and
      hasUseAtRank(vvar, useBlock, useRank, oldInstr) and
      definitionReachesUse(vvar, defBlock, defRank, useBlock, useRank) and
      result = getDefinitionOrChiInstruction(defBlock, defOffset, vvar, _)
--- a/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll
@@ -67,9 +67,7 @@ class Class = Cpp::Class; // Used for inheritance conversions

 predicate getIdentityString = Print::getIdentityString/1;

-predicate hasCaseEdge(string minValue, string maxValue) {
-  exists(Cpp::SwitchCase switchCase | hasCaseEdge(switchCase, minValue, maxValue))
-}
+predicate hasCaseEdge(string minValue, string maxValue) { hasCaseEdge(_, minValue, maxValue) }

 predicate hasPositionalArgIndex(int argIndex) {
  exists(Cpp::FunctionCall call | exists(call.getArgument(argIndex))) or
--- a/cpp/ql/lib/semmle/code/cpp/metrics/MetricClass.qll
+++ b/cpp/ql/lib/semmle/code/cpp/metrics/MetricClass.qll
@@ -99,10 +99,10 @@ class MetricClass extends Class {
  }

  /** Gets any method that accesses some local field. */
-  Function getAccessingMethod() { exists(Field f | this.accessesLocalField(result, f)) }
+  Function getAccessingMethod() { this.accessesLocalField(result, _) }

  /** Gets any field that is accessed by a local method. */
-  Field getAccessedField() { exists(Function func | this.accessesLocalField(func, result)) }
+  Field getAccessedField() { this.accessesLocalField(_, result) }

  /** Gets the Henderson-Sellers lack-of-cohesion metric. */
  float getLackOfCohesionHS() {
@@ -517,10 +517,10 @@ private predicate dependsOnClassSimple(Class source, Class dest) {
    )
    or
    // a class depends on classes for which a call to its member function is done from a function
-    exists(MemberFunction target, MemberFunction f, Locatable l |
+    exists(MemberFunction target, MemberFunction f |
      f.getDeclaringType() = source and
      f instanceof MemberFunction and
-      f.calls(target, l) and
+      f.calls(target, _) and
      target instanceof MemberFunction and
      target.getDeclaringType() = dest
    )
--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll
@@ -133,13 +133,15 @@ abstract class HeuristicAllocationExpr extends Expr {

  /**
   * Gets a constant multiplier for the allocation size given by `getSizeExpr`,
-   * in bytes.
+   * in bytes. This predicate should be used with caution as it can be
+   * inaccurate for allocations identified using heuristics.
   */
  int getSizeMult() { none() }

  /**
   * Gets the size of this allocation in bytes, if it is a fixed size and that
-   * size can be determined.
+   * size can be determined. This predicate should be used with caution as it
+   * can be inaccurate for allocations identified using heuristics.
   */
  int getSizeBytes() { none() }

--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
@@ -296,7 +296,7 @@ private predicate analyzableExpr(Expr e) {
    or
    // Also allow variable accesses, provided that they have SSA
    // information.
-    exists(RangeSsaDefinition def, StackVariable v | e = def.getAUse(v))
+    exists(RangeSsaDefinition def | e = def.getAUse(_))
    or
    e instanceof UnsignedBitwiseAndExpr
    or
--- a/cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll
@@ -92,7 +92,7 @@ private class ArgvSource extends LocalFlowSource {
    exists(Function main, Parameter argv |
      main.hasGlobalName("main") and
      main.getParameter(1) = argv and
-      this.asExpr() = argv.getAnAccess()
+      this.asParameter() = argv
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll
@@ -127,9 +127,9 @@ deprecated private predicate betweenFunctionsValueMoveTo(
  not unreachable(src) and
  not unreachable(dest) and
  (
-    exists(Call call, Function called, int i |
+    exists(Call call, int i |
      src = call.getArgument(i) and
-      resolveCallWithParam(call, called, i, dest) and
+      resolveCallWithParam(call, _, i, dest) and
      destFromArg = true
    )
    or
@@ -151,8 +151,8 @@ deprecated private predicate betweenFunctionsValueMoveTo(
    )
    or
    // If a parameter of type reference is tainted inside a function, taint the argument too
-    exists(Call call, Function f, int pi, Parameter p |
-      resolveCallWithParam(call, f, pi, p) and
+    exists(Call call, int pi, Parameter p |
+      resolveCallWithParam(call, _, pi, p) and
      p.getType() instanceof ReferenceType and
      src = p and
      dest = call.getArgument(pi) and
--- a/cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll
+++ b/cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll
@@ -34,7 +34,7 @@ class Stmt extends StmtParent, @stmt {
  }

  /** Gets a child of this statement. */
-  Element getAChild() { exists(int n | result = this.getChild(n)) }
+  Element getAChild() { result = this.getChild(_) }

  /** Gets the parent of this statement, if any. */
  StmtParent getParent() { stmtparents(underlyingElement(this), _, unresolveElement(result)) }
--- a/cpp/ql/lib/semmle/code/cpp/valuenumbering/GlobalValueNumberingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/valuenumbering/GlobalValueNumberingImpl.qll
@@ -183,7 +183,7 @@ private newtype GvnBase =
  // global variable will only get the same value number if they are
  // guaranteed to have the same value.
  GVN_OtherVariable(Variable x, ControlFlowNode dominator) { mk_OtherVariable(x, dominator, _) } or
-  GVN_FieldAccess(GVN s, Field f) {
+  deprecated GVN_FieldAccess(GVN s, Field f) {
    mk_DotFieldAccess(s, f, _) or
    mk_PointerFieldAccess_with_deref(s, f, _) or
    mk_ImplicitThisFieldAccess_with_deref(s, f, _)
@@ -192,7 +192,7 @@ private newtype GvnBase =
  // time the pointer was dereferenced, so we need to include a definition
  // location. As a crude (but safe) approximation, we use
  // `mostRecentSideEffect` to compute a definition location.
-  GVN_Deref(GVN p, ControlFlowNode dominator) {
+  deprecated GVN_Deref(GVN p, ControlFlowNode dominator) {
    mk_Deref(p, dominator, _) or
    mk_PointerFieldAccess(p, _, dominator, _) or
    mk_ImplicitThisFieldAccess_with_qualifier(p, _, dominator, _)
@@ -201,10 +201,12 @@ private newtype GvnBase =
    mk_ThisExpr(fcn, _) or
    mk_ImplicitThisFieldAccess(fcn, _, _, _)
  } or
-  GVN_Conversion(Type t, GVN child) { mk_Conversion(t, child, _) } or
-  GVN_BinaryOp(GVN lhs, GVN rhs, string opname) { mk_BinaryOp(lhs, rhs, opname, _) } or
-  GVN_UnaryOp(GVN child, string opname) { mk_UnaryOp(child, opname, _) } or
-  GVN_ArrayAccess(GVN x, GVN i, ControlFlowNode dominator) { mk_ArrayAccess(x, i, dominator, _) } or
+  deprecated GVN_Conversion(Type t, GVN child) { mk_Conversion(t, child, _) } or
+  deprecated GVN_BinaryOp(GVN lhs, GVN rhs, string opname) { mk_BinaryOp(lhs, rhs, opname, _) } or
+  deprecated GVN_UnaryOp(GVN child, string opname) { mk_UnaryOp(child, opname, _) } or
+  deprecated GVN_ArrayAccess(GVN x, GVN i, ControlFlowNode dominator) {
+    mk_ArrayAccess(x, i, dominator, _)
+  } or
  // Any expression that is not handled by the cases above is
  // given a unique number based on the expression itself.
  GVN_Unanalyzable(Expr e) { not analyzableExpr(e) }
@@ -340,7 +342,7 @@ private predicate analyzableDotFieldAccess(DotFieldAccess access) {
  not analyzableConst(access)
 }

-private predicate mk_DotFieldAccess(GVN qualifier, Field target, DotFieldAccess access) {
+deprecated private predicate mk_DotFieldAccess(GVN qualifier, Field target, DotFieldAccess access) {
  analyzableDotFieldAccess(access) and
  target = access.getTarget() and
  qualifier = globalValueNumber(access.getQualifier().getFullyConverted())
@@ -353,7 +355,7 @@ private predicate analyzablePointerFieldAccess(PointerFieldAccess access) {
  not analyzableConst(access)
 }

-private predicate mk_PointerFieldAccess(
+deprecated private predicate mk_PointerFieldAccess(
  GVN qualifier, Field target, ControlFlowNode dominator, PointerFieldAccess access
 ) {
  analyzablePointerFieldAccess(access) and
@@ -366,7 +368,7 @@ private predicate mk_PointerFieldAccess(
 * `obj->field` is equivalent to `(*obj).field`, so we need to wrap an
 * extra `GVN_Deref` around the qualifier.
 */
-private predicate mk_PointerFieldAccess_with_deref(
+deprecated private predicate mk_PointerFieldAccess_with_deref(
  GVN new_qualifier, Field target, PointerFieldAccess access
 ) {
  exists(GVN qualifier, ControlFlowNode dominator |
@@ -391,7 +393,7 @@ private predicate mk_ImplicitThisFieldAccess(
  fcn = access.getEnclosingFunction()
 }

-private predicate mk_ImplicitThisFieldAccess_with_qualifier(
+deprecated private predicate mk_ImplicitThisFieldAccess_with_qualifier(
  GVN qualifier, Field target, ControlFlowNode dominator, ImplicitThisFieldAccess access
 ) {
  exists(Function fcn |
@@ -400,7 +402,7 @@ private predicate mk_ImplicitThisFieldAccess_with_qualifier(
  )
 }

-private predicate mk_ImplicitThisFieldAccess_with_deref(
+deprecated private predicate mk_ImplicitThisFieldAccess_with_deref(
  GVN new_qualifier, Field target, ImplicitThisFieldAccess access
 ) {
  exists(GVN qualifier, ControlFlowNode dominator |
@@ -434,7 +436,7 @@ private predicate analyzableConversion(Conversion conv) {
  not analyzableConst(conv)
 }

-private predicate mk_Conversion(Type t, GVN child, Conversion conv) {
+deprecated private predicate mk_Conversion(Type t, GVN child, Conversion conv) {
  analyzableConversion(conv) and
  t = conv.getUnspecifiedType() and
  child = globalValueNumber(conv.getExpr())
@@ -448,7 +450,7 @@ private predicate analyzableBinaryOp(BinaryOperation op) {
  not analyzableConst(op)
 }

-private predicate mk_BinaryOp(GVN lhs, GVN rhs, string opname, BinaryOperation op) {
+deprecated private predicate mk_BinaryOp(GVN lhs, GVN rhs, string opname, BinaryOperation op) {
  analyzableBinaryOp(op) and
  lhs = globalValueNumber(op.getLeftOperand().getFullyConverted()) and
  rhs = globalValueNumber(op.getRightOperand().getFullyConverted()) and
@@ -463,7 +465,7 @@ private predicate analyzableUnaryOp(UnaryOperation op) {
  not analyzableConst(op)
 }

-private predicate mk_UnaryOp(GVN child, string opname, UnaryOperation op) {
+deprecated private predicate mk_UnaryOp(GVN child, string opname, UnaryOperation op) {
  analyzableUnaryOp(op) and
  child = globalValueNumber(op.getOperand().getFullyConverted()) and
  opname = op.getOperator()
@@ -486,7 +488,9 @@ private predicate analyzableArrayAccess(ArrayExpr ae) {
  not analyzableConst(ae)
 }

-private predicate mk_ArrayAccess(GVN base, GVN offset, ControlFlowNode dominator, ArrayExpr ae) {
+deprecated private predicate mk_ArrayAccess(
+  GVN base, GVN offset, ControlFlowNode dominator, ArrayExpr ae
+) {
  analyzableArrayAccess(ae) and
  base = globalValueNumber(ae.getArrayBase().getFullyConverted()) and
  offset = globalValueNumber(ae.getArrayOffset().getFullyConverted()) and
@@ -499,7 +503,7 @@ private predicate analyzablePointerDereferenceExpr(PointerDereferenceExpr deref)
  not analyzableConst(deref)
 }

-private predicate mk_Deref(GVN p, ControlFlowNode dominator, PointerDereferenceExpr deref) {
+deprecated private predicate mk_Deref(GVN p, ControlFlowNode dominator, PointerDereferenceExpr deref) {
  analyzablePointerDereferenceExpr(deref) and
  p = globalValueNumber(deref.getOperand().getFullyConverted()) and
  dominator = mostRecentSideEffect(deref)
--- a/cpp/ql/lib/semmle/code/cpp/valuenumbering/HashCons.qll
+++ b/cpp/ql/lib/semmle/code/cpp/valuenumbering/HashCons.qll
@@ -475,9 +475,7 @@ private predicate mk_NonmemberFunctionCall(Function fcn, HC_Args args, FunctionC
  fc.getTarget() = fcn and
  analyzableNonmemberFunctionCall(fc) and
  (
-    exists(HashCons head, HC_Args tail |
-      mk_ArgConsInner(head, tail, fc.getNumberOfArguments() - 1, args, fc)
-    )
+    mk_ArgConsInner(_, _, fc.getNumberOfArguments() - 1, args, fc)
    or
    fc.getNumberOfArguments() = 0 and
    args = HC_EmptyArgs()
@@ -494,9 +492,7 @@ private predicate analyzableExprCall(ExprCall ec) {
 private predicate mk_ExprCall(HashCons hc, HC_Args args, ExprCall ec) {
  hc.getAnExpr() = ec.getExpr() and
  (
-    exists(HashCons head, HC_Args tail |
-      mk_ArgConsInner(head, tail, ec.getNumberOfArguments() - 1, args, ec)
-    )
+    mk_ArgConsInner(_, _, ec.getNumberOfArguments() - 1, args, ec)
    or
    ec.getNumberOfArguments() = 0 and
    args = HC_EmptyArgs()
@@ -516,9 +512,7 @@ private predicate mk_MemberFunctionCall(Function fcn, HashCons qual, HC_Args arg
  analyzableMemberFunctionCall(fc) and
  hashCons(fc.getQualifier().getFullyConverted()) = qual and
  (
-    exists(HashCons head, HC_Args tail |
-      mk_ArgConsInner(head, tail, fc.getNumberOfArguments() - 1, args, fc)
-    )
+    mk_ArgConsInner(_, _, fc.getNumberOfArguments() - 1, args, fc)
    or
    fc.getNumberOfArguments() = 0 and
    args = HC_EmptyArgs()
@@ -541,10 +535,8 @@ private predicate mk_ArgCons(HashCons hc, int i, HC_Args list, Call c) {
  analyzableCall(c) and
  hc = hashCons(c.getArgument(i).getFullyConverted()) and
  (
-    exists(HashCons head, HC_Args tail |
-      mk_ArgConsInner(head, tail, i - 1, list, c) and
-      i > 0
-    )
+    mk_ArgConsInner(_, _, i - 1, list, c) and
+    i > 0
    or
    i = 0 and
    list = HC_EmptyArgs()
--- a/Show More
+++ b/Show More