Restore queries to old state

QL4QL: Add DependencyPath.ql query

.github/labeler.yml

@@ -43,3 +43,11 @@ documentation:
 "QL-for-QL":
   - ql/**/*
   - .github/workflows/ql-for-ql*
+
+# Since these are all shared files that need to be synced, just pick _one_ copy of each.
+"DataFlow Library":
+  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll"

.github/workflows/atm-check-queries-run.yml

@@ -0,0 +1,56 @@
+name: ATM Check Queries Run
+
+env:
+  DB_PATH: test_db
+  ATM_MODEL_PACK: javascript/ql/experimental/adaptivethreatmodeling/src
+  QUERY_SUITE: codeql-suites/javascript-atm-code-scanning.qls
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/atm-check-queries-run.yml"
+      - "javascript/ql/experimental/adaptivethreatmodeling/**"
+  workflow_dispatch:
+
+jobs:
+  run-atm-queries:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install CodeQL CLI
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh extensions install github/gh-codeql
+          gh codeql download
+
+      - name: Install ATM model pack
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -exu
+          
+          # Install ATM model pack
+          gh codeql pack install ${ATM_MODEL_PACK}
+
+          # Retrieve model checksum
+          model_checksum=$(gh codeql resolve extensions ${ATM_MODEL_PACK}/${QUERY_SUITE} | jq -r '.models[0].checksum')
+
+          # Trust the model so that we can use it in the ATM boosted queries
+          mkdir -p "$HOME/.config/codeql"
+          echo "--insecurely-execute-ml-model-checksums ${model_checksum}" >> "$HOME/.config/codeql/config"
+
+      - name: Create test DB
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh codeql database create ${RUNNER_TEMP}/${DB_PATH} --source-root config/atm/ --language javascript 
+
+      - name: Run ATM query suite
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh codeql database run-queries -vv -- ${RUNNER_TEMP}/${DB_PATH} ${ATM_MODEL_PACK}/${QUERY_SUITE}
+      

.github/workflows/atm-model-integration-tests.yml

@@ -0,0 +1,12 @@
+name: ATM Model Integration Tests
+
+on:
+  workflow_dispatch:
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: foo
+        run: echo "Hello world"

.github/workflows/go-tests.yml

@@ -43,7 +43,7 @@ jobs:
           env QHELP_OUT_DIR=qhelp-out make qhelp-to-markdown
 
       - name: Upload qhelp markdown
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: qhelp-markdown
           path: go/qhelp-out/**/*.md

.github/workflows/qhelp-pr-preview.yml

@@ -27,7 +27,7 @@ on:
       - main
       - "rc/*"
     paths:
-      - "ruby/**/*.qhelp"
+      - "**/*.qhelp"
 
 jobs:
   qhelp:
@@ -52,7 +52,7 @@ jobs:
         id: changes
         run: |
           (git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.qhelp$' | grep -z -v '.inc.qhelp';
-           git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename | xargs --null -rn1 git grep -z -l) |
+           git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename -z | xargs --null -rn1 git grep -z -l) |
            grep -z '.qhelp$' | grep -z -v '^-' | sort -z -u > "${RUNNER_TEMP}/paths.txt"
 
       - name: QHelp preview

.github/workflows/ruby-build.yml

@@ -96,8 +96,8 @@ jobs:
       - name: Build Query Pack
         run: |
           codeql pack create ../shared/ssa --output target/packs
+          codeql pack create ../misc/suite-helpers --output target/packs
           codeql pack create ql/lib --output target/packs
-          codeql pack install ql/src
           codeql pack create ql/src --output target/packs
           PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
           codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
@@ -202,7 +202,7 @@ jobs:
           echo 'name: sample-tests
           version: 0.0.0
           dependencies:
-            codeql/ruby-all: 0.0.1
+            codeql/ruby-all: "*"
           extractor: ruby
           tests: .
           ' > qlpack.yml

.github/workflows/swift-autobuilder.yml

@@ -0,0 +1,27 @@
+name: "Swift: Build and test Xcode autobuilder"
+
+on:
+  pull_request:
+    paths:
+      - "swift/xcode-autobuilder/**"
+      - "misc/bazel/**"
+      - "*.bazel*"
+      - .github/workflows/swift-autobuilder.yml
+    branches:
+      - main
+
+jobs:
+  autobuilder:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: bazelbuild/setup-bazelisk@v2
+      - uses: actions/setup-python@v4
+        with:
+          python-version-file: 'swift/.python-version'
+      - name: Build the Xcode autobuilder
+        run: |
+          bazel build //swift/xcode-autobuilder
+      - name: Test the Xcode autobuilder
+        run: |
+          bazel test //swift/xcode-autobuilder/tests

.github/workflows/swift-codegen.yml

@@ -10,6 +10,9 @@ on:
       - .github/actions/fetch-codeql/action.yml
     branches:
       - main
+defaults:
+  run:
+    working-directory: swift
 
 jobs:
   codegen:
@@ -18,7 +21,9 @@ jobs:
       - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version-file: 'swift/.python-version'
       - uses: pre-commit/action@v3.0.0
         name: Check that python code is properly formatted
         with:

.github/workflows/swift-integration-tests.yml

@@ -28,7 +28,9 @@ jobs:
       - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version-file: 'swift/.python-version'
       - name: Build Swift extractor
         run: |
           bazel run //swift:create-extractor-pack

.github/workflows/swift-qltest.yml

@@ -23,16 +23,30 @@ jobs:
       - uses: ./.github/actions/fetch-codeql
       - name: Check QL formatting
         run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
+  qltest-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: bazelbuild/setup-bazelisk@v2
+      - uses: actions/setup-python@v4
+        with:
+          python-version-file: 'swift/.python-version'
+      - name: Test qltest.sh
+        run: |
+          bazel test //swift/tools/test/qltest
   qltest:
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
-        os : [ubuntu-20.04, macos-latest]
+        os: [ ubuntu-20.04, macos-latest ]
     steps:
       - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - uses: bazelbuild/setup-bazelisk@v2
+      - uses: actions/setup-python@v4
+        with:
+          python-version-file: 'swift/.python-version'
       - name: Build Swift extractor
         run: |
           bazel run //swift:create-extractor-pack

CODEOWNERS

@@ -20,9 +20,9 @@
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
 
 # CodeQL tools and associated docs
-/docs/codeql-cli/ @github/codeql-cli-reviewers
-/docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
-/docs/ql-language-reference/ @github/codeql-frontend-reviewers
+/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
+/docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
+/docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
 /docs/query-*-style-guide.md @github/codeql-analysis-reviewers
 
 # QL for QL reviewers

README.md

@@ -4,8 +4,7 @@ This open source repository contains the standard CodeQL libraries and queries t
 
 ## How do I learn CodeQL and run queries?
 
-There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL.
-You can use the [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) extension or the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com (Semmle Legacy product) to try out your queries on any open source project that's currently being analyzed.
+There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL using the [CodeQL extension for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) and the [CodeQL CLI](https://codeql.github.com/docs/codeql-cli/).
 
 ## Contributing
 

change-notes/1.20/analysis-javascript.md

@@ -52,7 +52,7 @@
 | Unneeded defensive code | More true positive and fewer false positive results | This query now recognizes additional defensive code patterns. |
 | Unsafe dynamic method access              | Fewer false positive results | This query no longer flags concatenated strings as unsafe method names. |
 | Unused parameter                           | Fewer false positive results | This query no longer flags parameters with leading underscore. |
-| Unused variable, import, function or class | Fewer false positive results | This query now flags fewer variables that are implictly used by JSX elements. It no longer flags variables with a leading underscore and variables in dead code. |
+| Unused variable, import, function or class | Fewer false positive results | This query now flags fewer variables that are implicitly used by JSX elements. It no longer flags variables with a leading underscore and variables in dead code. |
 | Unvalidated dynamic method call           | More true positive results | This query now flags concatenated strings as unvalidated method names in more cases. |
 | Useless assignment to property. | Fewer false positive results | This query now treats assignments with complex right-hand sides correctly. |
 | Useless conditional | Fewer results | Additional defensive coding patterns are now ignored. |

change-notes/1.23/analysis-cpp.md

@@ -19,7 +19,7 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
 | Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) | Deprecated | This query has been deprecated.  Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
 | Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`) | Deprecated | This query has been deprecated.  Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
 | Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | More correct results | This query now checks for the beginning date of the Reiwa era (1st May 2019). |
-| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Fixed false positive results triggrered by mismatching declarations of a formatting function. |
+| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |
 | Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive results | Results involving `>=` or `<=` are no longer reported. |
 | Too few arguments to formatting function (`cpp/wrong-number-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |
 | Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |

change-notes/1.24/analysis-javascript.md

@@ -91,7 +91,7 @@
 
 ## Changes to libraries
 
-* The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimick this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
+* The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimic this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
 * An extensible model of the `EventEmitter` pattern has been implemented.
 * Taint-tracking configurations now interact differently with the `data` flow label, which may affect queries
   that combine taint-tracking and flow labels.

codeql-workspace.yml

@@ -4,6 +4,7 @@ provide:
   - "*/ql/test/qlpack.yml"
   - "*/ql/examples/qlpack.yml"
   - "*/ql/consistency-queries/qlpack.yml"
+  - "*/upgrades/qlpack.yml"
   - "shared/*/qlpack.yml"
   - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
   - "go/ql/config/legacy-support/qlpack.yml"
@@ -25,9 +26,3 @@ provide:
   - "ruby/extractor-pack/codeql-extractor.yml"
   - "swift/extractor-pack/codeql-extractor.yml"
   - "ql/extractor-pack/codeql-extractor.ym"
-
-versionPolicies:
-  default:
-    requireChangeNotes: true
-    committedPrereleaseSuffix: dev
-    committedVersion: nextPatchRelease

config/atm/ml-powered-queries-repo/add-note.js

@@ -0,0 +1,21 @@
+const mongoose = require('mongoose');
+
+Logger = require('./logger').Logger;
+Note = require('./models/note').Note;
+
+(async () => {
+  if (process.argv.length != 5) {
+    Logger.log("Creates a private note.  Usage: node add-note.js <token> <title> <body>")
+    return;
+  }
+
+  // Open the default mongoose connection
+  await mongoose.connect('mongodb://localhost:27017/notes', { useFindAndModify: false });
+
+  const [userToken, title, body] = process.argv.slice(2);
+  await Note.create({ title, body, userToken });
+
+  Logger.log(`Created private note with title ${title} and body ${body} belonging to user with token ${userToken}.`);
+
+  await mongoose.connection.close();
+})();

config/atm/ml-powered-queries-repo/app.js

@@ -0,0 +1,68 @@
+const bodyParser = require('body-parser');
+const express = require('express');
+const mongoose = require('mongoose');
+
+const notesApi = require('./notes-api');
+const usersApi = require('./users-api');
+
+const addSampleData = module.exports.addSampleData = async () => {
+  const [userA, userB] = await User.create([
+    {
+      name: "A",
+      token: "tokenA"
+    },
+    {
+      name: "B",
+      token: "tokenB"
+    }
+  ]);
+
+  await Note.create([
+    {
+      title: "Public note belonging to A",
+      body: "This is a public note belonging to A",
+      isPublic: true,
+      ownerToken: userA.token
+    },
+    {
+      title: "Public note belonging to B",
+      body: "This is a public note belonging to B",
+      isPublic: true,
+      ownerToken: userB.token
+    },
+    {
+      title: "Private note belonging to A",
+      body: "This is a private note belonging to A",
+      ownerToken: userA.token
+    },
+    {
+      title: "Private note belonging to B",
+      body: "This is a private note belonging to B",
+      ownerToken: userB.token
+    }
+  ]);
+}
+
+module.exports.startApp = async () => {
+  // Open the default mongoose connection
+  await mongoose.connect('mongodb://mongo:27017/notes', { useFindAndModify: false });
+  // Drop contents of DB
+  mongoose.connection.dropDatabase();
+  // Add some sample data
+  await addSampleData();
+
+  const app = express();
+
+  app.use(bodyParser.json());
+  app.use(bodyParser.urlencoded());
+
+  app.get('/', async (_req, res) => {
+    res.send('Hello World');
+  });
+
+  app.use('/api/notes', notesApi.router);
+  app.use('/api/users', usersApi.router);
+
+  app.listen(3000);
+  Logger.log('Express started on port 3000');
+};

config/atm/ml-powered-queries-repo/index.js

@@ -0,0 +1,7 @@
+const startApp = require('./app').startApp;
+
+Logger = require('./logger').Logger;
+Note = require('./models/note').Note;
+User = require('./models/user').User;
+
+startApp();

config/atm/ml-powered-queries-repo/logger.js

@@ -0,0 +1,5 @@
+module.exports.Logger = class {
+  log(message, ...objs) {
+    console.log(message, objs);
+  }
+};

config/atm/ml-powered-queries-repo/models/note.js

@@ -0,0 +1,8 @@
+const mongoose = require('mongoose');
+
+module.exports.Note = mongoose.model('Note', new mongoose.Schema({
+  title: String,
+  body: String,
+  ownerToken: String,
+  isPublic: Boolean
+}));

config/atm/ml-powered-queries-repo/models/user.js

@@ -0,0 +1,6 @@
+const mongoose = require('mongoose');
+
+module.exports.User = mongoose.model('User', new mongoose.Schema({
+  name: String,
+  token: String
+}));

config/atm/ml-powered-queries-repo/notes-api.js

@@ -0,0 +1,44 @@
+const express = require('express')
+
+const router = module.exports.router = express.Router();
+
+function serializeNote(note) {
+  return {
+    title: note.title,
+    body: note.body
+  };
+}
+
+router.post('/find', async (req, res) => {
+  const notes = await Note.find({
+    ownerToken: req.body.token
+  }).exec();
+  res.json({
+    notes: notes.map(serializeNote)
+  });
+});
+
+router.get('/findPublic', async (_req, res) => {
+  const notes = await Note.find({
+    isPublic: true
+  }).exec();
+  res.json({
+    notes: notes.map(serializeNote)
+  });
+});
+
+router.post('/findVisible', async (req, res) => {
+  const notes = await Note.find({
+    $or: [
+      {
+        isPublic: true
+      },
+      {
+        ownerToken: req.body.token
+      }
+    ]
+  }).exec();
+  res.json({
+    notes: notes.map(serializeNote)
+  });
+});

config/atm/ml-powered-queries-repo/read-notes.js

@@ -0,0 +1,37 @@
+const mongoose = require('mongoose');
+
+Logger = require('./logger').Logger;
+Note = require('./models/note').Note;
+User = require('./models/user').User;
+
+(async () => {
+  if (process.argv.length != 3) {
+    Logger.log("Outputs all notes visible to a user.  Usage: node read-notes.js <token>")
+    return;
+  }
+
+  // Open the default mongoose connection
+  await mongoose.connect('mongodb://localhost:27017/notes', { useFindAndModify: false });
+
+  const ownerToken = process.argv[2];
+
+  const user = await User.findOne({
+    token: ownerToken
+  }).exec();
+
+  const notes = await Note.find({
+    $or: [
+      { isPublic: true },
+      { ownerToken }
+    ]
+  }).exec();
+
+  notes.map(note => {
+    Logger.log("Title:" + note.title);
+    Logger.log("By:" + user.name);
+    Logger.log("Body:" + note.body);
+    Logger.log();
+  });
+
+  await mongoose.connection.close();
+})();

config/atm/ml-powered-queries-repo/users-api.js

@@ -0,0 +1,25 @@
+const express = require('express')
+
+Logger = require('./logger').Logger;
+const router = module.exports.router = express.Router();
+
+router.post('/updateName', async (req, res) => {
+  Logger.log("/updateName called with new name", req.body.name);
+  await User.findOneAndUpdate({
+    token: req.body.token
+  }, {
+    name: req.body.name
+  }).exec();
+  res.json({
+    name: req.body.name
+  });
+});
+
+router.post('/getName', async (req, res) => {
+  const user = await User.findOne({
+    token: req.body.token
+  }).exec();
+  res.json({
+    name: user.name
+  });
+});

config/identical-files.json

@@ -33,8 +33,9 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForRegExp.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForHttpClientLibraries.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForPathname.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Common": [
@@ -69,7 +70,6 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttrackingforlibraries/TaintTrackingImpl.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Consistency checks": [

cpp/ql/examples/qlpack.yml

@@ -1,6 +1,4 @@
 name: codeql/cpp-examples
-groups: 
-  - cpp
-  - examples
+version: 0.0.2
 dependencies:
   codeql/cpp-all: "*"

cpp/ql/lib/BUILD.bazel

@@ -1,15 +0,0 @@
-package(default_visibility = ["//cpp:__pkg__"])
-
-load("@rules_pkg//:mappings.bzl", "pkg_files")
-
-pkg_files(
-    name = "dbscheme",
-    srcs = ["semmlecode.cpp.dbscheme"],
-    prefix = "cpp",
-)
-
-pkg_files(
-    name = "dbscheme-stats",
-    srcs = ["semmlecode.cpp.dbscheme.stats"],
-    prefix = "cpp",
-)

cpp/ql/lib/CHANGELOG.md

@@ -1,157 +0,0 @@
-## 0.3.5
-
-## 0.3.4
-
-### Deprecated APIs
-
-* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
-  The old name still exists as a deprecated alias.
-
-### New Features
-
-* Added support for getting the link targets of global and namespace variables.
-* Added a `BlockAssignExpr` class, which models a `memcpy`-like operation used in compiler generated copy/move constructors and assignment operations.
-
-### Minor Analysis Improvements
-
-* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
-
-## 0.3.3
-
-### New Features
-
-* Added a predicate `getValueConstant` to `AttributeArgument` that yields the argument value as an `Expr` when the value is a constant expression.
-* A new class predicate `MustFlowConfiguration::allowInterproceduralFlow` has been added to the `semmle.code.cpp.ir.dataflow.MustFlow` library. The new predicate can be overridden to disable interprocedural flow.
-* Added subclasses of `BuiltInOperations` for `__builtin_bit_cast`, `__builtin_shuffle`, `__has_unique_object_representations`, `__is_aggregate`, and `__is_assignable`.
-
-### Major Analysis Improvements
-
-* The IR dataflow library now includes flow through global variables. This enables new findings in many scenarios.
-
-## 0.3.2
-
-### Bug Fixes
-
-* Under certain circumstances a variable declaration that is not also a definition could be associated with a `Variable` that did not have the definition as a `VariableDeclarationEntry`. This is now fixed, and a unique `Variable` will exist that has both the declaration and the definition as a `VariableDeclarationEntry`.
-
-## 0.3.1
-
-### Minor Analysis Improvements
-
-* `AnalysedExpr::isNullCheck` and `AnalysedExpr::isValidCheck` have been updated to handle variable accesses on the left-hand side of the C++ logical "and", and variable declarations in conditions.
-
-## 0.3.0
-
-### Deprecated APIs
-
-* The `BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new `BarrierGuard` parameterized module.
-
-### Bug Fixes
-
-* `UserType.getADeclarationEntry()` now yields all forward declarations when the user type is a `class`, `struct`, or `union`.
-
-## 0.2.3
-
-### New Features
-
-* An `isBraced` predicate was added to the `Initializer` class which holds when a C++ braced initializer was used in the initialization.
-
-## 0.2.2
-
-### Deprecated APIs
-
- * The `AnalysedString` class in the `StringAnalysis` module has been replaced with `AnalyzedString`, to follow our style guide. The old name still exists as a deprecated alias.
-
-### New Features
-
-* A `getInitialization` predicate was added to the `ConstexprIfStmt`, `IfStmt`, and `SwitchStmt` classes that yields the C++17-style initializer of the `if` or `switch` statement when it exists.
-
-## 0.2.1
-
-## 0.2.0
-
-### Breaking Changes
-
-* The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
-
-### Minor Analysis Improvements
-
-* More Windows pool allocation functions are now detected as `AllocationFunction`s.
-* The `semmle.code.cpp.commons.Buffer` library has been enhanced to handle array members of classes that do not specify a size.
-
-## 0.1.0
-
-### Breaking Changes
-
-* The recently added flow-state versions of `isBarrierIn`, `isBarrierOut`, `isSanitizerIn`, and `isSanitizerOut` in the data flow and taint tracking libraries have been removed.
-
-### New Features
-
-* A new library `semmle.code.cpp.security.PrivateData` has been added. The new library heuristically detects variables and functions dealing with sensitive private data, such as e-mail addresses and credit card numbers.
-
-### Minor Analysis Improvements
-
-* The `semmle.code.cpp.security.SensitiveExprs` library has been enhanced with some additional rules for detecting credentials.
-
-## 0.0.13
-
-## 0.0.12
-
-### Breaking Changes
-
-* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
-
-### Deprecated APIs
-
-* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. 
-  The old name still exists as a deprecated alias.
-
-### New Features
-
-* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
-
-### Minor Analysis Improvements
-
-* `DefaultOptions::exits` now holds for C11 functions with the `_Noreturn` or `noreturn` specifier.
-* `hasImplicitCopyConstructor` and `hasImplicitCopyAssignmentOperator` now correctly handle implicitly-deleted operators in templates.
-* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
-
-## 0.0.11
-
-### Minor Analysis Improvements
-
-* Many queries now support structured bindings, as structured bindings are now handled in the IR translation.
-
-## 0.0.10
-
-### New Features
-
-* Added a `isStructuredBinding` predicate to the `Variable` class which holds when the variable is declared as part of a structured binding declaration.
-
-## 0.0.9
-
-
-## 0.0.8
-
-### Deprecated APIs
-
-* The `codeql/cpp-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the `codeql/cpp-all` CodeQL pack.
-
-### Minor Analysis Improvements
-
-* `FormatLiteral::getMaxConvertedLength` now uses range analysis to provide a
-  more accurate length for integers formatted with `%x`
-
-## 0.0.7
-
-## 0.0.6
-
-## 0.0.5
-
-## 0.0.4
-
-### New Features
-
-* The QL library `semmle.code.cpp.commons.Exclusions` now contains a predicate
-  `isFromSystemMacroDefinition` for identifying code that originates from a
-  macro outside the project being analyzed.

cpp/ql/lib/DefaultOptions.qll

@@ -54,13 +54,11 @@ class Options extends string {
    *
    * By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
    * `longjmp`, `__builtin_unreachable` and any function with a
-   * `noreturn` attribute or specifier.
+   * `noreturn` attribute.
    */
   predicate exits(Function f) {
     f.getAnAttribute().hasName("noreturn")
     or
-    f.getASpecifier().hasName("noreturn")
-    or
     f.hasGlobalOrStdName([
         "exit", "_exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
       ])
@@ -75,7 +73,7 @@ class Options extends string {
    *   __assume(0);
    * ```
    * (note that in this case if the hint is wrong and the expression is reached at
-   * runtime, the program's behavior is undefined)
+   * runtime, the program's behaviour is undefined)
    */
   predicate exprExits(Expr e) {
     e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0 or

cpp/ql/lib/Options.qll

@@ -39,7 +39,7 @@ class CustomOptions extends Options {
    *
    * By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
    * `longjmp`, `error`, `__builtin_unreachable` and any function with a
-   * `noreturn` attribute or specifier.
+   * `noreturn` attribute.
    */
   override predicate exits(Function f) { Options.super.exits(f) }
 
@@ -50,7 +50,7 @@ class CustomOptions extends Options {
    *   __assume(0);
    * ```
    * (note that in this case if the hint is wrong and the expression is reached at
-   * runtime, the program's behavior is undefined)
+   * runtime, the program's behaviour is undefined)
    */
   override predicate exprExits(Expr e) { Options.super.exprExits(e) }
 

cpp/ql/lib/change-notes/2022-09-06-additional-builtin-support.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added subclasses of `BuiltInOperations` for `__is_same`, `__is_function`, `__is_layout_compatible`, `__is_pointer_interconvertible_base_of`, `__is_array`, `__array_rank`, `__array_extent`, `__is_arithmetic`, `__is_complete_type`, `__is_compound`, `__is_const`, `__is_floating_point`, `__is_fundamental`, `__is_integral`, `__is_lvalue_reference`, `__is_member_function_pointer`, `__is_member_object_pointer`, `__is_member_pointer`, `__is_object`, `__is_pointer`, `__is_reference`, `__is_rvalue_reference`, `__is_scalar`, `__is_signed`, `__is_unsigned`, `__is_void`, and `__is_volatile`.

cpp/ql/lib/change-notes/2022-09-08-implicit-read-flowstates.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.

cpp/ql/lib/change-notes/2022-09-12-uppercase.md

@@ -1,5 +0,0 @@
----
-category: deprecated
----
-* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
-  The old name still exists as a deprecated alias.

cpp/ql/lib/change-notes/released/0.0.10.md

@@ -1,5 +0,0 @@
-## 0.0.10
-
-### New Features
-
-* Added a `isStructuredBinding` predicate to the `Variable` class which holds when the variable is declared as part of a structured binding declaration.

cpp/ql/lib/change-notes/released/0.0.11.md

@@ -1,5 +0,0 @@
-## 0.0.11
-
-### Minor Analysis Improvements
-
-* Many queries now support structured bindings, as structured bindings are now handled in the IR translation.

cpp/ql/lib/change-notes/released/0.0.12.md

@@ -1,20 +0,0 @@
-## 0.0.12
-
-### Breaking Changes
-
-* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
-
-### Deprecated APIs
-
-* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. 
-  The old name still exists as a deprecated alias.
-
-### New Features
-
-* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
-
-### Minor Analysis Improvements
-
-* `DefaultOptions::exits` now holds for C11 functions with the `_Noreturn` or `noreturn` specifier.
-* `hasImplicitCopyConstructor` and `hasImplicitCopyAssignmentOperator` now correctly handle implicitly-deleted operators in templates.
-* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

cpp/ql/lib/change-notes/released/0.0.13.md

@@ -1 +0,0 @@
-## 0.0.13

cpp/ql/lib/change-notes/released/0.0.4.md

@@ -1,7 +0,0 @@
-## 0.0.4
-
-### New Features
-
-* The QL library `semmle.code.cpp.commons.Exclusions` now contains a predicate
-  `isFromSystemMacroDefinition` for identifying code that originates from a
-  macro outside the project being analyzed.

cpp/ql/lib/change-notes/released/0.0.5.md

@@ -1 +0,0 @@
-## 0.0.5

cpp/ql/lib/change-notes/released/0.0.6.md

@@ -1 +0,0 @@
-## 0.0.6

cpp/ql/lib/change-notes/released/0.0.7.md

@@ -1 +0,0 @@
-## 0.0.7

cpp/ql/lib/change-notes/released/0.0.8.md

@@ -1,10 +0,0 @@
-## 0.0.8
-
-### Deprecated APIs
-
-* The `codeql/cpp-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the `codeql/cpp-all` CodeQL pack.
-
-### Minor Analysis Improvements
-
-* `FormatLiteral::getMaxConvertedLength` now uses range analysis to provide a
-  more accurate length for integers formatted with `%x`

cpp/ql/lib/change-notes/released/0.0.9.md

@@ -1,2 +0,0 @@
-## 0.0.9
-

cpp/ql/lib/change-notes/released/0.1.0.md

@@ -1,13 +0,0 @@
-## 0.1.0
-
-### Breaking Changes
-
-* The recently added flow-state versions of `isBarrierIn`, `isBarrierOut`, `isSanitizerIn`, and `isSanitizerOut` in the data flow and taint tracking libraries have been removed.
-
-### New Features
-
-* A new library `semmle.code.cpp.security.PrivateData` has been added. The new library heuristically detects variables and functions dealing with sensitive private data, such as e-mail addresses and credit card numbers.
-
-### Minor Analysis Improvements
-
-* The `semmle.code.cpp.security.SensitiveExprs` library has been enhanced with some additional rules for detecting credentials.

cpp/ql/lib/change-notes/released/0.2.0.md

@@ -1,10 +0,0 @@
-## 0.2.0
-
-### Breaking Changes
-
-* The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
-
-### Minor Analysis Improvements
-
-* More Windows pool allocation functions are now detected as `AllocationFunction`s.
-* The `semmle.code.cpp.commons.Buffer` library has been enhanced to handle array members of classes that do not specify a size.

cpp/ql/lib/change-notes/released/0.2.1.md

@@ -1 +0,0 @@
-## 0.2.1

cpp/ql/lib/change-notes/released/0.2.2.md

@@ -1,9 +0,0 @@
-## 0.2.2
-
-### Deprecated APIs
-
- * The `AnalysedString` class in the `StringAnalysis` module has been replaced with `AnalyzedString`, to follow our style guide. The old name still exists as a deprecated alias.
-
-### New Features
-
-* A `getInitialization` predicate was added to the `ConstexprIfStmt`, `IfStmt`, and `SwitchStmt` classes that yields the C++17-style initializer of the `if` or `switch` statement when it exists.

cpp/ql/lib/change-notes/released/0.2.3.md

@@ -1,5 +0,0 @@
-## 0.2.3
-
-### New Features
-
-* An `isBraced` predicate was added to the `Initializer` class which holds when a C++ braced initializer was used in the initialization.

cpp/ql/lib/change-notes/released/0.3.0.md

@@ -1,9 +0,0 @@
-## 0.3.0
-
-### Deprecated APIs
-
-* The `BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new `BarrierGuard` parameterized module.
-
-### Bug Fixes
-
-* `UserType.getADeclarationEntry()` now yields all forward declarations when the user type is a `class`, `struct`, or `union`.

cpp/ql/lib/change-notes/released/0.3.1.md

@@ -1,5 +0,0 @@
-## 0.3.1
-
-### Minor Analysis Improvements
-
-* `AnalysedExpr::isNullCheck` and `AnalysedExpr::isValidCheck` have been updated to handle variable accesses on the left-hand side of the C++ logical "and", and variable declarations in conditions.

cpp/ql/lib/change-notes/released/0.3.2.md

@@ -1,5 +0,0 @@
-## 0.3.2
-
-### Bug Fixes
-
-* Under certain circumstances a variable declaration that is not also a definition could be associated with a `Variable` that did not have the definition as a `VariableDeclarationEntry`. This is now fixed, and a unique `Variable` will exist that has both the declaration and the definition as a `VariableDeclarationEntry`.

cpp/ql/lib/change-notes/released/0.3.3.md

@@ -1,11 +0,0 @@
-## 0.3.3
-
-### New Features
-
-* Added a predicate `getValueConstant` to `AttributeArgument` that yields the argument value as an `Expr` when the value is a constant expression.
-* A new class predicate `MustFlowConfiguration::allowInterproceduralFlow` has been added to the `semmle.code.cpp.ir.dataflow.MustFlow` library. The new predicate can be overridden to disable interprocedural flow.
-* Added subclasses of `BuiltInOperations` for `__builtin_bit_cast`, `__builtin_shuffle`, `__has_unique_object_representations`, `__is_aggregate`, and `__is_assignable`.
-
-### Major Analysis Improvements
-
-* The IR dataflow library now includes flow through global variables. This enables new findings in many scenarios.

cpp/ql/lib/change-notes/released/0.3.4.md

@@ -1,15 +0,0 @@
-## 0.3.4
-
-### Deprecated APIs
-
-* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
-  The old name still exists as a deprecated alias.
-
-### New Features
-
-* Added support for getting the link targets of global and namespace variables.
-* Added a `BlockAssignExpr` class, which models a `memcpy`-like operation used in compiler generated copy/move constructors and assignment operations.
-
-### Minor Analysis Improvements
-
-* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

cpp/ql/lib/change-notes/released/0.3.5.md

@@ -1 +0,0 @@
-## 0.3.5

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +0,0 @@
----
-lastReleaseVersion: 0.3.5

cpp/ql/lib/cpp.qll

@@ -69,4 +69,6 @@ import semmle.code.cpp.Comments
 import semmle.code.cpp.Preprocessor
 import semmle.code.cpp.Iteration
 import semmle.code.cpp.NameQualifiers
+import semmle.code.cpp.ObjectiveC
+import semmle.code.cpp.exprs.ObjectiveC
 import DefaultOptions

cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll

@@ -1,165 +0,0 @@
-import experimental.semmle.code.cpp.ir.dataflow.DataFlow
-import experimental.semmle.code.cpp.ir.dataflow.DataFlow2
-
-module ProductFlow {
-  abstract class Configuration extends string {
-    bindingset[this]
-    Configuration() { any() }
-
-    /**
-     * Holds if `(source1, source2)` is a relevant data flow source.
-     *
-     * `source1` and `source2` must belong to the same callable.
-     */
-    predicate isSourcePair(DataFlow::Node source1, DataFlow::Node source2) { none() }
-
-    /**
-     * Holds if `(source1, source2)` is a relevant data flow source with initial states `state1`
-     * and `state2`, respectively.
-     *
-     * `source1` and `source2` must belong to the same callable.
-     */
-    predicate isSourcePair(
-      DataFlow::Node source1, string state1, DataFlow::Node source2, string state2
-    ) {
-      state1 = "" and
-      state2 = "" and
-      this.isSourcePair(source1, source2)
-    }
-
-    /**
-     * Holds if `(sink1, sink2)` is a relevant data flow sink.
-     *
-     * `sink1` and `sink2` must belong to the same callable.
-     */
-    predicate isSinkPair(DataFlow::Node sink1, DataFlow::Node sink2) { none() }
-
-    /**
-     * Holds if `(sink1, sink2)` is a relevant data flow sink with final states `state1`
-     * and `state2`, respectively.
-     *
-     * `sink1` and `sink2` must belong to the same callable.
-     */
-    predicate isSinkPair(
-      DataFlow::Node sink1, DataFlow::FlowState state1, DataFlow::Node sink2,
-      DataFlow::FlowState state2
-    ) {
-      state1 = "" and
-      state2 = "" and
-      this.isSinkPair(sink1, sink2)
-    }
-
-    predicate hasFlowPath(
-      DataFlow::PathNode source1, DataFlow2::PathNode source2, DataFlow::PathNode sink1,
-      DataFlow2::PathNode sink2
-    ) {
-      reachable(this, source1, source2, sink1, sink2)
-    }
-  }
-
-  private import Internal
-
-  module Internal {
-    class Conf1 extends DataFlow::Configuration {
-      Conf1() { this = "Conf1" }
-
-      override predicate isSource(DataFlow::Node source, string state) {
-        exists(Configuration conf | conf.isSourcePair(source, state, _, _))
-      }
-
-      override predicate isSink(DataFlow::Node sink, string state) {
-        exists(Configuration conf | conf.isSinkPair(sink, state, _, _))
-      }
-    }
-
-    class Conf2 extends DataFlow2::Configuration {
-      Conf2() { this = "Conf2" }
-
-      override predicate isSource(DataFlow::Node source, string state) {
-        exists(Configuration conf, DataFlow::Node source1 |
-          conf.isSourcePair(source1, _, source, state) and
-          any(Conf1 c).hasFlow(source1, _)
-        )
-      }
-
-      override predicate isSink(DataFlow::Node sink, string state) {
-        exists(Configuration conf, DataFlow::Node sink1 |
-          conf.isSinkPair(sink1, _, sink, state) and any(Conf1 c).hasFlow(_, sink1)
-        )
-      }
-    }
-  }
-
-  private predicate reachableInterprocEntry(
-    Configuration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
-    DataFlow::PathNode node1, DataFlow2::PathNode node2
-  ) {
-    conf.isSourcePair(node1.getNode(), _, node2.getNode(), _) and
-    node1 = source1 and
-    node2 = source2
-    or
-    exists(
-      DataFlow::PathNode midEntry1, DataFlow2::PathNode midEntry2, DataFlow::PathNode midExit1,
-      DataFlow2::PathNode midExit2
-    |
-      reachableInterprocEntry(conf, source1, source2, midEntry1, midEntry2) and
-      interprocEdgePair(midExit1, midExit2, node1, node2) and
-      localPathStep1*(midEntry1, midExit1) and
-      localPathStep2*(midEntry2, midExit2)
-    )
-  }
-
-  private predicate localPathStep1(DataFlow::PathNode pred, DataFlow::PathNode succ) {
-    DataFlow::PathGraph::edges(pred, succ) and
-    pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
-      pragma[only_bind_out](succ.getNode().getEnclosingCallable())
-  }
-
-  private predicate localPathStep2(DataFlow2::PathNode pred, DataFlow2::PathNode succ) {
-    DataFlow2::PathGraph::edges(pred, succ) and
-    pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
-      pragma[only_bind_out](succ.getNode().getEnclosingCallable())
-  }
-
-  pragma[nomagic]
-  private predicate interprocEdge1(
-    Declaration predDecl, Declaration succDecl, DataFlow::PathNode pred1, DataFlow::PathNode succ1
-  ) {
-    DataFlow::PathGraph::edges(pred1, succ1) and
-    predDecl != succDecl and
-    pred1.getNode().getEnclosingCallable() = predDecl and
-    succ1.getNode().getEnclosingCallable() = succDecl
-  }
-
-  pragma[nomagic]
-  private predicate interprocEdge2(
-    Declaration predDecl, Declaration succDecl, DataFlow2::PathNode pred2, DataFlow2::PathNode succ2
-  ) {
-    DataFlow2::PathGraph::edges(pred2, succ2) and
-    predDecl != succDecl and
-    pred2.getNode().getEnclosingCallable() = predDecl and
-    succ2.getNode().getEnclosingCallable() = succDecl
-  }
-
-  private predicate interprocEdgePair(
-    DataFlow::PathNode pred1, DataFlow2::PathNode pred2, DataFlow::PathNode succ1,
-    DataFlow2::PathNode succ2
-  ) {
-    exists(Declaration predDecl, Declaration succDecl |
-      interprocEdge1(predDecl, succDecl, pred1, succ1) and
-      interprocEdge2(predDecl, succDecl, pred2, succ2)
-    )
-  }
-
-  private predicate reachable(
-    Configuration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
-    DataFlow::PathNode sink1, DataFlow2::PathNode sink2
-  ) {
-    exists(DataFlow::PathNode mid1, DataFlow2::PathNode mid2 |
-      reachableInterprocEntry(conf, source1, source2, mid1, mid2) and
-      conf.isSinkPair(sink1.getNode(), _, sink2.getNode(), _) and
-      localPathStep1*(mid1, sink1) and
-      localPathStep2*(mid2, sink2)
-    )
-  }
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/DataFlow.qll

@@ -1,26 +0,0 @@
-/**
- * Provides a library for local (intra-procedural) and global (inter-procedural)
- * data flow analysis: deciding whether data can flow from a _source_ to a
- * _sink_. This library differs from the one in `semmle.code.cpp.dataflow` in that
- * this library uses the IR (Intermediate Representation) library, which provides
- * a more precise semantic representation of the program, whereas the other dataflow
- * library uses the more syntax-oriented ASTs. This library should provide more accurate
- * results than the AST-based library in most scenarios.
- *
- * Unless configured otherwise, _flow_ means that the exact value of
- * the source may reach the sink. We do not track flow across pointer
- * dereferences or array indexing.
- *
- * To use global (interprocedural) data flow, extend the class
- * `DataFlow::Configuration` as documented on that class. To use local
- * (intraprocedural) data flow between expressions, call
- * `DataFlow::localExprFlow`. For more general cases of local data flow, call
- * `DataFlow::localFlow` or `DataFlow::localFlowStep` with arguments of type
- * `DataFlow::Node`.
- */
-
-import cpp
-
-module DataFlow {
-  import experimental.semmle.code.cpp.ir.dataflow.internal.DataFlowImpl
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/DataFlow2.qll

@@ -1,16 +0,0 @@
-/**
- * Provides a `DataFlow2` module, which is a copy of the `DataFlow` module. Use
- * this class when data-flow configurations must depend on each other. Two
- * classes extending `DataFlow::Configuration` should never depend on each
- * other, but one of them should instead depend on a
- * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
- * `DataFlow4::Configuration`.
- *
- * See `semmle.code.cpp.ir.dataflow.DataFlow` for the full documentation.
- */
-
-import cpp
-
-module DataFlow2 {
-  import experimental.semmle.code.cpp.ir.dataflow.internal.DataFlowImpl2
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/DataFlow3.qll

@@ -1,16 +0,0 @@
-/**
- * Provides a `DataFlow3` module, which is a copy of the `DataFlow` module. Use
- * this class when data-flow configurations must depend on each other. Two
- * classes extending `DataFlow::Configuration` should never depend on each
- * other, but one of them should instead depend on a
- * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
- * `DataFlow4::Configuration`.
- *
- * See `semmle.code.cpp.ir.dataflow.DataFlow` for the full documentation.
- */
-
-import cpp
-
-module DataFlow3 {
-  import experimental.semmle.code.cpp.ir.dataflow.internal.DataFlowImpl3
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/DataFlow4.qll

@@ -1,16 +0,0 @@
-/**
- * Provides a `DataFlow4` module, which is a copy of the `DataFlow` module. Use
- * this class when data-flow configurations must depend on each other. Two
- * classes extending `DataFlow::Configuration` should never depend on each
- * other, but one of them should instead depend on a
- * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
- * `DataFlow4::Configuration`.
- *
- * See `semmle.code.cpp.ir.dataflow.DataFlow` for the full documentation.
- */
-
-import cpp
-
-module DataFlow4 {
-  import experimental.semmle.code.cpp.ir.dataflow.internal.DataFlowImpl4
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/ResolveCall.qll

@@ -1,23 +0,0 @@
-/**
- * Provides a predicate for non-contextual virtual dispatch and function
- * pointer resolution.
- */
-
-import cpp
-private import semmle.code.cpp.ir.ValueNumbering
-private import internal.DataFlowDispatch
-private import semmle.code.cpp.ir.IR
-
-/**
- * Resolve potential target function(s) for `call`.
- *
- * If `call` is a call through a function pointer (`ExprCall`) or its target is
- * a virtual member function, simple data flow analysis is performed in order
- * to identify the possible target(s).
- */
-Function resolveCall(Call call) {
-  exists(CallInstruction callInstruction |
-    callInstruction.getAst() = call and
-    result = viableCallable(callInstruction)
-  )
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/TaintTracking.qll

@@ -1,23 +0,0 @@
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- *
- * We define _taint propagation_ informally to mean that a substantial part of
- * the information from the source is preserved at the sink. For example, taint
- * propagates from `x` to `x + 100`, but it does not propagate from `x` to `x >
- * 100` since we consider a single bit of information to be too little.
- *
- * To use global (interprocedural) taint tracking, extend the class
- * `TaintTracking::Configuration` as documented on that class. To use local
- * (intraprocedural) taint tracking between expressions, call
- * `TaintTracking::localExprTaint`. For more general cases of local taint
- * tracking, call `TaintTracking::localTaint` or
- * `TaintTracking::localTaintStep` with arguments of type `DataFlow::Node`.
- */
-
-import semmle.code.cpp.ir.dataflow.DataFlow
-import semmle.code.cpp.ir.dataflow.DataFlow2
-
-module TaintTracking {
-  import experimental.semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingImpl
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/TaintTracking2.qll

@@ -1,15 +0,0 @@
-/**
- * Provides a `TaintTracking2` module, which is a copy of the `TaintTracking`
- * module. Use this class when data-flow configurations or taint-tracking
- * configurations must depend on each other. Two classes extending
- * `DataFlow::Configuration` should never depend on each other, but one of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`. The
- * `TaintTracking::Configuration` class extends `DataFlow::Configuration`, and
- * `TaintTracking2::Configuration` extends `DataFlow2::Configuration`.
- *
- * See `semmle.code.cpp.ir.dataflow.TaintTracking` for the full documentation.
- */
-module TaintTracking2 {
-  import experimental.semmle.code.cpp.ir.dataflow.internal.tainttracking2.TaintTrackingImpl
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/TaintTracking3.qll

@@ -1,15 +0,0 @@
-/**
- * Provides a `TaintTracking3` module, which is a copy of the `TaintTracking`
- * module. Use this class when data-flow configurations or taint-tracking
- * configurations must depend on each other. Two classes extending
- * `DataFlow::Configuration` should never depend on each other, but one of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`. The
- * `TaintTracking::Configuration` class extends `DataFlow::Configuration`, and
- * `TaintTracking2::Configuration` extends `DataFlow2::Configuration`.
- *
- * See `semmle.code.cpp.ir.dataflow.TaintTracking` for the full documentation.
- */
-module TaintTracking3 {
-  import experimental.semmle.code.cpp.ir.dataflow.internal.tainttracking3.TaintTrackingImpl
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -1,273 +0,0 @@
-private import cpp
-private import semmle.code.cpp.ir.IR
-private import experimental.semmle.code.cpp.ir.dataflow.DataFlow
-private import experimental.semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import experimental.semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import DataFlowImplCommon as DataFlowImplCommon
-
-/**
- * Gets a function that might be called by `call`.
- */
-cached
-Function viableCallable(CallInstruction call) {
-  DataFlowImplCommon::forceCachingInSameStage() and
-  result = call.getStaticCallTarget()
-  or
-  // If the target of the call does not have a body in the snapshot, it might
-  // be because the target is just a header declaration, and the real target
-  // will be determined at run time when the caller and callee are linked
-  // together by the operating system's dynamic linker. In case a _unique_
-  // function with the right signature is present in the database, we return
-  // that as a potential callee.
-  exists(string qualifiedName, int nparams |
-    callSignatureWithoutBody(qualifiedName, nparams, call) and
-    functionSignatureWithBody(qualifiedName, nparams, result) and
-    strictcount(Function other | functionSignatureWithBody(qualifiedName, nparams, other)) = 1
-  )
-  or
-  // Virtual dispatch
-  result = call.(VirtualDispatch::DataSensitiveCall).resolve()
-}
-
-/**
- * Provides virtual dispatch support compatible with the original
- * implementation of `semmle.code.cpp.security.TaintTracking`.
- */
-private module VirtualDispatch {
-  /** A call that may dispatch differently depending on the qualifier value. */
-  abstract class DataSensitiveCall extends DataFlowCall {
-    /**
-     * Gets the node whose value determines the target of this call. This node
-     * could be the qualifier of a virtual dispatch or the function-pointer
-     * expression in a call to a function pointer. What they have in common is
-     * that we need to find out which data flows there, and then it's up to the
-     * `resolve` predicate to stitch that information together and resolve the
-     * call.
-     */
-    abstract DataFlow::Node getDispatchValue();
-
-    /** Gets a candidate target for this call. */
-    abstract Function resolve();
-
-    /**
-     * Whether `src` can flow to this call.
-     *
-     * Searches backwards from `getDispatchValue()` to `src`. The `allowFromArg`
-     * parameter is true when the search is allowed to continue backwards into
-     * a parameter; non-recursive callers should pass `_` for `allowFromArg`.
-     */
-    predicate flowsFrom(DataFlow::Node src, boolean allowFromArg) {
-      src = this.getDispatchValue() and allowFromArg = true
-      or
-      exists(DataFlow::Node other, boolean allowOtherFromArg |
-        this.flowsFrom(other, allowOtherFromArg)
-      |
-        // Call argument
-        exists(DataFlowCall call, Position i |
-          other
-              .(DataFlow::ParameterNode)
-              .isParameterOf(pragma[only_bind_into](call).getStaticCallTarget(), i) and
-          src.(ArgumentNode).argumentOf(call, pragma[only_bind_into](pragma[only_bind_out](i)))
-        ) and
-        allowOtherFromArg = true and
-        allowFromArg = true
-        or
-        // Call return
-        exists(DataFlowCall call, ReturnKind returnKind |
-          other = getAnOutNode(call, returnKind) and
-          returnNodeWithKindAndEnclosingCallable(src, returnKind, call.getStaticCallTarget())
-        ) and
-        allowFromArg = false
-        or
-        // Local flow
-        DataFlow::localFlowStep(src, other) and
-        allowFromArg = allowOtherFromArg
-        or
-        // Flow from global variable to load.
-        exists(LoadInstruction load, GlobalOrNamespaceVariable var |
-          var = src.asVariable() and
-          other.asInstruction() = load and
-          addressOfGlobal(load.getSourceAddress(), var) and
-          // The `allowFromArg` concept doesn't play a role when `src` is a
-          // global variable, so we just set it to a single arbitrary value for
-          // performance.
-          allowFromArg = true
-        )
-        or
-        // Flow from store to global variable.
-        exists(StoreInstruction store, GlobalOrNamespaceVariable var |
-          var = other.asVariable() and
-          store = src.asInstruction() and
-          storeIntoGlobal(store, var) and
-          // Setting `allowFromArg` to `true` like in the base case means we
-          // treat a store to a global variable like the dispatch itself: flow
-          // may come from anywhere.
-          allowFromArg = true
-        )
-      )
-    }
-  }
-
-  pragma[noinline]
-  private predicate storeIntoGlobal(StoreInstruction store, GlobalOrNamespaceVariable var) {
-    addressOfGlobal(store.getDestinationAddress(), var)
-  }
-
-  /** Holds if `addressInstr` is an instruction that produces the address of `var`. */
-  private predicate addressOfGlobal(Instruction addressInstr, GlobalOrNamespaceVariable var) {
-    // Access directly to the global variable
-    addressInstr.(VariableAddressInstruction).getAstVariable() = var
-    or
-    // Access to a field on a global union
-    exists(FieldAddressInstruction fa |
-      fa = addressInstr and
-      fa.getObjectAddress().(VariableAddressInstruction).getAstVariable() = var and
-      fa.getField().getDeclaringType() instanceof Union
-    )
-  }
-
-  /**
-   * A ReturnNode with its ReturnKind and its enclosing callable.
-   *
-   * Used to fix a join ordering issue in flowsFrom.
-   */
-  pragma[noinline]
-  private predicate returnNodeWithKindAndEnclosingCallable(
-    ReturnNode node, ReturnKind kind, DataFlowCallable callable
-  ) {
-    node.getKind() = kind and
-    node.getEnclosingCallable() = callable
-  }
-
-  /** Call through a function pointer. */
-  private class DataSensitiveExprCall extends DataSensitiveCall {
-    DataSensitiveExprCall() { not exists(this.getStaticCallTarget()) }
-
-    override DataFlow::Node getDispatchValue() { result.asInstruction() = this.getCallTarget() }
-
-    override Function resolve() {
-      exists(FunctionInstruction fi |
-        this.flowsFrom(DataFlow::instructionNode(fi), _) and
-        result = fi.getFunctionSymbol()
-      ) and
-      (
-        this.getNumberOfArguments() <= result.getEffectiveNumberOfParameters() and
-        this.getNumberOfArguments() >= result.getEffectiveNumberOfParameters()
-        or
-        result.isVarargs()
-      )
-    }
-  }
-
-  /** Call to a virtual function. */
-  private class DataSensitiveOverriddenFunctionCall extends DataSensitiveCall {
-    DataSensitiveOverriddenFunctionCall() {
-      exists(this.getStaticCallTarget().(VirtualFunction).getAnOverridingFunction())
-    }
-
-    override DataFlow::Node getDispatchValue() { result.asInstruction() = this.getThisArgument() }
-
-    override MemberFunction resolve() {
-      exists(Class overridingClass |
-        this.overrideMayAffectCall(overridingClass, result) and
-        this.hasFlowFromCastFrom(overridingClass)
-      )
-    }
-
-    /**
-     * Holds if `this` is a virtual function call whose static target is
-     * overridden by `overridingFunction` in `overridingClass`.
-     */
-    pragma[noinline]
-    private predicate overrideMayAffectCall(Class overridingClass, MemberFunction overridingFunction) {
-      overridingFunction.getAnOverriddenFunction+() = this.getStaticCallTarget().(VirtualFunction) and
-      overridingFunction.getDeclaringType() = overridingClass
-    }
-
-    /**
-     * Holds if the qualifier of `this` has flow from an upcast from
-     * `derivedClass`.
-     */
-    pragma[noinline]
-    private predicate hasFlowFromCastFrom(Class derivedClass) {
-      exists(ConvertToBaseInstruction toBase |
-        this.flowsFrom(DataFlow::instructionNode(toBase), _) and
-        derivedClass = toBase.getDerivedClass()
-      )
-    }
-  }
-}
-
-/**
- * Holds if `f` is a function with a body that has name `qualifiedName` and
- * `nparams` parameter count. See `functionSignature`.
- */
-private predicate functionSignatureWithBody(string qualifiedName, int nparams, Function f) {
-  functionSignature(f, qualifiedName, nparams) and
-  exists(f.getBlock())
-}
-
-/**
- * Holds if the target of `call` is a function _with no definition_ that has
- * name `qualifiedName` and `nparams` parameter count. See `functionSignature`.
- */
-pragma[noinline]
-private predicate callSignatureWithoutBody(string qualifiedName, int nparams, CallInstruction call) {
-  exists(Function target |
-    target = call.getStaticCallTarget() and
-    not exists(target.getBlock()) and
-    functionSignature(target, qualifiedName, nparams)
-  )
-}
-
-/**
- * Holds if `f` has name `qualifiedName` and `nparams` parameter count. This is
- * an approximation of its signature for the purpose of matching functions that
- * might be the same across link targets.
- */
-private predicate functionSignature(Function f, string qualifiedName, int nparams) {
-  qualifiedName = f.getQualifiedName() and
-  nparams = f.getNumberOfParameters() and
-  not f.isStatic()
-}
-
-/**
- * Holds if the set of viable implementations that can be called by `call`
- * might be improved by knowing the call context.
- */
-predicate mayBenefitFromCallContext(CallInstruction call, Function f) {
-  mayBenefitFromCallContext(call, f, _)
-}
-
-/**
- * Holds if `call` is a call through a function pointer, and the pointer
- * value is given as the `arg`'th argument to `f`.
- */
-private predicate mayBenefitFromCallContext(
-  VirtualDispatch::DataSensitiveCall call, Function f, int arg
-) {
-  f = pragma[only_bind_out](call).getEnclosingCallable() and
-  exists(InitializeParameterInstruction init |
-    not exists(call.getStaticCallTarget()) and
-    init.getEnclosingFunction() = f and
-    call.flowsFrom(DataFlow::instructionNode(init), _) and
-    init.getParameter().getIndex() = arg
-  )
-}
-
-/**
- * Gets a viable dispatch target of `call` in the context `ctx`. This is
- * restricted to those `call`s for which a context might make a difference.
- */
-Function viableImplInCallContext(CallInstruction call, CallInstruction ctx) {
-  result = viableCallable(call) and
-  exists(int i, Function f |
-    mayBenefitFromCallContext(pragma[only_bind_into](call), f, i) and
-    f = ctx.getStaticCallTarget() and
-    result = ctx.getArgument(i).getUnconvertedResultExpression().(FunctionAccess).getTarget()
-  )
-}
-
-/** Holds if arguments at position `apos` match parameters at position `ppos`. */
-pragma[inline]
-predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll

@@ -1,235 +0,0 @@
-/**
- * Provides consistency queries for checking invariants in the language-specific
- * data-flow classes and predicates.
- */
-
-private import DataFlowImplSpecific::Private
-private import DataFlowImplSpecific::Public
-private import tainttracking1.TaintTrackingParameter::Private
-private import tainttracking1.TaintTrackingParameter::Public
-
-module Consistency {
-  private newtype TConsistencyConfiguration = MkConsistencyConfiguration()
-
-  /** A class for configuring the consistency queries. */
-  class ConsistencyConfiguration extends TConsistencyConfiguration {
-    string toString() { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniqueEnclosingCallable`. */
-    predicate uniqueEnclosingCallableExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniqueNodeLocation`. */
-    predicate uniqueNodeLocationExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `missingLocation`. */
-    predicate missingLocationExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
-    predicate postWithInFlowExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
-    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `reverseRead`. */
-    predicate reverseReadExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `postHasUniquePre`. */
-    predicate postHasUniquePreExclude(PostUpdateNode n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
-    predicate uniquePostUpdateExclude(Node n) { none() }
-
-    /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
-    predicate viableImplInCallContextTooLargeExclude(
-      DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
-    ) {
-      none()
-    }
-  }
-
-  private class RelevantNode extends Node {
-    RelevantNode() {
-      this instanceof ArgumentNode or
-      this instanceof ParameterNode or
-      this instanceof ReturnNode or
-      this = getAnOutNode(_, _) or
-      simpleLocalFlowStep(this, _) or
-      simpleLocalFlowStep(_, this) or
-      jumpStep(this, _) or
-      jumpStep(_, this) or
-      storeStep(this, _, _) or
-      storeStep(_, _, this) or
-      readStep(this, _, _) or
-      readStep(_, _, this) or
-      defaultAdditionalTaintStep(this, _) or
-      defaultAdditionalTaintStep(_, this)
-    }
-  }
-
-  query predicate uniqueEnclosingCallable(Node n, string msg) {
-    exists(int c |
-      n instanceof RelevantNode and
-      c = count(nodeGetEnclosingCallable(n)) and
-      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueEnclosingCallableExclude(n) and
-      msg = "Node should have one enclosing callable but has " + c + "."
-    )
-  }
-
-  query predicate uniqueType(Node n, string msg) {
-    exists(int c |
-      n instanceof RelevantNode and
-      c = count(getNodeType(n)) and
-      c != 1 and
-      msg = "Node should have one type but has " + c + "."
-    )
-  }
-
-  query predicate uniqueNodeLocation(Node n, string msg) {
-    exists(int c |
-      c =
-        count(string filepath, int startline, int startcolumn, int endline, int endcolumn |
-          n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-        ) and
-      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueNodeLocationExclude(n) and
-      msg = "Node should have one location but has " + c + "."
-    )
-  }
-
-  query predicate missingLocation(string msg) {
-    exists(int c |
-      c =
-        strictcount(Node n |
-          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
-            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-          ) and
-          not any(ConsistencyConfiguration conf).missingLocationExclude(n)
-        ) and
-      msg = "Nodes without location: " + c
-    )
-  }
-
-  query predicate uniqueNodeToString(Node n, string msg) {
-    exists(int c |
-      c = count(n.toString()) and
-      c != 1 and
-      msg = "Node should have one toString but has " + c + "."
-    )
-  }
-
-  query predicate missingToString(string msg) {
-    exists(int c |
-      c = strictcount(Node n | not exists(n.toString())) and
-      msg = "Nodes without toString: " + c
-    )
-  }
-
-  query predicate parameterCallable(ParameterNode p, string msg) {
-    exists(DataFlowCallable c | isParameterNode(p, c, _) and c != nodeGetEnclosingCallable(p)) and
-    msg = "Callable mismatch for parameter."
-  }
-
-  query predicate localFlowIsLocal(Node n1, Node n2, string msg) {
-    simpleLocalFlowStep(n1, n2) and
-    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
-    msg = "Local flow step does not preserve enclosing callable."
-  }
-
-  private DataFlowType typeRepr() { result = getNodeType(_) }
-
-  query predicate compatibleTypesReflexive(DataFlowType t, string msg) {
-    t = typeRepr() and
-    not compatibleTypes(t, t) and
-    msg = "Type compatibility predicate is not reflexive."
-  }
-
-  query predicate unreachableNodeCCtx(Node n, DataFlowCall call, string msg) {
-    isUnreachableInCall(n, call) and
-    exists(DataFlowCallable c |
-      c = nodeGetEnclosingCallable(n) and
-      not viableCallable(call) = c
-    ) and
-    msg = "Call context for isUnreachableInCall is inconsistent with call graph."
-  }
-
-  query predicate localCallNodes(DataFlowCall call, Node n, string msg) {
-    (
-      n = getAnOutNode(call, _) and
-      msg = "OutNode and call does not share enclosing callable."
-      or
-      n.(ArgumentNode).argumentOf(call, _) and
-      msg = "ArgumentNode and call does not share enclosing callable."
-    ) and
-    nodeGetEnclosingCallable(n) != call.getEnclosingCallable()
-  }
-
-  // This predicate helps the compiler forget that in some languages
-  // it is impossible for a result of `getPreUpdateNode` to be an
-  // instance of `PostUpdateNode`.
-  private Node getPre(PostUpdateNode n) {
-    result = n.getPreUpdateNode()
-    or
-    none()
-  }
-
-  query predicate postIsNotPre(PostUpdateNode n, string msg) {
-    getPre(n) = n and
-    msg = "PostUpdateNode should not equal its pre-update node."
-  }
-
-  query predicate postHasUniquePre(PostUpdateNode n, string msg) {
-    not any(ConsistencyConfiguration conf).postHasUniquePreExclude(n) and
-    exists(int c |
-      c = count(n.getPreUpdateNode()) and
-      c != 1 and
-      msg = "PostUpdateNode should have one pre-update node but has " + c + "."
-    )
-  }
-
-  query predicate uniquePostUpdate(Node n, string msg) {
-    not any(ConsistencyConfiguration conf).uniquePostUpdateExclude(n) and
-    1 < strictcount(PostUpdateNode post | post.getPreUpdateNode() = n) and
-    msg = "Node has multiple PostUpdateNodes."
-  }
-
-  query predicate postIsInSameCallable(PostUpdateNode n, string msg) {
-    nodeGetEnclosingCallable(n) != nodeGetEnclosingCallable(n.getPreUpdateNode()) and
-    msg = "PostUpdateNode does not share callable with its pre-update node."
-  }
-
-  private predicate hasPost(Node n) { exists(PostUpdateNode post | post.getPreUpdateNode() = n) }
-
-  query predicate reverseRead(Node n, string msg) {
-    exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
-    not any(ConsistencyConfiguration conf).reverseReadExclude(n) and
-    msg = "Origin of readStep is missing a PostUpdateNode."
-  }
-
-  query predicate argHasPostUpdate(ArgumentNode n, string msg) {
-    not hasPost(n) and
-    not any(ConsistencyConfiguration c).argHasPostUpdateExclude(n) and
-    msg = "ArgumentNode is missing PostUpdateNode."
-  }
-
-  // This predicate helps the compiler forget that in some languages
-  // it is impossible for a `PostUpdateNode` to be the target of
-  // `simpleLocalFlowStep`.
-  private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
-
-  query predicate postWithInFlow(Node n, string msg) {
-    isPostUpdateNode(n) and
-    not clearsContent(n, _) and
-    simpleLocalFlowStep(_, n) and
-    not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
-    msg = "PostUpdateNode should not be the target of local flow."
-  }
-
-  query predicate viableImplInCallContextTooLarge(
-    DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
-  ) {
-    callable = viableImplInCallContext(call, ctx) and
-    not callable = viableCallable(call) and
-    not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
-  }
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll

@@ -1,11 +0,0 @@
-/**
- * Provides IR-specific definitions for use in the data flow library.
- */
-module Private {
-  import DataFlowPrivate
-  import DataFlowDispatch
-}
-
-module Public {
-  import DataFlowUtil
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1,560 +0,0 @@
-private import cpp as Cpp
-private import DataFlowUtil
-private import semmle.code.cpp.ir.IR
-private import DataFlowDispatch
-private import DataFlowImplConsistency
-private import semmle.code.cpp.ir.internal.IRCppLanguage
-private import SsaInternals as Ssa
-
-/** Gets the callable in which this node occurs. */
-DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
-
-/** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
-  p.isParameterOf(c, pos)
-}
-
-/** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
-predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos) {
-  arg.argumentOf(c, pos)
-}
-
-/**
- * A data flow node that occurs as the argument of a call and is passed as-is
- * to the callable. Instance arguments (`this` pointer) and read side effects
- * on parameters are also included.
- */
-abstract class ArgumentNode extends Node {
-  /**
-   * Holds if this argument occurs at the given position in the given call.
-   * The instance argument is considered to have index `-1`.
-   */
-  abstract predicate argumentOf(DataFlowCall call, ArgumentPosition pos);
-
-  /** Gets the call in which this node is an argument. */
-  DataFlowCall getCall() { this.argumentOf(result, _) }
-}
-
-/**
- * A data flow node that occurs as the argument to a call, or an
- * implicit `this` pointer argument.
- */
-private class PrimaryArgumentNode extends ArgumentNode, OperandNode {
-  override ArgumentOperand op;
-
-  PrimaryArgumentNode() { exists(CallInstruction call | op = call.getAnArgumentOperand()) }
-
-  override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-    op = call.getArgumentOperand(pos.(DirectPosition).getIndex())
-  }
-
-  override string toStringImpl() { result = argumentOperandToString(op) }
-}
-
-private string argumentOperandToString(ArgumentOperand op) {
-  exists(Expr unconverted |
-    unconverted = op.getDef().getUnconvertedResultExpression() and
-    result = unconverted.toString()
-  )
-  or
-  // Certain instructions don't map to an unconverted result expression. For these cases
-  // we fall back to a simpler naming scheme. This can happen in IR-generated constructors.
-  not exists(op.getDef().getUnconvertedResultExpression()) and
-  (
-    result = "Argument " + op.(PositionalArgumentOperand).getIndex()
-    or
-    op instanceof ThisArgumentOperand and result = "Argument this"
-  )
-}
-
-private class SideEffectArgumentNode extends ArgumentNode, SideEffectOperandNode {
-  override predicate argumentOf(DataFlowCall dfCall, ArgumentPosition pos) {
-    this.getCallInstruction() = dfCall and
-    pos.(IndirectionPosition).getArgumentIndex() = this.getArgumentIndex() and
-    pos.(IndirectionPosition).getIndirectionIndex() = super.getIndirectionIndex()
-  }
-
-  override string toStringImpl() {
-    result = argumentOperandToString(this.getAddressOperand()) + " indirection"
-  }
-}
-
-/** A parameter position represented by an integer. */
-class ParameterPosition = Position;
-
-/** An argument position represented by an integer. */
-class ArgumentPosition = Position;
-
-class Position extends TPosition {
-  abstract string toString();
-}
-
-class DirectPosition extends Position, TDirectPosition {
-  int index;
-
-  DirectPosition() { this = TDirectPosition(index) }
-
-  override string toString() { if index = -1 then result = "this" else result = index.toString() }
-
-  int getIndex() { result = index }
-}
-
-class IndirectionPosition extends Position, TIndirectionPosition {
-  int argumentIndex;
-  int indirectionIndex;
-
-  IndirectionPosition() { this = TIndirectionPosition(argumentIndex, indirectionIndex) }
-
-  override string toString() {
-    if argumentIndex = -1
-    then if indirectionIndex > 0 then result = "this indirection" else result = "this"
-    else
-      if indirectionIndex > 0
-      then result = argumentIndex.toString() + " indirection"
-      else result = argumentIndex.toString()
-  }
-
-  int getArgumentIndex() { result = argumentIndex }
-
-  int getIndirectionIndex() { result = indirectionIndex }
-}
-
-newtype TPosition =
-  TDirectPosition(int index) { exists(any(CallInstruction c).getArgument(index)) } or
-  TIndirectionPosition(int argumentIndex, int indirectionIndex) {
-    hasOperandAndIndex(_, any(CallInstruction call).getArgumentOperand(argumentIndex),
-      indirectionIndex)
-  }
-
-private newtype TReturnKind =
-  TNormalReturnKind(int index) {
-    exists(IndirectReturnNode return |
-      return.getAddressOperand() = any(ReturnValueInstruction r).getReturnAddressOperand() and
-      index = return.getIndirectionIndex() - 1 // We subtract one because the return loads the value.
-    )
-  } or
-  TIndirectReturnKind(int argumentIndex, int indirectionIndex) {
-    exists(IndirectReturnNode return, ReturnIndirectionInstruction returnInd |
-      returnInd.hasIndex(argumentIndex) and
-      return.getAddressOperand() = returnInd.getSourceAddressOperand() and
-      indirectionIndex = return.getIndirectionIndex() - 1 // We subtract one because the return loads the value.
-    )
-  }
-
-/**
- * A return kind. A return kind describes how a value can be returned
- * from a callable. For C++, this is simply a function return.
- */
-class ReturnKind extends TReturnKind {
-  /** Gets a textual representation of this return kind. */
-  abstract string toString();
-}
-
-private class NormalReturnKind extends ReturnKind, TNormalReturnKind {
-  int index;
-
-  NormalReturnKind() { this = TNormalReturnKind(index) }
-
-  override string toString() { result = "indirect return" }
-}
-
-private class IndirectReturnKind extends ReturnKind, TIndirectReturnKind {
-  int argumentIndex;
-  int indirectionIndex;
-
-  IndirectReturnKind() { this = TIndirectReturnKind(argumentIndex, indirectionIndex) }
-
-  override string toString() { result = "indirect outparam[" + argumentIndex.toString() + "]" }
-}
-
-/** A data flow node that occurs as the result of a `ReturnStmt`. */
-class ReturnNode extends Node instanceof IndirectReturnNode {
-  /** Gets the kind of this returned value. */
-  abstract ReturnKind getKind();
-}
-
-/**
- * This predicate represents an annoying hack that we have to do. We use the
- * `ReturnIndirectionInstruction` to determine which variables need flow back
- * out of a function. However, the IR will unconditionally create those for a
- * variable passed to a function even though the variable was never updated by
- * the function. And if a function has too many `ReturnNode`s the dataflow
- * library lowers its precision for that function by disabling field flow.
- *
- * So we those eliminate `ReturnNode`s that would have otherwise been created
- * by this unconditional `ReturnIndirectionInstruction` by requiring that there
- * must exist an SSA definition of the IR variable in the function.
- */
-private predicate hasNonInitializeParameterDef(IRVariable v) {
-  exists(Ssa::Def def |
-    not def.getDefiningInstruction() instanceof InitializeParameterInstruction and
-    v = def.getSourceVariable().getBaseVariable().(Ssa::BaseIRVariable).getIRVariable()
-  )
-}
-
-class ReturnIndirectionNode extends IndirectReturnNode, ReturnNode {
-  override ReturnKind getKind() {
-    exists(int argumentIndex, ReturnIndirectionInstruction returnInd |
-      returnInd.hasIndex(argumentIndex) and
-      this.getAddressOperand() = returnInd.getSourceAddressOperand() and
-      result = TIndirectReturnKind(argumentIndex, this.getIndirectionIndex() - 1) and
-      hasNonInitializeParameterDef(returnInd.getIRVariable())
-    )
-    or
-    this.getAddressOperand() = any(ReturnValueInstruction r).getReturnAddressOperand() and
-    result = TNormalReturnKind(this.getIndirectionIndex() - 1)
-  }
-}
-
-private Operand fullyConvertedCallStep(Operand op) {
-  not exists(getANonConversionUse(op)) and
-  exists(Instruction instr |
-    conversionFlow(op, instr, _) and
-    result = getAUse(instr)
-  )
-}
-
-/**
- * Gets the instruction that uses this operand, if the instruction is not
- * ignored for dataflow purposes.
- */
-private Instruction getUse(Operand op) {
-  result = op.getUse() and
-  not Ssa::ignoreOperand(op)
-}
-
-/** Gets a use of the instruction `instr` that is not ignored for dataflow purposes. */
-Operand getAUse(Instruction instr) {
-  result = instr.getAUse() and
-  not Ssa::ignoreOperand(result)
-}
-
-/**
- * Gets a use of `operand` that is:
- * - not ignored for dataflow purposes, and
- * - not a conversion-like instruction.
- */
-private Instruction getANonConversionUse(Operand operand) {
-  result = getUse(operand) and
-  not conversionFlow(_, result, _)
-}
-
-/**
- * Gets the operand that represents the first use of the value of `call` following
- * a sequnce of conversion-like instructions.
- */
-predicate operandForfullyConvertedCall(Operand operand, CallInstruction call) {
-  exists(getANonConversionUse(operand)) and
-  (
-    operand = getAUse(call)
-    or
-    operand = fullyConvertedCallStep*(getAUse(call))
-  )
-}
-
-/**
- * Gets the instruction that represents the first use of the value of `call` following
- * a sequnce of conversion-like instructions.
- *
- * This predicate only holds if there is no suitable operand (i.e., no operand of a non-
- * conversion instruction) to use to represent the value of `call` after conversions.
- */
-predicate instructionForfullyConvertedCall(Instruction instr, CallInstruction call) {
-  not operandForfullyConvertedCall(_, call) and
-  (
-    // If there is no use of the call then we pick the call instruction
-    not exists(getAUse(call)) and
-    instr = call
-    or
-    // Otherwise, flow to the first non-conversion use.
-    exists(Operand operand | operand = fullyConvertedCallStep*(getAUse(call)) |
-      instr = getANonConversionUse(operand)
-    )
-  )
-}
-
-/** Holds if `node` represents the output node for `call`. */
-private predicate simpleOutNode(Node node, CallInstruction call) {
-  operandForfullyConvertedCall(node.asOperand(), call)
-  or
-  instructionForfullyConvertedCall(node.asInstruction(), call)
-}
-
-/** A data flow node that represents the output of a call. */
-class OutNode extends Node {
-  OutNode() {
-    // Return values not hidden behind indirections
-    simpleOutNode(this, _)
-    or
-    // Return values hidden behind indirections
-    this instanceof IndirectReturnOutNode
-    or
-    // Modified arguments hidden behind indirections
-    this instanceof IndirectArgumentOutNode
-  }
-
-  /** Gets the underlying call. */
-  abstract DataFlowCall getCall();
-
-  abstract ReturnKind getReturnKind();
-}
-
-private class DirectCallOutNode extends OutNode {
-  CallInstruction call;
-
-  DirectCallOutNode() { simpleOutNode(this, call) }
-
-  override DataFlowCall getCall() { result = call }
-
-  override ReturnKind getReturnKind() { result = TNormalReturnKind(0) }
-}
-
-private class IndirectCallOutNode extends OutNode, IndirectReturnOutNode {
-  override DataFlowCall getCall() { result = this.getCallInstruction() }
-
-  override ReturnKind getReturnKind() { result = TNormalReturnKind(this.getIndirectionIndex()) }
-}
-
-private class SideEffectOutNode extends OutNode, IndirectArgumentOutNode {
-  override DataFlowCall getCall() { result = this.getCallInstruction() }
-
-  override ReturnKind getReturnKind() {
-    result = TIndirectReturnKind(this.getArgumentIndex(), this.getIndirectionIndex())
-  }
-}
-
-/**
- * Gets a node that can read the value returned from `call` with return kind
- * `kind`.
- */
-OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) {
-  result.getCall() = call and
-  result.getReturnKind() = kind
-}
-
-/**
- * Holds if data can flow from `node1` to `node2` in a way that loses the
- * calling context. For example, this would happen with flow through a
- * global or static variable.
- */
-predicate jumpStep(Node n1, Node n2) {
-  exists(Cpp::GlobalOrNamespaceVariable v |
-    v =
-      n1.asInstruction()
-          .(StoreInstruction)
-          .getResultAddress()
-          .(VariableAddressInstruction)
-          .getAstVariable() and
-    v = n2.asVariable()
-    or
-    v =
-      n2.asInstruction()
-          .(LoadInstruction)
-          .getSourceAddress()
-          .(VariableAddressInstruction)
-          .getAstVariable() and
-    v = n1.asVariable()
-  )
-}
-
-/**
- * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
- * Thus, `node2` references an object with a field `f` that contains the
- * value of `node1`.
- */
-predicate storeStep(Node node1, Content c, PostFieldUpdateNode node2) {
-  exists(int indirectionIndex1, int numberOfLoads, StoreInstruction store |
-    nodeHasInstruction(node1, store, pragma[only_bind_into](indirectionIndex1)) and
-    node2.getIndirectionIndex() = 0 and
-    numberOfLoadsFromOperand(node2.getFieldAddress(), store.getDestinationAddressOperand(),
-      numberOfLoads)
-  |
-    exists(FieldContent fc | fc = c |
-      fc.getField() = node2.getUpdatedField() and
-      fc.getIndirectionIndex() = 1 + indirectionIndex1 + numberOfLoads
-    )
-    or
-    exists(UnionContent uc | uc = c |
-      uc.getAField() = node2.getUpdatedField() and
-      uc.getIndirectionIndex() = 1 + indirectionIndex1 + numberOfLoads
-    )
-  )
-}
-
-/**
- * Holds if `operandFrom` flows to `operandTo` using a sequence of conversion-like
- * operations and exactly `n` `LoadInstruction` operations.
- */
-private predicate numberOfLoadsFromOperandRec(Operand operandFrom, Operand operandTo, int ind) {
-  exists(LoadInstruction load | load.getSourceAddressOperand() = operandFrom |
-    operandTo = operandFrom and ind = 0
-    or
-    numberOfLoadsFromOperand(load.getAUse(), operandTo, ind - 1)
-  )
-  or
-  exists(Operand op, Instruction instr |
-    instr = op.getDef() and
-    conversionFlow(operandFrom, instr, _) and
-    numberOfLoadsFromOperand(op, operandTo, ind)
-  )
-}
-
-/**
- * Holds if `operandFrom` flows to `operandTo` using a sequence of conversion-like
- * operations and exactly `n` `LoadInstruction` operations.
- */
-private predicate numberOfLoadsFromOperand(Operand operandFrom, Operand operandTo, int n) {
-  numberOfLoadsFromOperandRec(operandFrom, operandTo, n)
-  or
-  not any(LoadInstruction load).getSourceAddressOperand() = operandFrom and
-  not conversionFlow(operandFrom, _, _) and
-  operandFrom = operandTo and
-  n = 0
-}
-
-// Needed to join on both an operand and an index at the same time.
-pragma[noinline]
-predicate nodeHasOperand(Node node, Operand operand, int indirectionIndex) {
-  node.asOperand() = operand and indirectionIndex = 0
-  or
-  hasOperandAndIndex(node, operand, indirectionIndex)
-}
-
-// Needed to join on both an instruction and an index at the same time.
-pragma[noinline]
-predicate nodeHasInstruction(Node node, Instruction instr, int indirectionIndex) {
-  node.asInstruction() = instr and indirectionIndex = 0
-  or
-  hasInstructionAndIndex(node, instr, indirectionIndex)
-}
-
-/**
- * Holds if data can flow from `node1` to `node2` via a read of `f`.
- * Thus, `node1` references an object with a field `f` whose value ends up in
- * `node2`.
- */
-predicate readStep(Node node1, Content c, Node node2) {
-  exists(FieldAddress fa1, Operand operand, int numberOfLoads, int indirectionIndex2 |
-    nodeHasOperand(node2, operand, indirectionIndex2) and
-    nodeHasOperand(node1, fa1.getObjectAddressOperand(), _) and
-    numberOfLoadsFromOperand(fa1, operand, numberOfLoads)
-  |
-    exists(FieldContent fc | fc = c |
-      fc.getField() = fa1.getField() and
-      fc.getIndirectionIndex() = indirectionIndex2 + numberOfLoads
-    )
-    or
-    exists(UnionContent uc | uc = c |
-      uc.getAField() = fa1.getField() and
-      uc.getIndirectionIndex() = indirectionIndex2 + numberOfLoads
-    )
-  )
-}
-
-/**
- * Holds if values stored inside content `c` are cleared at node `n`.
- */
-predicate clearsContent(Node n, Content c) {
-  none() // stub implementation
-}
-
-/**
- * Holds if the value that is being tracked is expected to be stored inside content `c`
- * at node `n`.
- */
-predicate expectsContent(Node n, ContentSet c) { none() }
-
-/** Gets the type of `n` used for type pruning. */
-IRType getNodeType(Node n) {
-  suppressUnusedNode(n) and
-  result instanceof IRVoidType // stub implementation
-}
-
-/** Gets a string representation of a type returned by `getNodeType`. */
-string ppReprType(IRType t) { none() } // stub implementation
-
-/**
- * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
- * a node of type `t1` to a node of type `t2`.
- */
-pragma[inline]
-predicate compatibleTypes(IRType t1, IRType t2) {
-  any() // stub implementation
-}
-
-private predicate suppressUnusedNode(Node n) { any() }
-
-//////////////////////////////////////////////////////////////////////////////
-// Java QL library compatibility wrappers
-//////////////////////////////////////////////////////////////////////////////
-/** A node that performs a type cast. */
-class CastNode extends Node {
-  CastNode() { none() } // stub implementation
-}
-
-/**
- * A function that may contain code or a variable that may contain itself. When
- * flow crosses from one _enclosing callable_ to another, the interprocedural
- * data-flow library discards call contexts and inserts a node in the big-step
- * relation used for human-readable path explanations.
- */
-class DataFlowCallable = Cpp::Declaration;
-
-class DataFlowExpr = Expr;
-
-class DataFlowType = IRType;
-
-/** A function call relevant for data flow. */
-class DataFlowCall extends CallInstruction {
-  Function getEnclosingCallable() { result = this.getEnclosingFunction() }
-}
-
-predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } // stub implementation
-
-int accessPathLimit() { result = 5 }
-
-/**
- * Holds if access paths with `c` at their head always should be tracked at high
- * precision. This disables adaptive access path precision for such access paths.
- */
-predicate forceHighPrecision(Content c) { none() }
-
-/** The unit type. */
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
-/** Holds if `n` should be hidden from path explanations. */
-predicate nodeIsHidden(Node n) { n instanceof OperandNode and not n instanceof ArgumentNode }
-
-class LambdaCallKind = Unit;
-
-/** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
-predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) { none() }
-
-/** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
-predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { none() }
-
-/** Extra data-flow steps needed for lambda flow analysis. */
-predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
-
-/**
- * Holds if flow is allowed to pass from parameter `p` and back to itself as a
- * side-effect, resulting in a summary from `p` to itself.
- *
- * One example would be to allow flow like `p.foo = p.bar;`, which is disallowed
- * by default as a heuristic.
- */
-predicate allowParameterReturnInSelf(ParameterNode p) { none() }
-
-private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
-  override predicate argHasPostUpdateExclude(ArgumentNode n) {
-    // The rules for whether an IR argument gets a post-update node are too
-    // complex to model here.
-    any()
-  }
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/ModelUtil.qll

@@ -1,93 +0,0 @@
-/**
- * Provides predicates for mapping the `FunctionInput` and `FunctionOutput`
- * classes used in function models to the corresponding instructions.
- */
-
-private import semmle.code.cpp.ir.IR
-private import experimental.semmle.code.cpp.ir.dataflow.DataFlow
-private import experimental.semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import SsaInternals as Ssa
-
-/**
- * Gets the instruction that goes into `input` for `call`.
- */
-DataFlow::Node callInput(CallInstruction call, FunctionInput input) {
-  // An argument or qualifier
-  exists(int index |
-    result.asOperand() = call.getArgumentOperand(index) and
-    input.isParameterOrQualifierAddress(index)
-  )
-  or
-  // A value pointed to by an argument or qualifier
-  exists(int index, int indirectionIndex |
-    hasOperandAndIndex(result, call.getArgumentOperand(index), indirectionIndex) and
-    input.isParameterDerefOrQualifierObject(index, indirectionIndex)
-  )
-  or
-  exists(int ind |
-    result = getIndirectReturnOutNode(call, ind) and
-    input.isReturnValueDeref(ind)
-  )
-}
-
-/**
- * Gets the instruction that holds the `output` for `call`.
- */
-Node callOutput(CallInstruction call, FunctionOutput output) {
-  // The return value
-  result.asInstruction() = call and
-  output.isReturnValue()
-  or
-  // The side effect of a call on the value pointed to by an argument or qualifier
-  exists(int index, int indirectionIndex |
-    result.(IndirectArgumentOutNode).getArgumentIndex() = index and
-    result.(IndirectArgumentOutNode).getIndirectionIndex() + 1 = indirectionIndex and
-    result.(IndirectArgumentOutNode).getCallInstruction() = call and
-    output.isParameterDerefOrQualifierObject(index, indirectionIndex)
-  )
-  or
-  exists(int ind |
-    result = getIndirectReturnOutNode(call, ind) and
-    output.isReturnValueDeref(ind)
-  )
-}
-
-DataFlow::Node callInput(CallInstruction call, FunctionInput input, int d) {
-  exists(DataFlow::Node n | n = callInput(call, input) and d > 0 |
-    // An argument or qualifier
-    hasOperandAndIndex(result, n.asOperand(), d)
-    or
-    exists(Operand operand, int indirectionIndex |
-      // A value pointed to by an argument or qualifier
-      hasOperandAndIndex(n, operand, indirectionIndex) and
-      hasOperandAndIndex(result, operand, indirectionIndex + d)
-    )
-  )
-}
-
-private IndirectReturnOutNode getIndirectReturnOutNode(CallInstruction call, int d) {
-  result.getCallInstruction() = call and
-  result.getIndirectionIndex() = d
-}
-
-/**
- * Gets the instruction that holds the `output` for `call`.
- */
-bindingset[d]
-Node callOutput(CallInstruction call, FunctionOutput output, int d) {
-  exists(DataFlow::Node n | n = callOutput(call, output) and d > 0 |
-    // The return value
-    result = getIndirectReturnOutNode(n.asInstruction(), d)
-    or
-    // If there isn't an indirect out node for the call with indirection `d` then
-    // we conflate this with the underlying `CallInstruction`.
-    not exists(getIndirectReturnOutNode(call, d)) and
-    n.asInstruction() = result.asInstruction()
-    or
-    // The side effect of a call on the value pointed to by an argument or qualifier
-    exists(Operand operand, int indirectionIndex |
-      Ssa::outNodeHasAddressAndIndex(n, operand, indirectionIndex) and
-      Ssa::outNodeHasAddressAndIndex(result, operand, indirectionIndex + d)
-    )
-  )
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll

@@ -1,136 +0,0 @@
-private import cpp
-// The `ValueNumbering` library has to be imported right after `cpp` to ensure
-// that the cached IR gets the same checksum here as it does in queries that use
-// `ValueNumbering` without `DataFlow`.
-private import semmle.code.cpp.ir.ValueNumbering
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.DataFlow
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import PrintIRUtilities
-
-/**
- * Gets the local dataflow from other nodes in the same function to this node.
- */
-private string getFromFlow(DataFlow::Node useNode, int order1, int order2) {
-  exists(DataFlow::Node defNode, string prefix |
-    (
-      simpleLocalFlowStep(defNode, useNode) and prefix = ""
-      or
-      any(DataFlow::Configuration cfg).isAdditionalFlowStep(defNode, useNode) and
-      defNode.getEnclosingCallable() = useNode.getEnclosingCallable() and
-      prefix = "+"
-    ) and
-    if defNode.asInstruction() = useNode.asOperand().getAnyDef()
-    then
-      // Shorthand for flow from the def of this operand.
-      result = prefix + "def" and
-      order1 = -1 and
-      order2 = 0
-    else
-      if defNode.asOperand().getUse() = useNode.asInstruction()
-      then
-        // Shorthand for flow from an operand of this instruction
-        result = prefix + defNode.asOperand().getDumpId() and
-        order1 = -1 and
-        order2 = defNode.asOperand().getDumpSortOrder()
-      else result = prefix + nodeId(defNode, order1, order2)
-  )
-}
-
-/**
- * Gets the local dataflow from this node to other nodes in the same function.
- */
-private string getToFlow(DataFlow::Node defNode, int order1, int order2) {
-  exists(DataFlow::Node useNode, string prefix |
-    (
-      simpleLocalFlowStep(defNode, useNode) and prefix = ""
-      or
-      any(DataFlow::Configuration cfg).isAdditionalFlowStep(defNode, useNode) and
-      defNode.getEnclosingCallable() = useNode.getEnclosingCallable() and
-      prefix = "+"
-    ) and
-    if useNode.asInstruction() = defNode.asOperand().getUse()
-    then
-      // Shorthand for flow to this operand's instruction.
-      result = prefix + "result" and
-      order1 = -1 and
-      order2 = 0
-    else result = prefix + nodeId(useNode, order1, order2)
-  )
-}
-
-/**
- * Gets the properties of the dataflow node `node`.
- */
-private string getNodeProperty(DataFlow::Node node, string key) {
-  // List dataflow into and out of this node. Flow into this node is printed as `src->@`, and flow
-  // out of this node is printed as `@->dest`.
-  key = "flow" and
-  result =
-    strictconcat(string flow, boolean to, int order1, int order2 |
-      flow = getFromFlow(node, order1, order2) + "->@" and to = false
-      or
-      flow = "@->" + getToFlow(node, order1, order2) and to = true
-    |
-      flow, ", " order by to, order1, order2, flow
-    )
-  or
-  // Is this node a dataflow sink?
-  key = "sink" and
-  any(DataFlow::Configuration cfg).isSink(node) and
-  result = "true"
-  or
-  // Is this node a dataflow source?
-  key = "source" and
-  any(DataFlow::Configuration cfg).isSource(node) and
-  result = "true"
-  or
-  // Is this node a dataflow barrier, and if so, what kind?
-  key = "barrier" and
-  result =
-    strictconcat(string kind |
-      any(DataFlow::Configuration cfg).isBarrier(node) and kind = "full"
-      or
-      any(DataFlow::Configuration cfg).isBarrierIn(node) and kind = "in"
-      or
-      any(DataFlow::Configuration cfg).isBarrierOut(node) and kind = "out"
-    |
-      kind, ", "
-    )
-  or
-  // Is there partial flow from a source to this node?
-  // This property will only be emitted if partial flow is enabled by overriding
-  // `DataFlow::Configration::explorationLimit()`.
-  key = "pflow" and
-  result =
-    strictconcat(DataFlow::PartialPathNode sourceNode, DataFlow::PartialPathNode destNode, int dist,
-      int order1, int order2 |
-      any(DataFlow::Configuration cfg).hasPartialFlow(sourceNode, destNode, dist) and
-      destNode.getNode() = node and
-      // Only print flow from a source in the same function.
-      sourceNode.getNode().getEnclosingCallable() = node.getEnclosingCallable()
-    |
-      nodeId(sourceNode.getNode(), order1, order2) + "+" + dist.toString(), ", "
-      order by
-        order1, order2, dist desc
-    )
-}
-
-/**
- * Property provider for local IR dataflow.
- */
-class LocalFlowPropertyProvider extends IRPropertyProvider {
-  override string getOperandProperty(Operand operand, string key) {
-    exists(DataFlow::Node node |
-      operand = node.asOperand() and
-      result = getNodeProperty(node, key)
-    )
-  }
-
-  override string getInstructionProperty(Instruction instruction, string key) {
-    exists(DataFlow::Node node |
-      instruction = node.asInstruction() and
-      result = getNodeProperty(node, key)
-    )
-  }
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/PrintIRStoreSteps.qll

@@ -1,33 +0,0 @@
-/**
- * Print the dataflow local store steps in IR dumps.
- */
-
-private import cpp
-// The `ValueNumbering` library has to be imported right after `cpp` to ensure
-// that the cached IR gets the same checksum here as it does in queries that use
-// `ValueNumbering` without `DataFlow`.
-private import semmle.code.cpp.ir.ValueNumbering
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.DataFlow
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import PrintIRUtilities
-
-/**
- * Property provider for local IR dataflow store steps.
- */
-class LocalFlowPropertyProvider extends IRPropertyProvider {
-  override string getInstructionProperty(Instruction instruction, string key) {
-    exists(DataFlow::Node objectNode, Content content |
-      key = "content[" + content.toString() + "]" and
-      instruction = objectNode.asInstruction() and
-      result =
-        strictconcat(string element, DataFlow::Node fieldNode |
-          storeStep(fieldNode, content, objectNode) and
-          element = nodeId(fieldNode, _, _)
-        |
-          element, ", "
-        )
-    )
-  }
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll

@@ -1,39 +0,0 @@
-/**
- * Shared utilities used when printing dataflow annotations in IR dumps.
- */
-
-private import cpp
-// The `ValueNumbering` library has to be imported right after `cpp` to ensure
-// that the cached IR gets the same checksum here as it does in queries that use
-// `ValueNumbering` without `DataFlow`.
-private import semmle.code.cpp.ir.ValueNumbering
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.DataFlow
-
-/**
- * Gets a short ID for an IR dataflow node.
- * - For `Instruction`s, this is just the result ID of the instruction (e.g. `m128`).
- * - For `Operand`s, this is the label of the operand, prefixed with the result ID of the
- *   instruction and a dot (e.g. `m128.left`).
- * - For `Variable`s, this is the qualified name of the variable.
- */
-string nodeId(DataFlow::Node node, int order1, int order2) {
-  exists(Instruction instruction | instruction = node.asInstruction() |
-    result = instruction.getResultId() and
-    order1 = instruction.getBlock().getDisplayIndex() and
-    order2 = instruction.getDisplayIndexInBlock()
-  )
-  or
-  exists(Operand operand, Instruction instruction |
-    operand = node.asOperand() and
-    instruction = operand.getUse()
-  |
-    result = instruction.getResultId() + "." + operand.getDumpId() and
-    order1 = instruction.getBlock().getDisplayIndex() and
-    order2 = instruction.getDisplayIndexInBlock()
-  )
-  or
-  result = "var(" + node.asVariable().getQualifiedName() + ")" and
-  order1 = 1000000 and
-  order2 = 0
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -1,547 +0,0 @@
-private import codeql.ssa.Ssa as SsaImplCommon
-private import semmle.code.cpp.ir.IR
-private import DataFlowUtil
-private import DataFlowImplCommon as DataFlowImplCommon
-private import semmle.code.cpp.models.interfaces.Allocation as Alloc
-private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
-private import semmle.code.cpp.ir.internal.IRCppLanguage
-private import DataFlowPrivate
-private import ssa0.SsaInternals as SsaInternals0
-import SsaInternalsCommon
-
-private module SourceVariables {
-  int getMaxIndirectionForIRVariable(IRVariable var) {
-    exists(Type type, boolean isGLValue |
-      var.getLanguageType().hasType(type, isGLValue) and
-      if isGLValue = true
-      then result = 1 + getMaxIndirectionsForType(type)
-      else result = getMaxIndirectionsForType(type)
-    )
-  }
-
-  class BaseSourceVariable = SsaInternals0::BaseSourceVariable;
-
-  class BaseIRVariable = SsaInternals0::BaseIRVariable;
-
-  class BaseCallVariable = SsaInternals0::BaseCallVariable;
-
-  cached
-  private newtype TSourceVariable =
-    TSourceIRVariable(BaseIRVariable baseVar, int ind) {
-      ind = [0 .. getMaxIndirectionForIRVariable(baseVar.getIRVariable())]
-    } or
-    TCallVariable(AllocationInstruction call, int ind) {
-      ind = [0 .. countIndirectionsForCppType(getResultLanguageType(call))]
-    }
-
-  abstract class SourceVariable extends TSourceVariable {
-    int ind;
-
-    bindingset[ind]
-    SourceVariable() { any() }
-
-    abstract string toString();
-
-    int getIndirection() { result = ind }
-
-    abstract BaseSourceVariable getBaseVariable();
-  }
-
-  class SourceIRVariable extends SourceVariable, TSourceIRVariable {
-    BaseIRVariable var;
-
-    SourceIRVariable() { this = TSourceIRVariable(var, ind) }
-
-    IRVariable getIRVariable() { result = var.getIRVariable() }
-
-    override BaseIRVariable getBaseVariable() { result.getIRVariable() = this.getIRVariable() }
-
-    override string toString() {
-      ind = 0 and
-      result = this.getIRVariable().toString()
-      or
-      ind > 0 and
-      result = this.getIRVariable().toString() + " indirection"
-    }
-  }
-
-  class CallVariable extends SourceVariable, TCallVariable {
-    AllocationInstruction call;
-
-    CallVariable() { this = TCallVariable(call, ind) }
-
-    AllocationInstruction getCall() { result = call }
-
-    override BaseCallVariable getBaseVariable() { result.getCallInstruction() = call }
-
-    override string toString() {
-      ind = 0 and
-      result = "Call"
-      or
-      ind > 0 and
-      result = "Call indirection"
-    }
-  }
-}
-
-import SourceVariables
-
-predicate hasIndirectOperand(Operand op, int indirectionIndex) {
-  exists(CppType type, int m |
-    not ignoreOperand(op) and
-    type = getLanguageType(op) and
-    m = countIndirectionsForCppType(type) and
-    indirectionIndex = [1 .. m]
-  )
-}
-
-predicate hasIndirectInstruction(Instruction instr, int indirectionIndex) {
-  exists(CppType type, int m |
-    not ignoreInstruction(instr) and
-    type = getResultLanguageType(instr) and
-    m = countIndirectionsForCppType(type) and
-    indirectionIndex = [1 .. m]
-  )
-}
-
-cached
-private newtype TDefOrUseImpl =
-  TDefImpl(Operand address, int indirectionIndex) {
-    isDef(_, _, address, _, _, indirectionIndex) and
-    // We only include the definition if the SSA pruning stage
-    // concluded that the definition is live after the write.
-    any(SsaInternals0::Def def).getAddressOperand() = address
-  } or
-  TUseImpl(Operand operand, int indirectionIndex) {
-    isUse(_, operand, _, _, indirectionIndex) and
-    not isDef(_, _, operand, _, _, _)
-  }
-
-abstract private class DefOrUseImpl extends TDefOrUseImpl {
-  /** Gets a textual representation of this element. */
-  abstract string toString();
-
-  /** Gets the block of this definition or use. */
-  abstract IRBlock getBlock();
-
-  /** Holds if this definition or use has index `index` in block `block`. */
-  abstract predicate hasIndexInBlock(IRBlock block, int index);
-
-  final predicate hasIndexInBlock(IRBlock block, int index, SourceVariable sv) {
-    this.hasIndexInBlock(block, index) and
-    sv = this.getSourceVariable()
-  }
-
-  /** Gets the location of this element. */
-  abstract Cpp::Location getLocation();
-
-  /**
-   * Gets the index (i.e., the number of loads required) of this
-   * definition or use.
-   *
-   * Note that this is _not_ the definition's (or use's) index in
-   * the enclosing basic block. To obtain this index, use
-   * `DefOrUseImpl::hasIndexInBlock/2` or `DefOrUseImpl::hasIndexInBlock/3`.
-   */
-  abstract int getIndirectionIndex();
-
-  /**
-   * Gets the instruction that computes the base of this definition or use.
-   * This is always a `VariableAddressInstruction` or an `AllocationInstruction`.
-   */
-  abstract Instruction getBase();
-
-  final BaseSourceVariable getBaseSourceVariable() {
-    exists(IRVariable var |
-      result.(BaseIRVariable).getIRVariable() = var and
-      instructionHasIRVariable(this.getBase(), var)
-    )
-    or
-    result.(BaseCallVariable).getCallInstruction() = this.getBase()
-  }
-
-  /** Gets the variable that is defined or used. */
-  final SourceVariable getSourceVariable() {
-    exists(BaseSourceVariable v, int ind |
-      sourceVariableHasBaseAndIndex(result, v, ind) and
-      defOrUseHasSourceVariable(this, v, ind)
-    )
-  }
-}
-
-pragma[noinline]
-private predicate instructionHasIRVariable(VariableAddressInstruction vai, IRVariable var) {
-  vai.getIRVariable() = var
-}
-
-private predicate defOrUseHasSourceVariable(DefOrUseImpl defOrUse, BaseSourceVariable bv, int ind) {
-  defHasSourceVariable(defOrUse, bv, ind)
-  or
-  useHasSourceVariable(defOrUse, bv, ind)
-}
-
-pragma[noinline]
-private predicate defHasSourceVariable(DefImpl def, BaseSourceVariable bv, int ind) {
-  bv = def.getBaseSourceVariable() and
-  ind = def.getIndirection()
-}
-
-pragma[noinline]
-private predicate useHasSourceVariable(UseImpl use, BaseSourceVariable bv, int ind) {
-  bv = use.getBaseSourceVariable() and
-  ind = use.getIndirection()
-}
-
-pragma[noinline]
-private predicate sourceVariableHasBaseAndIndex(SourceVariable v, BaseSourceVariable bv, int ind) {
-  v.getBaseVariable() = bv and
-  v.getIndirection() = ind
-}
-
-class DefImpl extends DefOrUseImpl, TDefImpl {
-  Operand address;
-  int ind;
-
-  DefImpl() { this = TDefImpl(address, ind) }
-
-  override Instruction getBase() { isDef(_, _, address, result, _, _) }
-
-  Operand getAddressOperand() { result = address }
-
-  int getIndirection() { isDef(_, _, address, _, result, ind) }
-
-  override int getIndirectionIndex() { result = ind }
-
-  Instruction getDefiningInstruction() { isDef(_, result, address, _, _, _) }
-
-  override string toString() { result = "DefImpl" }
-
-  override IRBlock getBlock() { result = this.getDefiningInstruction().getBlock() }
-
-  override Cpp::Location getLocation() { result = this.getDefiningInstruction().getLocation() }
-
-  final override predicate hasIndexInBlock(IRBlock block, int index) {
-    this.getDefiningInstruction() = block.getInstruction(index)
-  }
-
-  predicate isCertain() { isDef(true, _, address, _, _, ind) }
-}
-
-class UseImpl extends DefOrUseImpl, TUseImpl {
-  Operand operand;
-  int ind;
-
-  UseImpl() { this = TUseImpl(operand, ind) }
-
-  Operand getOperand() { result = operand }
-
-  override string toString() { result = "UseImpl" }
-
-  final override predicate hasIndexInBlock(IRBlock block, int index) {
-    operand.getUse() = block.getInstruction(index)
-  }
-
-  final override IRBlock getBlock() { result = operand.getUse().getBlock() }
-
-  final override Cpp::Location getLocation() { result = operand.getLocation() }
-
-  final int getIndirection() { isUse(_, operand, _, result, ind) }
-
-  override int getIndirectionIndex() { result = ind }
-
-  override Instruction getBase() { isUse(_, operand, result, _, ind) }
-
-  predicate isCertain() { isUse(true, operand, _, _, ind) }
-}
-
-/**
- * Holds if `defOrUse1` is a definition which is first read by `use`,
- * or if `defOrUse1` is a use and `use` is a next subsequent use.
- *
- * In both cases, `use` can either be an explicit use written in the
- * source file, or it can be a phi node as computed by the SSA library.
- */
-predicate adjacentDefRead(DefOrUse defOrUse1, UseOrPhi use) {
-  exists(IRBlock bb1, int i1, SourceVariable v |
-    defOrUse1.asDefOrUse().hasIndexInBlock(bb1, i1, v)
-  |
-    exists(IRBlock bb2, int i2 |
-      adjacentDefRead(_, pragma[only_bind_into](bb1), pragma[only_bind_into](i1),
-        pragma[only_bind_into](bb2), pragma[only_bind_into](i2))
-    |
-      use.asDefOrUse().(UseImpl).hasIndexInBlock(bb2, i2, v)
-    )
-    or
-    exists(PhiNode phi |
-      lastRefRedef(_, bb1, i1, phi) and
-      use.asPhi() = phi and
-      phi.getSourceVariable() = pragma[only_bind_into](v)
-    )
-  )
-}
-
-private predicate useToNode(UseOrPhi use, Node nodeTo) {
-  exists(UseImpl useImpl |
-    useImpl = use.asDefOrUse() and
-    nodeHasOperand(nodeTo, useImpl.getOperand(), useImpl.getIndirectionIndex())
-  )
-  or
-  nodeTo.(SsaPhiNode).getPhiNode() = use.asPhi()
-}
-
-pragma[noinline]
-predicate outNodeHasAddressAndIndex(
-  IndirectArgumentOutNode out, Operand address, int indirectionIndex
-) {
-  out.getAddressOperand() = address and
-  out.getIndirectionIndex() = indirectionIndex
-}
-
-private predicate defToNode(Node nodeFrom, Def def) {
-  nodeHasInstruction(nodeFrom, def.getDefiningInstruction(), def.getIndirectionIndex())
-}
-
-private predicate nodeToDefOrUse(Node nodeFrom, SsaDefOrUse defOrUse) {
-  // Node -> Def
-  defToNode(nodeFrom, defOrUse)
-  or
-  // Node -> Use
-  useToNode(defOrUse, nodeFrom)
-}
-
-/**
- * Perform a single conversion-like step from `nFrom` to `nTo`. This relation
- * only holds when there is no use-use relation out of `nTo`.
- */
-private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {
-  not exists(UseOrPhi defOrUse |
-    nodeToDefOrUse(nTo, defOrUse) and
-    adjacentDefRead(defOrUse, _)
-  ) and
-  exists(Operand op1, Operand op2, int indirectionIndex, Instruction instr |
-    hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and
-    hasOperandAndIndex(nTo, op2, pragma[only_bind_into](indirectionIndex)) and
-    instr = op2.getDef() and
-    conversionFlow(op1, instr, _)
-  )
-}
-
-/**
- * The reason for this predicate is a bit annoying:
- * We cannot mark a `PointerArithmeticInstruction` that computes an offset based on some SSA
- * variable `x` as a use of `x` since this creates taint-flow in the following example:
- * ```c
- * int x = array[source]
- * sink(*array)
- * ```
- * This is because `source` would flow from the operand of `PointerArithmeticInstruction` to the
- * result of the instruction, and into the `IndirectOperand` that represents the value of `*array`.
- * Then, via use-use flow, flow will arrive at `*array` in `sink(*array)`.
- *
- * So this predicate recurses back along conversions and `PointerArithmeticInstruction`s to find the
- * first use that has provides use-use flow, and uses that target as the target of the `nodeFrom`.
- */
-private predicate adjustForPointerArith(Node nodeFrom, UseOrPhi use) {
-  nodeFrom = any(PostUpdateNode pun).getPreUpdateNode() and
-  exists(DefOrUse defOrUse, Node adjusted |
-    indirectConversionFlowStep*(adjusted, nodeFrom) and
-    nodeToDefOrUse(adjusted, defOrUse) and
-    adjacentDefRead(defOrUse, use)
-  )
-}
-
-/** Holds if there is def-use or use-use flow from `nodeFrom` to `nodeTo`. */
-predicate ssaFlow(Node nodeFrom, Node nodeTo) {
-  // `nodeFrom = any(PostUpdateNode pun).getPreUpdateNode()` is implied by adjustedForPointerArith.
-  exists(UseOrPhi use |
-    adjustForPointerArith(nodeFrom, use) and
-    useToNode(use, nodeTo)
-  )
-  or
-  not nodeFrom = any(PostUpdateNode pun).getPreUpdateNode() and
-  exists(DefOrUse defOrUse1, UseOrPhi use |
-    nodeToDefOrUse(nodeFrom, defOrUse1) and
-    adjacentDefRead(defOrUse1, use) and
-    useToNode(use, nodeTo)
-  )
-}
-
-/** Holds if `nodeTo` receives flow from the phi node `nodeFrom`. */
-predicate fromPhiNode(SsaPhiNode nodeFrom, Node nodeTo) {
-  exists(PhiNode phi, SourceVariable sv, IRBlock bb1, int i1, UseOrPhi use |
-    phi = nodeFrom.getPhiNode() and
-    phi.definesAt(sv, bb1, i1) and
-    useToNode(use, nodeTo)
-  |
-    exists(IRBlock bb2, int i2 |
-      use.asDefOrUse().hasIndexInBlock(bb2, i2, sv) and
-      adjacentDefRead(phi, bb1, i1, bb2, i2)
-    )
-    or
-    exists(PhiNode phiTo |
-      lastRefRedef(phi, _, _, phiTo) and
-      nodeTo.(SsaPhiNode).getPhiNode() = phiTo
-    )
-  )
-}
-
-private SsaInternals0::SourceVariable getOldSourceVariable(SourceVariable v) {
-  v.getBaseVariable().(BaseIRVariable).getIRVariable() =
-    result.getBaseVariable().(SsaInternals0::BaseIRVariable).getIRVariable()
-  or
-  v.getBaseVariable().(BaseCallVariable).getCallInstruction() =
-    result.getBaseVariable().(SsaInternals0::BaseCallVariable).getCallInstruction()
-}
-
-/**
- * Holds if there is a write at index `i` in basic block `bb` to variable `v` that's
- * subsequently read (as determined by the SSA pruning stage).
- */
-private predicate variableWriteCand(IRBlock bb, int i, SourceVariable v) {
-  exists(SsaInternals0::Def def, SsaInternals0::SourceVariable v0 |
-    def.asDefOrUse().hasIndexInBlock(bb, i, v0) and
-    v0 = getOldSourceVariable(v)
-  )
-}
-
-private module SsaInput implements SsaImplCommon::InputSig {
-  import InputSigCommon
-  import SourceVariables
-
-  /**
-   * Holds if the `i`'th write in block `bb` writes to the variable `v`.
-   * `certain` is `true` if the write is guaranteed to overwrite the entire variable.
-   */
-  predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
-    DataFlowImplCommon::forceCachingInSameStage() and
-    variableWriteCand(bb, i, v) and
-    exists(DefImpl def | def.hasIndexInBlock(bb, i, v) |
-      if def.isCertain() then certain = true else certain = false
-    )
-  }
-
-  /**
-   * Holds if the `i`'th read in block `bb` reads to the variable `v`.
-   * `certain` is `true` if the read is guaranteed. For C++, this is always the case.
-   */
-  predicate variableRead(IRBlock bb, int i, SourceVariable v, boolean certain) {
-    exists(UseImpl use | use.hasIndexInBlock(bb, i, v) |
-      if use.isCertain() then certain = true else certain = false
-    )
-  }
-}
-
-/**
- * The final SSA predicates used for dataflow purposes.
- */
-cached
-module SsaCached {
-  /**
-   * Holds if `def` is accessed at index `i1` in basic block `bb1` (either a read
-   * or a write), `def` is read at index `i2` in basic block `bb2`, and there is a
-   * path between them without any read of `def`.
-   */
-  cached
-  predicate adjacentDefRead(Definition def, IRBlock bb1, int i1, IRBlock bb2, int i2) {
-    SsaImpl::adjacentDefRead(def, bb1, i1, bb2, i2)
-  }
-
-  /**
-   * Holds if the node at index `i` in `bb` is a last reference to SSA definition
-   * `def`. The reference is last because it can reach another write `next`,
-   * without passing through another read or write.
-   */
-  cached
-  predicate lastRefRedef(Definition def, IRBlock bb, int i, Definition next) {
-    SsaImpl::lastRefRedef(def, bb, i, next)
-  }
-}
-
-cached
-private newtype TSsaDefOrUse =
-  TDefOrUse(DefOrUseImpl defOrUse) {
-    defOrUse instanceof UseImpl
-    or
-    // Like in the pruning stage, we only include definition that's live after the
-    // write as the final definitions computed by SSA.
-    exists(Definition def, SourceVariable sv, IRBlock bb, int i |
-      def.definesAt(sv, bb, i) and
-      defOrUse.(DefImpl).hasIndexInBlock(bb, i, sv)
-    )
-  } or
-  TPhi(PhiNode phi)
-
-abstract private class SsaDefOrUse extends TSsaDefOrUse {
-  string toString() { none() }
-
-  DefOrUseImpl asDefOrUse() { none() }
-
-  PhiNode asPhi() { none() }
-
-  abstract Location getLocation();
-}
-
-class DefOrUse extends TDefOrUse, SsaDefOrUse {
-  DefOrUseImpl defOrUse;
-
-  DefOrUse() { this = TDefOrUse(defOrUse) }
-
-  final override DefOrUseImpl asDefOrUse() { result = defOrUse }
-
-  final override Location getLocation() { result = defOrUse.getLocation() }
-
-  final SourceVariable getSourceVariable() { result = defOrUse.getSourceVariable() }
-
-  override string toString() { result = defOrUse.toString() }
-}
-
-class Phi extends TPhi, SsaDefOrUse {
-  PhiNode phi;
-
-  Phi() { this = TPhi(phi) }
-
-  final override PhiNode asPhi() { result = phi }
-
-  final override Location getLocation() { result = phi.getBasicBlock().getLocation() }
-
-  override string toString() { result = "Phi" }
-}
-
-class UseOrPhi extends SsaDefOrUse {
-  UseOrPhi() {
-    this.asDefOrUse() instanceof UseImpl
-    or
-    this instanceof Phi
-  }
-
-  final override Location getLocation() {
-    result = this.asDefOrUse().getLocation() or result = this.(Phi).getLocation()
-  }
-}
-
-class Def extends DefOrUse {
-  override DefImpl defOrUse;
-
-  Operand getAddressOperand() { result = defOrUse.getAddressOperand() }
-
-  Instruction getAddress() { result = this.getAddressOperand().getDef() }
-
-  /**
-   * This predicate ensures that joins go from `defOrUse` to the result
-   * instead of the other way around.
-   */
-  pragma[inline]
-  int getIndirectionIndex() {
-    pragma[only_bind_into](result) = pragma[only_bind_out](defOrUse).getIndirectionIndex()
-  }
-
-  Instruction getDefiningInstruction() { result = defOrUse.getDefiningInstruction() }
-}
-
-private module SsaImpl = SsaImplCommon::Make<SsaInput>;
-
-class PhiNode = SsaImpl::PhiNode;
-
-class Definition = SsaImpl::Definition;
-
-import SsaCached

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -1,268 +0,0 @@
-import cpp as Cpp
-import semmle.code.cpp.ir.IR
-import semmle.code.cpp.ir.internal.IRCppLanguage
-private import semmle.code.cpp.ir.implementation.raw.internal.SideEffects as SideEffects
-private import DataFlowImplCommon as DataFlowImplCommon
-private import DataFlowUtil
-
-/**
- * Holds if `operand` is an operand that is not used by the dataflow library.
- * Ignored operands are not recognizd as uses by SSA, and they don't have a
- * corresponding `(Indirect)OperandNode`.
- */
-predicate ignoreOperand(Operand operand) {
-  operand = any(Instruction instr | ignoreInstruction(instr)).getAnOperand()
-}
-
-/**
- * Holds if `instr` is an instruction that is not used by the dataflow library.
- * Ignored instructions are not recognized as reads/writes by SSA, and they
- * don't have a corresponding `(Indirect)InstructionNode`.
- */
-predicate ignoreInstruction(Instruction instr) {
-  DataFlowImplCommon::forceCachingInSameStage() and
-  (
-    instr instanceof WriteSideEffectInstruction or
-    instr instanceof PhiInstruction or
-    instr instanceof ReadSideEffectInstruction or
-    instr instanceof ChiInstruction or
-    instr instanceof InitializeIndirectionInstruction
-  )
-}
-
-/**
- * Gets the C++ type of `this` in the member function `f`.
- * The result is a glvalue if `isGLValue` is true, and
- * a prvalue if `isGLValue` is false.
- */
-bindingset[isGLValue]
-private CppType getThisType(Cpp::MemberFunction f, boolean isGLValue) {
-  result.hasType(f.getTypeOfThis(), isGLValue)
-}
-
-/**
- * Gets the C++ type of the instruction `i`.
- *
- * This is equivalent to `i.getResultLanguageType()` with the exception
- * of instructions that directly references a `this` IRVariable. In this
- * case, `i.getResultLanguageType()` gives an unknown type, whereas the
- * predicate gives the expected type (i.e., a potentially cv-qualified
- * type `A*` where `A` is the declaring type of the member function that
- * contains `i`).
- */
-cached
-CppType getResultLanguageType(Instruction i) {
-  if i.(VariableAddressInstruction).getIRVariable() instanceof IRThisVariable
-  then
-    if i.isGLValue()
-    then result = getThisType(i.getEnclosingFunction(), true)
-    else result = getThisType(i.getEnclosingFunction(), false)
-  else result = i.getResultLanguageType()
-}
-
-/**
- * Gets the C++ type of the operand `operand`.
- * This is equivalent to the type of the operand's defining instruction.
- *
- * See `getResultLanguageType` for a description of this behavior.
- */
-CppType getLanguageType(Operand operand) { result = getResultLanguageType(operand.getDef()) }
-
-/**
- * Gets the maximum number of indirections a glvalue of type `type` can have.
- * For example:
- * - If `type = int`, the result is 1
- * - If `type = MyStruct`, the result is 1
- * - If `type = char*`, the result is 2
- */
-int getMaxIndirectionsForType(Type type) {
-  result = countIndirectionsForCppType(getTypeForGLValue(type))
-}
-
-/**
- * Gets the maximum number of indirections a value of type `type` can have.
- *
- * Note that this predicate is intended to be called on unspecified types
- * (i.e., `countIndirections(e.getUnspecifiedType())`).
- */
-private int countIndirections(Type t) {
-  result =
-    1 +
-      countIndirections([t.(Cpp::PointerType).getBaseType(), t.(Cpp::ReferenceType).getBaseType()])
-  or
-  not t instanceof Cpp::PointerType and
-  not t instanceof Cpp::ReferenceType and
-  result = 0
-}
-
-/**
- * Gets the maximum number of indirections a value of C++
- * type `langType` can have.
- */
-int countIndirectionsForCppType(LanguageType langType) {
-  exists(Type type | langType.hasType(type, true) |
-    result = 1 + countIndirections(type.getUnspecifiedType())
-  )
-  or
-  exists(Type type | langType.hasType(type, false) |
-    result = countIndirections(type.getUnspecifiedType())
-  )
-}
-
-/**
- * A `CallInstruction` that calls an allocation function such
- * as `malloc` or `operator new`.
- */
-class AllocationInstruction extends CallInstruction {
-  AllocationInstruction() { this.getStaticCallTarget() instanceof Cpp::AllocationFunction }
-}
-
-/**
- * Holds if `i` is a base instruction that starts a sequence of uses
- * of some variable that SSA can handle.
- *
- * This is either when `i` is a `VariableAddressInstruction` or when
- * `i` is a fresh allocation produced by an `AllocationInstruction`.
- */
-private predicate isSourceVariableBase(Instruction i) {
-  i instanceof VariableAddressInstruction or i instanceof AllocationInstruction
-}
-
-/**
- * Holds if the value pointed to by `operand` can potentially be
- * modified be the caller.
- */
-predicate isModifiableByCall(ArgumentOperand operand) {
-  exists(CallInstruction call, int index, CppType type |
-    type = getLanguageType(operand) and
-    call.getArgumentOperand(index) = operand and
-    if index = -1
-    then not call.getStaticCallTarget() instanceof Cpp::ConstMemberFunction
-    else not SideEffects::isConstPointerLike(any(Type t | type.hasType(t, _)))
-  )
-}
-
-cached
-private module Cached {
-  /**
-   * Holds if `op` is a use of an SSA variable rooted at `base` with `ind` number
-   * of indirections.
-   *
-   * `certain` is `true` if the operand is guaranteed to read the variable, and
-   * `indirectionIndex` specifies the number of loads required to read the variable.
-   */
-  cached
-  predicate isUse(boolean certain, Operand op, Instruction base, int ind, int indirectionIndex) {
-    not ignoreOperand(op) and
-    certain = true and
-    exists(LanguageType type, int m, int ind0 |
-      type = getLanguageType(op) and
-      m = countIndirectionsForCppType(type) and
-      isUseImpl(op, base, ind0) and
-      ind = ind0 + [0 .. m] and
-      indirectionIndex = ind - ind0
-    )
-  }
-
-  /**
-   * Holds if `operand` is a use of an SSA variable rooted at `base`, and the
-   * path from `base` to `operand` passes through `ind` load-like instructions.
-   */
-  private predicate isUseImpl(Operand operand, Instruction base, int ind) {
-    DataFlowImplCommon::forceCachingInSameStage() and
-    ind = 0 and
-    operand.getDef() = base and
-    isSourceVariableBase(base)
-    or
-    exists(Operand mid, Instruction instr |
-      isUseImpl(mid, base, ind) and
-      instr = operand.getDef() and
-      conversionFlow(mid, instr, false)
-    )
-    or
-    exists(int ind0 |
-      isUseImpl(operand.getDef().(LoadInstruction).getSourceAddressOperand(), base, ind0)
-      or
-      isUseImpl(operand.getDef().(InitializeParameterInstruction).getAnOperand(), base, ind0)
-    |
-      ind0 = ind - 1
-    )
-  }
-
-  /**
-   * Holds if `address` is an address of an SSA variable rooted at `base`,
-   * and `instr` is a definition of the SSA variable with `ind` number of indirections.
-   *
-   * `certain` is `true` if `instr` is guaranteed to write to the variable, and
-   * `indirectionIndex` specifies the number of loads required to read the variable
-   * after the write operation.
-   */
-  cached
-  predicate isDef(
-    boolean certain, Instruction instr, Operand address, Instruction base, int ind,
-    int indirectionIndex
-  ) {
-    certain = true and
-    exists(int ind0, CppType type, int m |
-      address =
-        [
-          instr.(StoreInstruction).getDestinationAddressOperand(),
-          instr.(InitializeParameterInstruction).getAnOperand(),
-          instr.(InitializeDynamicAllocationInstruction).getAllocationAddressOperand(),
-          instr.(UninitializedInstruction).getAnOperand()
-        ]
-    |
-      isDefImpl(address, base, ind0) and
-      type = getLanguageType(address) and
-      m = countIndirectionsForCppType(type) and
-      ind = ind0 + [1 .. m] and
-      indirectionIndex = ind - (ind0 + 1)
-    )
-  }
-
-  /**
-   * Holds if `address` is a use of an SSA variable rooted at `base`, and the
-   * path from `base` to `address` passes through `ind` load-like instructions.
-   *
-   * Note: Unlike `isUseImpl`, this predicate recurses through pointer-arithmetic
-   * instructions.
-   */
-  private predicate isDefImpl(Operand address, Instruction base, int ind) {
-    DataFlowImplCommon::forceCachingInSameStage() and
-    ind = 0 and
-    address.getDef() = base and
-    isSourceVariableBase(base)
-    or
-    exists(Operand mid, Instruction instr |
-      isDefImpl(mid, base, ind) and
-      instr = address.getDef() and
-      conversionFlow(mid, instr, _)
-    )
-    or
-    exists(int ind0 |
-      isDefImpl(address.getDef().(LoadInstruction).getSourceAddressOperand(), base, ind0)
-      or
-      isDefImpl(address.getDef().(InitializeParameterInstruction).getAnOperand(), base, ind0)
-    |
-      ind0 = ind - 1
-    )
-  }
-}
-
-import Cached
-
-/**
- * Inputs to the shared SSA library's parameterized module that is shared
- * between the SSA pruning stage, and the final SSA stage.
- */
-module InputSigCommon {
-  class BasicBlock = IRBlock;
-
-  BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { result.immediatelyDominates(bb) }
-
-  BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
-
-  class ExitBasicBlock extends IRBlock {
-    ExitBasicBlock() { this.getLastInstruction() instanceof ExitFunctionInstruction }
-  }
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -1,208 +0,0 @@
-private import semmle.code.cpp.ir.IR
-private import experimental.semmle.code.cpp.ir.dataflow.DataFlow
-private import ModelUtil
-private import semmle.code.cpp.models.interfaces.DataFlow
-private import semmle.code.cpp.models.interfaces.SideEffect
-private import DataFlowUtil
-private import DataFlowPrivate
-private import semmle.code.cpp.models.Models
-
-/**
- * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
- * (intra-procedural) step.
- */
-predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  DataFlow::localFlowStep(nodeFrom, nodeTo)
-  or
-  localAdditionalTaintStep(nodeFrom, nodeTo)
-}
-
-/**
- * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
- * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
- * different objects.
- */
-cached
-predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  operandToInstructionTaintStep(nodeFrom.asOperand(), nodeTo.asInstruction())
-  or
-  modeledTaintStep(nodeFrom, nodeTo)
-  or
-  // Flow from `op` to `*op`.
-  exists(Operand operand, int indirectionIndex |
-    nodeHasOperand(nodeFrom, operand, indirectionIndex) and
-    nodeHasOperand(nodeTo, operand, indirectionIndex - 1)
-  )
-  or
-  // Flow from `instr` to `*instr`.
-  exists(Instruction instr, int indirectionIndex |
-    nodeHasInstruction(nodeFrom, instr, indirectionIndex) and
-    nodeHasInstruction(nodeTo, instr, indirectionIndex - 1)
-  )
-  or
-  // Flow from (the indirection of) an operand of a pointer arithmetic instruction to the
-  // indirection of the pointer arithmetic instruction. This provides flow from `source`
-  // in `x[source]` to the result of the associated load instruction.
-  exists(PointerArithmeticInstruction pai, int indirectionIndex |
-    nodeHasOperand(nodeFrom, pai.getAnOperand(), pragma[only_bind_into](indirectionIndex)) and
-    hasInstructionAndIndex(nodeTo, pai, indirectionIndex + 1)
-  )
-}
-
-/**
- * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
- * (intra-procedural) step.
- */
-private predicate operandToInstructionTaintStep(Operand opFrom, Instruction instrTo) {
-  // Taint can flow through expressions that alter the value but preserve
-  // more than one bit of it _or_ expressions that follow data through
-  // pointer indirections.
-  instrTo.getAnOperand() = opFrom and
-  (
-    instrTo instanceof ArithmeticInstruction
-    or
-    instrTo instanceof BitwiseInstruction
-    or
-    instrTo instanceof PointerArithmeticInstruction
-  )
-  or
-  // The `CopyInstruction` case is also present in non-taint data flow, but
-  // that uses `getDef` rather than `getAnyDef`. For taint, we want flow
-  // from a definition of `myStruct` to a `myStruct.myField` expression.
-  instrTo.(LoadInstruction).getSourceAddressOperand() = opFrom
-  or
-  // Unary instructions tend to preserve enough information in practice that we
-  // want taint to flow through.
-  // The exception is `FieldAddressInstruction`. Together with the rules below for
-  // `LoadInstruction`s and `ChiInstruction`s, flow through `FieldAddressInstruction`
-  // could cause flow into one field to come out an unrelated field.
-  // This would happen across function boundaries, where the IR would not be able to
-  // match loads to stores.
-  instrTo.(UnaryInstruction).getUnaryOperand() = opFrom and
-  (
-    not instrTo instanceof FieldAddressInstruction
-    or
-    instrTo.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
-  )
-}
-
-/**
- * Holds if taint may propagate from `source` to `sink` in zero or more local
- * (intra-procedural) steps.
- */
-pragma[inline]
-predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintStep*(source, sink) }
-
-/**
- * Holds if taint can flow from `i1` to `i2` in zero or more
- * local (intra-procedural) steps.
- */
-pragma[inline]
-predicate localInstructionTaint(Instruction i1, Instruction i2) {
-  localTaint(DataFlow::instructionNode(i1), DataFlow::instructionNode(i2))
-}
-
-/**
- * Holds if taint can flow from `e1` to `e2` in zero or more
- * local (intra-procedural) steps.
- */
-pragma[inline]
-predicate localExprTaint(Expr e1, Expr e2) {
-  localTaint(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
-}
-
-/**
- * Holds if the additional step from `src` to `sink` should be included in all
- * global taint flow configurations.
- */
-predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
-  localAdditionalTaintStep(src, sink)
-}
-
-/**
- * Holds if default `TaintTracking::Configuration`s should allow implicit reads
- * of `c` at sinks and inputs to additional taint steps.
- */
-bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
-
-/**
- * Holds if `node` should be a sanitizer in all global taint flow configurations
- * but not in local taint.
- */
-predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
-
-/**
- * Holds if taint can flow from `instrIn` to `instrOut` through a call to a
- * modeled function.
- */
-predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut) {
-  // Normal taint steps
-  exists(CallInstruction call, TaintFunction func, FunctionInput modelIn, FunctionOutput modelOut |
-    call.getStaticCallTarget() = func and
-    func.hasTaintFlow(modelIn, modelOut)
-  |
-    (
-      nodeIn = callInput(call, modelIn)
-      or
-      exists(int n |
-        modelIn.isParameterDerefOrQualifierObject(n) and
-        if n = -1
-        then nodeIn = callInput(call, any(InQualifierAddress inQualifier))
-        else nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n))
-      )
-    ) and
-    nodeOut = callOutput(call, modelOut)
-    or
-    exists(int d |
-      nodeIn = callInput(call, modelIn, d)
-      or
-      exists(int n |
-        d = 1 and
-        modelIn.isParameterDerefOrQualifierObject(n) and
-        if n = -1
-        then nodeIn = callInput(call, any(InQualifierAddress inQualifier))
-        else nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n))
-      )
-    |
-      call.getStaticCallTarget() = func and
-      func.hasTaintFlow(modelIn, modelOut) and
-      nodeOut = callOutput(call, modelOut, d)
-    )
-  )
-  or
-  // Taint flow from one argument to another and data flow from an argument to a
-  // return value. This happens in functions like `strcat` and `memcpy`. We
-  // could model this flow in two separate steps, but that would add reverse
-  // flow from the write side-effect to the call instruction, which may not be
-  // desirable.
-  exists(
-    CallInstruction call, Function func, FunctionInput modelIn, OutParameterDeref modelMidOut,
-    int indexMid, InParameter modelMidIn, OutReturnValue modelOut
-  |
-    nodeIn = callInput(call, modelIn) and
-    nodeOut = callOutput(call, modelOut) and
-    call.getStaticCallTarget() = func and
-    func.(TaintFunction).hasTaintFlow(modelIn, modelMidOut) and
-    func.(DataFlowFunction).hasDataFlow(modelMidIn, modelOut) and
-    modelMidOut.isParameterDeref(indexMid) and
-    modelMidIn.isParameter(indexMid)
-  )
-  or
-  // Taint flow from a pointer argument to an output, when the model specifies flow from the deref
-  // to that output, but the deref is not modeled in the IR for the caller.
-  exists(
-    CallInstruction call, DataFlow::SideEffectOperandNode indirectArgument, Function func,
-    FunctionInput modelIn, FunctionOutput modelOut
-  |
-    indirectArgument = callInput(call, modelIn) and
-    indirectArgument.getAddressOperand() = nodeIn.asOperand() and
-    call.getStaticCallTarget() = func and
-    (
-      func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
-      or
-      func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
-    ) and
-    nodeOut = callOutput(call, modelOut)
-  )
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll

@@ -1,314 +0,0 @@
-/**
- * This module defines an initial SSA pruning stage that doesn't take
- * indirections into account.
- */
-
-private import codeql.ssa.Ssa as SsaImplCommon
-private import semmle.code.cpp.ir.IR
-private import experimental.semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
-private import semmle.code.cpp.models.interfaces.Allocation as Alloc
-private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
-private import semmle.code.cpp.ir.implementation.raw.internal.SideEffects as SideEffects
-private import semmle.code.cpp.ir.internal.IRCppLanguage
-private import experimental.semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import experimental.semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import experimental.semmle.code.cpp.ir.dataflow.internal.SsaInternalsCommon
-
-private module SourceVariables {
-  newtype TBaseSourceVariable =
-    // Each IR variable gets its own source variable
-    TBaseIRVariable(IRVariable var) or
-    // Each allocation gets its own source variable
-    TBaseCallVariable(AllocationInstruction call)
-
-  abstract class BaseSourceVariable extends TBaseSourceVariable {
-    abstract string toString();
-
-    abstract DataFlowType getType();
-  }
-
-  class BaseIRVariable extends BaseSourceVariable, TBaseIRVariable {
-    IRVariable var;
-
-    IRVariable getIRVariable() { result = var }
-
-    BaseIRVariable() { this = TBaseIRVariable(var) }
-
-    override string toString() { result = var.toString() }
-
-    override DataFlowType getType() { result = var.getIRType() }
-  }
-
-  class BaseCallVariable extends BaseSourceVariable, TBaseCallVariable {
-    AllocationInstruction call;
-
-    BaseCallVariable() { this = TBaseCallVariable(call) }
-
-    AllocationInstruction getCallInstruction() { result = call }
-
-    override string toString() { result = call.toString() }
-
-    override DataFlowType getType() { result = call.getResultIRType() }
-  }
-
-  private newtype TSourceVariable =
-    TSourceIRVariable(BaseIRVariable baseVar) or
-    TCallVariable(AllocationInstruction call)
-
-  abstract class SourceVariable extends TSourceVariable {
-    abstract string toString();
-
-    abstract BaseSourceVariable getBaseVariable();
-  }
-
-  class SourceIRVariable extends SourceVariable, TSourceIRVariable {
-    BaseIRVariable var;
-
-    SourceIRVariable() { this = TSourceIRVariable(var) }
-
-    IRVariable getIRVariable() { result = var.getIRVariable() }
-
-    override BaseIRVariable getBaseVariable() { result.getIRVariable() = this.getIRVariable() }
-
-    override string toString() { result = this.getIRVariable().toString() }
-  }
-
-  class CallVariable extends SourceVariable, TCallVariable {
-    AllocationInstruction call;
-
-    CallVariable() { this = TCallVariable(call) }
-
-    AllocationInstruction getCall() { result = call }
-
-    override BaseCallVariable getBaseVariable() { result.getCallInstruction() = call }
-
-    override string toString() { result = "Call" }
-  }
-}
-
-import SourceVariables
-
-private newtype TDefOrUseImpl =
-  TDefImpl(Operand address) { isDef(_, _, address, _, _, _) } or
-  TUseImpl(Operand operand) {
-    isUse(_, operand, _, _, _) and
-    not isDef(_, _, operand, _, _, _)
-  }
-
-abstract private class DefOrUseImpl extends TDefOrUseImpl {
-  /** Gets a textual representation of this element. */
-  abstract string toString();
-
-  /** Gets the block of this definition or use. */
-  abstract IRBlock getBlock();
-
-  /** Holds if this definition or use has index `index` in block `block`. */
-  abstract predicate hasIndexInBlock(IRBlock block, int index);
-
-  final predicate hasIndexInBlock(IRBlock block, int index, SourceVariable sv) {
-    this.hasIndexInBlock(block, index) and
-    sv = this.getSourceVariable()
-  }
-
-  /** Gets the location of this element. */
-  abstract Cpp::Location getLocation();
-
-  abstract Instruction getBase();
-
-  final BaseSourceVariable getBaseSourceVariable() {
-    exists(IRVariable var |
-      result.(BaseIRVariable).getIRVariable() = var and
-      instructionHasIRVariable(this.getBase(), var)
-    )
-    or
-    result.(BaseCallVariable).getCallInstruction() = this.getBase()
-  }
-
-  /** Gets the variable that is defined or used. */
-  final SourceVariable getSourceVariable() {
-    exists(BaseSourceVariable v |
-      sourceVariableHasBaseAndIndex(result, v) and
-      defOrUseHasSourceVariable(this, v)
-    )
-  }
-}
-
-pragma[noinline]
-private predicate instructionHasIRVariable(VariableAddressInstruction vai, IRVariable var) {
-  vai.getIRVariable() = var
-}
-
-private predicate defOrUseHasSourceVariable(DefOrUseImpl defOrUse, BaseSourceVariable bv) {
-  defHasSourceVariable(defOrUse, bv)
-  or
-  useHasSourceVariable(defOrUse, bv)
-}
-
-pragma[noinline]
-private predicate defHasSourceVariable(DefImpl def, BaseSourceVariable bv) {
-  bv = def.getBaseSourceVariable()
-}
-
-pragma[noinline]
-private predicate useHasSourceVariable(UseImpl use, BaseSourceVariable bv) {
-  bv = use.getBaseSourceVariable()
-}
-
-pragma[noinline]
-private predicate sourceVariableHasBaseAndIndex(SourceVariable v, BaseSourceVariable bv) {
-  v.getBaseVariable() = bv
-}
-
-class DefImpl extends DefOrUseImpl, TDefImpl {
-  Operand address;
-
-  DefImpl() { this = TDefImpl(address) }
-
-  override Instruction getBase() { isDef(_, _, address, result, _, _) }
-
-  Operand getAddressOperand() { result = address }
-
-  Instruction getDefiningInstruction() { isDef(_, result, address, _, _, _) }
-
-  override string toString() { result = address.toString() }
-
-  override IRBlock getBlock() { result = this.getDefiningInstruction().getBlock() }
-
-  override Cpp::Location getLocation() { result = this.getDefiningInstruction().getLocation() }
-
-  final override predicate hasIndexInBlock(IRBlock block, int index) {
-    this.getDefiningInstruction() = block.getInstruction(index)
-  }
-
-  predicate isCertain() { isDef(true, _, address, _, _, _) }
-}
-
-class UseImpl extends DefOrUseImpl, TUseImpl {
-  Operand operand;
-
-  UseImpl() { this = TUseImpl(operand) }
-
-  Operand getOperand() { result = operand }
-
-  override string toString() { result = operand.toString() }
-
-  final override predicate hasIndexInBlock(IRBlock block, int index) {
-    operand.getUse() = block.getInstruction(index)
-  }
-
-  final override IRBlock getBlock() { result = operand.getUse().getBlock() }
-
-  final override Cpp::Location getLocation() { result = operand.getLocation() }
-
-  override Instruction getBase() { isUse(_, operand, result, _, _) }
-
-  predicate isCertain() { isUse(true, operand, _, _, _) }
-}
-
-private module SsaInput implements SsaImplCommon::InputSig {
-  import InputSigCommon
-  import SourceVariables
-
-  /**
-   * Holds if the `i`'th write in block `bb` writes to the variable `v`.
-   * `certain` is `true` if the write is guaranteed to overwrite the entire variable.
-   */
-  predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
-    DataFlowImplCommon::forceCachingInSameStage() and
-    exists(DefImpl def | def.hasIndexInBlock(bb, i, v) |
-      if def.isCertain() then certain = true else certain = false
-    )
-  }
-
-  /**
-   * Holds if the `i`'th read in block `bb` reads to the variable `v`.
-   * `certain` is `true` if the read is guaranteed.
-   */
-  predicate variableRead(IRBlock bb, int i, SourceVariable v, boolean certain) {
-    exists(UseImpl use | use.hasIndexInBlock(bb, i, v) |
-      if use.isCertain() then certain = true else certain = false
-    )
-  }
-}
-
-private newtype TSsaDefOrUse =
-  TDefOrUse(DefOrUseImpl defOrUse) {
-    defOrUse instanceof UseImpl
-    or
-    // If `defOrUse` is a definition we only include it if the
-    // SSA library concludes that it's live after the write.
-    exists(Definition def, SourceVariable sv, IRBlock bb, int i |
-      def.definesAt(sv, bb, i) and
-      defOrUse.(DefImpl).hasIndexInBlock(bb, i, sv)
-    )
-  } or
-  TPhi(PhiNode phi)
-
-abstract private class SsaDefOrUse extends TSsaDefOrUse {
-  string toString() { result = "SsaDefOrUse" }
-
-  DefOrUseImpl asDefOrUse() { none() }
-
-  PhiNode asPhi() { none() }
-
-  abstract Location getLocation();
-}
-
-class DefOrUse extends TDefOrUse, SsaDefOrUse {
-  DefOrUseImpl defOrUse;
-
-  DefOrUse() { this = TDefOrUse(defOrUse) }
-
-  final override DefOrUseImpl asDefOrUse() { result = defOrUse }
-
-  final override Location getLocation() { result = defOrUse.getLocation() }
-
-  final SourceVariable getSourceVariable() { result = defOrUse.getSourceVariable() }
-}
-
-class Phi extends TPhi, SsaDefOrUse {
-  PhiNode phi;
-
-  Phi() { this = TPhi(phi) }
-
-  final override PhiNode asPhi() { result = phi }
-
-  final override Location getLocation() { result = phi.getBasicBlock().getLocation() }
-}
-
-class UseOrPhi extends SsaDefOrUse {
-  UseOrPhi() {
-    this.asDefOrUse() instanceof UseImpl
-    or
-    this instanceof Phi
-  }
-
-  final override Location getLocation() {
-    result = this.asDefOrUse().getLocation() or result = this.(Phi).getLocation()
-  }
-
-  override string toString() {
-    result = this.asDefOrUse().toString()
-    or
-    this instanceof Phi and
-    result = "Phi"
-  }
-}
-
-class Def extends DefOrUse {
-  override DefImpl defOrUse;
-
-  Operand getAddressOperand() { result = defOrUse.getAddressOperand() }
-
-  Instruction getAddress() { result = this.getAddressOperand().getDef() }
-
-  Instruction getDefiningInstruction() { result = defOrUse.getDefiningInstruction() }
-
-  override string toString() { result = this.asDefOrUse().toString() + " (def)" }
-}
-
-private module SsaImpl = SsaImplCommon::Make<SsaInput>;
-
-class PhiNode = SsaImpl::PhiNode;
-
-class Definition = SsaImpl::Definition;

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -1,191 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant taint source with the given initial
-   * `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink accepting `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { none() }
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    this.isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /**
-   * Holds if the node `node` is a taint sanitizer when the flow state is
-   * `state`.
-   */
-  predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizer(node, state)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
-
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
-  }
-
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited
-   * when the flow state is `state`.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
-    none()
-  }
-
-  deprecated final override predicate isBarrierGuard(
-    DataFlow::BarrierGuard guard, DataFlow::FlowState state
-  ) {
-    this.isSanitizerGuard(guard, state)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalTaintStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    none()
-  }
-
-  final override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    this.isAdditionalTaintStep(node1, state1, node2, state2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (
-      this.isSink(node) or
-      this.isSink(node, _) or
-      this.isAdditionalTaintStep(node, _) or
-      this.isAdditionalTaintStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingParameter.qll

@@ -1,5 +0,0 @@
-import experimental.semmle.code.cpp.ir.dataflow.internal.TaintTrackingUtil as Public
-
-module Private {
-  import experimental.semmle.code.cpp.ir.dataflow.DataFlow::DataFlow as DataFlow
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -1,191 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant taint source with the given initial
-   * `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink accepting `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { none() }
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    this.isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /**
-   * Holds if the node `node` is a taint sanitizer when the flow state is
-   * `state`.
-   */
-  predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizer(node, state)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
-
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
-  }
-
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited
-   * when the flow state is `state`.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
-    none()
-  }
-
-  deprecated final override predicate isBarrierGuard(
-    DataFlow::BarrierGuard guard, DataFlow::FlowState state
-  ) {
-    this.isSanitizerGuard(guard, state)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalTaintStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    none()
-  }
-
-  final override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    this.isAdditionalTaintStep(node1, state1, node2, state2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (
-      this.isSink(node) or
-      this.isSink(node, _) or
-      this.isAdditionalTaintStep(node, _) or
-      this.isAdditionalTaintStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingParameter.qll

@@ -1,5 +0,0 @@
-import experimental.semmle.code.cpp.ir.dataflow.internal.TaintTrackingUtil as Public
-
-module Private {
-  import experimental.semmle.code.cpp.ir.dataflow.DataFlow2::DataFlow2 as DataFlow
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll

@@ -1,191 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant taint source with the given initial
-   * `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink accepting `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { none() }
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    this.isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /**
-   * Holds if the node `node` is a taint sanitizer when the flow state is
-   * `state`.
-   */
-  predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizer(node, state)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
-
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
-  }
-
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited
-   * when the flow state is `state`.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
-    none()
-  }
-
-  deprecated final override predicate isBarrierGuard(
-    DataFlow::BarrierGuard guard, DataFlow::FlowState state
-  ) {
-    this.isSanitizerGuard(guard, state)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalTaintStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    none()
-  }
-
-  final override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    this.isAdditionalTaintStep(node1, state1, node2, state2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (
-      this.isSink(node) or
-      this.isSink(node, _) or
-      this.isAdditionalTaintStep(node, _) or
-      this.isAdditionalTaintStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingParameter.qll

@@ -1,5 +0,0 @@
-import experimental.semmle.code.cpp.ir.dataflow.internal.TaintTrackingUtil as Public
-
-module Private {
-  import experimental.semmle.code.cpp.ir.dataflow.DataFlow3::DataFlow3 as DataFlow
-}

cpp/ql/lib/experimental/semmle/code/cpp/models/interfaces/SimpleRangeAnalysisDefinition.qll

@@ -37,7 +37,7 @@ abstract class SimpleRangeAnalysisDefinition extends RangeSsaDefinition {
    * dependencies. Without this information, range analysis might work for
    * simple cases but will go into infinite loops on complex code.
    *
-   * For example, when modeling the definition by reference in a call to an
+   * For example, when modelling the definition by reference in a call to an
    * overloaded `operator=`, written as `v = e`, the definition of `(this, v)`
    * depends on `e`.
    */

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/Bound.qll

@@ -28,10 +28,6 @@ private newtype TBound =
       i.(LoadInstruction).getSourceAddress() instanceof FieldAddressInstruction
       or
       i.getAUse() instanceof ArgumentOperand
-      or
-      i instanceof PointerArithmeticInstruction
-      or
-      i.getAUse() instanceof AddressOperand
     )
   }
 
@@ -77,7 +73,7 @@ class ValueNumberBound extends Bound, TBoundValueNumber {
     this = TBoundValueNumber(valueNumber(result)) and delta = 0
   }
 
-  override string toString() { result = "ValueNumberBound" }
+  override string toString() { result = vn.getExampleInstruction().toString() }
 
   override Location getLocation() { result = vn.getLocation() }
 

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/InBoundsPointerDeref.qll

@@ -5,7 +5,7 @@
  * `Instruction` level), and then using the array length analysis and the range
  * analysis together to prove that some of these pointer dereferences are safe.
  *
- * The analysis is soundy, i.e. it is sound if no undefined behavior is present
+ * The analysis is soundy, i.e. it is sound if no undefined behaviour is present
  * in the program.
  * Furthermore, it crucially depends on the soundiness of the range analysis and
  * the array length analysis.

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll

@@ -4,7 +4,7 @@
 
 import cpp
 import semmle.code.cpp.dataflow.TaintTracking
-import semmle.code.cpp.security.PrivateData
+import experimental.semmle.code.cpp.security.PrivateData
 import semmle.code.cpp.security.FileWrite
 import semmle.code.cpp.security.BufferWrite
 

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateData.qll

@@ -0,0 +1,52 @@
+/**
+ * Provides classes and predicates for identifying private data and functions for security.
+ *
+ * 'Private' data in general is anything that would compromise user privacy if exposed. This
+ * library tries to guess where private data may either be stored in a variable or produced by a
+ * function.
+ *
+ * This library is not concerned with credentials. See `SensitiveActions` for expressions related
+ * to credentials.
+ */
+
+import cpp
+
+/** A string for `match` that identifies strings that look like they represent private data. */
+private string privateNames() {
+  result =
+    [
+      // Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
+      // Government identifiers, such as Social Security Numbers
+      "%social%security%number%",
+      // Contact information, such as home addresses and telephone numbers
+      "%postcode%", "%zipcode%",
+      // result = "%telephone%" or
+      // Geographic location - where the user is (or was)
+      "%latitude%", "%longitude%",
+      // Financial data - such as credit card numbers, salary, bank accounts, and debts
+      "%creditcard%", "%salary%", "%bankaccount%",
+      // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
+      // result = "%email%" or
+      // result = "%mobile%" or
+      "%employer%",
+      // Health - medical conditions, insurance status, prescription records
+      "%medical%"
+    ]
+}
+
+/** An expression that might contain private data. */
+abstract class PrivateDataExpr extends Expr { }
+
+/** A functiond call that might produce private data. */
+class PrivateFunctionCall extends PrivateDataExpr, FunctionCall {
+  PrivateFunctionCall() {
+    exists(string s | this.getTarget().getName().toLowerCase() = s | s.matches(privateNames()))
+  }
+}
+
+/** An access to a variable that might contain private data. */
+class PrivateVariableAccess extends PrivateDataExpr, VariableAccess {
+  PrivateVariableAccess() {
+    exists(string s | this.getTarget().getName().toLowerCase() = s | s.matches(privateNames()))
+  }
+}

cpp/ql/lib/experimental/semmle/code/cpp/semantic/Semantic.qll

@@ -1,7 +0,0 @@
-import SemanticExpr
-import SemanticBound
-import SemanticSSA
-import SemanticGuard
-import SemanticCFG
-import SemanticType
-import SemanticOpcode

cpp/ql/lib/experimental/semmle/code/cpp/semantic/SemanticBound.qll

@@ -1,42 +0,0 @@
-/**
- * Semantic wrapper around the language-specific bounds library.
- */
-
-private import SemanticExpr
-private import SemanticExprSpecific::SemanticExprConfig as Specific
-private import SemanticSSA
-
-/**
- * A valid base for an expression bound.
- *
- * Can be either a variable (`SemSsaBound`) or zero (`SemZeroBound`).
- */
-class SemBound instanceof Specific::Bound {
-  final string toString() { result = super.toString() }
-
-  final SemExpr getExpr(int delta) { result = Specific::getBoundExpr(this, delta) }
-}
-
-/**
- * A bound that is a constant zero.
- */
-class SemZeroBound extends SemBound {
-  SemZeroBound() { Specific::zeroBound(this) }
-}
-
-/**
- * A bound that is an SSA definition.
- */
-class SemSsaBound extends SemBound {
-  /**
-   * The variables whose value is used as the bound.
-   *
-   * Can be multi-valued in some implementations. If so, all variables will be equivalent.
-   */
-  SemSsaVariable var;
-
-  SemSsaBound() { Specific::ssaBound(this, var) }
-
-  /** Gets a variable whose value is used as the bound. */
-  final SemSsaVariable getAVariable() { result = var }
-}

cpp/ql/lib/experimental/semmle/code/cpp/semantic/SemanticCFG.qll

@@ -1,22 +0,0 @@
-/**
- * Semantic interface to the control flow graph.
- */
-
-private import Semantic
-private import SemanticExprSpecific::SemanticExprConfig as Specific
-
-/**
- * A basic block in the control-flow graph.
- */
-class SemBasicBlock extends Specific::BasicBlock {
-  /** Holds if this block (transitively) dominates `otherblock`. */
-  final predicate bbDominates(SemBasicBlock otherBlock) { Specific::bbDominates(this, otherBlock) }
-
-  /** Holds if this block has dominance information. */
-  final predicate hasDominanceInformation() { Specific::hasDominanceInformation(this) }
-
-  /** Gets an expression that is evaluated in this basic block. */
-  final SemExpr getAnExpr() { result.getBasicBlock() = this }
-
-  final int getUniqueId() { result = Specific::getBasicBlockUniqueId(this) }
-}

cpp/ql/lib/experimental/semmle/code/cpp/semantic/SemanticExpr.qll

@@ -1,309 +0,0 @@
-/**
- * Semantic interface for expressions.
- */
-
-private import Semantic
-private import SemanticExprSpecific::SemanticExprConfig as Specific
-
-/**
- * An language-neutral expression.
- *
- * The expression computes a value of type `getSemType()`. The actual computation is determined by
- * the expression's opcode (`getOpcode()`).
- */
-class SemExpr instanceof Specific::Expr {
-  final string toString() { result = super.toString() }
-
-  final Specific::Location getLocation() { result = super.getLocation() }
-
-  Opcode getOpcode() { result instanceof Opcode::Unknown }
-
-  SemType getSemType() { result = Specific::getUnknownExprType(this) }
-
-  final SemBasicBlock getBasicBlock() { result = Specific::getExprBasicBlock(this) }
-}
-
-/** An expression with an opcode other than `Unknown`. */
-abstract private class SemKnownExpr extends SemExpr {
-  Opcode opcode;
-  SemType type;
-
-  final override Opcode getOpcode() { result = opcode }
-
-  final override SemType getSemType() { result = type }
-}
-
-/** An expression that returns a literal value. */
-class SemLiteralExpr extends SemKnownExpr {
-  SemLiteralExpr() {
-    Specific::integerLiteral(this, type, _) and opcode instanceof Opcode::Constant
-    or
-    Specific::largeIntegerLiteral(this, type, _) and opcode instanceof Opcode::Constant
-    or
-    Specific::booleanLiteral(this, type, _) and opcode instanceof Opcode::Constant
-    or
-    Specific::floatingPointLiteral(this, type, _) and opcode instanceof Opcode::Constant
-    or
-    Specific::nullLiteral(this, type) and opcode instanceof Opcode::Constant
-    or
-    Specific::stringLiteral(this, type, _) and opcode instanceof Opcode::StringConstant
-  }
-}
-
-/** An expression that returns a numeric literal value. */
-class SemNumericLiteralExpr extends SemLiteralExpr {
-  SemNumericLiteralExpr() {
-    Specific::integerLiteral(this, _, _)
-    or
-    Specific::largeIntegerLiteral(this, _, _)
-    or
-    Specific::floatingPointLiteral(this, _, _)
-  }
-
-  /**
-   * Gets an approximation of the value of the literal, as a `float`.
-   *
-   * If the value can be precisely represented as a `float`, the result will be exact. If the actual
-   * value cannot be precisely represented (for example, it is an integer with more than 53
-   * significant bits), then the result is an approximation.
-   */
-  float getApproximateFloatValue() { none() }
-}
-
-/** An expression that returns an integer literal value. */
-class SemIntegerLiteralExpr extends SemNumericLiteralExpr {
-  SemIntegerLiteralExpr() {
-    Specific::integerLiteral(this, _, _)
-    or
-    Specific::largeIntegerLiteral(this, _, _)
-  }
-
-  /**
-   * Gets the value of the literal, if it can be represented as an `int`.
-   *
-   * If the value is outside the range of an `int`, use `getApproximateFloatValue()` to get a value
-   * that is equal to the actual integer value, within rounding error.
-   */
-  final int getIntValue() { Specific::integerLiteral(this, _, result) }
-
-  final override float getApproximateFloatValue() {
-    result = getIntValue()
-    or
-    Specific::largeIntegerLiteral(this, _, result)
-  }
-}
-
-/**
- * An expression that returns a floating-point literal value.
- */
-class SemFloatingPointLiteralExpr extends SemNumericLiteralExpr {
-  float value;
-
-  SemFloatingPointLiteralExpr() { Specific::floatingPointLiteral(this, _, value) }
-
-  final override float getApproximateFloatValue() { result = value }
-
-  /** Gets the value of the literal. */
-  final float getFloatValue() { result = value }
-}
-
-/**
- * An expression that consumes two operands.
- */
-class SemBinaryExpr extends SemKnownExpr {
-  SemExpr leftOperand;
-  SemExpr rightOperand;
-
-  SemBinaryExpr() { Specific::binaryExpr(this, opcode, type, leftOperand, rightOperand) }
-
-  /** Gets the left operand. */
-  final SemExpr getLeftOperand() { result = leftOperand }
-
-  /** Gets the right operand. */
-  final SemExpr getRightOperand() { result = rightOperand }
-
-  /** Holds if `a` and `b` are the two operands, in either order. */
-  final predicate hasOperands(SemExpr a, SemExpr b) {
-    a = getLeftOperand() and b = getRightOperand()
-    or
-    a = getRightOperand() and b = getLeftOperand()
-  }
-
-  /** Gets the two operands. */
-  final SemExpr getAnOperand() { result = getLeftOperand() or result = getRightOperand() }
-}
-
-/** An expression that performs and ordered comparison of two operands. */
-class SemRelationalExpr extends SemBinaryExpr {
-  SemRelationalExpr() {
-    opcode instanceof Opcode::CompareLT
-    or
-    opcode instanceof Opcode::CompareLE
-    or
-    opcode instanceof Opcode::CompareGT
-    or
-    opcode instanceof Opcode::CompareGE
-  }
-
-  /**
-   * Get the operand that will be less than the other operand if the result of the comparison is
-   * `true`.
-   *
-   * For `x < y` or `x <= y`, this will return `x`.
-   * For `x > y` or `x >= y`, this will return `y`.`
-   */
-  final SemExpr getLesserOperand() {
-    if opcode instanceof Opcode::CompareLT or opcode instanceof Opcode::CompareLE
-    then result = getLeftOperand()
-    else result = getRightOperand()
-  }
-
-  /**
-   * Get the operand that will be greater than the other operand if the result of the comparison is
-   * `true`.
-   *
-   * For `x < y` or `x <= y`, this will return `y`.
-   * For `x > y` or `x >= y`, this will return `x`.`
-   */
-  final SemExpr getGreaterOperand() {
-    if opcode instanceof Opcode::CompareGT or opcode instanceof Opcode::CompareGE
-    then result = getLeftOperand()
-    else result = getRightOperand()
-  }
-
-  /** Holds if this comparison returns `false` if the two operands are equal. */
-  final predicate isStrict() {
-    opcode instanceof Opcode::CompareLT or opcode instanceof Opcode::CompareGT
-  }
-}
-
-class SemAddExpr extends SemBinaryExpr {
-  SemAddExpr() { opcode instanceof Opcode::Add or opcode instanceof Opcode::PointerAdd }
-}
-
-class SemSubExpr extends SemBinaryExpr {
-  SemSubExpr() { opcode instanceof Opcode::Sub or opcode instanceof Opcode::PointerSub }
-}
-
-class SemMulExpr extends SemBinaryExpr {
-  SemMulExpr() { opcode instanceof Opcode::Mul }
-}
-
-class SemDivExpr extends SemBinaryExpr {
-  SemDivExpr() { opcode instanceof Opcode::Div }
-}
-
-class SemRemExpr extends SemBinaryExpr {
-  SemRemExpr() { opcode instanceof Opcode::Rem }
-}
-
-class SemShiftLeftExpr extends SemBinaryExpr {
-  SemShiftLeftExpr() { opcode instanceof Opcode::ShiftLeft }
-}
-
-class SemShiftRightExpr extends SemBinaryExpr {
-  SemShiftRightExpr() { opcode instanceof Opcode::ShiftRight }
-}
-
-class SemShiftRightUnsignedExpr extends SemBinaryExpr {
-  SemShiftRightUnsignedExpr() { opcode instanceof Opcode::ShiftRightUnsigned }
-}
-
-class SemBitAndExpr extends SemBinaryExpr {
-  SemBitAndExpr() { opcode instanceof Opcode::BitAnd }
-}
-
-class SemBitOrExpr extends SemBinaryExpr {
-  SemBitOrExpr() { opcode instanceof Opcode::BitOr }
-}
-
-class SemBitXorExpr extends SemBinaryExpr {
-  SemBitXorExpr() { opcode instanceof Opcode::BitXor }
-}
-
-class SemUnaryExpr extends SemKnownExpr {
-  SemExpr operand;
-
-  SemUnaryExpr() { Specific::unaryExpr(this, opcode, type, operand) }
-
-  final SemExpr getOperand() { result = operand }
-}
-
-class SemBoxExpr extends SemUnaryExpr {
-  SemBoxExpr() { opcode instanceof Opcode::Box }
-}
-
-class SemUnboxExpr extends SemUnaryExpr {
-  SemUnboxExpr() { opcode instanceof Opcode::Unbox }
-}
-
-class SemConvertExpr extends SemUnaryExpr {
-  SemConvertExpr() { opcode instanceof Opcode::Convert }
-}
-
-class SemCopyValueExpr extends SemUnaryExpr {
-  SemCopyValueExpr() { opcode instanceof Opcode::CopyValue }
-}
-
-class SemNegateExpr extends SemUnaryExpr {
-  SemNegateExpr() { opcode instanceof Opcode::Negate }
-}
-
-class SemBitComplementExpr extends SemUnaryExpr {
-  SemBitComplementExpr() { opcode instanceof Opcode::BitComplement }
-}
-
-class SemLogicalNotExpr extends SemUnaryExpr {
-  SemLogicalNotExpr() { opcode instanceof Opcode::LogicalNot }
-}
-
-class SemAddOneExpr extends SemUnaryExpr {
-  SemAddOneExpr() { opcode instanceof Opcode::AddOne }
-}
-
-class SemSubOneExpr extends SemUnaryExpr {
-  SemSubOneExpr() { opcode instanceof Opcode::SubOne }
-}
-
-private class SemNullaryExpr extends SemKnownExpr {
-  SemNullaryExpr() { Specific::nullaryExpr(this, opcode, type) }
-}
-
-class SemInitializeParameterExpr extends SemNullaryExpr {
-  SemInitializeParameterExpr() { opcode instanceof Opcode::InitializeParameter }
-}
-
-class SemLoadExpr extends SemNullaryExpr {
-  SemLoadExpr() { opcode instanceof Opcode::Load }
-
-  final SemSsaVariable getDef() { result.getAUse() = this }
-}
-
-class SemSsaLoadExpr extends SemLoadExpr {
-  SemSsaLoadExpr() { exists(getDef()) }
-}
-
-class SemNonSsaLoadExpr extends SemLoadExpr {
-  SemNonSsaLoadExpr() { not exists(getDef()) }
-}
-
-class SemStoreExpr extends SemUnaryExpr {
-  SemStoreExpr() { opcode instanceof Opcode::Store }
-}
-
-class SemConditionalExpr extends SemKnownExpr {
-  SemExpr condition;
-  SemExpr trueResult;
-  SemExpr falseResult;
-
-  SemConditionalExpr() {
-    opcode instanceof Opcode::Conditional and
-    Specific::conditionalExpr(this, type, condition, trueResult, falseResult)
-  }
-
-  final SemExpr getBranchExpr(boolean branch) {
-    branch = true and result = trueResult
-    or
-    branch = false and result = falseResult
-  }
-}

cpp/ql/lib/experimental/semmle/code/cpp/semantic/SemanticExprSpecific.qll

@@ -1,329 +0,0 @@
-/**
- * C++-specific implementation of the semantic interface.
- */
-
-private import cpp as Cpp
-private import semmle.code.cpp.ir.IR as IR
-private import Semantic
-private import experimental.semmle.code.cpp.rangeanalysis.Bound as IRBound
-private import semmle.code.cpp.controlflow.IRGuards as IRGuards
-
-module SemanticExprConfig {
-  class Location = Cpp::Location;
-
-  class Expr = IR::Instruction;
-
-  SemBasicBlock getExprBasicBlock(Expr e) { result = getSemanticBasicBlock(e.getBlock()) }
-
-  private predicate anyConstantExpr(Expr expr, SemType type, string value) {
-    exists(IR::ConstantInstruction instr | instr = expr |
-      type = getSemanticType(instr.getResultIRType()) and
-      value = instr.getValue()
-    )
-  }
-
-  predicate integerLiteral(Expr expr, SemIntegerType type, int value) {
-    exists(string valueString |
-      anyConstantExpr(expr, type, valueString) and
-      value = valueString.toInt()
-    )
-  }
-
-  predicate largeIntegerLiteral(Expr expr, SemIntegerType type, float approximateFloatValue) {
-    exists(string valueString |
-      anyConstantExpr(expr, type, valueString) and
-      not exists(valueString.toInt()) and
-      approximateFloatValue = valueString.toFloat()
-    )
-  }
-
-  predicate floatingPointLiteral(Expr expr, SemFloatingPointType type, float value) {
-    exists(string valueString |
-      anyConstantExpr(expr, type, valueString) and value = valueString.toFloat()
-    )
-  }
-
-  predicate booleanLiteral(Expr expr, SemBooleanType type, boolean value) {
-    exists(string valueString |
-      anyConstantExpr(expr, type, valueString) and
-      (
-        valueString = "true" and value = true
-        or
-        valueString = "false" and value = false
-      )
-    )
-  }
-
-  predicate nullLiteral(Expr expr, SemAddressType type) { anyConstantExpr(expr, type, _) }
-
-  predicate stringLiteral(Expr expr, SemType type, string value) {
-    anyConstantExpr(expr, type, value) and expr instanceof IR::StringConstantInstruction
-  }
-
-  predicate binaryExpr(Expr expr, Opcode opcode, SemType type, Expr leftOperand, Expr rightOperand) {
-    exists(IR::BinaryInstruction instr | instr = expr |
-      type = getSemanticType(instr.getResultIRType()) and
-      leftOperand = instr.getLeft() and
-      rightOperand = instr.getRight() and
-      // REVIEW: Merge the two `Opcode` types.
-      opcode.toString() = instr.getOpcode().toString()
-    )
-  }
-
-  predicate unaryExpr(Expr expr, Opcode opcode, SemType type, Expr operand) {
-    type = getSemanticType(expr.getResultIRType()) and
-    (
-      exists(IR::UnaryInstruction instr | instr = expr |
-        operand = instr.getUnary() and
-        // REVIEW: Merge the two operand types.
-        opcode.toString() = instr.getOpcode().toString()
-      )
-      or
-      exists(IR::StoreInstruction instr | instr = expr |
-        operand = instr.getSourceValue() and
-        opcode instanceof Opcode::Store
-      )
-    )
-  }
-
-  predicate nullaryExpr(Expr expr, Opcode opcode, SemType type) {
-    type = getSemanticType(expr.getResultIRType()) and
-    (
-      expr instanceof IR::LoadInstruction and opcode instanceof Opcode::Load
-      or
-      expr instanceof IR::InitializeParameterInstruction and
-      opcode instanceof Opcode::InitializeParameter
-    )
-  }
-
-  predicate conditionalExpr(
-    Expr expr, SemType type, Expr condition, Expr trueResult, Expr falseResult
-  ) {
-    none()
-  }
-
-  SemType getUnknownExprType(Expr expr) { result = getSemanticType(expr.getResultIRType()) }
-
-  class BasicBlock = IR::IRBlock;
-
-  predicate bbDominates(BasicBlock dominator, BasicBlock dominated) {
-    dominator.dominates(dominated)
-  }
-
-  predicate hasDominanceInformation(BasicBlock block) { any() }
-
-  private predicate id(Cpp::Locatable x, Cpp::Locatable y) { x = y }
-
-  private predicate idOf(Cpp::Locatable x, int y) = equivalenceRelation(id/2)(x, y)
-
-  int getBasicBlockUniqueId(BasicBlock block) { idOf(block.getFirstInstruction().getAst(), result) }
-
-  newtype TSsaVariable =
-    TSsaInstruction(IR::Instruction instr) { instr.hasMemoryResult() } or
-    TSsaOperand(IR::Operand op) { op.isDefinitionInexact() }
-
-  class SsaVariable extends TSsaVariable {
-    string toString() { none() }
-
-    Location getLocation() { none() }
-
-    IR::Instruction asInstruction() { none() }
-
-    IR::Operand asOperand() { none() }
-  }
-
-  class SsaInstructionVariable extends SsaVariable, TSsaInstruction {
-    IR::Instruction instr;
-
-    SsaInstructionVariable() { this = TSsaInstruction(instr) }
-
-    final override string toString() { result = instr.toString() }
-
-    final override Location getLocation() { result = instr.getLocation() }
-
-    final override IR::Instruction asInstruction() { result = instr }
-  }
-
-  class SsaOperand extends SsaVariable, TSsaOperand {
-    IR::Operand op;
-
-    SsaOperand() { this = TSsaOperand(op) }
-
-    final override string toString() { result = op.toString() }
-
-    final override Location getLocation() { result = op.getLocation() }
-
-    final override IR::Operand asOperand() { result = op }
-  }
-
-  predicate explicitUpdate(SsaVariable v, Expr sourceExpr) { v.asInstruction() = sourceExpr }
-
-  predicate phi(SsaVariable v) { v.asInstruction() instanceof IR::PhiInstruction }
-
-  SsaVariable getAPhiInput(SsaVariable v) {
-    exists(IR::PhiInstruction instr | v.asInstruction() = instr |
-      result.asInstruction() = instr.getAnInput()
-      or
-      result.asOperand() = instr.getAnInputOperand()
-    )
-  }
-
-  Expr getAUse(SsaVariable v) { result.(IR::LoadInstruction).getSourceValue() = v.asInstruction() }
-
-  SemType getSsaVariableType(SsaVariable v) {
-    result = getSemanticType(v.asInstruction().getResultIRType())
-  }
-
-  BasicBlock getSsaVariableBasicBlock(SsaVariable v) {
-    result = v.asInstruction().getBlock()
-    or
-    result = v.asOperand().getUse().getBlock()
-  }
-
-  private newtype TReadPosition =
-    TReadPositionBlock(IR::IRBlock block) or
-    TReadPositionPhiInputEdge(IR::IRBlock pred, IR::IRBlock succ) {
-      exists(IR::PhiInputOperand input |
-        pred = input.getPredecessorBlock() and
-        succ = input.getUse().getBlock()
-      )
-    }
-
-  class SsaReadPosition extends TReadPosition {
-    string toString() { none() }
-
-    Location getLocation() { none() }
-
-    predicate hasRead(SsaVariable v) { none() }
-  }
-
-  private class SsaReadPositionBlock extends SsaReadPosition, TReadPositionBlock {
-    IR::IRBlock block;
-
-    SsaReadPositionBlock() { this = TReadPositionBlock(block) }
-
-    final override string toString() { result = block.toString() }
-
-    final override Location getLocation() { result = block.getLocation() }
-
-    final override predicate hasRead(SsaVariable v) {
-      exists(IR::Operand operand |
-        operand.getDef() = v.asInstruction() and
-        not operand instanceof IR::PhiInputOperand and
-        operand.getUse().getBlock() = block
-      )
-    }
-  }
-
-  private class SsaReadPositionPhiInputEdge extends SsaReadPosition, TReadPositionPhiInputEdge {
-    IR::IRBlock pred;
-    IR::IRBlock succ;
-
-    SsaReadPositionPhiInputEdge() { this = TReadPositionPhiInputEdge(pred, succ) }
-
-    final override string toString() { result = pred.toString() + "->" + succ.toString() }
-
-    final override Location getLocation() { result = succ.getLocation() }
-
-    final override predicate hasRead(SsaVariable v) {
-      exists(IR::PhiInputOperand operand |
-        operand.getDef() = v.asInstruction() and
-        operand.getPredecessorBlock() = pred and
-        operand.getUse().getBlock() = succ
-      )
-    }
-  }
-
-  predicate hasReadOfSsaVariable(SsaReadPosition pos, SsaVariable v) { pos.hasRead(v) }
-
-  predicate readBlock(SsaReadPosition pos, BasicBlock block) { pos = TReadPositionBlock(block) }
-
-  predicate phiInputEdge(SsaReadPosition pos, BasicBlock origBlock, BasicBlock phiBlock) {
-    pos = TReadPositionPhiInputEdge(origBlock, phiBlock)
-  }
-
-  predicate phiInput(SsaReadPosition pos, SsaVariable phi, SsaVariable input) {
-    exists(IR::PhiInputOperand operand |
-      pos = TReadPositionPhiInputEdge(operand.getPredecessorBlock(), operand.getUse().getBlock())
-    |
-      phi.asInstruction() = operand.getUse() and
-      (
-        input.asInstruction() = operand.getDef()
-        or
-        input.asOperand() = operand
-      )
-    )
-  }
-
-  class Bound instanceof IRBound::Bound {
-    string toString() { result = super.toString() }
-
-    final Location getLocation() { result = super.getLocation() }
-  }
-
-  private class ValueNumberBound extends Bound {
-    IRBound::ValueNumberBound bound;
-
-    ValueNumberBound() { bound = this }
-
-    override string toString() { result = bound.toString() }
-  }
-
-  predicate zeroBound(Bound bound) { bound instanceof IRBound::ZeroBound }
-
-  predicate ssaBound(Bound bound, SsaVariable v) {
-    v.asInstruction() = bound.(IRBound::ValueNumberBound).getValueNumber().getAnInstruction()
-  }
-
-  Expr getBoundExpr(Bound bound, int delta) {
-    result = bound.(IRBound::Bound).getInstruction(delta)
-  }
-
-  class Guard = IRGuards::IRGuardCondition;
-
-  predicate guard(Guard guard, BasicBlock block) { block = guard.getBlock() }
-
-  Expr getGuardAsExpr(Guard guard) { result = guard }
-
-  predicate equalityGuard(Guard guard, Expr e1, Expr e2, boolean polarity) {
-    guard.comparesEq(e1.getAUse(), e2.getAUse(), 0, true, polarity)
-  }
-
-  predicate guardDirectlyControlsBlock(Guard guard, BasicBlock controlled, boolean branch) {
-    guard.controls(controlled, branch)
-  }
-
-  predicate guardHasBranchEdge(Guard guard, BasicBlock bb1, BasicBlock bb2, boolean branch) {
-    guard.controlsEdge(bb1, bb2, branch)
-  }
-
-  Guard comparisonGuard(Expr e) { result = e }
-
-  predicate implies_v2(Guard g1, boolean b1, Guard g2, boolean b2) {
-    none() // TODO
-  }
-}
-
-SemExpr getSemanticExpr(IR::Instruction instr) { result = instr }
-
-IR::Instruction getCppInstruction(SemExpr e) { e = result }
-
-SemBasicBlock getSemanticBasicBlock(IR::IRBlock block) { result = block }
-
-IR::IRBlock getCppBasicBlock(SemBasicBlock block) { block = result }
-
-SemSsaVariable getSemanticSsaVariable(IR::Instruction instr) {
-  result.(SemanticExprConfig::SsaVariable).asInstruction() = instr
-}
-
-IR::Instruction getCppSsaVariableInstruction(SemSsaVariable var) {
-  var.(SemanticExprConfig::SsaVariable).asInstruction() = result
-}
-
-SemBound getSemanticBound(IRBound::Bound bound) { result = bound }
-
-IRBound::Bound getCppBound(SemBound bound) { bound = result }
-
-SemGuard getSemanticGuard(IRGuards::IRGuardCondition guard) { result = guard }
-
-IRGuards::IRGuardCondition getCppGuard(SemGuard guard) { guard = result }