C++: Fix ql-for-ql alerts.

Dataflow:  Add additional annotation.

.github/workflows/go-tests.yml

@@ -43,7 +43,7 @@ jobs:
           env QHELP_OUT_DIR=qhelp-out make qhelp-to-markdown
 
       - name: Upload qhelp markdown
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: qhelp-markdown
           path: go/qhelp-out/**/*.md

.github/workflows/qhelp-pr-preview.yml

@@ -27,7 +27,7 @@ on:
       - main
       - "rc/*"
     paths:
-      - "ruby/**/*.qhelp"
+      - "**/*.qhelp"
 
 jobs:
   qhelp:
@@ -52,7 +52,7 @@ jobs:
         id: changes
         run: |
           (git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.qhelp$' | grep -z -v '.inc.qhelp';
-           git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename | xargs --null -rn1 git grep -z -l) |
+           git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename -z | xargs --null -rn1 git grep -z -l) |
            grep -z '.qhelp$' | grep -z -v '^-' | sort -z -u > "${RUNNER_TEMP}/paths.txt"
 
       - name: QHelp preview

README.md

@@ -4,8 +4,7 @@ This open source repository contains the standard CodeQL libraries and queries t
 
 ## How do I learn CodeQL and run queries?
 
-There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL.
-You can use the [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) extension or the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com (Semmle Legacy product) to try out your queries on any open source project that's currently being analyzed.
+There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL using the [CodeQL extension for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) and the [CodeQL CLI](https://codeql.github.com/docs/codeql-cli/).
 
 ## Contributing
 

config/identical-files.json

@@ -8,11 +8,11 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImpl2.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImpl3.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImpl4.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImplLocal.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
@@ -33,13 +33,14 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForRegExp.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForHttpClientLibraries.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForPathname.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Common": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImplCommon.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
@@ -48,8 +49,8 @@
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplCommon.qll"
   ],
   "TaintTracking::Configuration Java/C++/C#/Python": [
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/tainttracking2/TaintTrackingImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
@@ -69,12 +70,11 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttrackingforlibraries/TaintTrackingImpl.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Consistency checks": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImplConsistency.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
     "cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
@@ -115,7 +115,7 @@
   ],
   "C++ SubBasicBlocks": [
     "cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
+    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/SubBasicBlocks.qll"
   ],
   "IR Instruction": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll",

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,22 @@
+## 0.4.1
+
+No user-facing changes.
+
+## 0.4.0
+
+### Deprecated APIs
+
+* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
+  The old name still exists as a deprecated alias.
+
+### New Features
+
+* Added subclasses of `BuiltInOperations` for `__is_same`, `__is_function`, `__is_layout_compatible`, `__is_pointer_interconvertible_base_of`, `__is_array`, `__array_rank`, `__array_extent`, `__is_arithmetic`, `__is_complete_type`, `__is_compound`, `__is_const`, `__is_floating_point`, `__is_fundamental`, `__is_integral`, `__is_lvalue_reference`, `__is_member_function_pointer`, `__is_member_object_pointer`, `__is_member_pointer`, `__is_object`, `__is_pointer`, `__is_reference`, `__is_rvalue_reference`, `__is_scalar`, `__is_signed`, `__is_unsigned`, `__is_void`, and `__is_volatile`.
+
+### Bug Fixes
+
+* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
 ## 0.3.5
 
 ## 0.3.4

cpp/ql/lib/change-notes/2022-09-08-implicit-read-flowstates.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.

cpp/ql/lib/change-notes/2022-09-12-uppercase.md

@@ -1,5 +0,0 @@
----
-category: deprecated
----
-* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
-  The old name still exists as a deprecated alias.

cpp/ql/lib/change-notes/released/0.4.0.md

@@ -1,4 +1,14 @@
----
-category: feature
----
+## 0.4.0
+
+### Deprecated APIs
+
+* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
+  The old name still exists as a deprecated alias.
+
+### New Features
+
 * Added subclasses of `BuiltInOperations` for `__is_same`, `__is_function`, `__is_layout_compatible`, `__is_pointer_interconvertible_base_of`, `__is_array`, `__array_rank`, `__array_extent`, `__is_arithmetic`, `__is_complete_type`, `__is_compound`, `__is_const`, `__is_floating_point`, `__is_fundamental`, `__is_integral`, `__is_lvalue_reference`, `__is_member_function_pointer`, `__is_member_object_pointer`, `__is_member_pointer`, `__is_object`, `__is_pointer`, `__is_reference`, `__is_rvalue_reference`, `__is_scalar`, `__is_signed`, `__is_unsigned`, `__is_void`, and `__is_volatile`.
+
+### Bug Fixes
+
+* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.

cpp/ql/lib/change-notes/released/0.4.1.md

@@ -0,0 +1,3 @@
+## 0.4.1
+
+No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.5
+lastReleaseVersion: 0.4.1

cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll

@@ -20,7 +20,8 @@ module ProductFlow {
      * `source1` and `source2` must belong to the same callable.
      */
     predicate isSourcePair(
-      DataFlow::Node source1, string state1, DataFlow::Node source2, string state2
+      DataFlow::Node source1, DataFlow::FlowState state1, DataFlow::Node source2,
+      DataFlow::FlowState state2
     ) {
       state1 = "" and
       state2 = "" and
@@ -49,6 +50,101 @@ module ProductFlow {
       this.isSinkPair(sink1, sink2)
     }
 
+    /**
+     * Holds if data flow through `node` is prohibited through the first projection of the product
+     * dataflow graph when the flow state is `state`.
+     */
+    predicate isBarrier1(DataFlow::Node node, DataFlow::FlowState state) {
+      this.isBarrier1(node) and state = ""
+    }
+
+    /**
+     * Holds if data flow through `node` is prohibited through the second projection of the product
+     * dataflow graph when the flow state is `state`.
+     */
+    predicate isBarrier2(DataFlow::Node node, DataFlow::FlowState state) {
+      this.isBarrier2(node) and state = ""
+    }
+
+    /**
+     * Holds if data flow through `node` is prohibited through the first projection of the product
+     * dataflow graph.
+     */
+    predicate isBarrier1(DataFlow::Node node) { none() }
+
+    /**
+     * Holds if data flow through `node` is prohibited through the second projection of the product
+     * dataflow graph.
+     */
+    predicate isBarrier2(DataFlow::Node node) { none() }
+
+    /**
+     * Holds if data flow out of `node` is prohibited in the first projection of the product
+     * dataflow graph.
+     */
+    predicate isBarrierOut1(DataFlow::Node node) { none() }
+
+    /**
+     * Holds if data flow out of `node` is prohibited in the second projection of the product
+     * dataflow graph.
+     */
+    predicate isBarrierOut2(DataFlow::Node node) { none() }
+
+    /*
+     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
+     * the first projection of the product dataflow graph.
+     */
+
+    predicate isAdditionalFlowStep1(DataFlow::Node node1, DataFlow::Node node2) { none() }
+
+    /**
+     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
+     * the first projection of the product dataflow graph.
+     *
+     * This step is only applicable in `state1` and updates the flow state to `state2`.
+     */
+    predicate isAdditionalFlowStep1(
+      DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
+      DataFlow::FlowState state2
+    ) {
+      state1 instanceof DataFlow::FlowStateEmpty and
+      state2 instanceof DataFlow::FlowStateEmpty and
+      this.isAdditionalFlowStep1(node1, node2)
+    }
+
+    /**
+     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
+     * the second projection of the product dataflow graph.
+     */
+    predicate isAdditionalFlowStep2(DataFlow::Node node1, DataFlow::Node node2) { none() }
+
+    /**
+     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
+     * the second projection of the product dataflow graph.
+     *
+     * This step is only applicable in `state1` and updates the flow state to `state2`.
+     */
+    predicate isAdditionalFlowStep2(
+      DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
+      DataFlow::FlowState state2
+    ) {
+      state1 instanceof DataFlow::FlowStateEmpty and
+      state2 instanceof DataFlow::FlowStateEmpty and
+      this.isAdditionalFlowStep2(node1, node2)
+    }
+
+    /**
+     * Holds if data flow into `node` is prohibited in the first projection of the product
+     * dataflow graph.
+     */
+    predicate isBarrierIn1(DataFlow::Node node) { none() }
+
+    /**
+     * Holds if data flow into `node` is prohibited in the second projection of the product
+     * dataflow graph.
+     */
+    predicate isBarrierIn2(DataFlow::Node node) { none() }
+
     predicate hasFlowPath(
       DataFlow::PathNode source1, DataFlow2::PathNode source2, DataFlow::PathNode sink1,
       DataFlow2::PathNode sink2
@@ -63,38 +159,78 @@ module ProductFlow {
     class Conf1 extends DataFlow::Configuration {
       Conf1() { this = "Conf1" }
 
-      override predicate isSource(DataFlow::Node source, string state) {
+      override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
         exists(Configuration conf | conf.isSourcePair(source, state, _, _))
       }
 
-      override predicate isSink(DataFlow::Node sink, string state) {
+      override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
         exists(Configuration conf | conf.isSinkPair(sink, state, _, _))
       }
+
+      override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
+        exists(Configuration conf | conf.isBarrier1(node, state))
+      }
+
+      override predicate isBarrierOut(DataFlow::Node node) {
+        exists(Configuration conf | conf.isBarrierOut1(node))
+      }
+
+      override predicate isAdditionalFlowStep(
+        DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
+        DataFlow::FlowState state2
+      ) {
+        exists(Configuration conf | conf.isAdditionalFlowStep1(node1, state1, node2, state2))
+      }
+
+      override predicate isBarrierIn(DataFlow::Node node) {
+        exists(Configuration conf | conf.isBarrierIn1(node))
+      }
     }
 
     class Conf2 extends DataFlow2::Configuration {
       Conf2() { this = "Conf2" }
 
-      override predicate isSource(DataFlow::Node source, string state) {
-        exists(Configuration conf, DataFlow::Node source1 |
-          conf.isSourcePair(source1, _, source, state) and
-          any(Conf1 c).hasFlow(source1, _)
+      override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
+        exists(Configuration conf, DataFlow::PathNode source1 |
+          conf.isSourcePair(source1.getNode(), source1.getState(), source, state) and
+          any(Conf1 c).hasFlowPath(source1, _)
         )
       }
 
-      override predicate isSink(DataFlow::Node sink, string state) {
-        exists(Configuration conf, DataFlow::Node sink1 |
-          conf.isSinkPair(sink1, _, sink, state) and any(Conf1 c).hasFlow(_, sink1)
+      override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
+        exists(Configuration conf, DataFlow::PathNode sink1 |
+          conf.isSinkPair(sink1.getNode(), sink1.getState(), sink, state) and
+          any(Conf1 c).hasFlowPath(_, sink1)
         )
       }
+
+      override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
+        exists(Configuration conf | conf.isBarrier2(node, state))
+      }
+
+      override predicate isBarrierOut(DataFlow::Node node) {
+        exists(Configuration conf | conf.isBarrierOut2(node))
+      }
+
+      override predicate isAdditionalFlowStep(
+        DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
+        DataFlow::FlowState state2
+      ) {
+        exists(Configuration conf | conf.isAdditionalFlowStep2(node1, state1, node2, state2))
+      }
+
+      override predicate isBarrierIn(DataFlow::Node node) {
+        exists(Configuration conf | conf.isBarrierIn2(node))
+      }
     }
   }
 
+  pragma[nomagic]
   private predicate reachableInterprocEntry(
     Configuration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
     DataFlow::PathNode node1, DataFlow2::PathNode node2
   ) {
-    conf.isSourcePair(node1.getNode(), _, node2.getNode(), _) and
+    conf.isSourcePair(node1.getNode(), node1.getState(), node2.getNode(), node2.getState()) and
     node1 = source1 and
     node2 = source2
     or
@@ -157,7 +293,7 @@ module ProductFlow {
   ) {
     exists(DataFlow::PathNode mid1, DataFlow2::PathNode mid2 |
       reachableInterprocEntry(conf, source1, source2, mid1, mid2) and
-      conf.isSinkPair(sink1.getNode(), _, sink2.getNode(), _) and
+      conf.isSinkPair(sink1.getNode(), sink1.getState(), sink2.getNode(), sink2.getState()) and
       localPathStep1*(mid1, sink1) and
       localPathStep2*(mid2, sink2)
     )

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -163,7 +163,9 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -558,13 +560,16 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
+pragma[nomagic]
+private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
+
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  read(_, tc.getContent(), _, config) and
+  hasReadStep(tc.getContent(), config) and
   stepFilter(node1, node2, config)
 }
 
@@ -598,13 +603,9 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
-  class ApApprox = Unit;
-
   class Ap = Unit;
 
-  class ApOption = Unit;
-
-  class Cc = boolean;
+  private class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -613,7 +614,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -753,7 +754,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -837,13 +838,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  predicate viableReturnPosOutNodeCandFwd1(
+  additional predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -859,7 +860,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  predicate viableParamArgNodeCandFwd1(
+  additional predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -906,7 +907,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate revFlowState(FlowState state, Configuration config) {
+  additional predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -998,7 +999,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate stats(
+  additional predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1259,7 +1260,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    predicate fwdFlow(
+    additional predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1483,7 +1484,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    predicate revFlow(
+    additional predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1661,7 +1662,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1674,11 +1675,13 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
+    additional predicate revFlowAlias(NodeEx node, Configuration config) {
+      revFlow(node, _, _, _, _, config)
+    }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1699,7 +1702,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1741,7 +1744,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate stats(
+    additional predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2926,12 +2929,17 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
+  pragma[nomagic]
+  private PathNodeImpl getANonHiddenSuccessor0() {
+    result = this.getASuccessorIfHidden*() and
     not result.isHidden()
   }
 
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
+    not this.isHidden()
+  }
+
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -163,7 +163,9 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -558,13 +560,16 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
+pragma[nomagic]
+private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
+
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  read(_, tc.getContent(), _, config) and
+  hasReadStep(tc.getContent(), config) and
   stepFilter(node1, node2, config)
 }
 
@@ -598,13 +603,9 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
-  class ApApprox = Unit;
-
   class Ap = Unit;
 
-  class ApOption = Unit;
-
-  class Cc = boolean;
+  private class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -613,7 +614,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -753,7 +754,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -837,13 +838,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  predicate viableReturnPosOutNodeCandFwd1(
+  additional predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -859,7 +860,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  predicate viableParamArgNodeCandFwd1(
+  additional predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -906,7 +907,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate revFlowState(FlowState state, Configuration config) {
+  additional predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -998,7 +999,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate stats(
+  additional predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1259,7 +1260,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    predicate fwdFlow(
+    additional predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1483,7 +1484,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    predicate revFlow(
+    additional predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1661,7 +1662,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1674,11 +1675,13 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
+    additional predicate revFlowAlias(NodeEx node, Configuration config) {
+      revFlow(node, _, _, _, _, config)
+    }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1699,7 +1702,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1741,7 +1744,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate stats(
+    additional predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2926,12 +2929,17 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
+  pragma[nomagic]
+  private PathNodeImpl getANonHiddenSuccessor0() {
+    result = this.getASuccessorIfHidden*() and
     not result.isHidden()
   }
 
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
+    not this.isHidden()
+  }
+
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -163,7 +163,9 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -558,13 +560,16 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
+pragma[nomagic]
+private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
+
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  read(_, tc.getContent(), _, config) and
+  hasReadStep(tc.getContent(), config) and
   stepFilter(node1, node2, config)
 }
 
@@ -598,13 +603,9 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
-  class ApApprox = Unit;
-
   class Ap = Unit;
 
-  class ApOption = Unit;
-
-  class Cc = boolean;
+  private class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -613,7 +614,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -753,7 +754,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -837,13 +838,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  predicate viableReturnPosOutNodeCandFwd1(
+  additional predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -859,7 +860,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  predicate viableParamArgNodeCandFwd1(
+  additional predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -906,7 +907,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate revFlowState(FlowState state, Configuration config) {
+  additional predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -998,7 +999,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate stats(
+  additional predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1259,7 +1260,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    predicate fwdFlow(
+    additional predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1483,7 +1484,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    predicate revFlow(
+    additional predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1661,7 +1662,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1674,11 +1675,13 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
+    additional predicate revFlowAlias(NodeEx node, Configuration config) {
+      revFlow(node, _, _, _, _, config)
+    }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1699,7 +1702,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1741,7 +1744,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate stats(
+    additional predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2926,12 +2929,17 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
+  pragma[nomagic]
+  private PathNodeImpl getANonHiddenSuccessor0() {
+    result = this.getASuccessorIfHidden*() and
     not result.isHidden()
   }
 
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
+    not this.isHidden()
+  }
+
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -163,7 +163,9 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -558,13 +560,16 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
+pragma[nomagic]
+private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
+
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  read(_, tc.getContent(), _, config) and
+  hasReadStep(tc.getContent(), config) and
   stepFilter(node1, node2, config)
 }
 
@@ -598,13 +603,9 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
-  class ApApprox = Unit;
-
   class Ap = Unit;
 
-  class ApOption = Unit;
-
-  class Cc = boolean;
+  private class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -613,7 +614,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -753,7 +754,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -837,13 +838,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  predicate viableReturnPosOutNodeCandFwd1(
+  additional predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -859,7 +860,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  predicate viableParamArgNodeCandFwd1(
+  additional predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -906,7 +907,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate revFlowState(FlowState state, Configuration config) {
+  additional predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -998,7 +999,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate stats(
+  additional predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1259,7 +1260,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    predicate fwdFlow(
+    additional predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1483,7 +1484,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    predicate revFlow(
+    additional predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1661,7 +1662,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1674,11 +1675,13 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
+    additional predicate revFlowAlias(NodeEx node, Configuration config) {
+      revFlow(node, _, _, _, _, config)
+    }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1699,7 +1702,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1741,7 +1744,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate stats(
+    additional predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2926,12 +2929,17 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
+  pragma[nomagic]
+  private PathNodeImpl getANonHiddenSuccessor0() {
+    result = this.getASuccessorIfHidden*() and
     not result.isHidden()
   }
 
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
+    not this.isHidden()
+  }
+
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -137,7 +137,7 @@ private newtype TReturnKind =
     exists(IndirectReturnNode return, ReturnIndirectionInstruction returnInd |
       returnInd.hasIndex(argumentIndex) and
       return.getAddressOperand() = returnInd.getSourceAddressOperand() and
-      indirectionIndex = return.getIndirectionIndex() - 1 // We subtract one because the return loads the value.
+      indirectionIndex = return.getIndirectionIndex()
     )
   }
 
@@ -197,7 +197,7 @@ class ReturnIndirectionNode extends IndirectReturnNode, ReturnNode {
     exists(int argumentIndex, ReturnIndirectionInstruction returnInd |
       returnInd.hasIndex(argumentIndex) and
       this.getAddressOperand() = returnInd.getSourceAddressOperand() and
-      result = TIndirectReturnKind(argumentIndex, this.getIndirectionIndex() - 1) and
+      result = TIndirectReturnKind(argumentIndex, this.getIndirectionIndex()) and
       hasNonInitializeParameterDef(returnInd.getIRVariable())
     )
     or
@@ -365,7 +365,7 @@ predicate jumpStep(Node n1, Node n2) {
 predicate storeStep(Node node1, Content c, PostFieldUpdateNode node2) {
   exists(int indirectionIndex1, int numberOfLoads, StoreInstruction store |
     nodeHasInstruction(node1, store, pragma[only_bind_into](indirectionIndex1)) and
-    node2.getIndirectionIndex() = 0 and
+    node2.getIndirectionIndex() = 1 and
     numberOfLoadsFromOperand(node2.getFieldAddress(), store.getDestinationAddressOperand(),
       numberOfLoads)
   |
@@ -465,20 +465,20 @@ predicate clearsContent(Node n, Content c) {
 predicate expectsContent(Node n, ContentSet c) { none() }
 
 /** Gets the type of `n` used for type pruning. */
-IRType getNodeType(Node n) {
+DataFlowType getNodeType(Node n) {
   suppressUnusedNode(n) and
-  result instanceof IRVoidType // stub implementation
+  result instanceof VoidType // stub implementation
 }
 
 /** Gets a string representation of a type returned by `getNodeType`. */
-string ppReprType(IRType t) { none() } // stub implementation
+string ppReprType(DataFlowType t) { none() } // stub implementation
 
 /**
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
  */
 pragma[inline]
-predicate compatibleTypes(IRType t1, IRType t2) {
+predicate compatibleTypes(DataFlowType t1, DataFlowType t2) {
   any() // stub implementation
 }
 
@@ -502,7 +502,7 @@ class DataFlowCallable = Cpp::Declaration;
 
 class DataFlowExpr = Expr;
 
-class DataFlowType = IRType;
+class DataFlowType = Type;
 
 /** A function call relevant for data flow. */
 class DataFlowCall extends CallInstruction {

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -38,13 +38,12 @@ private module Cached {
     TVariableNode(Variable var) or
     TPostFieldUpdateNode(FieldAddress operand, int indirectionIndex) {
       indirectionIndex =
-        [0 .. Ssa::countIndirectionsForCppType(operand.getObjectAddress().getResultLanguageType()) -
-            1]
+        [1 .. Ssa::countIndirectionsForCppType(operand.getObjectAddress().getResultLanguageType())]
     } or
     TSsaPhiNode(Ssa::PhiNode phi) or
     TIndirectArgumentOutNode(ArgumentOperand operand, int indirectionIndex) {
       Ssa::isModifiableByCall(operand) and
-      indirectionIndex = [0 .. Ssa::countIndirectionsForCppType(operand.getLanguageType()) - 1]
+      indirectionIndex = [1 .. Ssa::countIndirectionsForCppType(operand.getLanguageType())]
     } or
     TIndirectOperand(Operand op, int indirectionIndex) {
       Ssa::hasIndirectOperand(op, indirectionIndex)
@@ -113,7 +112,7 @@ class Node extends TIRDataFlowNode {
   Declaration getFunction() { none() } // overridden in subclasses
 
   /** Gets the type of this node. */
-  IRType getType() { none() } // overridden in subclasses
+  DataFlowType getType() { none() } // overridden in subclasses
 
   /** Gets the instruction corresponding to this node, if any. */
   Instruction asInstruction() { result = this.(InstructionNode).getInstruction() }
@@ -230,7 +229,13 @@ class Node extends TIRDataFlowNode {
   Expr asIndirectArgument() { result = this.asIndirectArgument(_) }
 
   /** Gets the positional parameter corresponding to this node, if any. */
-  Parameter asParameter() { result = asParameter(0) }
+  Parameter asParameter() { result = this.asParameter(0) }
+
+  /**
+   * Gets the uninitialized local variable corresponding to this node, if
+   * any.
+   */
+  LocalVariable asUninitialized() { result = this.(UninitializedNode).getLocalVariable() }
 
   /**
    * Gets the positional parameter corresponding to the node that represents
@@ -273,7 +278,7 @@ class Node extends TIRDataFlowNode {
   /**
    * Gets an upper bound on the type of this node.
    */
-  IRType getTypeBound() { result = this.getType() }
+  DataFlowType getTypeBound() { result = this.getType() }
 
   /** Gets the location of this element. */
   cached
@@ -322,7 +327,7 @@ class InstructionNode extends Node, TInstructionNode {
 
   override Declaration getFunction() { result = instr.getEnclosingFunction() }
 
-  override IRType getType() { result = instr.getResultIRType() }
+  override DataFlowType getType() { result = instr.getResultType() }
 
   final override Location getLocationImpl() { result = instr.getLocation() }
 
@@ -348,13 +353,32 @@ class OperandNode extends Node, TOperandNode {
 
   override Declaration getFunction() { result = op.getUse().getEnclosingFunction() }
 
-  override IRType getType() { result = op.getIRType() }
+  override DataFlowType getType() { result = op.getType() }
 
   final override Location getLocationImpl() { result = op.getLocation() }
 
   override string toStringImpl() { result = this.getOperand().toString() }
 }
 
+/**
+ * Returns `t`, but stripped of the `n` outermost pointers, references, etc.
+ *
+ * For example, `stripPointers(int*&, 2)` is `int` and `stripPointers(int*, 0)` is `int*`.
+ */
+private Type stripPointers(Type t, int n) {
+  result = t and n = 0
+  or
+  result = stripPointers(t.(PointerType).getBaseType(), n - 1)
+  or
+  result = stripPointers(t.(ArrayType).getBaseType(), n - 1)
+  or
+  result = stripPointers(t.(ReferenceType).getBaseType(), n - 1)
+  or
+  result = stripPointers(t.(PointerToMemberType).getBaseType(), n - 1)
+  or
+  result = stripPointers(t.(FunctionPointerIshType).getBaseType(), n - 1)
+}
+
 /**
  * INTERNAL: do not use.
  *
@@ -370,8 +394,6 @@ class PostFieldUpdateNode extends TPostFieldUpdateNode, PartialDefinitionNode {
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
 
-  override IRType getType() { result = fieldAddress.getIRType() }
-
   FieldAddress getFieldAddress() { result = fieldAddress }
 
   Field getUpdatedField() { result = fieldAddress.getField() }
@@ -379,10 +401,8 @@ class PostFieldUpdateNode extends TPostFieldUpdateNode, PartialDefinitionNode {
   int getIndirectionIndex() { result = indirectionIndex }
 
   override Node getPreUpdateNode() {
-    // + 1 because we're storing into an lvalue, and the original node should be the rvalue of
-    // the same address.
     hasOperandAndIndex(result, pragma[only_bind_into](fieldAddress).getObjectAddressOperand(),
-      indirectionIndex + 1)
+      indirectionIndex)
   }
 
   override Expr getDefinedExpr() {
@@ -411,11 +431,26 @@ class SsaPhiNode extends Node, TSsaPhiNode {
 
   override Declaration getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }
 
-  override IRType getType() { result instanceof IRVoidType }
+  override DataFlowType getType() { result = this.getAnInput().getType() }
 
   final override Location getLocationImpl() { result = phi.getBasicBlock().getLocation() }
 
   override string toStringImpl() { result = "Phi" }
+
+  /**
+   * Gets a node that is used as input to this phi node.
+   * `fromBackEdge` is true if data flows along a back-edge,
+   * and `false` otherwise.
+   */
+  final Node getAnInput(boolean fromBackEdge) {
+    localFlowStep(result, this) and
+    if phi.getBasicBlock().dominates(getBasicBlock(result))
+    then fromBackEdge = true
+    else fromBackEdge = false
+  }
+
+  /** Gets a node that is used as input to this phi node. */
+  final Node getAnInput() { result = this.getAnInput(_) }
 }
 
 /**
@@ -439,8 +474,6 @@ class SideEffectOperandNode extends Node, IndirectOperand {
 
   override Function getFunction() { result = call.getEnclosingFunction() }
 
-  override IRType getType() { result instanceof IRVoidType }
-
   Expr getArgument() { result = call.getArgument(argumentIndex).getUnconvertedResultExpression() }
 }
 
@@ -463,8 +496,6 @@ class IndirectParameterNode extends Node, IndirectInstruction {
 
   override Function getFunction() { result = this.getInstruction().getEnclosingFunction() }
 
-  override IRType getType() { result instanceof IRVoidType }
-
   override string toStringImpl() {
     result = this.getParameter().toString() + " indirection"
     or
@@ -489,8 +520,6 @@ class IndirectReturnNode extends IndirectOperand {
   Operand getAddressOperand() { result = operand }
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
-
-  override IRType getType() { result instanceof IRVoidType }
 }
 
 /**
@@ -521,9 +550,7 @@ class IndirectArgumentOutNode extends Node, TIndirectArgumentOutNode, PostUpdate
 
   override Function getFunction() { result = this.getCallInstruction().getEnclosingFunction() }
 
-  override IRType getType() { result instanceof IRVoidType }
-
-  override Node getPreUpdateNode() { hasOperandAndIndex(result, operand, indirectionIndex + 1) }
+  override Node getPreUpdateNode() { hasOperandAndIndex(result, operand, indirectionIndex) }
 
   override string toStringImpl() {
     // This string should be unique enough to be helpful but common enough to
@@ -579,6 +606,38 @@ class IndirectReturnOutNode extends Node {
   int getIndirectionIndex() { result = indirectionIndex }
 }
 
+private PointerType getGLValueType(Type t, int indirectionIndex) {
+  result.getBaseType() = stripPointers(t, indirectionIndex - 1)
+}
+
+bindingset[isGLValue]
+private DataFlowType getTypeImpl(Type t, int indirectionIndex, boolean isGLValue) {
+  if isGLValue = true
+  then
+    result = getGLValueType(t, indirectionIndex)
+    or
+    // Ideally, the above case would cover all glvalue cases. However, consider the case where
+    // the database consists only of:
+    // ```
+    // void test() {
+    //   int* x;
+    //   x = nullptr;
+    // }
+    // ```
+    // and we want to compute the type of `*x` in the assignment `x = nullptr`. Here, `x` is an lvalue
+    // of type int* (which morally is an int**). So when we call `getTypeImpl` it will be with the
+    // parameters:
+    // - t = int*
+    // - indirectionIndex = 1 (when we want to model the dataflow node corresponding to *x)
+    // - isGLValue = true
+    // In this case, `getTypeImpl(t, indirectionIndex, isGLValue)` should give back `int**`. In this
+    // case, however, `int**` does not exist in the database. So instead we return int* (which is
+    // wrong, but at least we have a type).
+    not exists(getGLValueType(t, indirectionIndex)) and
+    result = stripPointers(t, indirectionIndex - 1)
+  else result = stripPointers(t, indirectionIndex)
+}
+
 /**
  * INTERNAL: Do not use.
  *
@@ -600,7 +659,11 @@ class IndirectOperand extends Node, TIndirectOperand {
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
 
-  override IRType getType() { result = this.getOperand().getIRType() }
+  override DataFlowType getType() {
+    exists(boolean isGLValue | if operand.isGLValue() then isGLValue = true else isGLValue = false |
+      result = getTypeImpl(operand.getType().getUnspecifiedType(), indirectionIndex, isGLValue)
+    )
+  }
 
   final override Location getLocationImpl() { result = this.getOperand().getLocation() }
 
@@ -609,6 +672,25 @@ class IndirectOperand extends Node, TIndirectOperand {
   }
 }
 
+/**
+ * The value of an uninitialized local variable, viewed as a node in a data
+ * flow graph.
+ */
+class UninitializedNode extends Node {
+  LocalVariable v;
+
+  UninitializedNode() {
+    exists(Ssa::Def def |
+      def.getDefiningInstruction() instanceof UninitializedInstruction and
+      Ssa::nodeToDefOrUse(this, def) and
+      v = def.getSourceVariable().getBaseVariable().(Ssa::BaseIRVariable).getIRVariable().getAst()
+    )
+  }
+
+  /** Gets the uninitialized local variable corresponding to this node. */
+  LocalVariable getLocalVariable() { result = v }
+}
+
 /**
  * INTERNAL: Do not use.
  *
@@ -630,7 +712,11 @@ class IndirectInstruction extends Node, TIndirectInstruction {
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
 
-  override IRType getType() { result = this.getInstruction().getResultIRType() }
+  override DataFlowType getType() {
+    exists(boolean isGLValue | if instr.isGLValue() then isGLValue = true else isGLValue = false |
+      result = getTypeImpl(instr.getResultType().getUnspecifiedType(), indirectionIndex, isGLValue)
+    )
+  }
 
   final override Location getLocationImpl() { result = this.getInstruction().getLocation() }
 
@@ -801,7 +887,7 @@ class ThisParameterNode extends ParameterNode, InstructionNode {
 }
 
 pragma[noinline]
-private predicate indirectPostionHasArgumentIndexAndIndex(
+private predicate indirectPositionHasArgumentIndexAndIndex(
   IndirectionPosition pos, int argumentIndex, int indirectionIndex
 ) {
   pos.getArgumentIndex() = argumentIndex and
@@ -821,7 +907,7 @@ class ParameterIndirectionNode extends ParameterNode instanceof IndirectParamete
   override predicate isParameterOf(Function f, ParameterPosition pos) {
     IndirectParameterNode.super.getEnclosingCallable() = f and
     exists(int argumentIndex, int indirectionIndex |
-      indirectPostionHasArgumentIndexAndIndex(pos, argumentIndex, indirectionIndex) and
+      indirectPositionHasArgumentIndexAndIndex(pos, argumentIndex, indirectionIndex) and
       indirectParameterNodeHasArgumentIndexAndIndex(this, argumentIndex, indirectionIndex)
     )
   }
@@ -844,6 +930,8 @@ abstract class PostUpdateNode extends Node {
    * Gets the node before the state update.
    */
   abstract Node getPreUpdateNode();
+
+  final override DataFlowType getType() { result = this.getPreUpdateNode().getType() }
 }
 
 /**
@@ -907,7 +995,7 @@ class VariableNode extends Node, TVariableNode {
     result = v
   }
 
-  override IRType getType() { result.getCanonicalLanguageType().hasUnspecifiedType(v.getType(), _) }
+  override DataFlowType getType() { result = v.getType() }
 
   final override Location getLocationImpl() { result = v.getLocation() }
 
@@ -1060,7 +1148,7 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
       store.getDestinationAddressOperand() = address
     )
     or
-    Ssa::outNodeHasAddressAndIndex(nodeFrom, address, indirectionIndex - 1)
+    Ssa::outNodeHasAddressAndIndex(nodeFrom, address, indirectionIndex)
   )
 }
 

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/ModelUtil.qll

@@ -41,7 +41,7 @@ Node callOutput(CallInstruction call, FunctionOutput output) {
   // The side effect of a call on the value pointed to by an argument or qualifier
   exists(int index, int indirectionIndex |
     result.(IndirectArgumentOutNode).getArgumentIndex() = index and
-    result.(IndirectArgumentOutNode).getIndirectionIndex() + 1 = indirectionIndex and
+    result.(IndirectArgumentOutNode).getIndirectionIndex() = indirectionIndex and
     result.(IndirectArgumentOutNode).getCallInstruction() = call and
     output.isParameterDerefOrQualifierObject(index, indirectionIndex)
   )

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -301,7 +301,12 @@ private predicate defToNode(Node nodeFrom, Def def) {
   nodeHasInstruction(nodeFrom, def.getDefiningInstruction(), def.getIndirectionIndex())
 }
 
-private predicate nodeToDefOrUse(Node nodeFrom, SsaDefOrUse defOrUse) {
+/**
+ * INTERNAL: Do not use.
+ *
+ * Holds if `nodeFrom` is the node that correspond to the definition or use `defOrUse`.
+ */
+predicate nodeToDefOrUse(Node nodeFrom, SsaDefOrUse defOrUse) {
   // Node -> Def
   defToNode(nodeFrom, defOrUse)
   or

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -11,7 +11,9 @@ private import DataFlowUtil
  * corresponding `(Indirect)OperandNode`.
  */
 predicate ignoreOperand(Operand operand) {
-  operand = any(Instruction instr | ignoreInstruction(instr)).getAnOperand()
+  operand = any(Instruction instr | ignoreInstruction(instr)).getAnOperand() or
+  operand = any(Instruction instr | ignoreInstruction(instr)).getAUse() or
+  operand instanceof MemoryOperand
 }
 
 /**

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll

@@ -36,7 +36,7 @@ private module SourceVariables {
 
     override string toString() { result = var.toString() }
 
-    override DataFlowType getType() { result = var.getIRType() }
+    override DataFlowType getType() { result = var.getType() }
   }
 
   class BaseCallVariable extends BaseSourceVariable, TBaseCallVariable {
@@ -48,7 +48,7 @@ private module SourceVariables {
 
     override string toString() { result = call.toString() }
 
-    override DataFlowType getType() { result = call.getResultIRType() }
+    override DataFlowType getType() { result = call.getResultType() }
   }
 
   private newtype TSourceVariable =

cpp/ql/lib/experimental/semmle/code/cpp/semantic/SemanticExprSpecific.qll

@@ -7,6 +7,7 @@ private import semmle.code.cpp.ir.IR as IR
 private import Semantic
 private import experimental.semmle.code.cpp.rangeanalysis.Bound as IRBound
 private import semmle.code.cpp.controlflow.IRGuards as IRGuards
+private import semmle.code.cpp.ir.ValueNumbering
 
 module SemanticExprConfig {
   class Location = Cpp::Location;
@@ -120,7 +121,15 @@ module SemanticExprConfig {
 
   newtype TSsaVariable =
     TSsaInstruction(IR::Instruction instr) { instr.hasMemoryResult() } or
-    TSsaOperand(IR::Operand op) { op.isDefinitionInexact() }
+    TSsaOperand(IR::Operand op) { op.isDefinitionInexact() } or
+    TSsaPointerArithmeticGuard(IR::PointerArithmeticInstruction instr) {
+      exists(Guard g, IR::Operand use | use = instr.getAUse() |
+        g.comparesLt(use, _, _, _, _) or
+        g.comparesLt(_, use, _, _, _) or
+        g.comparesEq(use, _, _, _, _) or
+        g.comparesEq(_, use, _, _, _)
+      )
+    }
 
   class SsaVariable extends TSsaVariable {
     string toString() { none() }
@@ -129,6 +138,8 @@ module SemanticExprConfig {
 
     IR::Instruction asInstruction() { none() }
 
+    IR::PointerArithmeticInstruction asPointerArithGuard() { none() }
+
     IR::Operand asOperand() { none() }
   }
 
@@ -144,6 +155,18 @@ module SemanticExprConfig {
     final override IR::Instruction asInstruction() { result = instr }
   }
 
+  class SsaPointerArithmeticGuard extends SsaVariable, TSsaPointerArithmeticGuard {
+    IR::PointerArithmeticInstruction instr;
+
+    SsaPointerArithmeticGuard() { this = TSsaPointerArithmeticGuard(instr) }
+
+    final override string toString() { result = instr.toString() }
+
+    final override Location getLocation() { result = instr.getLocation() }
+
+    final override IR::PointerArithmeticInstruction asPointerArithGuard() { result = instr }
+  }
+
   class SsaOperand extends SsaVariable, TSsaOperand {
     IR::Operand op;
 
@@ -168,7 +191,11 @@ module SemanticExprConfig {
     )
   }
 
-  Expr getAUse(SsaVariable v) { result.(IR::LoadInstruction).getSourceValue() = v.asInstruction() }
+  Expr getAUse(SsaVariable v) {
+    result.(IR::LoadInstruction).getSourceValue() = v.asInstruction()
+    or
+    result = valueNumber(v.asPointerArithGuard()).getAnInstruction()
+  }
 
   SemType getSsaVariableType(SsaVariable v) {
     result = getSemanticType(v.asInstruction().getResultIRType())
@@ -208,7 +235,9 @@ module SemanticExprConfig {
 
     final override predicate hasRead(SsaVariable v) {
       exists(IR::Operand operand |
-        operand.getDef() = v.asInstruction() and
+        operand.getDef() = v.asInstruction() or
+        operand.getDef() = valueNumber(v.asPointerArithGuard()).getAnInstruction()
+      |
         not operand instanceof IR::PhiInputOperand and
         operand.getUse().getBlock() = block
       )
@@ -227,7 +256,9 @@ module SemanticExprConfig {
 
     final override predicate hasRead(SsaVariable v) {
       exists(IR::PhiInputOperand operand |
-        operand.getDef() = v.asInstruction() and
+        operand.getDef() = v.asInstruction() or
+        operand.getDef() = valueNumber(v.asPointerArithGuard()).getAnInstruction()
+      |
         operand.getPredecessorBlock() = pred and
         operand.getUse().getBlock() = succ
       )

cpp/ql/lib/experimental/semmle/code/cpp/semantic/SemanticSSA.qll

@@ -10,7 +10,7 @@ class SemSsaVariable instanceof Specific::SsaVariable {
 
   final Specific::Location getLocation() { result = super.getLocation() }
 
-  final SemLoadExpr getAUse() { result = Specific::getAUse(this) }
+  final SemExpr getAUse() { result = Specific::getAUse(this) }
 
   final SemType getType() { result = Specific::getSsaVariableType(this) }
 

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.4.0-dev
+version: 0.4.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/commons/Strcat.qll

@@ -6,7 +6,7 @@ import cpp
  * A function that concatenates the string from its second argument
  * to the string from its first argument, for example `strcat`.
  */
-class StrcatFunction extends Function {
+deprecated class StrcatFunction extends Function {
   StrcatFunction() {
     getName() =
       [

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll

@@ -4,10 +4,7 @@
  * _sink_.
  *
  * Unless configured otherwise, _flow_ means that the exact value of
- * the source may reach the sink. We do not track flow across pointer
- * dereferences or array indexing. To track these types of flow, where the
- * exact value may not be preserved, import
- * `semmle.code.cpp.dataflow.TaintTracking`.
+ * the source may reach the sink.
  *
  * To use global (interprocedural) data flow, extend the class
  * `DataFlow::Configuration` as documented on that class. To use local
@@ -17,8 +14,4 @@
  * `DataFlow::Node`.
  */
 
-import cpp
-
-module DataFlow {
-  import semmle.code.cpp.dataflow.internal.DataFlowImpl
-}
+import semmle.code.cpp.ir.dataflow.DataFlow

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow2.qll

@@ -9,8 +9,4 @@
  * See `semmle.code.cpp.dataflow.DataFlow` for the full documentation.
  */
 
-import cpp
-
-module DataFlow2 {
-  import semmle.code.cpp.dataflow.internal.DataFlowImpl2
-}
+import semmle.code.cpp.ir.dataflow.DataFlow2

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow3.qll

@@ -9,8 +9,4 @@
  * See `semmle.code.cpp.dataflow.DataFlow` for the full documentation.
  */
 
-import cpp
-
-module DataFlow3 {
-  import semmle.code.cpp.dataflow.internal.DataFlowImpl3
-}
+import semmle.code.cpp.ir.dataflow.DataFlow3

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow4.qll

@@ -9,8 +9,4 @@
  * See `semmle.code.cpp.dataflow.DataFlow` for the full documentation.
  */
 
-import cpp
-
-module DataFlow4 {
-  import semmle.code.cpp.dataflow.internal.DataFlowImpl4
-}
+import semmle.code.cpp.ir.dataflow.DataFlow4

cpp/ql/lib/semmle/code/cpp/dataflow/StackAddress.qll

@@ -95,6 +95,11 @@ predicate stackPointerFlowsToUse(Expr use, Type useType, Expr source, boolean is
 cached
 private PointerType getExprPtrType(Expr use) { result = use.getUnspecifiedType() }
 
+/**
+ * Holds if `use` has type `useType` and `source` is an access to a stack variable
+ * that flows to `use`. `isLocal` is `true` if `use` is accessed via a parameter, and
+ * `false` otherwise.
+ */
 predicate stackReferenceFlowsToUse(Expr use, Type useType, Expr source, boolean isLocal) {
   // Stack variables
   exists(StackVariable var |

cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll

@@ -15,9 +15,4 @@
  * `TaintTracking::localTaintStep` with arguments of type `DataFlow::Node`.
  */
 
-import semmle.code.cpp.dataflow.DataFlow
-import semmle.code.cpp.dataflow.DataFlow2
-
-module TaintTracking {
-  import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingImpl
-}
+import semmle.code.cpp.ir.dataflow.TaintTracking

cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking2.qll

@@ -10,6 +10,5 @@
  *
  * See `semmle.code.cpp.dataflow.TaintTracking` for the full documentation.
  */
-module TaintTracking2 {
-  import semmle.code.cpp.dataflow.internal.tainttracking2.TaintTrackingImpl
-}
+
+import semmle.code.cpp.ir.dataflow.TaintTracking2

cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking3.qll

@@ -0,0 +1,14 @@
+/**
+ * Provides a `TaintTracking3` module, which is a copy of the `TaintTracking`
+ * module. Use this class when data-flow configurations or taint-tracking
+ * configurations must depend on each other. Two classes extending
+ * `DataFlow::Configuration` should never depend on each other, but one of them
+ * should instead depend on a `DataFlow2::Configuration`, a
+ * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`. The
+ * `TaintTracking::Configuration` class extends `DataFlow::Configuration`, and
+ * `TaintTracking2::Configuration` extends `DataFlow2::Configuration`.
+ *
+ * See `semmle.code.cpp.dataflow.TaintTracking` for the full documentation.
+ */
+
+import semmle.code.cpp.ir.dataflow.TaintTracking3

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll

@@ -1,5 +0,0 @@
-import semmle.code.cpp.dataflow.internal.TaintTrackingUtil as Public
-
-module Private {
-  import semmle.code.cpp.dataflow.DataFlow::DataFlow as DataFlow
-}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll

@@ -1,5 +0,0 @@
-import semmle.code.cpp.dataflow.internal.TaintTrackingUtil as Public
-
-module Private {
-  import semmle.code.cpp.dataflow.DataFlow2::DataFlow2 as DataFlow
-}

cpp/ql/lib/semmle/code/cpp/dataflow/old/DataFlow.qll

@@ -0,0 +1,25 @@
+/**
+ * Provides a library for local (intra-procedural) and global (inter-procedural)
+ * data flow analysis: deciding whether data can flow from a _source_ to a
+ * _sink_.
+ *
+ * Unless configured otherwise, _flow_ means that the exact value of
+ * the source may reach the sink.
+ *
+ * To use global (interprocedural) data flow, extend the class
+ * `DataFlow::Configuration` as documented on that class. To use local
+ * (intraprocedural) data flow between expressions, call
+ * `DataFlow::localExprFlow`. For more general cases of local data flow, call
+ * `DataFlow::localFlow` or `DataFlow::localFlowStep` with arguments of type
+ * `DataFlow::Node`.
+ */
+
+import cpp
+
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses.
+ */
+module DataFlow {
+  import semmle.code.cpp.dataflow.old.internal.DataFlowImpl
+}

cpp/ql/lib/semmle/code/cpp/dataflow/old/DataFlow2.qll

@@ -0,0 +1,20 @@
+/**
+ * Provides a `DataFlow2` module, which is a copy of the `DataFlow` module. Use
+ * this class when data-flow configurations must depend on each other. Two
+ * classes extending `DataFlow::Configuration` should never depend on each
+ * other, but one of them should instead depend on a
+ * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
+ * `DataFlow4::Configuration`.
+ *
+ * See `semmle.code.cpp.ir.dataflow.DataFlow` for the full documentation.
+ */
+
+import cpp
+
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses.
+ */
+module DataFlow {
+  import semmle.code.cpp.dataflow.old.internal.DataFlowImpl2
+}

cpp/ql/lib/semmle/code/cpp/dataflow/old/DataFlow3.qll

@@ -0,0 +1,20 @@
+/**
+ * Provides a `DataFlow3` module, which is a copy of the `DataFlow` module. Use
+ * this class when data-flow configurations must depend on each other. Two
+ * classes extending `DataFlow::Configuration` should never depend on each
+ * other, but one of them should instead depend on a
+ * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
+ * `DataFlow4::Configuration`.
+ *
+ * See `semmle.code.cpp.ir.dataflow.DataFlow` for the full documentation.
+ */
+
+import cpp
+
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses.
+ */
+module DataFlow {
+  import semmle.code.cpp.dataflow.old.internal.DataFlowImpl3
+}

cpp/ql/lib/semmle/code/cpp/dataflow/old/DataFlow4.qll

@@ -0,0 +1,20 @@
+/**
+ * Provides a `DataFlow4` module, which is a copy of the `DataFlow` module. Use
+ * this class when data-flow configurations must depend on each other. Two
+ * classes extending `DataFlow::Configuration` should never depend on each
+ * other, but one of them should instead depend on a
+ * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
+ * `DataFlow4::Configuration`.
+ *
+ * See `semmle.code.cpp.ir.dataflow.DataFlow` for the full documentation.
+ */
+
+import cpp
+
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses.
+ */
+module DataFlow {
+  import semmle.code.cpp.dataflow.old.internal.DataFlowImpl4
+}

cpp/ql/lib/semmle/code/cpp/dataflow/old/RecursionPrevention.qll

@@ -0,0 +1,39 @@
+/**
+ * DEPRECATED: Recursion through `DataFlow::Configuration` is impossible in
+ * any supported tooling. There is no need for this module because it's
+ * impossible to accidentally depend on recursion through
+ * `DataFlow::Configuration` in current releases.
+ *
+ * When this module is imported, recursive use of `DataFlow::Configuration` is
+ * disallowed. Importing this module will guarantee the absence of such
+ * recursion, which is unsupported and will be unconditionally disallowed in a
+ * future release.
+ *
+ * Recursive use of `DataFlow{2..4}::Configuration` is always disallowed, so no
+ * import is needed for those.
+ */
+
+import cpp
+private import semmle.code.cpp.dataflow.DataFlow
+
+/**
+ * This class exists to prevent mutual recursion between the user-overridden
+ * member predicates of `Configuration` and the rest of the data-flow library.
+ * Good performance cannot be guaranteed in the presence of such recursion, so
+ * it should be replaced by using more than one copy of the data flow library.
+ * Four copies are available: `DataFlow` through `DataFlow4`.
+ */
+abstract private class ConfigurationRecursionPrevention extends DataFlow::Configuration {
+  bindingset[this]
+  ConfigurationRecursionPrevention() { any() }
+
+  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
+    strictcount(DataFlow::Node n | this.isSource(n)) < 0
+    or
+    strictcount(DataFlow::Node n | this.isSink(n)) < 0
+    or
+    strictcount(DataFlow::Node n1, DataFlow::Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
+    or
+    super.hasFlow(source, sink)
+  }
+}

cpp/ql/lib/semmle/code/cpp/dataflow/old/TaintTracking.qll

@@ -0,0 +1,18 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) taint-tracking analyses.
+ *
+ * We define _taint propagation_ informally to mean that a substantial part of
+ * the information from the source is preserved at the sink. For example, taint
+ * propagates from `x` to `x + 100`, but it does not propagate from `x` to `x >
+ * 100` since we consider a single bit of information to be too little.
+ *
+ * To use global (interprocedural) taint tracking, extend the class
+ * `TaintTracking::Configuration` as documented on that class. To use local
+ * (intraprocedural) taint tracking between expressions, call
+ * `TaintTracking::localExprTaint`. For more general cases of local taint
+ * tracking, call `TaintTracking::localTaint` or
+ * `TaintTracking::localTaintStep` with arguments of type `DataFlow::Node`.
+ */
+
+import semmle.code.cpp.ir.dataflow.TaintTracking

cpp/ql/lib/semmle/code/cpp/dataflow/old/TaintTracking2.qll

@@ -0,0 +1,14 @@
+/**
+ * Provides a `TaintTracking2` module, which is a copy of the `TaintTracking`
+ * module. Use this class when data-flow configurations or taint-tracking
+ * configurations must depend on each other. Two classes extending
+ * `DataFlow::Configuration` should never depend on each other, but one of them
+ * should instead depend on a `DataFlow2::Configuration`, a
+ * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`. The
+ * `TaintTracking::Configuration` class extends `DataFlow::Configuration`, and
+ * `TaintTracking2::Configuration` extends `DataFlow2::Configuration`.
+ *
+ * See `semmle.code.cpp.ir.dataflow.TaintTracking` for the full documentation.
+ */
+
+import semmle.code.cpp.ir.dataflow.TaintTracking2

cpp/ql/lib/semmle/code/cpp/dataflow/old/TaintTracking3.qll

@@ -0,0 +1,14 @@
+/**
+ * Provides a `TaintTracking3` module, which is a copy of the `TaintTracking`
+ * module. Use this class when data-flow configurations or taint-tracking
+ * configurations must depend on each other. Two classes extending
+ * `DataFlow::Configuration` should never depend on each other, but one of them
+ * should instead depend on a `DataFlow2::Configuration`, a
+ * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`. The
+ * `TaintTracking::Configuration` class extends `DataFlow::Configuration`, and
+ * `TaintTracking2::Configuration` extends `DataFlow2::Configuration`.
+ *
+ * See `semmle.code.cpp.ir.dataflow.TaintTracking` for the full documentation.
+ */
+
+import semmle.code.cpp.ir.dataflow.TaintTracking3

cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowDispatch.qll

@@ -1,6 +1,6 @@
 private import cpp
-private import semmle.code.cpp.dataflow.internal.DataFlowPrivate
-private import semmle.code.cpp.dataflow.internal.DataFlowUtil
+private import DataFlowPrivate
+private import DataFlowUtil
 
 /**
  * Gets a function that might be called by `call`.

cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImpl.qll

@@ -163,7 +163,9 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -558,13 +560,16 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
+pragma[nomagic]
+private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
+
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  read(_, tc.getContent(), _, config) and
+  hasReadStep(tc.getContent(), config) and
   stepFilter(node1, node2, config)
 }
 
@@ -598,13 +603,9 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
-  class ApApprox = Unit;
-
   class Ap = Unit;
 
-  class ApOption = Unit;
-
-  class Cc = boolean;
+  private class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -613,7 +614,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -753,7 +754,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -837,13 +838,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  predicate viableReturnPosOutNodeCandFwd1(
+  additional predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -859,7 +860,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  predicate viableParamArgNodeCandFwd1(
+  additional predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -906,7 +907,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate revFlowState(FlowState state, Configuration config) {
+  additional predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -998,7 +999,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate stats(
+  additional predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1259,7 +1260,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    predicate fwdFlow(
+    additional predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1483,7 +1484,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    predicate revFlow(
+    additional predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1661,7 +1662,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1674,11 +1675,13 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
+    additional predicate revFlowAlias(NodeEx node, Configuration config) {
+      revFlow(node, _, _, _, _, config)
+    }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1699,7 +1702,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1741,7 +1744,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate stats(
+    additional predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2926,12 +2929,17 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
+  pragma[nomagic]
+  private PathNodeImpl getANonHiddenSuccessor0() {
+    result = this.getASuccessorIfHidden*() and
     not result.isHidden()
   }
 
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
+    not this.isHidden()
+  }
+
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {

cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImpl2.qll

@@ -163,7 +163,9 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -558,13 +560,16 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
+pragma[nomagic]
+private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
+
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  read(_, tc.getContent(), _, config) and
+  hasReadStep(tc.getContent(), config) and
   stepFilter(node1, node2, config)
 }
 
@@ -598,13 +603,9 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
-  class ApApprox = Unit;
-
   class Ap = Unit;
 
-  class ApOption = Unit;
-
-  class Cc = boolean;
+  private class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -613,7 +614,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -753,7 +754,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -837,13 +838,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  predicate viableReturnPosOutNodeCandFwd1(
+  additional predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -859,7 +860,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  predicate viableParamArgNodeCandFwd1(
+  additional predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -906,7 +907,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate revFlowState(FlowState state, Configuration config) {
+  additional predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -998,7 +999,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate stats(
+  additional predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1259,7 +1260,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    predicate fwdFlow(
+    additional predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1483,7 +1484,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    predicate revFlow(
+    additional predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1661,7 +1662,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1674,11 +1675,13 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
+    additional predicate revFlowAlias(NodeEx node, Configuration config) {
+      revFlow(node, _, _, _, _, config)
+    }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1699,7 +1702,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1741,7 +1744,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate stats(
+    additional predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2926,12 +2929,17 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
+  pragma[nomagic]
+  private PathNodeImpl getANonHiddenSuccessor0() {
+    result = this.getASuccessorIfHidden*() and
     not result.isHidden()
   }
 
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
+    not this.isHidden()
+  }
+
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {

cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImpl3.qll

@@ -163,7 +163,9 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -558,13 +560,16 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
+pragma[nomagic]
+private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
+
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  read(_, tc.getContent(), _, config) and
+  hasReadStep(tc.getContent(), config) and
   stepFilter(node1, node2, config)
 }
 
@@ -598,13 +603,9 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
-  class ApApprox = Unit;
-
   class Ap = Unit;
 
-  class ApOption = Unit;
-
-  class Cc = boolean;
+  private class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -613,7 +614,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -753,7 +754,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -837,13 +838,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  predicate viableReturnPosOutNodeCandFwd1(
+  additional predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -859,7 +860,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  predicate viableParamArgNodeCandFwd1(
+  additional predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -906,7 +907,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate revFlowState(FlowState state, Configuration config) {
+  additional predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -998,7 +999,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate stats(
+  additional predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1259,7 +1260,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    predicate fwdFlow(
+    additional predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1483,7 +1484,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    predicate revFlow(
+    additional predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1661,7 +1662,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1674,11 +1675,13 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
+    additional predicate revFlowAlias(NodeEx node, Configuration config) {
+      revFlow(node, _, _, _, _, config)
+    }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1699,7 +1702,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1741,7 +1744,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate stats(
+    additional predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2926,12 +2929,17 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
+  pragma[nomagic]
+  private PathNodeImpl getANonHiddenSuccessor0() {
+    result = this.getASuccessorIfHidden*() and
     not result.isHidden()
   }
 
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
+    not this.isHidden()
+  }
+
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {

cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImpl4.qll

@@ -163,7 +163,9 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -558,13 +560,16 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
+pragma[nomagic]
+private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
+
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  read(_, tc.getContent(), _, config) and
+  hasReadStep(tc.getContent(), config) and
   stepFilter(node1, node2, config)
 }
 
@@ -598,13 +603,9 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
-  class ApApprox = Unit;
-
   class Ap = Unit;
 
-  class ApOption = Unit;
-
-  class Cc = boolean;
+  private class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -613,7 +614,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -753,7 +754,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -837,13 +838,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  predicate viableReturnPosOutNodeCandFwd1(
+  additional predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -859,7 +860,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  predicate viableParamArgNodeCandFwd1(
+  additional predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -906,7 +907,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate revFlowState(FlowState state, Configuration config) {
+  additional predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -998,7 +999,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate stats(
+  additional predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1259,7 +1260,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    predicate fwdFlow(
+    additional predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1483,7 +1484,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    predicate revFlow(
+    additional predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1661,7 +1662,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1674,11 +1675,13 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
+    additional predicate revFlowAlias(NodeEx node, Configuration config) {
+      revFlow(node, _, _, _, _, config)
+    }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1699,7 +1702,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1741,7 +1744,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate stats(
+    additional predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2926,12 +2929,17 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
+  pragma[nomagic]
+  private PathNodeImpl getANonHiddenSuccessor0() {
+    result = this.getASuccessorIfHidden*() and
     not result.isHidden()
   }
 
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
+    not this.isHidden()
+  }
+
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {

cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImplLocal.qll

@@ -163,7 +163,9 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -558,13 +560,16 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
+pragma[nomagic]
+private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
+
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  read(_, tc.getContent(), _, config) and
+  hasReadStep(tc.getContent(), config) and
   stepFilter(node1, node2, config)
 }
 
@@ -598,13 +603,9 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
-  class ApApprox = Unit;
-
   class Ap = Unit;
 
-  class ApOption = Unit;
-
-  class Cc = boolean;
+  private class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -613,7 +614,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -753,7 +754,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -837,13 +838,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  predicate viableReturnPosOutNodeCandFwd1(
+  additional predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -859,7 +860,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  predicate viableParamArgNodeCandFwd1(
+  additional predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -906,7 +907,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate revFlowState(FlowState state, Configuration config) {
+  additional predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -998,7 +999,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate stats(
+  additional predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1259,7 +1260,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    predicate fwdFlow(
+    additional predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1483,7 +1484,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    predicate revFlow(
+    additional predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1661,7 +1662,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1674,11 +1675,13 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
+    additional predicate revFlowAlias(NodeEx node, Configuration config) {
+      revFlow(node, _, _, _, _, config)
+    }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1699,7 +1702,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1741,7 +1744,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate stats(
+    additional predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2926,12 +2929,17 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
+  pragma[nomagic]
+  private PathNodeImpl getANonHiddenSuccessor0() {
+    result = this.getASuccessorIfHidden*() and
     not result.isHidden()
   }
 
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
+    not this.isHidden()
+  }
+
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {

cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowUtil.qll

@@ -3,10 +3,10 @@
  */
 
 private import cpp
-private import semmle.code.cpp.dataflow.internal.FlowVar
+private import FlowVar
 private import semmle.code.cpp.models.interfaces.DataFlow
 private import semmle.code.cpp.controlflow.Guards
-private import semmle.code.cpp.dataflow.internal.AddressFlow
+private import AddressFlow
 
 cached
 private newtype TNode =

cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/FlowVar.qll

@@ -4,8 +4,8 @@
 
 import cpp
 private import semmle.code.cpp.controlflow.SSA
-private import semmle.code.cpp.dataflow.internal.SubBasicBlocks
-private import semmle.code.cpp.dataflow.internal.AddressFlow
+private import SubBasicBlocks
+private import AddressFlow
 private import semmle.code.cpp.models.implementations.Iterator
 private import semmle.code.cpp.models.interfaces.PointerWrapper
 

cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/TaintTrackingUtil.qll

@@ -14,7 +14,7 @@ private import semmle.code.cpp.models.interfaces.Iterator
 private import semmle.code.cpp.models.interfaces.PointerWrapper
 
 private module DataFlow {
-  import semmle.code.cpp.dataflow.internal.DataFlowUtil
+  import DataFlowUtil
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/tainttracking1/TaintTrackingParameter.qll

@@ -0,0 +1,5 @@
+import semmle.code.cpp.dataflow.old.internal.TaintTrackingUtil as Public
+
+module Private {
+  import semmle.code.cpp.dataflow.old.DataFlow::DataFlow as DataFlow
+}

cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/tainttracking2/TaintTrackingParameter.qll

@@ -0,0 +1,5 @@
+import semmle.code.cpp.dataflow.old.internal.TaintTrackingUtil as Public
+
+module Private {
+  import semmle.code.cpp.dataflow.old.DataFlow2::DataFlow as DataFlow
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -282,7 +282,7 @@ private module Cached {
   cached
   predicate additionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
     exists(CallInstruction call, Function func, FunctionInput modelIn, FunctionOutput modelOut |
-      n1.asOperand() = callInput(call, modelIn) and
+      n1 = callInput(call, modelIn) and
       (
         func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
         or

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -1,8 +1,8 @@
 private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.DataFlow
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import DataFlowPrivate
+private import DataFlowUtil
 private import DataFlowImplCommon as DataFlowImplCommon
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -163,7 +163,9 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -558,13 +560,16 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
+pragma[nomagic]
+private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
+
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  read(_, tc.getContent(), _, config) and
+  hasReadStep(tc.getContent(), config) and
   stepFilter(node1, node2, config)
 }
 
@@ -598,13 +603,9 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
-  class ApApprox = Unit;
-
   class Ap = Unit;
 
-  class ApOption = Unit;
-
-  class Cc = boolean;
+  private class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -613,7 +614,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -753,7 +754,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -837,13 +838,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  predicate viableReturnPosOutNodeCandFwd1(
+  additional predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -859,7 +860,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  predicate viableParamArgNodeCandFwd1(
+  additional predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -906,7 +907,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate revFlowState(FlowState state, Configuration config) {
+  additional predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -998,7 +999,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate stats(
+  additional predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1259,7 +1260,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    predicate fwdFlow(
+    additional predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1483,7 +1484,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    predicate revFlow(
+    additional predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1661,7 +1662,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1674,11 +1675,13 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
+    additional predicate revFlowAlias(NodeEx node, Configuration config) {
+      revFlow(node, _, _, _, _, config)
+    }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1699,7 +1702,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1741,7 +1744,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate stats(
+    additional predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2926,12 +2929,17 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
+  pragma[nomagic]
+  private PathNodeImpl getANonHiddenSuccessor0() {
+    result = this.getASuccessorIfHidden*() and
     not result.isHidden()
   }
 
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
+    not this.isHidden()
+  }
+
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -163,7 +163,9 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -558,13 +560,16 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
+pragma[nomagic]
+private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
+
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  read(_, tc.getContent(), _, config) and
+  hasReadStep(tc.getContent(), config) and
   stepFilter(node1, node2, config)
 }
 
@@ -598,13 +603,9 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
-  class ApApprox = Unit;
-
   class Ap = Unit;
 
-  class ApOption = Unit;
-
-  class Cc = boolean;
+  private class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -613,7 +614,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -753,7 +754,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -837,13 +838,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  predicate viableReturnPosOutNodeCandFwd1(
+  additional predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -859,7 +860,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  predicate viableParamArgNodeCandFwd1(
+  additional predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -906,7 +907,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate revFlowState(FlowState state, Configuration config) {
+  additional predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -998,7 +999,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate stats(
+  additional predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1259,7 +1260,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    predicate fwdFlow(
+    additional predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1483,7 +1484,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    predicate revFlow(
+    additional predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1661,7 +1662,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1674,11 +1675,13 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
+    additional predicate revFlowAlias(NodeEx node, Configuration config) {
+      revFlow(node, _, _, _, _, config)
+    }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1699,7 +1702,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1741,7 +1744,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate stats(
+    additional predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2926,12 +2929,17 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
+  pragma[nomagic]
+  private PathNodeImpl getANonHiddenSuccessor0() {
+    result = this.getASuccessorIfHidden*() and
     not result.isHidden()
   }
 
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
+    not this.isHidden()
+  }
+
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -163,7 +163,9 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -558,13 +560,16 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
+pragma[nomagic]
+private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
+
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  read(_, tc.getContent(), _, config) and
+  hasReadStep(tc.getContent(), config) and
   stepFilter(node1, node2, config)
 }
 
@@ -598,13 +603,9 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
-  class ApApprox = Unit;
-
   class Ap = Unit;
 
-  class ApOption = Unit;
-
-  class Cc = boolean;
+  private class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -613,7 +614,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -753,7 +754,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -837,13 +838,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  predicate viableReturnPosOutNodeCandFwd1(
+  additional predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -859,7 +860,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  predicate viableParamArgNodeCandFwd1(
+  additional predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -906,7 +907,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate revFlowState(FlowState state, Configuration config) {
+  additional predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -998,7 +999,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate stats(
+  additional predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1259,7 +1260,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    predicate fwdFlow(
+    additional predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1483,7 +1484,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    predicate revFlow(
+    additional predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1661,7 +1662,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1674,11 +1675,13 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
+    additional predicate revFlowAlias(NodeEx node, Configuration config) {
+      revFlow(node, _, _, _, _, config)
+    }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1699,7 +1702,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1741,7 +1744,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate stats(
+    additional predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2926,12 +2929,17 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
+  pragma[nomagic]
+  private PathNodeImpl getANonHiddenSuccessor0() {
+    result = this.getASuccessorIfHidden*() and
     not result.isHidden()
   }
 
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
+    not this.isHidden()
+  }
+
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -163,7 +163,9 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
@@ -558,13 +560,16 @@ private predicate expectsContentEx(NodeEx n, Content c) {
 pragma[nomagic]
 private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
 
+pragma[nomagic]
+private predicate hasReadStep(Content c, Configuration config) { read(_, c, _, config) }
+
 pragma[nomagic]
 private predicate store(
   NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
   store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
     contentType) and
-  read(_, tc.getContent(), _, config) and
+  hasReadStep(tc.getContent(), config) and
   stepFilter(node1, node2, config)
 }
 
@@ -598,13 +603,9 @@ private predicate hasSinkCallCtx(Configuration config) {
 }
 
 private module Stage1 implements StageSig {
-  class ApApprox = Unit;
-
   class Ap = Unit;
 
-  class ApOption = Unit;
-
-  class Cc = boolean;
+  private class Cc = boolean;
 
   /* Begin: Stage 1 logic. */
   /**
@@ -613,7 +614,7 @@ private module Stage1 implements StageSig {
    * The Boolean `cc` records whether the node is reached through an
    * argument in a call.
    */
-  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
     sourceNode(node, _, config) and
     if hasSourceCallCtx(config) then cc = true else cc = false
     or
@@ -753,7 +754,7 @@ private module Stage1 implements StageSig {
    * the enclosing callable in order to reach a sink.
    */
   pragma[nomagic]
-  predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
+  private predicate revFlow(NodeEx node, boolean toReturn, Configuration config) {
     revFlow0(node, toReturn, config) and
     fwdFlow(node, config)
   }
@@ -837,13 +838,13 @@ private module Stage1 implements StageSig {
    * by `revFlow`.
    */
   pragma[nomagic]
-  predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+  additional predicate revFlowIsReadAndStored(Content c, Configuration conf) {
     revFlowConsCand(c, conf) and
     revFlowStore(c, _, _, conf)
   }
 
   pragma[nomagic]
-  predicate viableReturnPosOutNodeCandFwd1(
+  additional predicate viableReturnPosOutNodeCandFwd1(
     DataFlowCall call, ReturnPosition pos, NodeEx out, Configuration config
   ) {
     fwdFlowReturnPosition(pos, _, config) and
@@ -859,7 +860,7 @@ private module Stage1 implements StageSig {
   }
 
   pragma[nomagic]
-  predicate viableParamArgNodeCandFwd1(
+  additional predicate viableParamArgNodeCandFwd1(
     DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
   ) {
     viableParamArgEx(call, p, arg) and
@@ -906,7 +907,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate revFlowState(FlowState state, Configuration config) {
+  additional predicate revFlowState(FlowState state, Configuration config) {
     exists(NodeEx node |
       sinkNode(node, state, config) and
       revFlow(node, _, pragma[only_bind_into](config)) and
@@ -998,7 +999,7 @@ private module Stage1 implements StageSig {
     )
   }
 
-  predicate stats(
+  additional predicate stats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
   ) {
     fwd = true and
@@ -1259,7 +1260,7 @@ private module MkStage<StageSig PrevStage> {
      * argument.
      */
     pragma[nomagic]
-    predicate fwdFlow(
+    additional predicate fwdFlow(
       NodeEx node, FlowState state, Cc cc, ApOption argAp, Ap ap, Configuration config
     ) {
       fwdFlow0(node, state, cc, argAp, ap, config) and
@@ -1483,7 +1484,7 @@ private module MkStage<StageSig PrevStage> {
      * the access path of the returned value.
      */
     pragma[nomagic]
-    predicate revFlow(
+    additional predicate revFlow(
       NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
     ) {
       revFlow0(node, state, toReturn, returnAp, ap, config) and
@@ -1661,7 +1662,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate revFlow(NodeEx node, FlowState state, Configuration config) {
+    additional predicate revFlow(NodeEx node, FlowState state, Configuration config) {
       revFlow(node, state, _, _, _, config)
     }
 
@@ -1674,11 +1675,13 @@ private module MkStage<StageSig PrevStage> {
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) }
+    additional predicate revFlowAlias(NodeEx node, Configuration config) {
+      revFlow(node, _, _, _, _, config)
+    }
 
     // use an alias as a workaround for bad functionality-induced joins
     pragma[nomagic]
-    predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
+    additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap, Configuration config) {
       revFlow(node, state, ap, config)
     }
 
@@ -1699,7 +1702,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    additional predicate consCand(TypedContent tc, Ap ap, Configuration config) {
       revConsCand(tc, ap, config) and
       validAp(ap, config)
     }
@@ -1741,7 +1744,7 @@ private module MkStage<StageSig PrevStage> {
       )
     }
 
-    predicate stats(
+    additional predicate stats(
       boolean fwd, int nodes, int fields, int conscand, int states, int tuples, Configuration config
     ) {
       fwd = true and
@@ -2926,12 +2929,17 @@ abstract private class PathNodeImpl extends PathNode {
     result = this.getASuccessorImpl()
   }
 
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
+  pragma[nomagic]
+  private PathNodeImpl getANonHiddenSuccessor0() {
+    result = this.getASuccessorIfHidden*() and
     not result.isHidden()
   }
 
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getANonHiddenSuccessor0() and
+    not this.isHidden()
+  }
+
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1,8 +1,10 @@
-private import cpp
+private import cpp as Cpp
 private import DataFlowUtil
 private import semmle.code.cpp.ir.IR
 private import DataFlowDispatch
 private import DataFlowImplConsistency
+private import semmle.code.cpp.ir.internal.IRCppLanguage
+private import SsaInternals as Ssa
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
@@ -22,7 +24,7 @@ predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos)
  * to the callable. Instance arguments (`this` pointer) and read side effects
  * on parameters are also included.
  */
-abstract class ArgumentNode extends OperandNode {
+abstract class ArgumentNode extends Node {
   /**
    * Holds if this argument occurs at the given position in the given call.
    * The instance argument is considered to have index `-1`.
@@ -37,7 +39,7 @@ abstract class ArgumentNode extends OperandNode {
  * A data flow node that occurs as the argument to a call, or an
  * implicit `this` pointer argument.
  */
-private class PrimaryArgumentNode extends ArgumentNode {
+private class PrimaryArgumentNode extends ArgumentNode, OperandNode {
   override ArgumentOperand op;
 
   PrimaryArgumentNode() { exists(CallInstruction call | op = call.getAnArgumentOperand()) }
@@ -46,49 +48,34 @@ private class PrimaryArgumentNode extends ArgumentNode {
     op = call.getArgumentOperand(pos.(DirectPosition).getIndex())
   }
 
-  override string toString() {
-    exists(Expr unconverted |
-      unconverted = op.getDef().getUnconvertedResultExpression() and
-      result = unconverted.toString()
-    )
-    or
-    // Certain instructions don't map to an unconverted result expression. For these cases
-    // we fall back to a simpler naming scheme. This can happen in IR-generated constructors.
-    not exists(op.getDef().getUnconvertedResultExpression()) and
-    (
-      result = "Argument " + op.(PositionalArgumentOperand).getIndex()
-      or
-      op instanceof ThisArgumentOperand and result = "Argument this"
-    )
-  }
+  override string toStringImpl() { result = argumentOperandToString(op) }
 }
 
-/**
- * A data flow node representing the read side effect of a call on a
- * specific parameter.
- */
-private class SideEffectArgumentNode extends ArgumentNode {
-  override SideEffectOperand op;
-  ReadSideEffectInstruction read;
+private string argumentOperandToString(ArgumentOperand op) {
+  exists(Expr unconverted |
+    unconverted = op.getDef().getUnconvertedResultExpression() and
+    result = unconverted.toString()
+  )
+  or
+  // Certain instructions don't map to an unconverted result expression. For these cases
+  // we fall back to a simpler naming scheme. This can happen in IR-generated constructors.
+  not exists(op.getDef().getUnconvertedResultExpression()) and
+  (
+    result = "Argument " + op.(PositionalArgumentOperand).getIndex()
+    or
+    op instanceof ThisArgumentOperand and result = "Argument this"
+  )
+}
 
-  SideEffectArgumentNode() { op = read.getSideEffectOperand() }
-
-  override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-    read.getPrimaryInstruction() = call and
-    pos.(IndirectionPosition).getIndex() = read.getIndex()
+private class SideEffectArgumentNode extends ArgumentNode, SideEffectOperandNode {
+  override predicate argumentOf(DataFlowCall dfCall, ArgumentPosition pos) {
+    this.getCallInstruction() = dfCall and
+    pos.(IndirectionPosition).getArgumentIndex() = this.getArgumentIndex() and
+    pos.(IndirectionPosition).getIndirectionIndex() = super.getIndirectionIndex()
   }
 
-  override string toString() {
-    result = read.getArgumentDef().getUnconvertedResultExpression().toString() + " indirection"
-    or
-    // Some instructions don't map to an unconverted result expression. For these cases
-    // we fall back to a simpler naming scheme. This can happen in IR-generated constructors.
-    not exists(read.getArgumentDef().getUnconvertedResultExpression()) and
-    (
-      if read.getIndex() = -1
-      then result = "Argument this indirection"
-      else result = "Argument " + read.getIndex() + " indirection"
-    )
+  override string toStringImpl() {
+    result = argumentOperandToString(this.getAddressOperand()) + " indirection"
   }
 }
 
@@ -102,47 +89,57 @@ class Position extends TPosition {
   abstract string toString();
 }
 
-class DirectPosition extends TDirectPosition {
+class DirectPosition extends Position, TDirectPosition {
   int index;
 
   DirectPosition() { this = TDirectPosition(index) }
 
-  string toString() {
-    index = -1 and
-    result = "this"
-    or
-    index != -1 and
-    result = index.toString()
-  }
+  override string toString() { if index = -1 then result = "this" else result = index.toString() }
 
   int getIndex() { result = index }
 }
 
-class IndirectionPosition extends TIndirectionPosition {
-  int index;
+class IndirectionPosition extends Position, TIndirectionPosition {
+  int argumentIndex;
+  int indirectionIndex;
 
-  IndirectionPosition() { this = TIndirectionPosition(index) }
+  IndirectionPosition() { this = TIndirectionPosition(argumentIndex, indirectionIndex) }
 
-  string toString() {
-    index = -1 and
-    result = "this"
-    or
-    index != -1 and
-    result = index.toString()
+  override string toString() {
+    if argumentIndex = -1
+    then if indirectionIndex > 0 then result = "this indirection" else result = "this"
+    else
+      if indirectionIndex > 0
+      then result = argumentIndex.toString() + " indirection"
+      else result = argumentIndex.toString()
   }
 
-  int getIndex() { result = index }
+  int getArgumentIndex() { result = argumentIndex }
+
+  int getIndirectionIndex() { result = indirectionIndex }
 }
 
 newtype TPosition =
   TDirectPosition(int index) { exists(any(CallInstruction c).getArgument(index)) } or
-  TIndirectionPosition(int index) {
-    exists(ReadSideEffectInstruction instr | instr.getIndex() = index)
+  TIndirectionPosition(int argumentIndex, int indirectionIndex) {
+    hasOperandAndIndex(_, any(CallInstruction call).getArgumentOperand(argumentIndex),
+      indirectionIndex)
   }
 
 private newtype TReturnKind =
-  TNormalReturnKind() or
-  TIndirectReturnKind(ParameterIndex index)
+  TNormalReturnKind(int index) {
+    exists(IndirectReturnNode return |
+      return.getAddressOperand() = any(ReturnValueInstruction r).getReturnAddressOperand() and
+      index = return.getIndirectionIndex() - 1 // We subtract one because the return loads the value.
+    )
+  } or
+  TIndirectReturnKind(int argumentIndex, int indirectionIndex) {
+    exists(IndirectReturnNode return, ReturnIndirectionInstruction returnInd |
+      returnInd.hasIndex(argumentIndex) and
+      return.getAddressOperand() = returnInd.getSourceAddressOperand() and
+      indirectionIndex = return.getIndirectionIndex()
+    )
+  }
 
 /**
  * A return kind. A return kind describes how a value can be returned
@@ -154,53 +151,146 @@ class ReturnKind extends TReturnKind {
 }
 
 private class NormalReturnKind extends ReturnKind, TNormalReturnKind {
-  override string toString() { result = "return" }
+  int index;
+
+  NormalReturnKind() { this = TNormalReturnKind(index) }
+
+  override string toString() { result = "indirect return" }
 }
 
 private class IndirectReturnKind extends ReturnKind, TIndirectReturnKind {
-  ParameterIndex index;
+  int argumentIndex;
+  int indirectionIndex;
 
-  IndirectReturnKind() { this = TIndirectReturnKind(index) }
+  IndirectReturnKind() { this = TIndirectReturnKind(argumentIndex, indirectionIndex) }
 
-  override string toString() { result = "outparam[" + index.toString() + "]" }
+  override string toString() { result = "indirect outparam[" + argumentIndex.toString() + "]" }
 }
 
 /** A data flow node that occurs as the result of a `ReturnStmt`. */
-class ReturnNode extends InstructionNode {
-  Instruction primary;
-
-  ReturnNode() {
-    exists(ReturnValueInstruction ret | instr = ret and primary = ret)
-    or
-    exists(ReturnIndirectionInstruction rii | instr = rii and primary = rii)
-  }
-
+class ReturnNode extends Node instanceof IndirectReturnNode {
   /** Gets the kind of this returned value. */
   abstract ReturnKind getKind();
 }
 
-class ReturnValueNode extends ReturnNode {
-  override ReturnValueInstruction primary;
-
-  override ReturnKind getKind() { result = TNormalReturnKind() }
+/**
+ * This predicate represents an annoying hack that we have to do. We use the
+ * `ReturnIndirectionInstruction` to determine which variables need flow back
+ * out of a function. However, the IR will unconditionally create those for a
+ * variable passed to a function even though the variable was never updated by
+ * the function. And if a function has too many `ReturnNode`s the dataflow
+ * library lowers its precision for that function by disabling field flow.
+ *
+ * So we those eliminate `ReturnNode`s that would have otherwise been created
+ * by this unconditional `ReturnIndirectionInstruction` by requiring that there
+ * must exist an SSA definition of the IR variable in the function.
+ */
+private predicate hasNonInitializeParameterDef(IRVariable v) {
+  exists(Ssa::Def def |
+    not def.getDefiningInstruction() instanceof InitializeParameterInstruction and
+    v = def.getSourceVariable().getBaseVariable().(Ssa::BaseIRVariable).getIRVariable()
+  )
 }
 
-class ReturnIndirectionNode extends ReturnNode {
-  override ReturnIndirectionInstruction primary;
-
+class ReturnIndirectionNode extends IndirectReturnNode, ReturnNode {
   override ReturnKind getKind() {
-    exists(int index |
-      primary.hasIndex(index) and
-      result = TIndirectReturnKind(index)
+    exists(int argumentIndex, ReturnIndirectionInstruction returnInd |
+      returnInd.hasIndex(argumentIndex) and
+      this.getAddressOperand() = returnInd.getSourceAddressOperand() and
+      result = TIndirectReturnKind(argumentIndex, this.getIndirectionIndex()) and
+      hasNonInitializeParameterDef(returnInd.getIRVariable())
     )
+    or
+    this.getAddressOperand() = any(ReturnValueInstruction r).getReturnAddressOperand() and
+    result = TNormalReturnKind(this.getIndirectionIndex() - 1)
   }
 }
 
+private Operand fullyConvertedCallStep(Operand op) {
+  not exists(getANonConversionUse(op)) and
+  exists(Instruction instr |
+    conversionFlow(op, instr, _) and
+    result = getAUse(instr)
+  )
+}
+
+/**
+ * Gets the instruction that uses this operand, if the instruction is not
+ * ignored for dataflow purposes.
+ */
+private Instruction getUse(Operand op) {
+  result = op.getUse() and
+  not Ssa::ignoreOperand(op)
+}
+
+/** Gets a use of the instruction `instr` that is not ignored for dataflow purposes. */
+Operand getAUse(Instruction instr) {
+  result = instr.getAUse() and
+  not Ssa::ignoreOperand(result)
+}
+
+/**
+ * Gets a use of `operand` that is:
+ * - not ignored for dataflow purposes, and
+ * - not a conversion-like instruction.
+ */
+private Instruction getANonConversionUse(Operand operand) {
+  result = getUse(operand) and
+  not conversionFlow(_, result, _)
+}
+
+/**
+ * Gets the operand that represents the first use of the value of `call` following
+ * a sequnce of conversion-like instructions.
+ */
+predicate operandForfullyConvertedCall(Operand operand, CallInstruction call) {
+  exists(getANonConversionUse(operand)) and
+  (
+    operand = getAUse(call)
+    or
+    operand = fullyConvertedCallStep*(getAUse(call))
+  )
+}
+
+/**
+ * Gets the instruction that represents the first use of the value of `call` following
+ * a sequnce of conversion-like instructions.
+ *
+ * This predicate only holds if there is no suitable operand (i.e., no operand of a non-
+ * conversion instruction) to use to represent the value of `call` after conversions.
+ */
+predicate instructionForfullyConvertedCall(Instruction instr, CallInstruction call) {
+  not operandForfullyConvertedCall(_, call) and
+  (
+    // If there is no use of the call then we pick the call instruction
+    not exists(getAUse(call)) and
+    instr = call
+    or
+    // Otherwise, flow to the first non-conversion use.
+    exists(Operand operand | operand = fullyConvertedCallStep*(getAUse(call)) |
+      instr = getANonConversionUse(operand)
+    )
+  )
+}
+
+/** Holds if `node` represents the output node for `call`. */
+private predicate simpleOutNode(Node node, CallInstruction call) {
+  operandForfullyConvertedCall(node.asOperand(), call)
+  or
+  instructionForfullyConvertedCall(node.asInstruction(), call)
+}
+
 /** A data flow node that represents the output of a call. */
-class OutNode extends InstructionNode {
+class OutNode extends Node {
   OutNode() {
-    instr instanceof CallInstruction or
-    instr instanceof WriteSideEffectInstruction
+    // Return values not hidden behind indirections
+    simpleOutNode(this, _)
+    or
+    // Return values hidden behind indirections
+    this instanceof IndirectReturnOutNode
+    or
+    // Modified arguments hidden behind indirections
+    this instanceof IndirectArgumentOutNode
   }
 
   /** Gets the underlying call. */
@@ -209,20 +299,28 @@ class OutNode extends InstructionNode {
   abstract ReturnKind getReturnKind();
 }
 
-private class CallOutNode extends OutNode {
-  override CallInstruction instr;
+private class DirectCallOutNode extends OutNode {
+  CallInstruction call;
 
-  override DataFlowCall getCall() { result = instr }
+  DirectCallOutNode() { simpleOutNode(this, call) }
 
-  override ReturnKind getReturnKind() { result instanceof NormalReturnKind }
+  override DataFlowCall getCall() { result = call }
+
+  override ReturnKind getReturnKind() { result = TNormalReturnKind(0) }
 }
 
-private class SideEffectOutNode extends OutNode {
-  override WriteSideEffectInstruction instr;
+private class IndirectCallOutNode extends OutNode, IndirectReturnOutNode {
+  override DataFlowCall getCall() { result = this.getCallInstruction() }
 
-  override DataFlowCall getCall() { result = instr.getPrimaryInstruction() }
+  override ReturnKind getReturnKind() { result = TNormalReturnKind(this.getIndirectionIndex()) }
+}
 
-  override ReturnKind getReturnKind() { result = TIndirectReturnKind(instr.getIndex()) }
+private class SideEffectOutNode extends OutNode, IndirectArgumentOutNode {
+  override DataFlowCall getCall() { result = this.getCallInstruction() }
+
+  override ReturnKind getReturnKind() {
+    result = TIndirectReturnKind(this.getArgumentIndex(), this.getIndirectionIndex())
+  }
 }
 
 /**
@@ -230,13 +328,8 @@ private class SideEffectOutNode extends OutNode {
  * `kind`.
  */
 OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) {
-  // There should be only one `OutNode` for a given `(call, kind)` pair. Showing the optimizer that
-  // this is true helps it make better decisions downstream, especially in virtual dispatch.
-  result =
-    unique(OutNode outNode |
-      outNode.getCall() = call and
-      outNode.getReturnKind() = kind
-    )
+  result.getCall() = call and
+  result.getReturnKind() = kind
 }
 
 /**
@@ -245,7 +338,7 @@ OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) {
  * global or static variable.
  */
 predicate jumpStep(Node n1, Node n2) {
-  exists(GlobalOrNamespaceVariable v |
+  exists(Cpp::GlobalOrNamespaceVariable v |
     v =
       n1.asInstruction()
           .(StoreInstruction)
@@ -269,24 +362,92 @@ predicate jumpStep(Node n1, Node n2) {
  * Thus, `node2` references an object with a field `f` that contains the
  * value of `node1`.
  */
-predicate storeStep(StoreNodeInstr node1, FieldContent f, StoreNodeInstr node2) {
-  exists(FieldAddressInstruction fai |
-    node1.getInstruction() = fai and
-    node2.getInstruction() = fai.getObjectAddress() and
-    f.getField() = fai.getField()
+predicate storeStep(Node node1, Content c, PostFieldUpdateNode node2) {
+  exists(int indirectionIndex1, int numberOfLoads, StoreInstruction store |
+    nodeHasInstruction(node1, store, pragma[only_bind_into](indirectionIndex1)) and
+    node2.getIndirectionIndex() = 1 and
+    numberOfLoadsFromOperand(node2.getFieldAddress(), store.getDestinationAddressOperand(),
+      numberOfLoads)
+  |
+    exists(FieldContent fc | fc = c |
+      fc.getField() = node2.getUpdatedField() and
+      fc.getIndirectionIndex() = 1 + indirectionIndex1 + numberOfLoads
+    )
+    or
+    exists(UnionContent uc | uc = c |
+      uc.getAField() = node2.getUpdatedField() and
+      uc.getIndirectionIndex() = 1 + indirectionIndex1 + numberOfLoads
+    )
   )
 }
 
+/**
+ * Holds if `operandFrom` flows to `operandTo` using a sequence of conversion-like
+ * operations and exactly `n` `LoadInstruction` operations.
+ */
+private predicate numberOfLoadsFromOperandRec(Operand operandFrom, Operand operandTo, int ind) {
+  exists(LoadInstruction load | load.getSourceAddressOperand() = operandFrom |
+    operandTo = operandFrom and ind = 0
+    or
+    numberOfLoadsFromOperand(load.getAUse(), operandTo, ind - 1)
+  )
+  or
+  exists(Operand op, Instruction instr |
+    instr = op.getDef() and
+    conversionFlow(operandFrom, instr, _) and
+    numberOfLoadsFromOperand(op, operandTo, ind)
+  )
+}
+
+/**
+ * Holds if `operandFrom` flows to `operandTo` using a sequence of conversion-like
+ * operations and exactly `n` `LoadInstruction` operations.
+ */
+private predicate numberOfLoadsFromOperand(Operand operandFrom, Operand operandTo, int n) {
+  numberOfLoadsFromOperandRec(operandFrom, operandTo, n)
+  or
+  not any(LoadInstruction load).getSourceAddressOperand() = operandFrom and
+  not conversionFlow(operandFrom, _, _) and
+  operandFrom = operandTo and
+  n = 0
+}
+
+// Needed to join on both an operand and an index at the same time.
+pragma[noinline]
+predicate nodeHasOperand(Node node, Operand operand, int indirectionIndex) {
+  node.asOperand() = operand and indirectionIndex = 0
+  or
+  hasOperandAndIndex(node, operand, indirectionIndex)
+}
+
+// Needed to join on both an instruction and an index at the same time.
+pragma[noinline]
+predicate nodeHasInstruction(Node node, Instruction instr, int indirectionIndex) {
+  node.asInstruction() = instr and indirectionIndex = 0
+  or
+  hasInstructionAndIndex(node, instr, indirectionIndex)
+}
+
 /**
  * Holds if data can flow from `node1` to `node2` via a read of `f`.
  * Thus, `node1` references an object with a field `f` whose value ends up in
  * `node2`.
  */
-predicate readStep(ReadNode node1, FieldContent f, ReadNode node2) {
-  exists(FieldAddressInstruction fai |
-    node1.getInstruction() = fai.getObjectAddress() and
-    node2.getInstruction() = fai and
-    f.getField() = fai.getField()
+predicate readStep(Node node1, Content c, Node node2) {
+  exists(FieldAddress fa1, Operand operand, int numberOfLoads, int indirectionIndex2 |
+    nodeHasOperand(node2, operand, indirectionIndex2) and
+    nodeHasOperand(node1, fa1.getObjectAddressOperand(), _) and
+    numberOfLoadsFromOperand(fa1, operand, numberOfLoads)
+  |
+    exists(FieldContent fc | fc = c |
+      fc.getField() = fa1.getField() and
+      fc.getIndirectionIndex() = indirectionIndex2 + numberOfLoads
+    )
+    or
+    exists(UnionContent uc | uc = c |
+      uc.getAField() = fa1.getField() and
+      uc.getIndirectionIndex() = indirectionIndex2 + numberOfLoads
+    )
   )
 }
 
@@ -304,20 +465,20 @@ predicate clearsContent(Node n, Content c) {
 predicate expectsContent(Node n, ContentSet c) { none() }
 
 /** Gets the type of `n` used for type pruning. */
-IRType getNodeType(Node n) {
+DataFlowType getNodeType(Node n) {
   suppressUnusedNode(n) and
-  result instanceof IRVoidType // stub implementation
+  result instanceof VoidType // stub implementation
 }
 
 /** Gets a string representation of a type returned by `getNodeType`. */
-string ppReprType(IRType t) { none() } // stub implementation
+string ppReprType(DataFlowType t) { none() } // stub implementation
 
 /**
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
  */
 pragma[inline]
-predicate compatibleTypes(IRType t1, IRType t2) {
+predicate compatibleTypes(DataFlowType t1, DataFlowType t2) {
   any() // stub implementation
 }
 
@@ -337,11 +498,11 @@ class CastNode extends Node {
  * data-flow library discards call contexts and inserts a node in the big-step
  * relation used for human-readable path explanations.
  */
-class DataFlowCallable = Declaration;
+class DataFlowCallable = Cpp::Declaration;
 
 class DataFlowExpr = Expr;
 
-class DataFlowType = IRType;
+class DataFlowType = Type;
 
 /** A function call relevant for data flow. */
 class DataFlowCall extends CallInstruction {
@@ -368,17 +529,7 @@ class Unit extends TUnit {
 }
 
 /** Holds if `n` should be hidden from path explanations. */
-predicate nodeIsHidden(Node n) {
-  n instanceof OperandNode and not n instanceof ArgumentNode
-  or
-  StoreNodeFlow::flowThrough(n, _) and
-  not StoreNodeFlow::flowOutOf(n, _) and
-  not StoreNodeFlow::flowInto(_, n)
-  or
-  ReadNodeFlow::flowThrough(n, _) and
-  not ReadNodeFlow::flowOutOf(n, _) and
-  not ReadNodeFlow::flowInto(_, n)
-}
+predicate nodeIsHidden(Node n) { n instanceof OperandNode and not n instanceof ArgumentNode }
 
 class LambdaCallKind = Unit;
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ModelUtil.qll

@@ -5,41 +5,89 @@
 
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.DataFlow
+private import DataFlowUtil
+private import SsaInternals as Ssa
 
 /**
  * Gets the instruction that goes into `input` for `call`.
  */
-Operand callInput(CallInstruction call, FunctionInput input) {
+DataFlow::Node callInput(CallInstruction call, FunctionInput input) {
   // An argument or qualifier
   exists(int index |
-    result = call.getArgumentOperand(index) and
+    result.asOperand() = call.getArgumentOperand(index) and
     input.isParameterOrQualifierAddress(index)
   )
   or
   // A value pointed to by an argument or qualifier
-  exists(ReadSideEffectInstruction read |
-    result = read.getSideEffectOperand() and
-    read.getPrimaryInstruction() = call and
-    input.isParameterDerefOrQualifierObject(read.getIndex())
+  exists(int index, int indirectionIndex |
+    hasOperandAndIndex(result, call.getArgumentOperand(index), indirectionIndex) and
+    input.isParameterDerefOrQualifierObject(index, indirectionIndex)
+  )
+  or
+  exists(int ind |
+    result = getIndirectReturnOutNode(call, ind) and
+    input.isReturnValueDeref(ind)
   )
 }
 
 /**
  * Gets the instruction that holds the `output` for `call`.
  */
-Instruction callOutput(CallInstruction call, FunctionOutput output) {
+Node callOutput(CallInstruction call, FunctionOutput output) {
   // The return value
-  result = call and
+  result.asInstruction() = call and
   output.isReturnValue()
   or
   // The side effect of a call on the value pointed to by an argument or qualifier
-  exists(WriteSideEffectInstruction effect |
-    result = effect and
-    effect.getPrimaryInstruction() = call and
-    output.isParameterDerefOrQualifierObject(effect.getIndex())
+  exists(int index, int indirectionIndex |
+    result.(IndirectArgumentOutNode).getArgumentIndex() = index and
+    result.(IndirectArgumentOutNode).getIndirectionIndex() = indirectionIndex and
+    result.(IndirectArgumentOutNode).getCallInstruction() = call and
+    output.isParameterDerefOrQualifierObject(index, indirectionIndex)
   )
   or
-  // TODO: modify this when we get return value dereferences
-  result = call and
-  output.isReturnValueDeref()
+  exists(int ind |
+    result = getIndirectReturnOutNode(call, ind) and
+    output.isReturnValueDeref(ind)
+  )
+}
+
+DataFlow::Node callInput(CallInstruction call, FunctionInput input, int d) {
+  exists(DataFlow::Node n | n = callInput(call, input) and d > 0 |
+    // An argument or qualifier
+    hasOperandAndIndex(result, n.asOperand(), d)
+    or
+    exists(Operand operand, int indirectionIndex |
+      // A value pointed to by an argument or qualifier
+      hasOperandAndIndex(n, operand, indirectionIndex) and
+      hasOperandAndIndex(result, operand, indirectionIndex + d)
+    )
+  )
+}
+
+private IndirectReturnOutNode getIndirectReturnOutNode(CallInstruction call, int d) {
+  result.getCallInstruction() = call and
+  result.getIndirectionIndex() = d
+}
+
+/**
+ * Gets the instruction that holds the `output` for `call`.
+ */
+bindingset[d]
+Node callOutput(CallInstruction call, FunctionOutput output, int d) {
+  exists(DataFlow::Node n | n = callOutput(call, output) and d > 0 |
+    // The return value
+    result = getIndirectReturnOutNode(n.asInstruction(), d)
+    or
+    // If there isn't an indirect out node for the call with indirection `d` then
+    // we conflate this with the underlying `CallInstruction`.
+    not exists(getIndirectReturnOutNode(call, d)) and
+    n.asInstruction() = result.asInstruction()
+    or
+    // The side effect of a call on the value pointed to by an argument or qualifier
+    exists(Operand operand, int indirectionIndex |
+      Ssa::outNodeHasAddressAndIndex(n, operand, indirectionIndex) and
+      Ssa::outNodeHasAddressAndIndex(result, operand, indirectionIndex + d)
+    )
+  )
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -0,0 +1,270 @@
+import cpp as Cpp
+import semmle.code.cpp.ir.IR
+import semmle.code.cpp.ir.internal.IRCppLanguage
+private import semmle.code.cpp.ir.implementation.raw.internal.SideEffects as SideEffects
+private import DataFlowImplCommon as DataFlowImplCommon
+private import DataFlowUtil
+
+/**
+ * Holds if `operand` is an operand that is not used by the dataflow library.
+ * Ignored operands are not recognizd as uses by SSA, and they don't have a
+ * corresponding `(Indirect)OperandNode`.
+ */
+predicate ignoreOperand(Operand operand) {
+  operand = any(Instruction instr | ignoreInstruction(instr)).getAnOperand() or
+  operand = any(Instruction instr | ignoreInstruction(instr)).getAUse() or
+  operand instanceof MemoryOperand
+}
+
+/**
+ * Holds if `instr` is an instruction that is not used by the dataflow library.
+ * Ignored instructions are not recognized as reads/writes by SSA, and they
+ * don't have a corresponding `(Indirect)InstructionNode`.
+ */
+predicate ignoreInstruction(Instruction instr) {
+  DataFlowImplCommon::forceCachingInSameStage() and
+  (
+    instr instanceof WriteSideEffectInstruction or
+    instr instanceof PhiInstruction or
+    instr instanceof ReadSideEffectInstruction or
+    instr instanceof ChiInstruction or
+    instr instanceof InitializeIndirectionInstruction
+  )
+}
+
+/**
+ * Gets the C++ type of `this` in the member function `f`.
+ * The result is a glvalue if `isGLValue` is true, and
+ * a prvalue if `isGLValue` is false.
+ */
+bindingset[isGLValue]
+private CppType getThisType(Cpp::MemberFunction f, boolean isGLValue) {
+  result.hasType(f.getTypeOfThis(), isGLValue)
+}
+
+/**
+ * Gets the C++ type of the instruction `i`.
+ *
+ * This is equivalent to `i.getResultLanguageType()` with the exception
+ * of instructions that directly references a `this` IRVariable. In this
+ * case, `i.getResultLanguageType()` gives an unknown type, whereas the
+ * predicate gives the expected type (i.e., a potentially cv-qualified
+ * type `A*` where `A` is the declaring type of the member function that
+ * contains `i`).
+ */
+cached
+CppType getResultLanguageType(Instruction i) {
+  if i.(VariableAddressInstruction).getIRVariable() instanceof IRThisVariable
+  then
+    if i.isGLValue()
+    then result = getThisType(i.getEnclosingFunction(), true)
+    else result = getThisType(i.getEnclosingFunction(), false)
+  else result = i.getResultLanguageType()
+}
+
+/**
+ * Gets the C++ type of the operand `operand`.
+ * This is equivalent to the type of the operand's defining instruction.
+ *
+ * See `getResultLanguageType` for a description of this behavior.
+ */
+CppType getLanguageType(Operand operand) { result = getResultLanguageType(operand.getDef()) }
+
+/**
+ * Gets the maximum number of indirections a glvalue of type `type` can have.
+ * For example:
+ * - If `type = int`, the result is 1
+ * - If `type = MyStruct`, the result is 1
+ * - If `type = char*`, the result is 2
+ */
+int getMaxIndirectionsForType(Type type) {
+  result = countIndirectionsForCppType(getTypeForGLValue(type))
+}
+
+/**
+ * Gets the maximum number of indirections a value of type `type` can have.
+ *
+ * Note that this predicate is intended to be called on unspecified types
+ * (i.e., `countIndirections(e.getUnspecifiedType())`).
+ */
+private int countIndirections(Type t) {
+  result =
+    1 +
+      countIndirections([t.(Cpp::PointerType).getBaseType(), t.(Cpp::ReferenceType).getBaseType()])
+  or
+  not t instanceof Cpp::PointerType and
+  not t instanceof Cpp::ReferenceType and
+  result = 0
+}
+
+/**
+ * Gets the maximum number of indirections a value of C++
+ * type `langType` can have.
+ */
+int countIndirectionsForCppType(LanguageType langType) {
+  exists(Type type | langType.hasType(type, true) |
+    result = 1 + countIndirections(type.getUnspecifiedType())
+  )
+  or
+  exists(Type type | langType.hasType(type, false) |
+    result = countIndirections(type.getUnspecifiedType())
+  )
+}
+
+/**
+ * A `CallInstruction` that calls an allocation function such
+ * as `malloc` or `operator new`.
+ */
+class AllocationInstruction extends CallInstruction {
+  AllocationInstruction() { this.getStaticCallTarget() instanceof Cpp::AllocationFunction }
+}
+
+/**
+ * Holds if `i` is a base instruction that starts a sequence of uses
+ * of some variable that SSA can handle.
+ *
+ * This is either when `i` is a `VariableAddressInstruction` or when
+ * `i` is a fresh allocation produced by an `AllocationInstruction`.
+ */
+private predicate isSourceVariableBase(Instruction i) {
+  i instanceof VariableAddressInstruction or i instanceof AllocationInstruction
+}
+
+/**
+ * Holds if the value pointed to by `operand` can potentially be
+ * modified be the caller.
+ */
+predicate isModifiableByCall(ArgumentOperand operand) {
+  exists(CallInstruction call, int index, CppType type |
+    type = getLanguageType(operand) and
+    call.getArgumentOperand(index) = operand and
+    if index = -1
+    then not call.getStaticCallTarget() instanceof Cpp::ConstMemberFunction
+    else not SideEffects::isConstPointerLike(any(Type t | type.hasType(t, _)))
+  )
+}
+
+cached
+private module Cached {
+  /**
+   * Holds if `op` is a use of an SSA variable rooted at `base` with `ind` number
+   * of indirections.
+   *
+   * `certain` is `true` if the operand is guaranteed to read the variable, and
+   * `indirectionIndex` specifies the number of loads required to read the variable.
+   */
+  cached
+  predicate isUse(boolean certain, Operand op, Instruction base, int ind, int indirectionIndex) {
+    not ignoreOperand(op) and
+    certain = true and
+    exists(LanguageType type, int m, int ind0 |
+      type = getLanguageType(op) and
+      m = countIndirectionsForCppType(type) and
+      isUseImpl(op, base, ind0) and
+      ind = ind0 + [0 .. m] and
+      indirectionIndex = ind - ind0
+    )
+  }
+
+  /**
+   * Holds if `operand` is a use of an SSA variable rooted at `base`, and the
+   * path from `base` to `operand` passes through `ind` load-like instructions.
+   */
+  private predicate isUseImpl(Operand operand, Instruction base, int ind) {
+    DataFlowImplCommon::forceCachingInSameStage() and
+    ind = 0 and
+    operand.getDef() = base and
+    isSourceVariableBase(base)
+    or
+    exists(Operand mid, Instruction instr |
+      isUseImpl(mid, base, ind) and
+      instr = operand.getDef() and
+      conversionFlow(mid, instr, false)
+    )
+    or
+    exists(int ind0 |
+      isUseImpl(operand.getDef().(LoadInstruction).getSourceAddressOperand(), base, ind0)
+      or
+      isUseImpl(operand.getDef().(InitializeParameterInstruction).getAnOperand(), base, ind0)
+    |
+      ind0 = ind - 1
+    )
+  }
+
+  /**
+   * Holds if `address` is an address of an SSA variable rooted at `base`,
+   * and `instr` is a definition of the SSA variable with `ind` number of indirections.
+   *
+   * `certain` is `true` if `instr` is guaranteed to write to the variable, and
+   * `indirectionIndex` specifies the number of loads required to read the variable
+   * after the write operation.
+   */
+  cached
+  predicate isDef(
+    boolean certain, Instruction instr, Operand address, Instruction base, int ind,
+    int indirectionIndex
+  ) {
+    certain = true and
+    exists(int ind0, CppType type, int m |
+      address =
+        [
+          instr.(StoreInstruction).getDestinationAddressOperand(),
+          instr.(InitializeParameterInstruction).getAnOperand(),
+          instr.(InitializeDynamicAllocationInstruction).getAllocationAddressOperand(),
+          instr.(UninitializedInstruction).getAnOperand()
+        ]
+    |
+      isDefImpl(address, base, ind0) and
+      type = getLanguageType(address) and
+      m = countIndirectionsForCppType(type) and
+      ind = ind0 + [1 .. m] and
+      indirectionIndex = ind - (ind0 + 1)
+    )
+  }
+
+  /**
+   * Holds if `address` is a use of an SSA variable rooted at `base`, and the
+   * path from `base` to `address` passes through `ind` load-like instructions.
+   *
+   * Note: Unlike `isUseImpl`, this predicate recurses through pointer-arithmetic
+   * instructions.
+   */
+  private predicate isDefImpl(Operand address, Instruction base, int ind) {
+    DataFlowImplCommon::forceCachingInSameStage() and
+    ind = 0 and
+    address.getDef() = base and
+    isSourceVariableBase(base)
+    or
+    exists(Operand mid, Instruction instr |
+      isDefImpl(mid, base, ind) and
+      instr = address.getDef() and
+      conversionFlow(mid, instr, _)
+    )
+    or
+    exists(int ind0 |
+      isDefImpl(address.getDef().(LoadInstruction).getSourceAddressOperand(), base, ind0)
+      or
+      isDefImpl(address.getDef().(InitializeParameterInstruction).getAnOperand(), base, ind0)
+    |
+      ind0 = ind - 1
+    )
+  }
+}
+
+import Cached
+
+/**
+ * Inputs to the shared SSA library's parameterized module that is shared
+ * between the SSA pruning stage, and the final SSA stage.
+ */
+module InputSigCommon {
+  class BasicBlock = IRBlock;
+
+  BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { result.immediatelyDominates(bb) }
+
+  BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
+
+  class ExitBasicBlock extends IRBlock {
+    ExitBasicBlock() { this.getLastInstruction() instanceof ExitFunctionInstruction }
+  }
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -3,6 +3,8 @@ private import semmle.code.cpp.ir.dataflow.DataFlow
 private import ModelUtil
 private import semmle.code.cpp.models.interfaces.DataFlow
 private import semmle.code.cpp.models.interfaces.SideEffect
+private import DataFlowUtil
+private import DataFlowPrivate
 
 /**
  * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
@@ -23,26 +25,26 @@ cached
 predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
   operandToInstructionTaintStep(nodeFrom.asOperand(), nodeTo.asInstruction())
   or
-  instructionToOperandTaintStep(nodeFrom.asInstruction(), nodeTo.asOperand())
-}
-
-private predicate instructionToOperandTaintStep(Instruction fromInstr, Operand toOperand) {
-  // Propagate flow from the definition of an operand to the operand, even when the overlap is inexact.
-  // We only do this in certain cases:
-  // 1. The instruction's result must not be conflated, and
-  // 2. The instruction's result type is one the types where we expect element-to-object flow. Currently
-  // this is array types and union types. This matches the other two cases of element-to-object flow in
-  // `DefaultTaintTracking`.
-  toOperand.getAnyDef() = fromInstr and
-  not fromInstr.isResultConflated() and
-  (
-    fromInstr.getResultType() instanceof ArrayType or
-    fromInstr.getResultType() instanceof Union
+  modeledTaintStep(nodeFrom, nodeTo)
+  or
+  // Flow from `op` to `*op`.
+  exists(Operand operand, int indirectionIndex |
+    nodeHasOperand(nodeFrom, operand, indirectionIndex) and
+    nodeHasOperand(nodeTo, operand, indirectionIndex - 1)
   )
   or
-  exists(ReadSideEffectInstruction readInstr |
-    fromInstr = readInstr.getArgumentDef() and
-    toOperand = readInstr.getSideEffectOperand()
+  // Flow from `instr` to `*instr`.
+  exists(Instruction instr, int indirectionIndex |
+    nodeHasInstruction(nodeFrom, instr, indirectionIndex) and
+    nodeHasInstruction(nodeTo, instr, indirectionIndex - 1)
+  )
+  or
+  // Flow from (the indirection of) an operand of a pointer arithmetic instruction to the
+  // indirection of the pointer arithmetic instruction. This provides flow from `source`
+  // in `x[source]` to the result of the associated load instruction.
+  exists(PointerArithmeticInstruction pai, int indirectionIndex |
+    nodeHasOperand(nodeFrom, pai.getAnOperand(), pragma[only_bind_into](indirectionIndex)) and
+    hasInstructionAndIndex(nodeTo, pai, indirectionIndex + 1)
   )
 }
 
@@ -61,13 +63,13 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
     instrTo instanceof BitwiseInstruction
     or
     instrTo instanceof PointerArithmeticInstruction
-    or
-    // The `CopyInstruction` case is also present in non-taint data flow, but
-    // that uses `getDef` rather than `getAnyDef`. For taint, we want flow
-    // from a definition of `myStruct` to a `myStruct.myField` expression.
-    instrTo instanceof CopyInstruction
   )
   or
+  // The `CopyInstruction` case is also present in non-taint data flow, but
+  // that uses `getDef` rather than `getAnyDef`. For taint, we want flow
+  // from a definition of `myStruct` to a `myStruct.myField` expression.
+  instrTo.(LoadInstruction).getSourceAddressOperand() = opFrom
+  or
   // Unary instructions tend to preserve enough information in practice that we
   // want taint to flow through.
   // The exception is `FieldAddressInstruction`. Together with the rules below for
@@ -81,40 +83,6 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
     or
     instrTo.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
   )
-  or
-  // Flow from an element to an array or union that contains it.
-  instrTo.(ChiInstruction).getPartialOperand() = opFrom and
-  not instrTo.isResultConflated() and
-  exists(Type t | instrTo.getResultLanguageType().hasType(t, false) |
-    t instanceof Union
-    or
-    t instanceof ArrayType
-  )
-  or
-  // Until we have flow through indirections across calls, we'll take flow out
-  // of the indirection and into the argument.
-  // When we get proper flow through indirections across calls, this code can be
-  // moved to `adjusedSink` or possibly into the `DataFlow::ExprNode` class.
-  exists(ReadSideEffectInstruction read |
-    read.getSideEffectOperand() = opFrom and
-    read.getArgumentDef() = instrTo
-  )
-  or
-  // Until we have from through indirections across calls, we'll take flow out
-  // of the parameter and into its indirection.
-  // `InitializeIndirectionInstruction` only has a single operand: the address of the
-  // value whose indirection we are initializing. When initializing an indirection of a parameter `p`,
-  // the IR looks like this:
-  // ```
-  // m1 = InitializeParameter[p] : &r1
-  // r2 = Load[p] : r2, m1
-  // m3 = InitializeIndirection[p] : &r2
-  // ```
-  // So by having flow from `r2` to `m3` we're enabling flow from `m1` to `m3`. This relies on the
-  // `LoadOperand`'s overlap being exact.
-  instrTo.(InitializeIndirectionInstruction).getAnOperand() = opFrom
-  or
-  modeledTaintStep(opFrom, instrTo)
 }
 
 /**
@@ -164,24 +132,42 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { n
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 
 /**
- * Holds if taint can flow from `instrIn` to `instrOut` through a call to a
+ * Holds if taint can flow from `nodeIn` to `nodeOut` through a call to a
  * modeled function.
  */
-predicate modeledTaintStep(Operand nodeIn, Instruction nodeOut) {
+predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut) {
+  // Normal taint steps
   exists(CallInstruction call, TaintFunction func, FunctionInput modelIn, FunctionOutput modelOut |
+    call.getStaticCallTarget() = func and
+    func.hasTaintFlow(modelIn, modelOut)
+  |
     (
       nodeIn = callInput(call, modelIn)
       or
       exists(int n |
         modelIn.isParameterDerefOrQualifierObject(n) and
         if n = -1
-        then nodeIn = callInput(call, any(InQualifierObject inQualifier))
+        then nodeIn = callInput(call, any(InQualifierAddress inQualifier))
         else nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n))
       )
     ) and
-    nodeOut = callOutput(call, modelOut) and
-    call.getStaticCallTarget() = func and
-    func.hasTaintFlow(modelIn, modelOut)
+    nodeOut = callOutput(call, modelOut)
+    or
+    exists(int d |
+      nodeIn = callInput(call, modelIn, d)
+      or
+      exists(int n |
+        d = 1 and
+        modelIn.isParameterDerefOrQualifierObject(n) and
+        if n = -1
+        then nodeIn = callInput(call, any(InQualifierAddress inQualifier))
+        else nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n))
+      )
+    |
+      call.getStaticCallTarget() = func and
+      func.hasTaintFlow(modelIn, modelOut) and
+      nodeOut = callOutput(call, modelOut, d)
+    )
   )
   or
   // Taint flow from one argument to another and data flow from an argument to a
@@ -205,12 +191,11 @@ predicate modeledTaintStep(Operand nodeIn, Instruction nodeOut) {
   // Taint flow from a pointer argument to an output, when the model specifies flow from the deref
   // to that output, but the deref is not modeled in the IR for the caller.
   exists(
-    CallInstruction call, ReadSideEffectInstruction read, Function func, FunctionInput modelIn,
-    FunctionOutput modelOut
+    CallInstruction call, DataFlow::SideEffectOperandNode indirectArgument, Function func,
+    FunctionInput modelIn, FunctionOutput modelOut
   |
-    read.getSideEffectOperand() = callInput(call, modelIn) and
-    read.getArgumentDef() = nodeIn.getDef() and
-    not read.getSideEffect().isResultModeled() and
+    indirectArgument = callInput(call, modelIn) and
+    indirectArgument.getAddressOperand() = nodeIn.asOperand() and
     call.getStaticCallTarget() = func and
     (
       func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll

@@ -0,0 +1,314 @@
+/**
+ * This module defines an initial SSA pruning stage that doesn't take
+ * indirections into account.
+ */
+
+private import codeql.ssa.Ssa as SsaImplCommon
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
+private import semmle.code.cpp.models.interfaces.Allocation as Alloc
+private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
+private import semmle.code.cpp.ir.implementation.raw.internal.SideEffects as SideEffects
+private import semmle.code.cpp.ir.internal.IRCppLanguage
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.dataflow.internal.SsaInternalsCommon
+
+private module SourceVariables {
+  newtype TBaseSourceVariable =
+    // Each IR variable gets its own source variable
+    TBaseIRVariable(IRVariable var) or
+    // Each allocation gets its own source variable
+    TBaseCallVariable(AllocationInstruction call)
+
+  abstract class BaseSourceVariable extends TBaseSourceVariable {
+    abstract string toString();
+
+    abstract DataFlowType getType();
+  }
+
+  class BaseIRVariable extends BaseSourceVariable, TBaseIRVariable {
+    IRVariable var;
+
+    IRVariable getIRVariable() { result = var }
+
+    BaseIRVariable() { this = TBaseIRVariable(var) }
+
+    override string toString() { result = var.toString() }
+
+    override DataFlowType getType() { result = var.getType() }
+  }
+
+  class BaseCallVariable extends BaseSourceVariable, TBaseCallVariable {
+    AllocationInstruction call;
+
+    BaseCallVariable() { this = TBaseCallVariable(call) }
+
+    AllocationInstruction getCallInstruction() { result = call }
+
+    override string toString() { result = call.toString() }
+
+    override DataFlowType getType() { result = call.getResultType() }
+  }
+
+  private newtype TSourceVariable =
+    TSourceIRVariable(BaseIRVariable baseVar) or
+    TCallVariable(AllocationInstruction call)
+
+  abstract class SourceVariable extends TSourceVariable {
+    abstract string toString();
+
+    abstract BaseSourceVariable getBaseVariable();
+  }
+
+  class SourceIRVariable extends SourceVariable, TSourceIRVariable {
+    BaseIRVariable var;
+
+    SourceIRVariable() { this = TSourceIRVariable(var) }
+
+    IRVariable getIRVariable() { result = var.getIRVariable() }
+
+    override BaseIRVariable getBaseVariable() { result.getIRVariable() = this.getIRVariable() }
+
+    override string toString() { result = this.getIRVariable().toString() }
+  }
+
+  class CallVariable extends SourceVariable, TCallVariable {
+    AllocationInstruction call;
+
+    CallVariable() { this = TCallVariable(call) }
+
+    AllocationInstruction getCall() { result = call }
+
+    override BaseCallVariable getBaseVariable() { result.getCallInstruction() = call }
+
+    override string toString() { result = "Call" }
+  }
+}
+
+import SourceVariables
+
+private newtype TDefOrUseImpl =
+  TDefImpl(Operand address) { isDef(_, _, address, _, _, _) } or
+  TUseImpl(Operand operand) {
+    isUse(_, operand, _, _, _) and
+    not isDef(_, _, operand, _, _, _)
+  }
+
+abstract private class DefOrUseImpl extends TDefOrUseImpl {
+  /** Gets a textual representation of this element. */
+  abstract string toString();
+
+  /** Gets the block of this definition or use. */
+  abstract IRBlock getBlock();
+
+  /** Holds if this definition or use has index `index` in block `block`. */
+  abstract predicate hasIndexInBlock(IRBlock block, int index);
+
+  final predicate hasIndexInBlock(IRBlock block, int index, SourceVariable sv) {
+    this.hasIndexInBlock(block, index) and
+    sv = this.getSourceVariable()
+  }
+
+  /** Gets the location of this element. */
+  abstract Cpp::Location getLocation();
+
+  abstract Instruction getBase();
+
+  final BaseSourceVariable getBaseSourceVariable() {
+    exists(IRVariable var |
+      result.(BaseIRVariable).getIRVariable() = var and
+      instructionHasIRVariable(this.getBase(), var)
+    )
+    or
+    result.(BaseCallVariable).getCallInstruction() = this.getBase()
+  }
+
+  /** Gets the variable that is defined or used. */
+  final SourceVariable getSourceVariable() {
+    exists(BaseSourceVariable v |
+      sourceVariableHasBaseAndIndex(result, v) and
+      defOrUseHasSourceVariable(this, v)
+    )
+  }
+}
+
+pragma[noinline]
+private predicate instructionHasIRVariable(VariableAddressInstruction vai, IRVariable var) {
+  vai.getIRVariable() = var
+}
+
+private predicate defOrUseHasSourceVariable(DefOrUseImpl defOrUse, BaseSourceVariable bv) {
+  defHasSourceVariable(defOrUse, bv)
+  or
+  useHasSourceVariable(defOrUse, bv)
+}
+
+pragma[noinline]
+private predicate defHasSourceVariable(DefImpl def, BaseSourceVariable bv) {
+  bv = def.getBaseSourceVariable()
+}
+
+pragma[noinline]
+private predicate useHasSourceVariable(UseImpl use, BaseSourceVariable bv) {
+  bv = use.getBaseSourceVariable()
+}
+
+pragma[noinline]
+private predicate sourceVariableHasBaseAndIndex(SourceVariable v, BaseSourceVariable bv) {
+  v.getBaseVariable() = bv
+}
+
+class DefImpl extends DefOrUseImpl, TDefImpl {
+  Operand address;
+
+  DefImpl() { this = TDefImpl(address) }
+
+  override Instruction getBase() { isDef(_, _, address, result, _, _) }
+
+  Operand getAddressOperand() { result = address }
+
+  Instruction getDefiningInstruction() { isDef(_, result, address, _, _, _) }
+
+  override string toString() { result = address.toString() }
+
+  override IRBlock getBlock() { result = this.getDefiningInstruction().getBlock() }
+
+  override Cpp::Location getLocation() { result = this.getDefiningInstruction().getLocation() }
+
+  final override predicate hasIndexInBlock(IRBlock block, int index) {
+    this.getDefiningInstruction() = block.getInstruction(index)
+  }
+
+  predicate isCertain() { isDef(true, _, address, _, _, _) }
+}
+
+class UseImpl extends DefOrUseImpl, TUseImpl {
+  Operand operand;
+
+  UseImpl() { this = TUseImpl(operand) }
+
+  Operand getOperand() { result = operand }
+
+  override string toString() { result = operand.toString() }
+
+  final override predicate hasIndexInBlock(IRBlock block, int index) {
+    operand.getUse() = block.getInstruction(index)
+  }
+
+  final override IRBlock getBlock() { result = operand.getUse().getBlock() }
+
+  final override Cpp::Location getLocation() { result = operand.getLocation() }
+
+  override Instruction getBase() { isUse(_, operand, result, _, _) }
+
+  predicate isCertain() { isUse(true, operand, _, _, _) }
+}
+
+private module SsaInput implements SsaImplCommon::InputSig {
+  import InputSigCommon
+  import SourceVariables
+
+  /**
+   * Holds if the `i`'th write in block `bb` writes to the variable `v`.
+   * `certain` is `true` if the write is guaranteed to overwrite the entire variable.
+   */
+  predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
+    DataFlowImplCommon::forceCachingInSameStage() and
+    exists(DefImpl def | def.hasIndexInBlock(bb, i, v) |
+      if def.isCertain() then certain = true else certain = false
+    )
+  }
+
+  /**
+   * Holds if the `i`'th read in block `bb` reads to the variable `v`.
+   * `certain` is `true` if the read is guaranteed.
+   */
+  predicate variableRead(IRBlock bb, int i, SourceVariable v, boolean certain) {
+    exists(UseImpl use | use.hasIndexInBlock(bb, i, v) |
+      if use.isCertain() then certain = true else certain = false
+    )
+  }
+}
+
+private newtype TSsaDefOrUse =
+  TDefOrUse(DefOrUseImpl defOrUse) {
+    defOrUse instanceof UseImpl
+    or
+    // If `defOrUse` is a definition we only include it if the
+    // SSA library concludes that it's live after the write.
+    exists(Definition def, SourceVariable sv, IRBlock bb, int i |
+      def.definesAt(sv, bb, i) and
+      defOrUse.(DefImpl).hasIndexInBlock(bb, i, sv)
+    )
+  } or
+  TPhi(PhiNode phi)
+
+abstract private class SsaDefOrUse extends TSsaDefOrUse {
+  string toString() { result = "SsaDefOrUse" }
+
+  DefOrUseImpl asDefOrUse() { none() }
+
+  PhiNode asPhi() { none() }
+
+  abstract Location getLocation();
+}
+
+class DefOrUse extends TDefOrUse, SsaDefOrUse {
+  DefOrUseImpl defOrUse;
+
+  DefOrUse() { this = TDefOrUse(defOrUse) }
+
+  final override DefOrUseImpl asDefOrUse() { result = defOrUse }
+
+  final override Location getLocation() { result = defOrUse.getLocation() }
+
+  final SourceVariable getSourceVariable() { result = defOrUse.getSourceVariable() }
+}
+
+class Phi extends TPhi, SsaDefOrUse {
+  PhiNode phi;
+
+  Phi() { this = TPhi(phi) }
+
+  final override PhiNode asPhi() { result = phi }
+
+  final override Location getLocation() { result = phi.getBasicBlock().getLocation() }
+}
+
+class UseOrPhi extends SsaDefOrUse {
+  UseOrPhi() {
+    this.asDefOrUse() instanceof UseImpl
+    or
+    this instanceof Phi
+  }
+
+  final override Location getLocation() {
+    result = this.asDefOrUse().getLocation() or result = this.(Phi).getLocation()
+  }
+
+  override string toString() {
+    result = this.asDefOrUse().toString()
+    or
+    this instanceof Phi and
+    result = "Phi"
+  }
+}
+
+class Def extends DefOrUse {
+  override DefImpl defOrUse;
+
+  Operand getAddressOperand() { result = defOrUse.getAddressOperand() }
+
+  Instruction getAddress() { result = this.getAddressOperand().getDef() }
+
+  Instruction getDefiningInstruction() { result = defOrUse.getDefiningInstruction() }
+
+  override string toString() { result = this.asDefOrUse().toString() + " (def)" }
+}
+
+private module SsaImpl = SsaImplCommon::Make<SsaInput>;
+
+class PhiNode = SsaImpl::PhiNode;
+
+class Definition = SsaImpl::Definition;

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -143,16 +143,6 @@ private module Cached {
     )
   }
 
-  cached
-  Instruction getRegisterOperandDefinition(Instruction instruction, RegisterOperandTag tag) {
-    exists(OldInstruction oldInstruction, OldIR::RegisterOperand oldOperand |
-      oldInstruction = getOldInstruction(instruction) and
-      oldOperand = oldInstruction.getAnOperand() and
-      tag = oldOperand.getOperandTag() and
-      result = getNewInstruction(oldOperand.getAnyDef())
-    )
-  }
-
   pragma[noopt]
   private predicate hasMemoryOperandDefinition(
     OldInstruction oldInstruction, OldIR::NonPhiMemoryOperand oldOperand, Overlap overlap,

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -256,12 +256,6 @@ CppType getInstructionOperandType(Instruction instruction, TypedOperandTag tag)
         .getInstructionMemoryOperandType(getInstructionTag(instruction), tag)
 }
 
-Instruction getPhiOperandDefinition(
-  PhiInstruction instruction, IRBlock predecessorBlock, Overlap overlap
-) {
-  none()
-}
-
 Instruction getPhiInstructionBlockStart(PhiInstruction instr) { none() }
 
 Instruction getInstructionSuccessor(Instruction instruction, EdgeKind kind) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -143,16 +143,6 @@ private module Cached {
     )
   }
 
-  cached
-  Instruction getRegisterOperandDefinition(Instruction instruction, RegisterOperandTag tag) {
-    exists(OldInstruction oldInstruction, OldIR::RegisterOperand oldOperand |
-      oldInstruction = getOldInstruction(instruction) and
-      oldOperand = oldInstruction.getAnOperand() and
-      tag = oldOperand.getOperandTag() and
-      result = getNewInstruction(oldOperand.getAnyDef())
-    )
-  }
-
   pragma[noopt]
   private predicate hasMemoryOperandDefinition(
     OldInstruction oldInstruction, OldIR::NonPhiMemoryOperand oldOperand, Overlap overlap,

cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll

@@ -205,57 +205,149 @@ private predicate deconstructSizeExpr(Expr sizeExpr, Expr lengthExpr, int sizeof
   sizeof = 1
 }
 
+/** A `Function` that is a call target of an allocation. */
+private signature class CallAllocationExprTarget extends Function;
+
 /**
- * An allocation expression that is a function call, such as call to `malloc`.
+ * This module abstracts over the type of allocation call-targets and provides a
+ * class `CallAllocationExprImpl` which contains the implementation of the various
+ * predicates required by the `Allocation` class.
+ *
+ * This module is then instantiated for two types of allocation call-targets:
+ * - `AllocationFunction`: Functions that we've explicitly modeled as functions that
+ * perform allocations (i.e., `malloc`).
+ * - `HeuristicAllocationFunction`: Functions that we deduce as behaving like an allocation
+ * function using various heuristics.
  */
-private class CallAllocationExpr extends AllocationExpr, FunctionCall {
-  AllocationFunction target;
+private module CallAllocationExprBase<CallAllocationExprTarget Target> {
+  /** A module that contains the collection of member-predicates required on `Target`. */
+  signature module Param {
+    /**
+     * Gets the index of the input pointer argument to be reallocated, if
+     * this is a `realloc` function.
+     */
+    int getReallocPtrArg(Target target);
 
-  CallAllocationExpr() {
-    target = this.getTarget() and
-    // realloc(ptr, 0) only frees the pointer
-    not (
-      exists(target.getReallocPtrArg()) and
-      this.getArgument(target.getSizeArg()).getValue().toInt() = 0
-    ) and
-    // these are modeled directly (and more accurately), avoid duplication
-    not exists(NewOrNewArrayExpr new | new.getAllocatorCall() = this)
+    /**
+     * Gets the index of the argument for the allocation size, if any. The actual
+     * allocation size is the value of this argument multiplied by the result of
+     * `getSizeMult()`, in bytes.
+     */
+    int getSizeArg(Target target);
+
+    /**
+     * Gets the index of an argument that multiplies the allocation size given
+     * by `getSizeArg`, if any.
+     */
+    int getSizeMult(Target target);
+
+    /**
+     * Holds if this allocation requires a
+     * corresponding deallocation of some sort (most do, but `alloca` for example
+     * does not). If it is unclear, we default to no (for example a placement `new`
+     * allocation may or may not require a corresponding `delete`).
+     */
+    predicate requiresDealloc(Target target);
   }
 
-  override Expr getSizeExpr() {
-    exists(Expr sizeExpr | sizeExpr = this.getArgument(target.getSizeArg()) |
-      if exists(target.getSizeMult())
-      then result = sizeExpr
-      else
-        exists(Expr lengthExpr |
-          deconstructSizeExpr(sizeExpr, lengthExpr, _) and
-          result = lengthExpr
+  /**
+   * A module that abstracts over a collection of predicates in
+   * the `Param` module). This should really be member-predicates
+   * on `CallAllocationExprTarget`, but we cannot yet write this in QL.
+   */
+  module With<Param P> {
+    private import P
+
+    /**
+     * An allocation expression that is a function call, such as call to `malloc`.
+     */
+    class CallAllocationExprImpl instanceof FunctionCall {
+      Target target;
+
+      CallAllocationExprImpl() {
+        target = this.getTarget() and
+        // realloc(ptr, 0) only frees the pointer
+        not (
+          exists(getReallocPtrArg(target)) and
+          this.getArgument(getSizeArg(target)).getValue().toInt() = 0
+        ) and
+        // these are modeled directly (and more accurately), avoid duplication
+        not exists(NewOrNewArrayExpr new | new.getAllocatorCall() = this)
+      }
+
+      string toString() { result = super.toString() }
+
+      Expr getSizeExprImpl() {
+        exists(Expr sizeExpr | sizeExpr = super.getArgument(getSizeArg(target)) |
+          if exists(getSizeMult(target))
+          then result = sizeExpr
+          else
+            exists(Expr lengthExpr |
+              deconstructSizeExpr(sizeExpr, lengthExpr, _) and
+              result = lengthExpr
+            )
         )
-    )
+      }
+
+      int getSizeMultImpl() {
+        // malloc with multiplier argument that is a constant
+        result = super.getArgument(getSizeMult(target)).getValue().toInt()
+        or
+        // malloc with no multiplier argument
+        not exists(getSizeMult(target)) and
+        deconstructSizeExpr(super.getArgument(getSizeArg(target)), _, result)
+      }
+
+      int getSizeBytesImpl() {
+        result = this.getSizeExprImpl().getValue().toInt() * this.getSizeMultImpl()
+      }
+
+      Expr getReallocPtrImpl() { result = super.getArgument(getReallocPtrArg(target)) }
+
+      Type getAllocatedElementTypeImpl() {
+        result =
+          super.getFullyConverted().getType().stripTopLevelSpecifiers().(PointerType).getBaseType() and
+        not result instanceof VoidType
+      }
+
+      predicate requiresDeallocImpl() { requiresDealloc(target) }
+    }
+  }
+}
+
+private module CallAllocationExpr {
+  private module Param implements CallAllocationExprBase<AllocationFunction>::Param {
+    int getReallocPtrArg(AllocationFunction f) { result = f.getReallocPtrArg() }
+
+    int getSizeArg(AllocationFunction f) { result = f.getSizeArg() }
+
+    int getSizeMult(AllocationFunction f) { result = f.getSizeMult() }
+
+    predicate requiresDealloc(AllocationFunction f) { f.requiresDealloc() }
   }
 
-  override int getSizeMult() {
-    // malloc with multiplier argument that is a constant
-    result = this.getArgument(target.getSizeMult()).getValue().toInt()
-    or
-    // malloc with no multiplier argument
-    not exists(target.getSizeMult()) and
-    deconstructSizeExpr(this.getArgument(target.getSizeArg()), _, result)
+  /**
+   * A class that provides the implementation of `AllocationExpr` for an allocation
+   * that calls an `AllocationFunction`.
+   */
+  private class Base =
+    CallAllocationExprBase<AllocationFunction>::With<Param>::CallAllocationExprImpl;
+
+  class CallAllocationExpr extends AllocationExpr, Base {
+    override Expr getSizeExpr() { result = super.getSizeExprImpl() }
+
+    override int getSizeMult() { result = super.getSizeMultImpl() }
+
+    override Type getAllocatedElementType() { result = super.getAllocatedElementTypeImpl() }
+
+    override predicate requiresDealloc() { super.requiresDeallocImpl() }
+
+    override int getSizeBytes() { result = super.getSizeBytesImpl() }
+
+    override Expr getReallocPtr() { result = super.getReallocPtrImpl() }
+
+    override string toString() { result = AllocationExpr.super.toString() }
   }
-
-  override int getSizeBytes() {
-    result = this.getSizeExpr().getValue().toInt() * this.getSizeMult()
-  }
-
-  override Expr getReallocPtr() { result = this.getArgument(target.getReallocPtrArg()) }
-
-  override Type getAllocatedElementType() {
-    result =
-      this.getFullyConverted().getType().stripTopLevelSpecifiers().(PointerType).getBaseType() and
-    not result instanceof VoidType
-  }
-
-  override predicate requiresDealloc() { target.requiresDealloc() }
 }
 
 /**
@@ -294,3 +386,99 @@ private class NewArrayAllocationExpr extends AllocationExpr, NewArrayExpr {
 
   override predicate requiresDealloc() { not exists(this.getPlacementPointer()) }
 }
+
+private module HeuristicAllocation {
+  /** A class that maps an `AllocationExpr` to an `HeuristicAllocationExpr`. */
+  private class HeuristicAllocationModeled extends HeuristicAllocationExpr instanceof AllocationExpr {
+    override Expr getSizeExpr() { result = AllocationExpr.super.getSizeExpr() }
+
+    override int getSizeMult() { result = AllocationExpr.super.getSizeMult() }
+
+    override int getSizeBytes() { result = AllocationExpr.super.getSizeBytes() }
+
+    override Expr getReallocPtr() { result = AllocationExpr.super.getReallocPtr() }
+
+    override Type getAllocatedElementType() {
+      result = AllocationExpr.super.getAllocatedElementType()
+    }
+
+    override predicate requiresDealloc() { AllocationExpr.super.requiresDealloc() }
+  }
+
+  /** A class that maps an `AllocationFunction` to an `HeuristicAllocationFunction`. */
+  private class HeuristicAllocationFunctionModeled extends HeuristicAllocationFunction instanceof AllocationFunction {
+    override int getSizeArg() { result = AllocationFunction.super.getSizeArg() }
+
+    override int getSizeMult() { result = AllocationFunction.super.getSizeMult() }
+
+    override int getReallocPtrArg() { result = AllocationFunction.super.getReallocPtrArg() }
+
+    override predicate requiresDealloc() { AllocationFunction.super.requiresDealloc() }
+  }
+
+  private int getAnUnsignedParameter(Function f) {
+    f.getParameter(result).getUnspecifiedType().(IntegralType).isUnsigned()
+  }
+
+  private int getAPointerParameter(Function f) {
+    f.getParameter(result).getUnspecifiedType() instanceof PointerType
+  }
+
+  /**
+   * A class that uses heuristics to find additional allocation functions. The required are as follows:
+   * 1. The word `alloc` must appear in the function name
+   * 2. The function must return a pointer type
+   * 3. There must be a unique parameter of unsigned integral type.
+   */
+  private class HeuristicAllocationFunctionByName extends HeuristicAllocationFunction instanceof Function {
+    int sizeArg;
+
+    HeuristicAllocationFunctionByName() {
+      Function.super.getName().matches("%alloc%") and
+      Function.super.getUnspecifiedType() instanceof PointerType and
+      sizeArg = unique( | | getAnUnsignedParameter(this))
+    }
+
+    override int getSizeArg() { result = sizeArg }
+
+    override int getReallocPtrArg() {
+      Function.super.getName().matches("%realloc%") and
+      result = unique( | | getAPointerParameter(this))
+    }
+
+    override predicate requiresDealloc() { none() }
+  }
+
+  private module Param implements CallAllocationExprBase<HeuristicAllocationFunction>::Param {
+    int getReallocPtrArg(HeuristicAllocationFunction f) { result = f.getReallocPtrArg() }
+
+    int getSizeArg(HeuristicAllocationFunction f) { result = f.getSizeArg() }
+
+    int getSizeMult(HeuristicAllocationFunction f) { result = f.getSizeMult() }
+
+    predicate requiresDealloc(HeuristicAllocationFunction f) { f.requiresDealloc() }
+  }
+
+  /**
+   * A class that provides the implementation of `AllocationExpr` for an allocation
+   * that calls an `HeuristicAllocationFunction`.
+   */
+  private class Base =
+    CallAllocationExprBase<HeuristicAllocationFunction>::With<Param>::CallAllocationExprImpl;
+
+  private class CallAllocationExpr extends HeuristicAllocationExpr, Base {
+    override Expr getSizeExpr() { result = super.getSizeExprImpl() }
+
+    override int getSizeMult() { result = super.getSizeMultImpl() }
+
+    override Type getAllocatedElementType() { result = super.getAllocatedElementTypeImpl() }
+
+    override predicate requiresDealloc() { super.requiresDeallocImpl() }
+
+    override int getSizeBytes() { result = super.getSizeBytesImpl() }
+
+    override Expr getReallocPtr() { result = super.getReallocPtrImpl() }
+
+    override string toString() { result = HeuristicAllocationExpr.super.toString() }
+  }
+}

cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll

@@ -113,3 +113,84 @@ class OperatorNewAllocationFunction extends AllocationFunction {
     result = 1
   }
 }
+
+/**
+ * An expression that _might_ allocate memory.
+ *
+ * Unlike `AllocationExpr`, this class uses heuristics (such as a call target's
+ * name and parameters) to include additional expressions.
+ */
+abstract class HeuristicAllocationExpr extends Expr {
+  /**
+   * Gets an expression for the allocation size, if any. The actual allocation
+   * size is the value of this expression multiplied by the result of
+   * `getSizeMult()`, in bytes.
+   */
+  Expr getSizeExpr() { none() }
+
+  /**
+   * Gets a constant multiplier for the allocation size given by `getSizeExpr`,
+   * in bytes.
+   */
+  int getSizeMult() { none() }
+
+  /**
+   * Gets the size of this allocation in bytes, if it is a fixed size and that
+   * size can be determined.
+   */
+  int getSizeBytes() { none() }
+
+  /**
+   * Gets the expression for the input pointer argument to be reallocated, if
+   * this is a `realloc` function.
+   */
+  Expr getReallocPtr() { none() }
+
+  /**
+   * Gets the type of the elements that are allocated, if it can be determined.
+   */
+  Type getAllocatedElementType() { none() }
+
+  /**
+   * Whether or not this allocation requires a corresponding deallocation of
+   * some sort (most do, but `alloca` for example does not).  If it is unclear,
+   * we default to no (for example a placement `new` allocation may or may not
+   * require a corresponding `delete`).
+   */
+  predicate requiresDealloc() { any() }
+}
+
+/**
+ * An function that _might_ allocate memory.
+ *
+ * Unlike `AllocationFunction`, this class uses heuristics (such as the function's
+ * name and its parameters) to include additional functions.
+ */
+abstract class HeuristicAllocationFunction extends Function {
+  /**
+   * Gets the index of the argument for the allocation size, if any. The actual
+   * allocation size is the value of this argument multiplied by the result of
+   * `getSizeMult()`, in bytes.
+   */
+  int getSizeArg() { none() }
+
+  /**
+   * Gets the index of an argument that multiplies the allocation size given by
+   * `getSizeArg`, if any.
+   */
+  int getSizeMult() { none() }
+
+  /**
+   * Gets the index of the input pointer argument to be reallocated, if this
+   * is a `realloc` function.
+   */
+  int getReallocPtrArg() { none() }
+
+  /**
+   * Whether or not this allocation requires a corresponding deallocation of
+   * some sort (most do, but `alloca` for example does not).  If it is unclear,
+   * we default to no (for example a placement `new` allocation may or may not
+   * require a corresponding `delete`).
+   */
+  predicate requiresDealloc() { any() }
+}

cpp/ql/src/Architecture/General Namespace-Level Information/GlobalNamespaceClasses.ql

@@ -15,4 +15,4 @@ where
   c.fromSource() and
   c.isTopLevel() and
   c.getParentScope() instanceof GlobalNamespace
-select c, "This class is not declared in any namespace"
+select c, "This class is not declared in any namespace."

cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyDependencies.ql

@@ -16,4 +16,4 @@ where
   t.fromSource() and
   n = t.getMetrics().getEfferentSourceCoupling() and
   n > 10
-select t as class_, "This class has too many dependencies (" + n.toString() + ")"
+select t as class_, "This class has too many dependencies (" + n.toString() + ")."

cpp/ql/src/Architecture/Refactoring Opportunities/ComplexFunctions.ql

@@ -17,4 +17,4 @@ where
   n = f.getMetrics().getNumberOfCalls() and
   n > 99 and
   not f.isMultiplyDefined()
-select f as function, "This function makes too many calls (" + n.toString() + ")"
+select f as function, "This function makes too many calls (" + n.toString() + ")."

cpp/ql/src/Architecture/Refactoring Opportunities/FunctionsWithManyParameters.ql

@@ -18,4 +18,4 @@ where
   f.getMetrics().getNumberOfParameters() > 15
 select f,
   "This function has too many parameters (" + f.getMetrics().getNumberOfParameters().toString() +
-    ")"
+    ")."

cpp/ql/src/Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql

@@ -35,4 +35,4 @@ from LocalVariableOrParameter lv, GlobalVariable gv
 where
   lv.getName() = gv.getName() and
   lv.getFile() = gv.getFile()
-select lv, lv.type() + gv.getName() + " hides $@ with the same name.", gv, "a global variable"
+select lv, lv.type() + gv.getName() + " hides a $@ with the same name.", gv, "global variable"

cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.cpp

@@ -0,0 +1,32 @@
+/*
+ * In this example, the developer intended to use a semicolon but accidentally used a comma:
+ */
+
+enum privileges entitlements = NONE;
+
+if (is_admin)
+    entitlements = FULL, // BAD
+
+restrict_privileges(entitlements);
+
+/*
+ * The use of a comma means that the first example is equivalent to this second example:
+ */
+
+enum privileges entitlements = NONE;
+
+if (is_admin) {
+    entitlements = FULL;
+    restrict_privileges(entitlements);
+}
+
+/*
+ * The indentation of the first example suggests that the developer probably intended the following code:
+ */
+
+enum privileges entitlements = NONE;
+
+if (is_admin)
+    entitlements = FULL; // GOOD
+
+restrict_privileges(entitlements);

cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.qhelp

@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+If the expression after the comma operator starts at an earlier column than the expression before the comma, then
+this suspicious indentation possibly indicates a logic error, caused by a typo that may escape visual inspection.
+</p>
+<warning>
+This query has medium precision because CodeQL currently does not distinguish between tabs and spaces in whitespace.
+If a file contains mixed tabs and spaces, alerts may highlight code that is correctly indented for one value of tab size but not for other tab sizes.
+</warning>
+</overview>
+
+<recommendation>
+<p>
+To ensure that your code is easy to read and review, use standard indentation around the comma operator. Always begin the right-hand-side operand at the same level of
+indentation (column number) as the left-hand-side operand. This makes it easier for other developers to see the intended behavior of your code.
+</p>
+<p>
+Use whitespace consistently to communicate your coding intentions. Where possible, avoid mixing tabs and spaces within a file. If you need to mix them, use them consistently.
+</p>
+</recommendation>
+
+<example>
+<p>
+This example shows three different ways of writing the same code. The first example contains a comma instead of a semicolon which means that the final line is part of the <code>if</code> statement, even though the indentation suggests that it is intended to be separate. The second example looks different but is functionally the same as the first example. It is more likely that the developer intended to write the third example.
+</p>
+<sample src="CommaBeforeMisleadingIndentation.cpp" />
+</example>
+
+<references>
+<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Comma_operator">Comma operator</a></li>
+<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Indentation_style#Tabs,_spaces,_and_size_of_indentations">Indentation style &mdash; Tabs, spaces, and size of indentations</a></li>
+</references>
+
+</qhelp>

cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql

@@ -0,0 +1,53 @@
+/**
+ * @name Comma before misleading indentation
+ * @description If expressions before and after a comma operator use different indentation, it is easy to misread the purpose of the code.
+ * @kind problem
+ * @id cpp/comma-before-misleading-indentation
+ * @problem.severity warning
+ * @security-severity 7.8
+ * @precision medium
+ * @tags maintainability
+ *       readability
+ *       security
+ *       external/cwe/cwe-1078
+ *       external/cwe/cwe-670
+ */
+
+import cpp
+import semmle.code.cpp.commons.Exclusions
+
+/** Gets the sub-expression of 'e' with the earliest-starting Location */
+Expr normalizeExpr(Expr e) {
+  result =
+    min(Expr child |
+      child.getParentWithConversions*() = e.getFullyConverted() and
+      not child.getParentWithConversions*() = any(Call c).getAnArgument()
+    |
+      child order by child.getLocation().getStartColumn(), count(child.getParentWithConversions*())
+    )
+}
+
+predicate isParenthesized(CommaExpr ce) {
+  ce.getParent*().(Expr).isParenthesised()
+  or
+  ce.isUnevaluated() // sizeof(), decltype(), alignof(), noexcept(), typeid()
+  or
+  ce.getParent*() = [any(IfStmt i).getCondition(), any(SwitchStmt s).getExpr()]
+  or
+  ce.getParent*() = [any(Loop l).getCondition(), any(ForStmt f).getUpdate()]
+  or
+  ce.getEnclosingStmt() = any(ForStmt f).getInitialization()
+}
+
+from CommaExpr ce, Expr left, Expr right, Location leftLoc, Location rightLoc
+where
+  ce.fromSource() and
+  not isFromMacroDefinition(ce) and
+  left = normalizeExpr(ce.getLeftOperand()) and
+  right = normalizeExpr(ce.getRightOperand()) and
+  leftLoc = left.getLocation() and
+  rightLoc = right.getLocation() and
+  not isParenthesized(ce) and
+  leftLoc.getEndLine() < rightLoc.getStartLine() and
+  leftLoc.getStartColumn() > rightLoc.getStartColumn()
+select right, "The indentation level may be misleading for some tab sizes."

cpp/ql/src/Best Practices/Likely Errors/Slicing.ql

@@ -21,5 +21,5 @@ where
     rhsType.getAMember() = m and
     not m.(VirtualFunction).isPure()
   ) // add additional checks for concrete members in in-between supertypes
-select e, "This assignment expression slices from type $@ to $@", rhsType, rhsType.getName(),
+select e, "This assignment expression slices from type $@ to $@.", rhsType, rhsType.getName(),
   lhsType, lhsType.getName()

cpp/ql/src/Best Practices/Magic Constants/MagicConstants.qll

@@ -72,18 +72,6 @@ predicate floatTrivial(Literal lit) {
 
 predicate charLiteral(Literal lit) { lit instanceof CharLiteral }
 
-Type literalType(Literal literal) { result = literal.getType() }
-
-predicate stringType(DerivedType t) {
-  t.getBaseType() instanceof CharType
-  or
-  exists(SpecifiedType constCharType |
-    t.getBaseType() = constCharType and
-    constCharType.isConst() and
-    constCharType.getBaseType() instanceof CharType
-  )
-}
-
 predicate numberType(Type t) { t instanceof FloatingPointType or t instanceof IntegralType }
 
 predicate stringLiteral(Literal literal) { literal instanceof StringLiteral }

cpp/ql/src/Best Practices/NVI.ql

@@ -18,4 +18,4 @@ where
   f.hasSpecifier("virtual") and
   f.getFile().fromSource() and
   not f instanceof Destructor
-select f, "Avoid having public virtual methods (NVI idiom)"
+select f, "Avoid having public virtual methods (NVI idiom)."

cpp/ql/src/Best Practices/NVIHub.ql

@@ -23,4 +23,4 @@ where
   fclass = f.getDeclaringType() and
   hubIndex = fclass.getMetrics().getAfferentCoupling() * fclass.getMetrics().getEfferentCoupling() and
   hubIndex > 100
-select f, "Avoid having public virtual methods (NVI idiom)"
+select f, "Avoid having public virtual methods (NVI idiom)."

cpp/ql/src/Best Practices/SwitchLongCase.ql

@@ -38,5 +38,5 @@ where
   sc = switch.getASwitchCase() and
   tooLong(sc) and
   switchCaseLength(sc, lines)
-select switch, "Switch has at least one case that is too long: $@", sc,
+select switch, "Switch has at least one case that is too long: $@.", sc,
   sc.getExpr().toString() + " (" + lines.toString() + " lines)"

cpp/ql/src/Best Practices/Unused Entities/UnusedLocals.ql

@@ -58,4 +58,4 @@ where
   not exists(AsmStmt s | f = s.getEnclosingFunction()) and
   not v.getAnAttribute().getName() = "unused" and
   not any(ErrorExpr e).getEnclosingFunction() = f // unextracted expr may use `v`
-select v, "Variable " + v.getName() + " is not used"
+select v, "Variable " + v.getName() + " is not used."

cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.qhelp

@@ -11,7 +11,7 @@ caused by an unhandled case.</p>
 
 </overview>
 <recommendation>
-<p>Check that the unused static variable does not indicate a defect, for example, an unhandled case. If the static variable is genuinuely not needed, 
+<p>Check that the unused static variable does not indicate a defect, for example, an unhandled case. If the static variable is genuinely not needed, 
 then removing it will make code more readable. If the static variable is needed then you should update the code to fix the defect.</p>
 
 </recommendation>

cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql

@@ -27,4 +27,4 @@ where
   not declarationHasSideEffects(v) and
   not v.getAnAttribute().hasName("used") and
   not v.getAnAttribute().hasName("unused")
-select v, "Static variable " + v.getName() + " is never read"
+select v, "Static variable " + v.getName() + " is never read."

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,20 @@
+## 0.4.1
+
+### Minor Analysis Improvements
+
+* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
+
+## 0.4.0
+
+### New Queries
+
+* Added a new medium-precision query, `cpp/missing-check-scanf`, which detects `scanf` output variables that are used without a proper return-value check to see that they were actually written. A variation of this query was originally contributed as an [experimental query by @ihsinme](https://github.com/github/codeql/pull/8246).
+
+### Minor Analysis Improvements
+
+* Modernizations from "Cleartext storage of sensitive information in buffer" (`cpp/cleartext-storage-buffer`) have been ported to the "Cleartext storage of sensitive information in file" (`cpp/cleartext-storage-file`), "Cleartext transmission of sensitive information" (`cpp/cleartext-transmission`) and "Cleartext storage of sensitive information in an SQLite database" (`cpp/cleartext-storage-database`) queries. These changes may result in more correct results and fewer false positive results from these queries.
+* The alert message of many queries have been changed to make the message consistent with other languages.
+
 ## 0.3.4
 
 ## 0.3.3

cpp/ql/src/Critical/DeadCodeCondition.ql

@@ -64,5 +64,5 @@ where
   ) and
   (if context = test then testresult = "succeed" else testresult = "fail")
 select cond,
-  "Variable '" + v.getName() + "' is always " + context + " here, this check will always " +
-    testresult + "."
+  "Variable '" + v.getName() + "' is always " + context + ", this check will always " + testresult +
+    "."

cpp/ql/src/Critical/DescriptorMayNotBeClosed.qhelp

@@ -19,7 +19,7 @@ This can occur when an operation performed on the open descriptor fails, and the
 
 <example>
 <p>In the example below, the <code>sockfd</code> socket may remain open if an error is triggered. 
-The code should be updated to ensure that the socket is always closed when when the function ends.
+The code should be updated to ensure that the socket is always closed when the function ends.
 </p>
 <sample src="DescriptorMayNotBeClosed.cpp" />
 </example>

cpp/ql/src/Critical/DescriptorNeverClosed.ql

@@ -29,4 +29,4 @@ from Expr alloc
 where
   allocateDescriptorCall(alloc) and
   not exists(ClosedExpr closed | closed.pointsTo() = alloc)
-select alloc, "This file descriptor is never closed"
+select alloc, "This file descriptor is never closed."