Merge pull request #9682 from github/release-prep/2.10.0

Release preparation for version 2.10.0

.devcontainer/swift/Dockerfile

@@ -0,0 +1,9 @@
+# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.236.0/containers/cpp/.devcontainer/base.Dockerfile
+
+# [Choice] Debian / Ubuntu version (use Debian 11, Ubuntu 18.04/22.04 on local arm64/Apple Silicon): debian-11, debian-10, ubuntu-22.04, ubuntu-20.04, ubuntu-18.04
+FROM mcr.microsoft.com/vscode/devcontainers/cpp:0-ubuntu-22.04
+
+USER root
+ADD root.sh /tmp/root.sh
+ADD update-codeql.sh /usr/local/bin/update-codeql
+RUN bash /tmp/root.sh && rm /tmp/root.sh

.devcontainer/swift/devcontainer.json

@@ -0,0 +1,25 @@
+{
+	"extensions": [
+		"github.vscode-codeql",
+		"hbenl.vscode-test-explorer",
+		"ms-vscode.test-adapter-converter",
+		"slevesque.vscode-zipexplorer",
+		"ms-vscode.cpptools"
+	],
+	"settings": {
+		"files.watcherExclude": {
+			"**/target/**": true
+		},
+		"codeQL.runningQueries.memory": 2048
+	},
+	"build": {
+		"dockerfile": "Dockerfile",
+	},
+	"runArgs": [
+		"--cap-add=SYS_PTRACE",
+		"--security-opt",
+		"seccomp=unconfined"
+	],
+	"remoteUser": "vscode",
+	"onCreateCommand": ".devcontainer/swift/user.sh"
+}

.devcontainer/swift/root.sh

@@ -0,0 +1,22 @@
+set -xe
+
+BAZELISK_VERSION=v1.12.0
+BAZELISK_DOWNLOAD_SHA=6b0bcb2ea15bca16fffabe6fda75803440375354c085480fe361d2cbf32501db
+
+apt-get update
+export DEBIAN_FRONTEND=noninteractive
+apt-get -y install --no-install-recommends \
+    zlib1g-dev \
+    uuid-dev \
+    python3-distutils \
+    python3-pip \
+    bash-completion
+
+# Install Bazel
+curl -fSsL -o /usr/local/bin/bazelisk https://github.com/bazelbuild/bazelisk/releases/download/${BAZELISK_VERSION}/bazelisk-linux-amd64
+echo "${BAZELISK_DOWNLOAD_SHA} */usr/local/bin/bazelisk" | sha256sum --check -
+chmod 0755 /usr/local/bin/bazelisk
+ln -s bazelisk /usr/local/bin/bazel
+
+# install latest codeql
+update-codeql

.devcontainer/swift/update-codeql.sh

@@ -0,0 +1,20 @@
+#!/bin/bash -e
+
+URL=https://github.com/github/codeql-cli-binaries/releases
+LATEST_VERSION=$(curl -L -s -H 'Accept: application/json' $URL/latest | sed -e 's/.*"tag_name":"\([^"]*\)".*/\1/')
+CURRENT_VERSION=v$(codeql version 2>/dev/null | sed -ne 's/.*release \([0-9.]*\)\./\1/p')
+if [[ $CURRENT_VERSION != $LATEST_VERSION ]]; then
+  if [[ $UID != 0 ]]; then
+    echo "update required, please run this script with sudo:"
+    echo "  sudo $0"
+    exit 1
+  fi
+  ZIP=$(mktemp codeql.XXXX.zip)
+  curl -fSqL -o $ZIP $URL/download/$LATEST_VERSION/codeql-linux64.zip
+  unzip -q $ZIP -d /opt
+  rm $ZIP
+  ln -sf /opt/codeql/codeql /usr/local/bin/codeql
+  echo installed version $LATEST_VERSION
+else
+  echo current version $CURRENT_VERSION is up-to-date
+fi

.devcontainer/swift/user.sh

@@ -0,0 +1,13 @@
+set -xe
+
+# add the workspace to the codeql search path
+mkdir -p /home/vscode/.config/codeql
+echo "--search-path /workspaces/codeql" > /home/vscode/.config/codeql/config
+
+# create a swift extractor pack with the current state
+cd /workspaces/codeql
+bazel run swift/create-extractor-pack
+
+#install and set up pre-commit
+python3 -m pip install pre-commit --no-warn-script-location
+$HOME/.local/bin/pre-commit install

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -41,7 +41,7 @@ jobs:
         git log -1 --format='%H'
       working-directory: base
     - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
         python-version: 3.8
     - name: Download CodeQL CLI

.github/workflows/csv-coverage-pr-comment.yml

@@ -22,7 +22,7 @@ jobs:
     - name: Clone self (github/codeql)
       uses: actions/checkout@v3
     - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
         python-version: 3.8
 

.github/workflows/csv-coverage-timeseries.yml

@@ -19,7 +19,7 @@ jobs:
         path: codeqlModels
         fetch-depth: 0
     - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
         python-version: 3.8
     - name: Download CodeQL CLI

.github/workflows/csv-coverage-update.yml

@@ -22,7 +22,7 @@ jobs:
         path: ql
         fetch-depth: 0
     - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
         python-version: 3.8
     - name: Download CodeQL CLI

.github/workflows/csv-coverage.yml

@@ -23,7 +23,7 @@ jobs:
         path: codeqlModels
         ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
     - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
         python-version: 3.8
     - name: Download CodeQL CLI

.github/workflows/query-list.yml

@@ -23,7 +23,7 @@ jobs:
       with:
         path: codeql 
     - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
         python-version: 3.8
     - name: Download CodeQL CLI

.github/workflows/swift-codegen.yml

@@ -22,7 +22,7 @@ jobs:
         run: |
           bazel run //swift/codegen
           git add swift
-          git diff --exit-code --stat HEAD
+          git diff --exit-code HEAD
       - name: Generate C++ files
         run: |
           bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/swift-generated-headers

.gitignore

@@ -58,3 +58,6 @@ go/main
 # node_modules folders except in the JS test suite
 node_modules/
 !/javascript/ql/test/**/node_modules/
+
+# Temporary folders for working with generated models
+.model-temp

.pre-commit-config.yaml

@@ -40,7 +40,7 @@ repos:
         name: Run Swift checked in code generation
         files: ^swift/(codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements))
         language: system
-        entry: bazel run //swift/codegen
+        entry: bazel run //swift/codegen -- --quiet
         pass_filenames: false
 
       - id: swift-codegen-unit-tests

config/identical-files.json

@@ -75,7 +75,8 @@
   "DataFlow Java/C# Flow Summaries": [
     "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll"
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll",
+    "swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll"
   ],
   "SsaReadPosition Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
@@ -527,7 +528,8 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll",
-    "python/ql/lib/semmle/python/frameworks/data/internal/AccessPathSyntax.qll"
+    "python/ql/lib/semmle/python/frameworks/data/internal/AccessPathSyntax.qll",
+    "swift/ql/lib/codeql/swift/dataflow/internal/AccessPathSyntax.qll"
   ],
   "IncompleteUrlSubstringSanitization": [
     "javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 0.3.0
+
+### Deprecated APIs
+
+* The `BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new `BarrierGuard` parameterized module.
+
+### Bug Fixes
+
+* `UserType.getADeclarationEntry()` now yields all forward declarations when the user type is a `class`, `struct`, or `union`.
+
+## 0.2.3
+
+### New Features
+
+* An `isBraced` predicate was added to the `Initializer` class which holds when a C++ braced initializer was used in the initialization.
+
 ## 0.2.2
 
 ### Deprecated APIs

cpp/ql/lib/change-notes/released/0.2.3.md

@@ -1,4 +1,5 @@
----
-category: feature
----
+## 0.2.3
+
+### New Features
+
 * An `isBraced` predicate was added to the `Initializer` class which holds when a C++ braced initializer was used in the initialization.

cpp/ql/lib/change-notes/released/0.3.0.md

@@ -0,0 +1,9 @@
+## 0.3.0
+
+### Deprecated APIs
+
+* The `BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new `BarrierGuard` parameterized module.
+
+### Bug Fixes
+
+* `UserType.getADeclarationEntry()` now yields all forward declarations when the user type is a `class`, `struct`, or `union`.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.2
+lastReleaseVersion: 0.3.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.2.3-dev
+version: 0.3.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/UserType.qll

@@ -48,8 +48,8 @@ class UserType extends Type, Declaration, NameQualifyingElement, AccessHolder, @
   }
 
   override TypeDeclarationEntry getADeclarationEntry() {
-    if type_decls(_, underlyingElement(this), _)
-    then type_decls(unresolveElement(result), underlyingElement(this), _)
+    if type_decls(_, unresolveElement(this), _)
+    then type_decls(underlyingElement(result), unresolveElement(this), _)
     else exists(Class t | this.(Class).isConstructedFrom(t) and result = t.getADeclarationEntry())
   }
 

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -168,7 +168,7 @@ private predicate callsVariadicFormatter(
 ) {
   // calls a variadic formatter with `formatParamIndex`, `outputParamIndex` linked
   exists(FunctionCall fc, int format, int output |
-    variadicFormatter(fc.getTarget(), type, format, output) and
+    variadicFormatter(pragma[only_bind_into](fc.getTarget()), type, format, output) and
     fc.getEnclosingFunction() = f and
     fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
     fc.getArgument(output) = f.getParameter(outputParamIndex).getAnAccess()
@@ -176,7 +176,7 @@ private predicate callsVariadicFormatter(
   or
   // calls a variadic formatter with only `formatParamIndex` linked
   exists(FunctionCall fc, string calledType, int format, int output |
-    variadicFormatter(fc.getTarget(), calledType, format, output) and
+    variadicFormatter(pragma[only_bind_into](fc.getTarget()), calledType, format, output) and
     fc.getEnclosingFunction() = f and
     fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
     not fc.getArgument(output) = f.getParameter(_).getAnAccess() and

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -90,14 +90,20 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
-  predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
+   * Holds if data flow through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
 
   /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
    * Holds if data flow through nodes guarded by `guard` is prohibited when
    * the flow state is `state`
    */
-  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
 
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -335,6 +341,29 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+/** A bridge class to access the deprecated `isBarrierGuard`. */
+private class BarrierGuardGuardedNodeBridge extends Unit {
+  abstract predicate guardedNode(Node n, Configuration config);
+
+  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
+}
+
+private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
+  deprecated override predicate guardedNode(Node n, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
+  }
+
+  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
+  }
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -348,10 +377,7 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
     not config.isSink(n) and
     not config.isSink(n, _)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
   )
 }
 
@@ -360,10 +386,7 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
   exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
   )
 }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -90,14 +90,20 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
-  predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
+   * Holds if data flow through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
 
   /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
    * Holds if data flow through nodes guarded by `guard` is prohibited when
    * the flow state is `state`
    */
-  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
 
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -335,6 +341,29 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+/** A bridge class to access the deprecated `isBarrierGuard`. */
+private class BarrierGuardGuardedNodeBridge extends Unit {
+  abstract predicate guardedNode(Node n, Configuration config);
+
+  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
+}
+
+private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
+  deprecated override predicate guardedNode(Node n, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
+  }
+
+  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
+  }
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -348,10 +377,7 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
     not config.isSink(n) and
     not config.isSink(n, _)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
   )
 }
 
@@ -360,10 +386,7 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
   exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
   )
 }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -90,14 +90,20 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
-  predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
+   * Holds if data flow through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
 
   /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
    * Holds if data flow through nodes guarded by `guard` is prohibited when
    * the flow state is `state`
    */
-  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
 
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -335,6 +341,29 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+/** A bridge class to access the deprecated `isBarrierGuard`. */
+private class BarrierGuardGuardedNodeBridge extends Unit {
+  abstract predicate guardedNode(Node n, Configuration config);
+
+  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
+}
+
+private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
+  deprecated override predicate guardedNode(Node n, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
+  }
+
+  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
+  }
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -348,10 +377,7 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
     not config.isSink(n) and
     not config.isSink(n, _)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
   )
 }
 
@@ -360,10 +386,7 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
   exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
   )
 }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -90,14 +90,20 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
-  predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
+   * Holds if data flow through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
 
   /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
    * Holds if data flow through nodes guarded by `guard` is prohibited when
    * the flow state is `state`
    */
-  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
 
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -335,6 +341,29 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+/** A bridge class to access the deprecated `isBarrierGuard`. */
+private class BarrierGuardGuardedNodeBridge extends Unit {
+  abstract predicate guardedNode(Node n, Configuration config);
+
+  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
+}
+
+private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
+  deprecated override predicate guardedNode(Node n, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
+  }
+
+  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
+  }
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -348,10 +377,7 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
     not config.isSink(n) and
     not config.isSink(n, _)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
   )
 }
 
@@ -360,10 +386,7 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
   exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
   )
 }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -90,14 +90,20 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
-  predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
+   * Holds if data flow through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
 
   /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
    * Holds if data flow through nodes guarded by `guard` is prohibited when
    * the flow state is `state`
    */
-  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
 
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -335,6 +341,29 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+/** A bridge class to access the deprecated `isBarrierGuard`. */
+private class BarrierGuardGuardedNodeBridge extends Unit {
+  abstract predicate guardedNode(Node n, Configuration config);
+
+  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
+}
+
+private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
+  deprecated override predicate guardedNode(Node n, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
+  }
+
+  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
+  }
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -348,10 +377,7 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
     not config.isSink(n) and
     not config.isSink(n, _)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
   )
 }
 
@@ -360,10 +386,7 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
   exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
   )
 }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -850,6 +850,34 @@ class ContentSet instanceof Content {
 }
 
 /**
+ * Holds if the guard `g` validates the expression `e` upon evaluating to `branch`.
+ *
+ * The expression `e` is expected to be a syntactic part of the guard `g`.
+ * For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
+ * the argument `x`.
+ */
+signature predicate guardChecksSig(GuardCondition g, Expr e, boolean branch);
+
+/**
+ * Provides a set of barrier nodes for a guard that validates an expression.
+ *
+ * This is expected to be used in `isBarrier`/`isSanitizer` definitions
+ * in data flow and taint tracking.
+ */
+module BarrierGuard<guardChecksSig/3 guardChecks> {
+  /** Gets a node that is safely guarded by the given guard check. */
+  ExprNode getABarrierNode() {
+    exists(GuardCondition g, SsaDefinition def, Variable v, boolean branch |
+      result.getExpr() = def.getAUse(v) and
+      guardChecks(g, def.getAUse(v), branch) and
+      g.controls(result.getExpr().getBasicBlock(), branch)
+    )
+  }
+}
+
+/**
+ * DEPRECATED: Use `BarrierGuard` module instead.
+ *
  * A guard that validates some expression.
  *
  * To use this in a configuration, extend the class and provide a
@@ -858,7 +886,7 @@ class ContentSet instanceof Content {
  *
  * It is important that all extending classes in scope are disjoint.
  */
-class BarrierGuard extends GuardCondition {
+deprecated class BarrierGuard extends GuardCondition {
   /** Override this predicate to hold if this guard validates `e` upon evaluating to `b`. */
   abstract predicate checks(Expr e, boolean b);
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll

@@ -47,12 +47,6 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { n
  */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 
-/**
- * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
- * but not in local taint.
- */
-predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
 /**
  * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
  * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -116,20 +116,30 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
-  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+   *
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
+  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+    this.isSanitizerGuard(guard)
   }
 
   /**
+   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+   *
    * Holds if taint propagation through nodes guarded by `guard` is prohibited
    * when the flow state is `state`.
    */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    none()
+  }
 
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+  deprecated final override predicate isBarrierGuard(
+    DataFlow::BarrierGuard guard, DataFlow::FlowState state
+  ) {
     this.isSanitizerGuard(guard, state)
   }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -116,20 +116,30 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
-  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+   *
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
+  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+    this.isSanitizerGuard(guard)
   }
 
   /**
+   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+   *
    * Holds if taint propagation through nodes guarded by `guard` is prohibited
    * when the flow state is `state`.
    */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    none()
+  }
 
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+  deprecated final override predicate isBarrierGuard(
+    DataFlow::BarrierGuard guard, DataFlow::FlowState state
+  ) {
     this.isSanitizerGuard(guard, state)
   }
 

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -49,6 +49,9 @@ class Expr extends StmtParent, @expr {
   /** Gets the enclosing variable of this expression, if any. */
   Variable getEnclosingVariable() { result = exprEnclosingElement(this) }
 
+  /** Gets the enclosing variable or function of this expression. */
+  Declaration getEnclosingDeclaration() { result = exprEnclosingElement(this) }
+
   /** Gets a child of this expression. */
   Expr getAChild() { exists(int n | result = this.getChild(n)) }
 

cpp/ql/lib/semmle/code/cpp/internal/QualifiedName.qll

@@ -4,11 +4,7 @@
  * qualified.
  *
  * This file contains classes that mirror the standard AST classes for C++, but
- * these classes are only concerned with naming. The other difference is that
- * these classes don't use the `ResolveClass.qll` mechanisms like
- * `unresolveElement` because these classes should eventually be part of the
- * implementation of `ResolveClass.qll`, allowing it to match up classes when
- * their qualified names and parameters match.
+ * these classes are only concerned with naming.
  */
 
 private import semmle.code.cpp.Declaration as D

cpp/ql/lib/semmle/code/cpp/internal/ResolveClass.qll

@@ -115,15 +115,13 @@ private module Cached {
    */
   cached
   predicate isClass(@usertype t) {
-    (
-      usertypes(t, _, 1) or
-      usertypes(t, _, 2) or
-      usertypes(t, _, 3) or
-      usertypes(t, _, 6) or
-      usertypes(t, _, 10) or
-      usertypes(t, _, 11) or
-      usertypes(t, _, 12)
-    )
+    usertypes(t, _, 1) or
+    usertypes(t, _, 2) or
+    usertypes(t, _, 3) or
+    usertypes(t, _, 6) or
+    usertypes(t, _, 10) or
+    usertypes(t, _, 11) or
+    usertypes(t, _, 12)
   }
 
   cached

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -90,14 +90,20 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
-  predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
+   * Holds if data flow through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
 
   /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
    * Holds if data flow through nodes guarded by `guard` is prohibited when
    * the flow state is `state`
    */
-  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
 
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -335,6 +341,29 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+/** A bridge class to access the deprecated `isBarrierGuard`. */
+private class BarrierGuardGuardedNodeBridge extends Unit {
+  abstract predicate guardedNode(Node n, Configuration config);
+
+  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
+}
+
+private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
+  deprecated override predicate guardedNode(Node n, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
+  }
+
+  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
+  }
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -348,10 +377,7 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
     not config.isSink(n) and
     not config.isSink(n, _)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
   )
 }
 
@@ -360,10 +386,7 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
   exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -90,14 +90,20 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
-  predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
+   * Holds if data flow through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
 
   /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
    * Holds if data flow through nodes guarded by `guard` is prohibited when
    * the flow state is `state`
    */
-  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
 
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -335,6 +341,29 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+/** A bridge class to access the deprecated `isBarrierGuard`. */
+private class BarrierGuardGuardedNodeBridge extends Unit {
+  abstract predicate guardedNode(Node n, Configuration config);
+
+  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
+}
+
+private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
+  deprecated override predicate guardedNode(Node n, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
+  }
+
+  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
+  }
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -348,10 +377,7 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
     not config.isSink(n) and
     not config.isSink(n, _)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
   )
 }
 
@@ -360,10 +386,7 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
   exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -90,14 +90,20 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
-  predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
+   * Holds if data flow through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
 
   /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
    * Holds if data flow through nodes guarded by `guard` is prohibited when
    * the flow state is `state`
    */
-  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
 
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -335,6 +341,29 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+/** A bridge class to access the deprecated `isBarrierGuard`. */
+private class BarrierGuardGuardedNodeBridge extends Unit {
+  abstract predicate guardedNode(Node n, Configuration config);
+
+  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
+}
+
+private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
+  deprecated override predicate guardedNode(Node n, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
+  }
+
+  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
+  }
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -348,10 +377,7 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
     not config.isSink(n) and
     not config.isSink(n, _)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
   )
 }
 
@@ -360,10 +386,7 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
   exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -90,14 +90,20 @@ abstract class Configuration extends string {
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
-  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
-  predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
+   * Holds if data flow through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
 
   /**
+   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+   *
    * Holds if data flow through nodes guarded by `guard` is prohibited when
    * the flow state is `state`
    */
-  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
 
   /**
    * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -335,6 +341,29 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+/** A bridge class to access the deprecated `isBarrierGuard`. */
+private class BarrierGuardGuardedNodeBridge extends Unit {
+  abstract predicate guardedNode(Node n, Configuration config);
+
+  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
+}
+
+private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
+  deprecated override predicate guardedNode(Node n, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
+  }
+
+  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
+  }
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -348,10 +377,7 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
     not config.isSink(n) and
     not config.isSink(n, _)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
   )
 }
 
@@ -360,10 +386,7 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
   exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
     or
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
+    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -100,7 +100,7 @@ class Node extends TIRDataFlowNode {
   Declaration getEnclosingCallable() { none() } // overridden in subclasses
 
   /** Gets the function to which this node belongs, if any. */
-  Function getFunction() { none() } // overridden in subclasses
+  Declaration getFunction() { none() } // overridden in subclasses
 
   /** Gets the type of this node. */
   IRType getType() { none() } // overridden in subclasses
@@ -196,7 +196,7 @@ class InstructionNode extends Node, TInstructionNode {
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
 
-  override Function getFunction() { result = instr.getEnclosingFunction() }
+  override Declaration getFunction() { result = instr.getEnclosingFunction() }
 
   override IRType getType() { result = instr.getResultIRType() }
 
@@ -222,7 +222,7 @@ class OperandNode extends Node, TOperandNode {
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
 
-  override Function getFunction() { result = op.getUse().getEnclosingFunction() }
+  override Declaration getFunction() { result = op.getUse().getEnclosingFunction() }
 
   override IRType getType() { result = op.getIRType() }
 
@@ -274,7 +274,7 @@ class StoreNodeInstr extends StoreNode, TStoreNodeInstr {
   /** Gets the underlying instruction. */
   Instruction getInstruction() { result = instr }
 
-  override Function getFunction() { result = this.getInstruction().getEnclosingFunction() }
+  override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
 
   override IRType getType() { result = this.getInstruction().getResultIRType() }
 
@@ -328,7 +328,7 @@ class StoreNodeOperand extends StoreNode, TStoreNodeOperand {
   /** Gets the underlying operand. */
   Operand getOperand() { result = operand }
 
-  override Function getFunction() { result = operand.getDef().getEnclosingFunction() }
+  override Declaration getFunction() { result = operand.getDef().getEnclosingFunction() }
 
   override IRType getType() { result = operand.getIRType() }
 
@@ -384,7 +384,7 @@ class ReadNode extends Node, TReadNode {
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
 
-  override Function getFunction() { result = this.getInstruction().getEnclosingFunction() }
+  override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
 
   override IRType getType() { result = this.getInstruction().getResultIRType() }
 
@@ -436,7 +436,7 @@ class SsaPhiNode extends Node, TSsaPhiNode {
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
 
-  override Function getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }
+  override Declaration getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }
 
   override IRType getType() { result instanceof IRVoidType }
 
@@ -673,7 +673,7 @@ class VariableNode extends Node, TVariableNode {
   /** Gets the variable corresponding to this node. */
   Variable getVariable() { result = v }
 
-  override Function getFunction() { none() }
+  override Declaration getFunction() { none() }
 
   override Declaration getEnclosingCallable() {
     // When flow crosses from one _enclosing callable_ to another, the
@@ -1092,6 +1092,56 @@ class ContentSet instanceof Content {
 }
 
 /**
+ * Holds if the guard `g` validates the expression `e` upon evaluating to `branch`.
+ *
+ * The expression `e` is expected to be a syntactic part of the guard `g`.
+ * For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
+ * the argument `x`.
+ */
+signature predicate guardChecksSig(IRGuardCondition g, Expr e, boolean branch);
+
+/**
+ * Provides a set of barrier nodes for a guard that validates an expression.
+ *
+ * This is expected to be used in `isBarrier`/`isSanitizer` definitions
+ * in data flow and taint tracking.
+ */
+module BarrierGuard<guardChecksSig/3 guardChecks> {
+  /** Gets a node that is safely guarded by the given guard check. */
+  ExprNode getABarrierNode() {
+    exists(IRGuardCondition g, ValueNumber value, boolean edge |
+      guardChecks(g, value.getAnInstruction().getConvertedResultExpression(), edge) and
+      result.asInstruction() = value.getAnInstruction() and
+      g.controls(result.asInstruction().getBlock(), edge)
+    )
+  }
+}
+
+/**
+ * Holds if the guard `g` validates the instruction `instr` upon evaluating to `branch`.
+ */
+signature predicate instructionGuardChecksSig(IRGuardCondition g, Instruction instr, boolean branch);
+
+/**
+ * Provides a set of barrier nodes for a guard that validates an instruction.
+ *
+ * This is expected to be used in `isBarrier`/`isSanitizer` definitions
+ * in data flow and taint tracking.
+ */
+module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardChecks> {
+  /** Gets a node that is safely guarded by the given guard check. */
+  ExprNode getABarrierNode() {
+    exists(IRGuardCondition g, ValueNumber value, boolean edge |
+      instructionGuardChecks(g, value.getAnInstruction(), edge) and
+      result.asInstruction() = value.getAnInstruction() and
+      g.controls(result.asInstruction().getBlock(), edge)
+    )
+  }
+}
+
+/**
+ * DEPRECATED: Use `BarrierGuard` module instead.
+ *
  * A guard that validates some instruction.
  *
  * To use this in a configuration, extend the class and provide a
@@ -1100,7 +1150,7 @@ class ContentSet instanceof Content {
  *
  * It is important that all extending classes in scope are disjoint.
  */
-class BarrierGuard extends IRGuardCondition {
+deprecated class BarrierGuard extends IRGuardCondition {
   /** Override this predicate to hold if this guard validates `instr` upon evaluating to `b`. */
   predicate checksInstr(Instruction instr, boolean b) { none() }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll

@@ -94,12 +94,6 @@ private string getNodeProperty(DataFlow::Node node, string key) {
       any(DataFlow::Configuration cfg).isBarrierIn(node) and kind = "in"
       or
       any(DataFlow::Configuration cfg).isBarrierOut(node) and kind = "out"
-      or
-      exists(DataFlow::BarrierGuard guard |
-        any(DataFlow::Configuration cfg).isBarrierGuard(guard) and
-        node = guard.getAGuardedNode() and
-        kind = "guard(" + guard.getResultId() + ")"
-      )
     |
       kind, ", "
     )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -163,12 +163,6 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { n
  */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 
-/**
- * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
- * but not in local taint.
- */
-predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
 /**
  * Holds if taint can flow from `instrIn` to `instrOut` through a call to a
  * modeled function.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -116,20 +116,30 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
-  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+   *
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
+  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+    this.isSanitizerGuard(guard)
   }
 
   /**
+   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+   *
    * Holds if taint propagation through nodes guarded by `guard` is prohibited
    * when the flow state is `state`.
    */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    none()
+  }
 
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+  deprecated final override predicate isBarrierGuard(
+    DataFlow::BarrierGuard guard, DataFlow::FlowState state
+  ) {
     this.isSanitizerGuard(guard, state)
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -116,20 +116,30 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
-  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+   *
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
+  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+    this.isSanitizerGuard(guard)
   }
 
   /**
+   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+   *
    * Holds if taint propagation through nodes guarded by `guard` is prohibited
    * when the flow state is `state`.
    */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    none()
+  }
 
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+  deprecated final override predicate isBarrierGuard(
+    DataFlow::BarrierGuard guard, DataFlow::FlowState state
+  ) {
     this.isSanitizerGuard(guard, state)
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll

@@ -116,20 +116,30 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
-  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+  /**
+   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+   *
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
+   */
+  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
+  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+    this.isSanitizerGuard(guard)
   }
 
   /**
+   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+   *
    * Holds if taint propagation through nodes guarded by `guard` is prohibited
    * when the flow state is `state`.
    */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    none()
+  }
 
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+  deprecated final override predicate isBarrierGuard(
+    DataFlow::BarrierGuard guard, DataFlow::FlowState state
+  ) {
     this.isSanitizerGuard(guard, state)
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll

@@ -16,7 +16,7 @@ class IRConfiguration extends TIRConfiguration {
   /**
    * Holds if IR should be created for function `func`. By default, holds for all functions.
    */
-  predicate shouldCreateIRForFunction(Language::Function func) { any() }
+  predicate shouldCreateIRForFunction(Language::Declaration func) { any() }
 
   /**
    * Holds if the strings used as part of an IR dump should be generated for function `func`.
@@ -25,7 +25,7 @@ class IRConfiguration extends TIRConfiguration {
    * of debug strings for IR that will not be dumped. We still generate the actual IR for these
    * functions, however, to preserve the results of any interprocedural analysis.
    */
-  predicate shouldEvaluateDebugStringsForFunction(Language::Function func) { any() }
+  predicate shouldEvaluateDebugStringsForFunction(Language::Declaration func) { any() }
 }
 
 private newtype TIREscapeAnalysisConfiguration = MkIREscapeAnalysisConfiguration()

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll

@@ -97,7 +97,7 @@ class IRBlockBase extends TIRBlock {
   /**
    * Gets the `Function` that contains this block.
    */
-  final Language::Function getEnclosingFunction() {
+  final Language::Declaration getEnclosingFunction() {
     result = getFirstInstruction(this).getEnclosingFunction()
   }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll

@@ -524,4 +524,23 @@ module InstructionConsistency {
         "' has a `this` argument operand that is not an address, in function '$@'." and
     irFunc = getInstructionIRFunction(instr, irFuncText)
   }
+
+  query predicate nonUniqueIRVariable(
+    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
+  ) {
+    exists(VariableInstruction vi, IRVariable v1, IRVariable v2 |
+      instr = vi and vi.getIRVariable() = v1 and vi.getIRVariable() = v2 and v1 != v2
+    ) and
+    message =
+      "Variable instruction '" + instr.toString() +
+        "' has multiple associated variables, in function '$@'." and
+    irFunc = getInstructionIRFunction(instr, irFuncText)
+    or
+    instr.getOpcode() instanceof Opcode::VariableAddress and
+    not instr instanceof VariableInstruction and
+    message =
+      "Variable address instruction '" + instr.toString() +
+        "' has no associated variable, in function '$@'." and
+    irFunc = getInstructionIRFunction(instr, irFuncText)
+  }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -18,7 +18,7 @@ private import Imports::IRType
  * by the AST-to-IR translation (`IRTempVariable`).
  */
 class IRVariable extends TIRVariable {
-  Language::Function func;
+  Language::Declaration func;
 
   IRVariable() {
     this = TIRUserVariable(_, _, func) or
@@ -79,7 +79,7 @@ class IRVariable extends TIRVariable {
   /**
    * Gets the function that references this variable.
    */
-  final Language::Function getEnclosingFunction() { result = func }
+  final Language::Declaration getEnclosingFunction() { result = func }
 }
 
 /**
@@ -246,7 +246,7 @@ class IREllipsisVariable extends IRTempVariable, IRParameter {
 
   final override string toString() { result = "#ellipsis" }
 
-  final override int getIndex() { result = func.getNumberOfParameters() }
+  final override int getIndex() { result = func.(Language::Function).getNumberOfParameters() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -194,7 +194,7 @@ class Instruction extends Construction::TStageInstruction {
   /**
    * Gets the function that contains this instruction.
    */
-  final Language::Function getEnclosingFunction() {
+  final Language::Declaration getEnclosingFunction() {
     result = this.getEnclosingIRFunction().getFunction()
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll

@@ -26,20 +26,20 @@ class PrintIRConfiguration extends TPrintIRConfiguration {
    * Holds if the IR for `func` should be printed. By default, holds for all
    * functions.
    */
-  predicate shouldPrintFunction(Language::Function func) { any() }
+  predicate shouldPrintFunction(Language::Declaration decl) { any() }
 }
 
 /**
  * Override of `IRConfiguration` to only evaluate debug strings for the functions that are to be dumped.
  */
 private class FilteredIRConfiguration extends IRConfiguration {
-  override predicate shouldEvaluateDebugStringsForFunction(Language::Function func) {
+  override predicate shouldEvaluateDebugStringsForFunction(Language::Declaration func) {
     shouldPrintFunction(func)
   }
 }
 
-private predicate shouldPrintFunction(Language::Function func) {
-  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
+private predicate shouldPrintFunction(Language::Declaration decl) {
+  exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
 }
 
 private string getAdditionalInstructionProperty(Instruction instr, string key) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll

@@ -5,23 +5,28 @@
 private import IRFunctionBaseInternal
 
 private newtype TIRFunction =
-  MkIRFunction(Language::Function func) { IRConstruction::Raw::functionHasIR(func) }
+  TFunctionIRFunction(Language::Function func) { IRConstruction::Raw::functionHasIR(func) } or
+  TVarInitIRFunction(Language::GlobalVariable var) { IRConstruction::Raw::varHasIRFunc(var) }
 
 /**
  * The IR for a function. This base class contains only the predicates that are the same between all
  * phases of the IR. Each instantiation of `IRFunction` extends this class.
  */
 class IRFunctionBase extends TIRFunction {
-  Language::Function func;
+  Language::Declaration decl;
 
-  IRFunctionBase() { this = MkIRFunction(func) }
+  IRFunctionBase() {
+    this = TFunctionIRFunction(decl)
+    or
+    this = TVarInitIRFunction(decl)
+  }
 
   /** Gets a textual representation of this element. */
-  final string toString() { result = "IR: " + func.toString() }
+  final string toString() { result = "IR: " + decl.toString() }
 
   /** Gets the function whose IR is represented. */
-  final Language::Function getFunction() { result = func }
+  final Language::Declaration getFunction() { result = decl }
 
   /** Gets the location of the function. */
-  final Language::Location getLocation() { result = func.getLocation() }
+  final Language::Location getLocation() { result = decl.getLocation() }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll

@@ -2,21 +2,21 @@ private import TIRVariableInternal
 private import Imports::TempVariableTag
 
 newtype TIRVariable =
-  TIRUserVariable(Language::Variable var, Language::LanguageType type, Language::Function func) {
+  TIRUserVariable(Language::Variable var, Language::LanguageType type, Language::Declaration func) {
     Construction::hasUserVariable(func, var, type)
   } or
   TIRTempVariable(
-    Language::Function func, Language::AST ast, TempVariableTag tag, Language::LanguageType type
+    Language::Declaration func, Language::AST ast, TempVariableTag tag, Language::LanguageType type
   ) {
     Construction::hasTempVariable(func, ast, tag, type)
   } or
   TIRDynamicInitializationFlag(
-    Language::Function func, Language::Variable var, Language::LanguageType type
+    Language::Declaration func, Language::Variable var, Language::LanguageType type
   ) {
     Construction::hasDynamicInitializationFlag(func, var, type)
   } or
   TIRStringLiteral(
-    Language::Function func, Language::AST ast, Language::LanguageType type,
+    Language::Declaration func, Language::AST ast, Language::LanguageType type,
     Language::StringLiteral literal
   ) {
     Construction::hasStringLiteral(func, ast, type, literal)

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll

@@ -97,7 +97,7 @@ class IRBlockBase extends TIRBlock {
   /**
    * Gets the `Function` that contains this block.
    */
-  final Language::Function getEnclosingFunction() {
+  final Language::Declaration getEnclosingFunction() {
     result = getFirstInstruction(this).getEnclosingFunction()
   }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll

@@ -524,4 +524,23 @@ module InstructionConsistency {
         "' has a `this` argument operand that is not an address, in function '$@'." and
     irFunc = getInstructionIRFunction(instr, irFuncText)
   }
+
+  query predicate nonUniqueIRVariable(
+    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
+  ) {
+    exists(VariableInstruction vi, IRVariable v1, IRVariable v2 |
+      instr = vi and vi.getIRVariable() = v1 and vi.getIRVariable() = v2 and v1 != v2
+    ) and
+    message =
+      "Variable instruction '" + instr.toString() +
+        "' has multiple associated variables, in function '$@'." and
+    irFunc = getInstructionIRFunction(instr, irFuncText)
+    or
+    instr.getOpcode() instanceof Opcode::VariableAddress and
+    not instr instanceof VariableInstruction and
+    message =
+      "Variable address instruction '" + instr.toString() +
+        "' has no associated variable, in function '$@'." and
+    irFunc = getInstructionIRFunction(instr, irFuncText)
+  }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll

@@ -18,7 +18,7 @@ private import Imports::IRType
  * by the AST-to-IR translation (`IRTempVariable`).
  */
 class IRVariable extends TIRVariable {
-  Language::Function func;
+  Language::Declaration func;
 
   IRVariable() {
     this = TIRUserVariable(_, _, func) or
@@ -79,7 +79,7 @@ class IRVariable extends TIRVariable {
   /**
    * Gets the function that references this variable.
    */
-  final Language::Function getEnclosingFunction() { result = func }
+  final Language::Declaration getEnclosingFunction() { result = func }
 }
 
 /**
@@ -246,7 +246,7 @@ class IREllipsisVariable extends IRTempVariable, IRParameter {
 
   final override string toString() { result = "#ellipsis" }
 
-  final override int getIndex() { result = func.getNumberOfParameters() }
+  final override int getIndex() { result = func.(Language::Function).getNumberOfParameters() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -194,7 +194,7 @@ class Instruction extends Construction::TStageInstruction {
   /**
    * Gets the function that contains this instruction.
    */
-  final Language::Function getEnclosingFunction() {
+  final Language::Declaration getEnclosingFunction() {
     result = this.getEnclosingIRFunction().getFunction()
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll

@@ -26,20 +26,20 @@ class PrintIRConfiguration extends TPrintIRConfiguration {
    * Holds if the IR for `func` should be printed. By default, holds for all
    * functions.
    */
-  predicate shouldPrintFunction(Language::Function func) { any() }
+  predicate shouldPrintFunction(Language::Declaration decl) { any() }
 }
 
 /**
  * Override of `IRConfiguration` to only evaluate debug strings for the functions that are to be dumped.
  */
 private class FilteredIRConfiguration extends IRConfiguration {
-  override predicate shouldEvaluateDebugStringsForFunction(Language::Function func) {
+  override predicate shouldEvaluateDebugStringsForFunction(Language::Declaration func) {
     shouldPrintFunction(func)
   }
 }
 
-private predicate shouldPrintFunction(Language::Function func) {
-  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
+private predicate shouldPrintFunction(Language::Declaration decl) {
+  exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
 }
 
 private string getAdditionalInstructionProperty(Instruction instr, string key) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -13,6 +13,7 @@ private import TranslatedElement
 private import TranslatedExpr
 private import TranslatedStmt
 private import TranslatedFunction
+private import TranslatedGlobalVar
 
 TranslatedElement getInstructionTranslatedElement(Instruction instruction) {
   instruction = TRawInstruction(result, _)
@@ -35,29 +36,41 @@ module Raw {
   cached
   predicate functionHasIR(Function func) { exists(getTranslatedFunction(func)) }
 
+  cached
+  predicate varHasIRFunc(GlobalOrNamespaceVariable var) {
+    var.hasInitializer() and
+    (
+      not var.getType().isDeeplyConst()
+      or
+      var.getInitializer().getExpr() instanceof StringLiteral
+    )
+  }
+
   cached
   predicate hasInstruction(TranslatedElement element, InstructionTag tag) {
     element.hasInstruction(_, tag, _)
   }
 
   cached
-  predicate hasUserVariable(Function func, Variable var, CppType type) {
-    getTranslatedFunction(func).hasUserVariable(var, type)
+  predicate hasUserVariable(Declaration decl, Variable var, CppType type) {
+    getTranslatedFunction(decl).hasUserVariable(var, type)
+    or
+    getTranslatedVarInit(decl).hasUserVariable(var, type)
   }
 
   cached
-  predicate hasTempVariable(Function func, Locatable ast, TempVariableTag tag, CppType type) {
+  predicate hasTempVariable(Declaration decl, Locatable ast, TempVariableTag tag, CppType type) {
     exists(TranslatedElement element |
       element.getAst() = ast and
-      func = element.getFunction() and
+      decl = element.getFunction() and
       element.hasTempVariable(tag, type)
     )
   }
 
   cached
-  predicate hasStringLiteral(Function func, Locatable ast, CppType type, StringLiteral literal) {
+  predicate hasStringLiteral(Declaration decl, Locatable ast, CppType type, StringLiteral literal) {
     literal = ast and
-    literal.getEnclosingFunction() = func and
+    literal.getEnclosingDeclaration() = decl and
     getTypeForPRValue(literal.getType()) = type
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -180,7 +180,7 @@ abstract class TranslatedSideEffects extends TranslatedElement {
   /** DEPRECATED: Alias for getAst */
   deprecated override Locatable getAST() { result = getAst() }
 
-  final override Function getFunction() { result = getExpr().getEnclosingFunction() }
+  final override Declaration getFunction() { result = getExpr().getEnclosingDeclaration() }
 
   final override TranslatedElement getChild(int i) {
     result =
@@ -375,7 +375,7 @@ abstract class TranslatedSideEffect extends TranslatedElement {
     kind instanceof GotoEdge
   }
 
-  final override Function getFunction() { result = getParent().getFunction() }
+  final override Declaration getFunction() { result = getParent().getFunction() }
 
   final override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
     tag = OnlyInstructionTag() and
@@ -436,13 +436,6 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
     result = index
   }
 
-  /**
-   * Gets the `TranslatedFunction` containing this expression.
-   */
-  final TranslatedFunction getEnclosingFunction() {
-    result = getTranslatedFunction(call.getEnclosingFunction())
-  }
-
   final override predicate sideEffectInstruction(Opcode opcode, CppType type) {
     opcode = sideEffectOpcode and
     (

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -25,9 +25,9 @@ private Element getRealParent(Expr expr) {
   result.(Destructor).getADestruction() = expr
 }
 
-IRUserVariable getIRUserVariable(Function func, Variable var) {
+IRUserVariable getIRUserVariable(Declaration decl, Variable var) {
   result.getVariable() = var and
-  result.getEnclosingFunction() = func
+  result.getEnclosingFunction() = decl
 }
 
 IRTempVariable getIRTempVariable(Locatable ast, TempVariableTag tag) {
@@ -67,7 +67,8 @@ private predicate ignoreExprAndDescendants(Expr expr) {
   exists(Initializer init, StaticStorageDurationVariable var |
     init = var.getInitializer() and
     not var.hasDynamicInitialization() and
-    expr = init.getExpr().getFullyConverted()
+    expr = init.getExpr().getFullyConverted() and
+    not var instanceof GlobalOrNamespaceVariable
   )
   or
   // Ignore descendants of `__assume` expressions, since we translated these to `NoOp`.
@@ -117,7 +118,8 @@ private predicate ignoreExprOnly(Expr expr) {
   // should not be translated.
   exists(NewOrNewArrayExpr new | expr = new.getAllocatorCall().getArgument(0))
   or
-  not translateFunction(expr.getEnclosingFunction())
+  not translateFunction(expr.getEnclosingFunction()) and
+  not Raw::varHasIRFunc(expr.getEnclosingVariable())
   or
   // We do not yet translate destructors properly, so for now we ignore the
   // destructor call. We do, however, translate the expression being
@@ -662,7 +664,8 @@ newtype TTranslatedElement =
     opcode = getASideEffectOpcode(call, -1)
   } or
   // The side effect that initializes newly-allocated memory.
-  TTranslatedAllocationSideEffect(AllocationExpr expr) { not ignoreSideEffects(expr) }
+  TTranslatedAllocationSideEffect(AllocationExpr expr) { not ignoreSideEffects(expr) } or
+  TTranslatedGlobalOrNamespaceVarInit(GlobalOrNamespaceVariable var) { Raw::varHasIRFunc(var) }
 
 /**
  * Gets the index of the first explicitly initialized element in `initList`
@@ -792,7 +795,7 @@ abstract class TranslatedElement extends TTranslatedElement {
   /**
    * Gets the `Function` that contains this element.
    */
-  abstract Function getFunction();
+  abstract Declaration getFunction();
 
   /**
    * Gets the successor instruction of the instruction that was generated by
@@ -942,3 +945,14 @@ abstract class TranslatedElement extends TTranslatedElement {
    */
   final TranslatedElement getParent() { result.getAChild() = this }
 }
+
+/**
+ * Represents the IR translation of a root element, either a function or a global variable.
+ */
+abstract class TranslatedRootElement extends TranslatedElement {
+  TranslatedRootElement() {
+    this instanceof TTranslatedFunction
+    or
+    this instanceof TTranslatedGlobalOrNamespaceVarInit
+  }
+}

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -12,6 +12,7 @@ private import TranslatedElement
 private import TranslatedFunction
 private import TranslatedInitialization
 private import TranslatedStmt
+private import TranslatedGlobalVar
 import TranslatedCall
 
 /**
@@ -78,7 +79,7 @@ abstract class TranslatedExpr extends TranslatedElement {
   /** DEPRECATED: Alias for getAst */
   deprecated override Locatable getAST() { result = this.getAst() }
 
-  final override Function getFunction() { result = expr.getEnclosingFunction() }
+  final override Declaration getFunction() { result = expr.getEnclosingDeclaration() }
 
   /**
    * Gets the expression from which this `TranslatedExpr` is generated.
@@ -88,8 +89,10 @@ abstract class TranslatedExpr extends TranslatedElement {
   /**
    * Gets the `TranslatedFunction` containing this expression.
    */
-  final TranslatedFunction getEnclosingFunction() {
+  final TranslatedRootElement getEnclosingFunction() {
     result = getTranslatedFunction(expr.getEnclosingFunction())
+    or
+    result = getTranslatedVarInit(expr.getEnclosingVariable())
   }
 }
 
@@ -787,7 +790,7 @@ class TranslatedThisExpr extends TranslatedNonConstantExpr {
 
   override IRVariable getInstructionVariable(InstructionTag tag) {
     tag = ThisAddressTag() and
-    result = this.getEnclosingFunction().getThisVariable()
+    result = this.getEnclosingFunction().(TranslatedFunction).getThisVariable()
   }
 }
 
@@ -838,7 +841,7 @@ class TranslatedNonFieldVariableAccess extends TranslatedVariableAccess {
 
   override IRVariable getInstructionVariable(InstructionTag tag) {
     tag = OnlyInstructionTag() and
-    result = getIRUserVariable(expr.getEnclosingFunction(), expr.getTarget())
+    result = getIRUserVariable(expr.getEnclosingDeclaration(), expr.getTarget())
   }
 }
 
@@ -2522,7 +2525,7 @@ class TranslatedVarArgsStart extends TranslatedNonConstantExpr {
 
   final override IRVariable getInstructionVariable(InstructionTag tag) {
     tag = VarArgsStartEllipsisAddressTag() and
-    result = this.getEnclosingFunction().getEllipsisVariable()
+    result = this.getEnclosingFunction().(TranslatedFunction).getEllipsisVariable()
   }
 
   final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -58,7 +58,7 @@ predicate hasReturnValue(Function func) { not func.getUnspecifiedType() instance
  * Represents the IR translation of a function. This is the root elements for
  * all other elements associated with this function.
  */
-class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
+class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
   Function func;
 
   TranslatedFunction() { this = TTranslatedFunction(func) }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedGlobalVar.qll

@@ -0,0 +1,132 @@
+import semmle.code.cpp.ir.implementation.raw.internal.TranslatedElement
+private import cpp
+private import semmle.code.cpp.ir.implementation.IRType
+private import semmle.code.cpp.ir.implementation.Opcode
+private import semmle.code.cpp.ir.implementation.internal.OperandTag
+private import semmle.code.cpp.ir.internal.CppType
+private import TranslatedInitialization
+private import InstructionTag
+private import semmle.code.cpp.ir.internal.IRUtilities
+
+class TranslatedGlobalOrNamespaceVarInit extends TranslatedRootElement,
+  TTranslatedGlobalOrNamespaceVarInit, InitializationContext {
+  GlobalOrNamespaceVariable var;
+
+  TranslatedGlobalOrNamespaceVarInit() { this = TTranslatedGlobalOrNamespaceVarInit(var) }
+
+  override string toString() { result = var.toString() }
+
+  final override GlobalOrNamespaceVariable getAst() { result = var }
+
+  final override Declaration getFunction() { result = var }
+
+  final Location getLocation() { result = var.getLocation() }
+
+  override Instruction getFirstInstruction() { result = this.getInstruction(EnterFunctionTag()) }
+
+  override TranslatedElement getChild(int n) {
+    n = 1 and
+    result = getTranslatedInitialization(var.getInitializer().getExpr().getFullyConverted())
+  }
+
+  override predicate hasInstruction(Opcode op, InstructionTag tag, CppType type) {
+    op instanceof Opcode::EnterFunction and
+    tag = EnterFunctionTag() and
+    type = getVoidType()
+    or
+    op instanceof Opcode::AliasedDefinition and
+    tag = AliasedDefinitionTag() and
+    type = getUnknownType()
+    or
+    op instanceof Opcode::VariableAddress and
+    tag = InitializerVariableAddressTag() and
+    type = getTypeForGLValue(var.getType())
+    or
+    op instanceof Opcode::ReturnVoid and
+    tag = ReturnTag() and
+    type = getVoidType()
+    or
+    op instanceof Opcode::AliasedUse and
+    tag = AliasedUseTag() and
+    type = getVoidType()
+    or
+    op instanceof Opcode::ExitFunction and
+    tag = ExitFunctionTag() and
+    type = getVoidType()
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    kind instanceof GotoEdge and
+    (
+      tag = EnterFunctionTag() and
+      result = this.getInstruction(AliasedDefinitionTag())
+      or
+      tag = AliasedDefinitionTag() and
+      result = this.getInstruction(InitializerVariableAddressTag())
+      or
+      tag = InitializerVariableAddressTag() and
+      result = getChild(1).getFirstInstruction()
+      or
+      tag = ReturnTag() and
+      result = this.getInstruction(AliasedUseTag())
+      or
+      tag = AliasedUseTag() and
+      result = this.getInstruction(ExitFunctionTag())
+    )
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child) {
+    child = this.getChild(1) and
+    result = this.getInstruction(ReturnTag())
+  }
+
+  final override CppType getInstructionMemoryOperandType(
+    InstructionTag tag, TypedOperandTag operandTag
+  ) {
+    tag = AliasedUseTag() and
+    operandTag instanceof SideEffectOperandTag and
+    result = getUnknownType()
+  }
+
+  override IRUserVariable getInstructionVariable(InstructionTag tag) {
+    tag = InitializerVariableAddressTag() and
+    result.getVariable() = var and
+    result.getEnclosingFunction() = var
+  }
+
+  override Instruction getTargetAddress() {
+    result = this.getInstruction(InitializerVariableAddressTag())
+  }
+
+  override Type getTargetType() { result = var.getUnspecifiedType() }
+
+  /**
+   * Holds if this variable defines or accesses variable `var` with type `type`. This includes all
+   * parameters and local variables, plus any global variables or static data members that are
+   * directly accessed by the function.
+   */
+  final predicate hasUserVariable(Variable varUsed, CppType type) {
+    (
+      (
+        varUsed instanceof GlobalOrNamespaceVariable
+        or
+        varUsed instanceof MemberVariable and not varUsed instanceof Field
+      ) and
+      exists(VariableAccess access |
+        access.getTarget() = varUsed and
+        access.getEnclosingVariable() = var
+      )
+      or
+      var = varUsed
+      or
+      varUsed.(LocalScopeVariable).getEnclosingElement*() = var
+      or
+      varUsed.(Parameter).getCatchBlock().getEnclosingElement*() = var
+    ) and
+    type = getTypeForPRValue(getVariableType(varUsed))
+  }
+}
+
+TranslatedGlobalOrNamespaceVarInit getTranslatedVarInit(GlobalOrNamespaceVariable var) {
+  result.getAst() = var
+}

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll

@@ -137,7 +137,10 @@ abstract class TranslatedInitialization extends TranslatedElement, TTranslatedIn
 
   final override string toString() { result = "init: " + expr.toString() }
 
-  final override Function getFunction() { result = expr.getEnclosingFunction() }
+  final override Declaration getFunction() {
+    result = expr.getEnclosingFunction() or
+    result = expr.getEnclosingVariable().(GlobalOrNamespaceVariable)
+  }
 
   final override Locatable getAst() { result = expr }
 
@@ -486,7 +489,10 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {
   /** DEPRECATED: Alias for getAst */
   deprecated override Locatable getAST() { result = getAst() }
 
-  final override Function getFunction() { result = ast.getEnclosingFunction() }
+  final override Declaration getFunction() {
+    result = ast.getEnclosingFunction() or
+    result = ast.getEnclosingVariable().(GlobalOrNamespaceVariable)
+  }
 
   final override Instruction getFirstInstruction() { result = getInstruction(getFieldAddressTag()) }
 
@@ -633,7 +639,11 @@ abstract class TranslatedElementInitialization extends TranslatedElement {
   /** DEPRECATED: Alias for getAst */
   deprecated override Locatable getAST() { result = getAst() }
 
-  final override Function getFunction() { result = initList.getEnclosingFunction() }
+  final override Declaration getFunction() {
+    result = initList.getEnclosingFunction()
+    or
+    result = initList.getEnclosingVariable().(GlobalOrNamespaceVariable)
+  }
 
   final override Instruction getFirstInstruction() { result = getInstruction(getElementIndexTag()) }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll

@@ -97,7 +97,7 @@ class IRBlockBase extends TIRBlock {
   /**
    * Gets the `Function` that contains this block.
    */
-  final Language::Function getEnclosingFunction() {
+  final Language::Declaration getEnclosingFunction() {
     result = getFirstInstruction(this).getEnclosingFunction()
   }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll

@@ -524,4 +524,23 @@ module InstructionConsistency {
         "' has a `this` argument operand that is not an address, in function '$@'." and
     irFunc = getInstructionIRFunction(instr, irFuncText)
   }
+
+  query predicate nonUniqueIRVariable(
+    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
+  ) {
+    exists(VariableInstruction vi, IRVariable v1, IRVariable v2 |
+      instr = vi and vi.getIRVariable() = v1 and vi.getIRVariable() = v2 and v1 != v2
+    ) and
+    message =
+      "Variable instruction '" + instr.toString() +
+        "' has multiple associated variables, in function '$@'." and
+    irFunc = getInstructionIRFunction(instr, irFuncText)
+    or
+    instr.getOpcode() instanceof Opcode::VariableAddress and
+    not instr instanceof VariableInstruction and
+    message =
+      "Variable address instruction '" + instr.toString() +
+        "' has no associated variable, in function '$@'." and
+    irFunc = getInstructionIRFunction(instr, irFuncText)
+  }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll

@@ -18,7 +18,7 @@ private import Imports::IRType
  * by the AST-to-IR translation (`IRTempVariable`).
  */
 class IRVariable extends TIRVariable {
-  Language::Function func;
+  Language::Declaration func;
 
   IRVariable() {
     this = TIRUserVariable(_, _, func) or
@@ -79,7 +79,7 @@ class IRVariable extends TIRVariable {
   /**
    * Gets the function that references this variable.
    */
-  final Language::Function getEnclosingFunction() { result = func }
+  final Language::Declaration getEnclosingFunction() { result = func }
 }
 
 /**
@@ -246,7 +246,7 @@ class IREllipsisVariable extends IRTempVariable, IRParameter {
 
   final override string toString() { result = "#ellipsis" }
 
-  final override int getIndex() { result = func.getNumberOfParameters() }
+  final override int getIndex() { result = func.(Language::Function).getNumberOfParameters() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -194,7 +194,7 @@ class Instruction extends Construction::TStageInstruction {
   /**
    * Gets the function that contains this instruction.
    */
-  final Language::Function getEnclosingFunction() {
+  final Language::Declaration getEnclosingFunction() {
     result = this.getEnclosingIRFunction().getFunction()
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll

@@ -26,20 +26,20 @@ class PrintIRConfiguration extends TPrintIRConfiguration {
    * Holds if the IR for `func` should be printed. By default, holds for all
    * functions.
    */
-  predicate shouldPrintFunction(Language::Function func) { any() }
+  predicate shouldPrintFunction(Language::Declaration decl) { any() }
 }
 
 /**
  * Override of `IRConfiguration` to only evaluate debug strings for the functions that are to be dumped.
  */
 private class FilteredIRConfiguration extends IRConfiguration {
-  override predicate shouldEvaluateDebugStringsForFunction(Language::Function func) {
+  override predicate shouldEvaluateDebugStringsForFunction(Language::Declaration func) {
     shouldPrintFunction(func)
   }
 }
 
-private predicate shouldPrintFunction(Language::Function func) {
-  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
+private predicate shouldPrintFunction(Language::Declaration decl) {
+  exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
 }
 
 private string getAdditionalInstructionProperty(Instruction instr, string key) {

cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll

@@ -50,12 +50,16 @@ class AutomaticVariable = Cpp::StackVariable;
 
 class StaticVariable = Cpp::Variable;
 
+class GlobalVariable = Cpp::GlobalOrNamespaceVariable;
+
 class Parameter = Cpp::Parameter;
 
 class Field = Cpp::Field;
 
 class BuiltInOperation = Cpp::BuiltInOperation;
 
+class Declaration = Cpp::Declaration;
+
 // TODO: Remove necessity for these.
 class Expr = Cpp::Expr;
 

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.2.0
+
+## 0.1.4
+
 ## 0.1.3
 
 ### Minor Analysis Improvements

cpp/ql/src/change-notes/released/0.1.4.md

@@ -0,0 +1 @@
+## 0.1.4

cpp/ql/src/change-notes/released/0.2.0.md

@@ -0,0 +1 @@
+## 0.2.0

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.3
+lastReleaseVersion: 0.2.0

cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.cpp

@@ -0,0 +1,11 @@
+...
+SSL_shutdown(ssl); 
+SSL_shutdown(ssl); // BAD
+...
+    switch ((ret = SSL_shutdown(ssl))) {
+    case 1:
+      break;
+    case 0:
+      ERR_clear_error();
+      if (-1 != (ret = SSL_shutdown(ssl))) break; // GOOD
+...

cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.qhelp

@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Incorrect closing of the connection leads to the creation of different states for the server and client, which can be exploited by an attacker.</p>
+
+</overview>
+
+<example>
+<p>The following example shows the incorrect and correct usage of function SSL_shutdown.</p>
+<sample src="DangerousUseSSL_shutdown.cpp" />
+
+</example>
+<references>
+
+<li>
+  CERT Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/EXP12-C.+Do+not+ignore+values+returned+by+functions">EXP12-C. Do not ignore values returned by functions - SEI CERT C Coding Standard - Confluence</a>.
+</li>
+<li>
+  Openssl.org:
+  <a href="https://www.openssl.org/docs/man3.0/man3/SSL_shutdown.html">SSL_shutdown - shut down a TLS/SSL connection</a>.
+</li>
+
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql

@@ -0,0 +1,33 @@
+/**
+ * @name Dangerous use SSL_shutdown.
+ * @description Incorrect closing of the connection leads to the creation of different states for the server and client, which can be exploited by an attacker.
+ * @kind problem
+ * @id cpp/dangerous-use-of-ssl-shutdown
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-670
+ */
+
+import cpp
+import semmle.code.cpp.commons.Exclusions
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+from FunctionCall fc, FunctionCall fc1
+where
+  fc != fc1 and
+  fc.getASuccessor+() = fc1 and
+  fc.getTarget().hasName("SSL_shutdown") and
+  fc1.getTarget().hasName("SSL_shutdown") and
+  fc1 instanceof ExprInVoidContext and
+  (
+    globalValueNumber(fc.getArgument(0)) = globalValueNumber(fc1.getArgument(0)) or
+    fc.getArgument(0).(VariableAccess).getTarget() = fc1.getArgument(0).(VariableAccess).getTarget()
+  ) and
+  not exists(FunctionCall fctmp |
+    fctmp.getTarget().hasName("SSL_free") and
+    fc.getASuccessor+() = fctmp and
+    fctmp.getASuccessor+() = fc1
+  )
+select fc, "You need to handle the return value SSL_shutdown"

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.1.4-dev
+version: 0.2.0
 groups: 
   - cpp
   - queries

cpp/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -239,12 +239,24 @@ private string getColumnString(TColumn column) {
 
 /**
  * RegEx pattern to match a single expected result, not including the leading `$`. It consists of one or
- * more comma-separated tags containing only letters, digits, `-` and `_` (note that the first character
- * must not be a digit), optionally followed by `=` and the expected value.
+ * more comma-separated tags optionally followed by `=` and the expected value.
+ *
+ * Tags must be only letters, digits, `-` and `_` (note that the first character
+ * must not be a digit), but can contain anything enclosed in a single set of
+ * square brackets.
+ *
+ * Examples:
+ * - `tag`
+ * - `tag=value`
+ * - `tag,tag2=value`
+ * - `tag[foo bar]=value`
+ *
+ * Not allowed:
+ * - `tag[[[foo bar]`
  */
 private string expectationPattern() {
   exists(string tag, string tags, string value |
-    tag = "[A-Za-z-_][A-Za-z-_0-9]*" and
+    tag = "[A-Za-z-_](?:[A-Za-z-_0-9]|\\[[^\\]\\]]*\\])*" and
     tags = "((?:" + tag + ")(?:\\s*,\\s*" + tag + ")*)" and
     // In Python, we allow both `"` and `'` for strings, as well as the prefixes `bru`.
     // For example, `b"foo"`.

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/DangerousUseSSL_shutdown.expected

@@ -0,0 +1,2 @@
+| test.cpp:45:20:45:31 | call to SSL_shutdown | You need to handle the return value SSL_shutdown |
+| test.cpp:61:11:61:22 | call to SSL_shutdown | You need to handle the return value SSL_shutdown |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/DangerousUseSSL_shutdown.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/test.cpp

@@ -0,0 +1,75 @@
+// it's not exact, but it's enough for an example
+typedef int SSL;
+
+
+int SSL_shutdown(SSL *ssl);
+int SSL_get_error(const SSL *ssl, int ret);
+void ERR_clear_error(void);
+void print_error(char *buff,int code);
+
+int gootTest1(SSL *ssl)
+{
+  int ret;
+    switch ((ret = SSL_shutdown(ssl))) {
+    case 1:
+      break;
+    case 0:
+      ERR_clear_error();
+      if ((ret = SSL_shutdown(ssl)) == 1) break; // GOOD
+    default:
+      print_error("error shutdown",
+        SSL_get_error(ssl, ret));
+      return -1;
+    }
+ return 0;
+}
+int gootTest2(SSL *ssl)
+{
+  int ret;
+    switch ((ret = SSL_shutdown(ssl))) {
+    case 1:
+      break;
+    case 0:
+      ERR_clear_error();
+      if (-1 != (ret = SSL_shutdown(ssl))) break; // GOOD
+    default:
+      print_error("error shutdown",
+        SSL_get_error(ssl, ret));
+      return -1;
+    }
+ return 0;
+}
+int badTest1(SSL *ssl)
+{
+  int ret;
+    switch ((ret = SSL_shutdown(ssl))) {
+    case 1:
+      break;
+    case 0:
+      SSL_shutdown(ssl); // BAD
+      break;
+    default:      
+      print_error("error shutdown",
+        SSL_get_error(ssl, ret));
+      return -1;
+    }
+ return 0;
+}
+int badTest2(SSL *ssl)
+{
+  int ret;
+    ret = SSL_shutdown(ssl);
+    switch (ret) {
+    case 1:
+      break;
+    case 0:
+      SSL_shutdown(ssl); // BAD
+      break;
+    default:
+      print_error("error shutdown",
+        SSL_get_error(ssl, ret));
+      return -1;
+    }
+ return 0;
+}
+

cpp/ql/test/library-tests/controlflow/dereferenced/dereferenced.cpp

@@ -0,0 +1,49 @@
+
+int *global_ptr;
+const char *global_string = "hello, world";
+
+void test1(int *ptr, int &ref)
+{
+	const char *str;
+	int v, *p;
+	char c;
+
+	v = *ptr; // `ptr` dereferenced
+	v = ptr[0]; // `ptr` dereferenced
+	p = ptr;
+
+	*ptr = 0; // `ptr` dereferenced
+	ptr[0] = 0; // `ptr` dereferenced
+	ptr = 0;
+
+	(*ptr)++; // `ptr`, `*ptr` dereferenced
+	*(ptr++); // `ptr++` dereferenced
+	ptr++;
+
+	v = ref; // (`ref` implicitly dereferenced, not detected)
+	p = &ref;
+	ref = 0; // (`ref` implicitly dereferenced, not detected)
+	ref++; // (`ref` implicitly dereferenced, not detected)
+
+	*global_ptr; // `global_ptr` dereferenced
+	str = global_string;
+	c = global_string[5]; // `global_string` dereferenced
+}
+
+struct myStruct
+{
+	int x;
+	void f() {};
+	void (*g)();
+};
+
+void test1(myStruct *ms)
+{
+	void (*h)();
+
+	ms;
+	ms->x; // `ms` dereferenced
+	ms->f(); // `ms` dereferenced
+	ms->g(); // `ms` dereferenced
+	h = ms->g; // `ms` dereferenced
+}

cpp/ql/test/library-tests/controlflow/dereferenced/dereferenced.expected

@@ -0,0 +1,13 @@
+| dereferenced.cpp:11:6:11:9 | * ... | dereferenced.cpp:11:7:11:9 | ptr |
+| dereferenced.cpp:12:6:12:11 | access to array | dereferenced.cpp:12:6:12:8 | ptr |
+| dereferenced.cpp:15:2:15:5 | * ... | dereferenced.cpp:15:3:15:5 | ptr |
+| dereferenced.cpp:16:2:16:7 | access to array | dereferenced.cpp:16:2:16:4 | ptr |
+| dereferenced.cpp:19:3:19:6 | * ... | dereferenced.cpp:19:4:19:6 | ptr |
+| dereferenced.cpp:19:4:19:6 | ptr | dereferenced.cpp:19:3:19:6 | * ... |
+| dereferenced.cpp:20:2:20:9 | * ... | dereferenced.cpp:20:4:20:8 | ... ++ |
+| dereferenced.cpp:28:2:28:12 | * ... | dereferenced.cpp:28:3:28:12 | global_ptr |
+| dereferenced.cpp:30:6:30:21 | access to array | dereferenced.cpp:30:6:30:18 | global_string |
+| dereferenced.cpp:45:6:45:6 | x | dereferenced.cpp:45:2:45:3 | ms |
+| dereferenced.cpp:46:6:46:6 | call to f | dereferenced.cpp:46:2:46:3 | ms |
+| dereferenced.cpp:47:6:47:6 | g | dereferenced.cpp:47:2:47:3 | ms |
+| dereferenced.cpp:48:10:48:10 | g | dereferenced.cpp:48:6:48:7 | ms |

cpp/ql/test/library-tests/controlflow/dereferenced/dereferenced.ql

@@ -0,0 +1,6 @@
+import cpp
+import semmle.code.cpp.controlflow.Dereferenced
+
+from Expr op, Expr e
+where dereferencedByOperation(op, e) // => dereferenced(e)
+select op, e

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -199,7 +199,9 @@ postWithInFlow
 | example.c:28:22:28:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | example.c:28:23:28:25 | pos [post update] | PostUpdateNode should not be the target of local flow. |
 | globals.cpp:5:9:5:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| globals.cpp:9:5:9:19 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | globals.cpp:13:5:13:19 | flowTestGlobal1 [post update] | PostUpdateNode should not be the target of local flow. |
+| globals.cpp:16:12:16:26 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | globals.cpp:23:5:23:19 | flowTestGlobal2 [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:8:6:8:6 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:9:6:9:6 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -218,10 +220,10 @@ postWithInFlow
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:23:3:23:3 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | v [post update] | PostUpdateNode should not be the target of local flow. |
-| lambdas.cpp:23:15:23:15 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:7:28:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql

@@ -2,19 +2,17 @@ import TestUtilities.dataflow.FlowTestCommon
 
 module AstTest {
   private import semmle.code.cpp.dataflow.DataFlow
+  private import semmle.code.cpp.controlflow.Guards
 
   /**
    * A `BarrierGuard` that stops flow to all occurrences of `x` within statement
    * S in `if (guarded(x)) S`.
    */
   // This is tested in `BarrierGuard.cpp`.
-  class TestBarrierGuard extends DataFlow::BarrierGuard {
-    TestBarrierGuard() { this.(FunctionCall).getTarget().getName() = "guarded" }
-
-    override predicate checks(Expr checked, boolean isTrue) {
-      checked = this.(FunctionCall).getArgument(0) and
-      isTrue = true
-    }
+  predicate testBarrierGuard(GuardCondition g, Expr checked, boolean isTrue) {
+    g.(FunctionCall).getTarget().getName() = "guarded" and
+    checked = g.(FunctionCall).getArgument(0) and
+    isTrue = true
   }
 
   /** Common data flow configuration to be used by tests. */
@@ -40,29 +38,26 @@ module AstTest {
     }
 
     override predicate isBarrier(DataFlow::Node barrier) {
-      barrier.asExpr().(VariableAccess).getTarget().hasName("barrier")
+      barrier.asExpr().(VariableAccess).getTarget().hasName("barrier") or
+      barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getABarrierNode()
     }
-
-    override predicate isBarrierGuard(DataFlow::BarrierGuard bg) { bg instanceof TestBarrierGuard }
   }
 }
 
 module IRTest {
   private import semmle.code.cpp.ir.dataflow.DataFlow
   private import semmle.code.cpp.ir.IR
+  private import semmle.code.cpp.controlflow.IRGuards
 
   /**
    * A `BarrierGuard` that stops flow to all occurrences of `x` within statement
    * S in `if (guarded(x)) S`.
    */
   // This is tested in `BarrierGuard.cpp`.
-  class TestBarrierGuard extends DataFlow::BarrierGuard {
-    TestBarrierGuard() { this.(CallInstruction).getStaticCallTarget().getName() = "guarded" }
-
-    override predicate checksInstr(Instruction checked, boolean isTrue) {
-      checked = this.(CallInstruction).getPositionalArgument(0) and
-      isTrue = true
-    }
+  predicate testBarrierGuard(IRGuardCondition g, Instruction checked, boolean isTrue) {
+    g.(CallInstruction).getStaticCallTarget().getName() = "guarded" and
+    checked = g.(CallInstruction).getPositionalArgument(0) and
+    isTrue = true
   }
 
   /** Common data flow configuration to be used by tests. */
@@ -93,10 +88,9 @@ module IRTest {
     }
 
     override predicate isBarrier(DataFlow::Node barrier) {
-      barrier.asExpr().(VariableAccess).getTarget().hasName("barrier")
+      barrier.asExpr().(VariableAccess).getTarget().hasName("barrier") or
+      barrier = DataFlow::InstructionBarrierGuard<testBarrierGuard/3>::getABarrierNode()
     }
-
-    override predicate isBarrierGuard(DataFlow::BarrierGuard bg) { bg instanceof TestBarrierGuard }
   }
 
   private predicate readsVariable(LoadInstruction load, Variable var) {

cpp/ql/test/library-tests/declarationEntry/declarationEntry/declarationEntry.cpp

@@ -33,3 +33,11 @@ public:
 
 myTemplateClass<int> mtc_int;
 myTemplateClass<short> mtc_short;
+
+// Class (UserType)
+
+class myClass
+{
+public:
+	int myMemberVariable;
+};

cpp/ql/test/library-tests/declarationEntry/declarationEntry/declarationEntry.expected

@@ -27,5 +27,11 @@
 | declarationEntry.cpp:31:4:31:19 | myMemberVariable | declarationEntry.cpp:31:4:31:19 | definition of myMemberVariable | 1 | 1 |
 | declarationEntry.cpp:34:22:34:28 | mtc_int | declarationEntry.cpp:34:22:34:28 | definition of mtc_int | 1 | 1 |
 | declarationEntry.cpp:35:24:35:32 | mtc_short | declarationEntry.cpp:35:24:35:32 | definition of mtc_short | 1 | 1 |
+| declarationEntry.cpp:39:7:39:7 | operator= | declarationEntry.cpp:39:7:39:7 | declaration of operator= | 1 | 1 |
+| declarationEntry.cpp:39:7:39:7 | operator= | declarationEntry.cpp:39:7:39:7 | declaration of operator= | 1 | 1 |
+| declarationEntry.cpp:39:7:39:13 | myClass | declarationEntry.cpp:39:7:39:13 | definition of myClass | 1 | 1 |
+| declarationEntry.cpp:39:7:39:13 | myClass | forwardDeclaration.cpp:1:7:1:13 | declaration of myClass | 1 | 1 |
+| declarationEntry.cpp:42:6:42:21 | myMemberVariable | declarationEntry.cpp:42:6:42:21 | definition of myMemberVariable | 1 | 1 |
+| forwardDeclaration.cpp:3:10:3:19 | myClassPtr | forwardDeclaration.cpp:3:10:3:19 | definition of myClassPtr | 1 | 1 |
 | macro.c:2:1:2:3 | foo | macro.c:2:1:2:3 | declaration of foo | 1 | 1 |
 | macro.c:4:5:4:8 | main | macro.c:4:5:4:8 | definition of main | 1 | 1 |

cpp/ql/test/library-tests/declarationEntry/declarationEntry/fde.expected

@@ -10,5 +10,7 @@
 | declarationEntry.cpp:28:7:28:7 | declaration of operator= |  | 0 |  |
 | declarationEntry.cpp:28:7:28:7 | declaration of operator= |  | 0 |  |
 | declarationEntry.cpp:28:7:28:7 | declaration of operator= |  | 0 |  |
+| declarationEntry.cpp:39:7:39:7 | declaration of operator= |  | 0 |  |
+| declarationEntry.cpp:39:7:39:7 | declaration of operator= |  | 0 |  |
 | macro.c:2:1:2:3 | declaration of foo |  | 2 | c_linkage, static |
 | macro.c:4:5:4:8 | definition of main |  | 1 | c_linkage |

cpp/ql/test/library-tests/declarationEntry/declarationEntry/forwardDeclaration.cpp

@@ -0,0 +1,3 @@
+class myClass;
+
+myClass *myClassPtr;

cpp/ql/test/library-tests/declarationEntry/declarationEntry/roundTrip.expected

@@ -0,0 +1,45 @@
+| declarationEntry.c:2:6:2:20 | declaration of myFirstFunction | declarationEntry.c:2:6:2:20 | myFirstFunction | yes |
+| declarationEntry.c:4:6:4:21 | definition of mySecondFunction | declarationEntry.c:4:6:4:21 | mySecondFunction | yes |
+| declarationEntry.c:8:6:8:20 | definition of myThirdFunction | declarationEntry.c:8:6:8:20 | myThirdFunction | yes |
+| declarationEntry.c:13:2:13:2 | declaration of myFourthFunction | declarationEntry.c:13:2:13:2 | myFourthFunction | yes |
+| declarationEntry.c:13:2:13:2 | declaration of myFourthFunction | declarationEntry.c:17:6:17:21 | myFourthFunction | yes |
+| declarationEntry.c:14:2:14:2 | declaration of myFifthFunction | declarationEntry.c:14:2:14:2 | myFifthFunction | yes |
+| declarationEntry.c:17:6:17:21 | declaration of myFourthFunction | declarationEntry.c:13:2:13:2 | myFourthFunction | yes |
+| declarationEntry.c:17:6:17:21 | declaration of myFourthFunction | declarationEntry.c:17:6:17:21 | myFourthFunction | yes |
+| declarationEntry.cpp:3:12:3:21 | declaration of myVariable | declarationEntry.cpp:5:5:5:14 | myVariable | yes |
+| declarationEntry.cpp:5:5:5:14 | definition of myVariable | declarationEntry.cpp:5:5:5:14 | myVariable | yes |
+| declarationEntry.cpp:9:6:9:15 | declaration of myFunction | declarationEntry.cpp:11:6:11:15 | myFunction | yes |
+| declarationEntry.cpp:9:21:9:31 | declaration of myParameter | declarationEntry.cpp:11:21:11:31 | myParameter | yes |
+| declarationEntry.cpp:11:6:11:15 | definition of myFunction | declarationEntry.cpp:11:6:11:15 | myFunction | yes |
+| declarationEntry.cpp:11:21:11:31 | definition of myParameter | declarationEntry.cpp:11:21:11:31 | myParameter | yes |
+| declarationEntry.cpp:18:6:18:11 | declaration of myEnum | declarationEntry.cpp:20:6:20:11 | myEnum | yes |
+| declarationEntry.cpp:20:6:20:11 | definition of myEnum | declarationEntry.cpp:20:6:20:11 | myEnum | yes |
+| declarationEntry.cpp:27:20:27:20 | definition of T | declarationEntry.cpp:27:20:27:20 | T | yes |
+| declarationEntry.cpp:28:7:28:7 | declaration of operator= | declarationEntry.cpp:28:7:28:7 | operator= | yes |
+| declarationEntry.cpp:28:7:28:7 | declaration of operator= | declarationEntry.cpp:28:7:28:7 | operator= | yes |
+| declarationEntry.cpp:28:7:28:7 | declaration of operator= | declarationEntry.cpp:28:7:28:7 | operator= | yes |
+| declarationEntry.cpp:28:7:28:7 | declaration of operator= | declarationEntry.cpp:28:7:28:7 | operator= | yes |
+| declarationEntry.cpp:28:7:28:21 | definition of myTemplateClass<T> | declarationEntry.cpp:28:7:28:21 | myTemplateClass<T> | yes |
+| declarationEntry.cpp:31:4:31:19 | definition of myMemberVariable | declarationEntry.cpp:31:4:31:19 | myMemberVariable | yes |
+| declarationEntry.cpp:31:4:31:19 | definition of myMemberVariable | declarationEntry.cpp:31:4:31:19 | myMemberVariable | yes |
+| declarationEntry.cpp:31:4:31:19 | definition of myMemberVariable | declarationEntry.cpp:31:4:31:19 | myMemberVariable | yes |
+| declarationEntry.cpp:34:22:34:28 | definition of mtc_int | declarationEntry.cpp:34:22:34:28 | mtc_int | yes |
+| declarationEntry.cpp:35:24:35:32 | definition of mtc_short | declarationEntry.cpp:35:24:35:32 | mtc_short | yes |
+| declarationEntry.cpp:39:7:39:7 | declaration of operator= | declarationEntry.cpp:39:7:39:7 | operator= | yes |
+| declarationEntry.cpp:39:7:39:7 | declaration of operator= | declarationEntry.cpp:39:7:39:7 | operator= | yes |
+| declarationEntry.cpp:39:7:39:13 | definition of myClass | declarationEntry.cpp:39:7:39:13 | myClass | yes |
+| declarationEntry.cpp:42:6:42:21 | definition of myMemberVariable | declarationEntry.cpp:42:6:42:21 | myMemberVariable | yes |
+| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
+| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
+| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
+| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
+| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
+| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
+| file://:0:0:0:0 | definition of fp_offset | file://:0:0:0:0 | fp_offset | yes |
+| file://:0:0:0:0 | definition of gp_offset | file://:0:0:0:0 | gp_offset | yes |
+| file://:0:0:0:0 | definition of overflow_arg_area | file://:0:0:0:0 | overflow_arg_area | yes |
+| file://:0:0:0:0 | definition of reg_save_area | file://:0:0:0:0 | reg_save_area | yes |
+| forwardDeclaration.cpp:1:7:1:13 | declaration of myClass | declarationEntry.cpp:39:7:39:13 | myClass | yes |
+| forwardDeclaration.cpp:3:10:3:19 | definition of myClassPtr | forwardDeclaration.cpp:3:10:3:19 | myClassPtr | yes |
+| macro.c:2:1:2:3 | declaration of foo | macro.c:2:1:2:3 | foo | yes |
+| macro.c:4:5:4:8 | definition of main | macro.c:4:5:4:8 | main | yes |

cpp/ql/test/library-tests/declarationEntry/declarationEntry/roundTrip.ql

@@ -0,0 +1,7 @@
+import cpp
+
+from DeclarationEntry de, Declaration d, string canRoundTrip
+where
+  d = de.getDeclaration() and
+  if d.getADeclarationEntry() = de then canRoundTrip = "yes" else canRoundTrip = "no"
+select de, d, canRoundTrip

cpp/ql/test/library-tests/ir/ir/PrintConfig.qll

@@ -12,4 +12,11 @@ predicate locationIsInStandardHeaders(Location loc) {
  *
  * This predicate excludes functions defined in standard headers.
  */
-predicate shouldDumpFunction(Function func) { not locationIsInStandardHeaders(func.getLocation()) }
+predicate shouldDumpFunction(Declaration decl) {
+  not locationIsInStandardHeaders(decl.getLocation()) and
+  (
+    not decl instanceof Variable
+    or
+    decl.(GlobalOrNamespaceVariable).hasInitializer()
+  )
+}

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected

@@ -23,6 +23,7 @@ invalidOverlap
 nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
 thisArgumentIsNonPointer
+nonUniqueIRVariable
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected

@@ -23,6 +23,7 @@ invalidOverlap
 nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
 thisArgumentIsNonPointer
+nonUniqueIRVariable
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/ir/ir/ir.cpp

@@ -1816,4 +1816,18 @@ void switch_initialization(int x) {
     }
 }
 
+int global_1;
+
+int global_2 = 1;
+
+const int global_3 = 2;
+
+constructor_only global_4(1);
+
+constructor_only global_5 = constructor_only(2);
+
+char *global_string = "global string";
+
+int global_6 = global_2;
+
 // semmle-extractor-options: -std=c++17 --clang

cpp/ql/test/library-tests/ir/ir/operand_locations.expected

@@ -4743,6 +4743,14 @@
 | ir.cpp:1034:6:1034:20 | ChiTotal | total:m1034_2 |
 | ir.cpp:1034:6:1034:20 | SideEffect | m1034_3 |
 | ir.cpp:1035:15:1035:15 | Address | &:r1035_1 |
+| ir.cpp:1038:6:1038:8 | Address | &:r1038_3 |
+| ir.cpp:1038:6:1038:8 | SideEffect | ~m1038_8 |
+| ir.cpp:1038:12:1038:18 | Address | &:r1038_4 |
+| ir.cpp:1038:12:1038:18 | Address | &:r1038_4 |
+| ir.cpp:1038:12:1038:18 | ChiPartial | partial:m1038_7 |
+| ir.cpp:1038:12:1038:18 | ChiTotal | total:m1038_2 |
+| ir.cpp:1038:12:1038:18 | Load | m1038_5 |
+| ir.cpp:1038:12:1038:18 | StoreValue | r1038_6 |
 | ir.cpp:1038:14:1038:14 | Address | &:r1038_5 |
 | ir.cpp:1038:14:1038:14 | Address | &:r1038_5 |
 | ir.cpp:1038:14:1038:14 | Address | &:r1038_5 |
@@ -4833,6 +4841,9 @@
 | ir.cpp:1043:24:1043:24 | SideEffect | ~m1043_20 |
 | ir.cpp:1043:31:1043:31 | Address | &:r1043_9 |
 | ir.cpp:1043:36:1043:55 | Address | &:r1043_11 |
+| ir.cpp:1043:43:1043:43 | Address | &:r1043_16 |
+| ir.cpp:1043:43:1043:43 | Arg(this) | this:r1043_16 |
+| ir.cpp:1043:43:1043:43 | SideEffect | ~m1043_20 |
 | ir.cpp:1043:43:1043:54 | Address | &:r1043_22 |
 | ir.cpp:1043:43:1043:54 | Address | &:r1043_24 |
 | ir.cpp:1043:43:1043:54 | Address | &:r1043_25 |
@@ -4853,11 +4864,8 @@
 | ir.cpp:1043:45:1043:49 | SideEffect | ~m1043_4 |
 | ir.cpp:1043:45:1043:49 | Unary | r1043_13 |
 | ir.cpp:1043:45:1043:49 | Unary | r1043_15 |
-| ir.cpp:1043:52:1043:52 | Address | &:r1043_16 |
-| ir.cpp:1043:52:1043:52 | Arg(this) | this:r1043_16 |
-| ir.cpp:1043:52:1043:52 | SideEffect | ~m1043_20 |
-| ir.cpp:1043:54:1043:54 | Load | ~m1043_20 |
-| ir.cpp:1043:54:1043:54 | Right | r1043_26 |
+| ir.cpp:1043:53:1043:53 | Load | ~m1043_20 |
+| ir.cpp:1043:53:1043:53 | Right | r1043_26 |
 | ir.cpp:1043:58:1043:58 | ChiPartial | partial:m1043_9 |
 | ir.cpp:1043:58:1043:58 | ChiTotal | total:m1043_3 |
 | ir.cpp:1043:58:1043:58 | StoreValue | r1043_8 |
@@ -4972,6 +4980,9 @@
 | ir.cpp:1047:34:1047:34 | SideEffect | ~m1047_20 |
 | ir.cpp:1047:41:1047:41 | Address | &:r1047_9 |
 | ir.cpp:1047:46:1047:65 | Address | &:r1047_11 |
+| ir.cpp:1047:53:1047:53 | Address | &:r1047_16 |
+| ir.cpp:1047:53:1047:53 | Arg(this) | this:r1047_16 |
+| ir.cpp:1047:53:1047:53 | SideEffect | ~m1047_20 |
 | ir.cpp:1047:53:1047:64 | Address | &:r1047_23 |
 | ir.cpp:1047:53:1047:64 | Load | ~m1047_20 |
 | ir.cpp:1047:53:1047:64 | StoreValue | r1047_24 |
@@ -4986,9 +4997,6 @@
 | ir.cpp:1047:55:1047:59 | SideEffect | ~m1047_4 |
 | ir.cpp:1047:55:1047:59 | Unary | r1047_13 |
 | ir.cpp:1047:55:1047:59 | Unary | r1047_15 |
-| ir.cpp:1047:62:1047:62 | Address | &:r1047_16 |
-| ir.cpp:1047:62:1047:62 | Arg(this) | this:r1047_16 |
-| ir.cpp:1047:62:1047:62 | SideEffect | ~m1047_20 |
 | ir.cpp:1047:63:1047:63 | Right | r1047_22 |
 | ir.cpp:1047:68:1047:68 | StoreValue | r1047_8 |
 | ir.cpp:1047:68:1047:68 | Unary | r1047_7 |
@@ -5097,6 +5105,9 @@
 | ir.cpp:1051:39:1051:39 | SideEffect | ~m1051_20 |
 | ir.cpp:1051:46:1051:46 | Address | &:r1051_9 |
 | ir.cpp:1051:51:1051:70 | Address | &:r1051_11 |
+| ir.cpp:1051:58:1051:58 | Address | &:r1051_16 |
+| ir.cpp:1051:58:1051:58 | Arg(this) | this:r1051_16 |
+| ir.cpp:1051:58:1051:58 | SideEffect | ~m1051_20 |
 | ir.cpp:1051:58:1051:69 | Address | &:r1051_22 |
 | ir.cpp:1051:58:1051:69 | Address | &:r1051_24 |
 | ir.cpp:1051:58:1051:69 | Address | &:r1051_26 |
@@ -5117,9 +5128,6 @@
 | ir.cpp:1051:60:1051:64 | SideEffect | ~m1051_4 |
 | ir.cpp:1051:60:1051:64 | Unary | r1051_13 |
 | ir.cpp:1051:60:1051:64 | Unary | r1051_15 |
-| ir.cpp:1051:67:1051:67 | Address | &:r1051_16 |
-| ir.cpp:1051:67:1051:67 | Arg(this) | this:r1051_16 |
-| ir.cpp:1051:67:1051:67 | SideEffect | ~m1051_20 |
 | ir.cpp:1051:73:1051:73 | ChiPartial | partial:m1051_9 |
 | ir.cpp:1051:73:1051:73 | ChiTotal | total:m1051_3 |
 | ir.cpp:1051:73:1051:73 | StoreValue | r1051_8 |
@@ -5184,6 +5192,9 @@
 | ir.cpp:1054:49:1054:49 | SideEffect | ~m1054_20 |
 | ir.cpp:1054:56:1054:56 | Address | &:r1054_9 |
 | ir.cpp:1054:61:1054:88 | Address | &:r1054_11 |
+| ir.cpp:1054:68:1054:68 | Address | &:r1054_16 |
+| ir.cpp:1054:68:1054:68 | Arg(this) | this:r1054_16 |
+| ir.cpp:1054:68:1054:68 | SideEffect | ~m1054_20 |
 | ir.cpp:1054:68:1054:87 | Address | &:r1054_37 |
 | ir.cpp:1054:68:1054:87 | Load | ~m1054_20 |
 | ir.cpp:1054:68:1054:87 | StoreValue | r1054_38 |
@@ -5198,9 +5209,6 @@
 | ir.cpp:1054:70:1054:74 | SideEffect | ~m1054_4 |
 | ir.cpp:1054:70:1054:74 | Unary | r1054_13 |
 | ir.cpp:1054:70:1054:74 | Unary | r1054_15 |
-| ir.cpp:1054:77:1054:77 | Address | &:r1054_16 |
-| ir.cpp:1054:77:1054:77 | Arg(this) | this:r1054_16 |
-| ir.cpp:1054:77:1054:77 | SideEffect | ~m1054_20 |
 | ir.cpp:1054:78:1054:82 | Address | &:r1054_22 |
 | ir.cpp:1054:78:1054:82 | Address | &:r1054_24 |
 | ir.cpp:1054:78:1054:82 | Left | r1054_25 |
@@ -8457,6 +8465,45 @@
 | ir.cpp:1815:14:1815:15 | Address | &:r1815_1 |
 | ir.cpp:1815:14:1815:15 | Load | m1813_4 |
 | ir.cpp:1815:14:1815:15 | Right | r1815_2 |
+| ir.cpp:1821:5:1821:12 | Address | &:r1821_3 |
+| ir.cpp:1821:5:1821:12 | SideEffect | ~m1821_6 |
+| ir.cpp:1821:16:1821:16 | ChiPartial | partial:m1821_5 |
+| ir.cpp:1821:16:1821:16 | ChiTotal | total:m1821_2 |
+| ir.cpp:1821:16:1821:16 | StoreValue | r1821_4 |
+| ir.cpp:1825:18:1825:25 | Address | &:r1825_3 |
+| ir.cpp:1825:18:1825:25 | Arg(this) | this:r1825_3 |
+| ir.cpp:1825:18:1825:25 | SideEffect | ~m1825_10 |
+| ir.cpp:1825:27:1825:27 | Arg(0) | 0:r1825_5 |
+| ir.cpp:1825:27:1825:28 | CallTarget | func:r1825_4 |
+| ir.cpp:1825:27:1825:28 | ChiPartial | partial:m1825_7 |
+| ir.cpp:1825:27:1825:28 | ChiPartial | partial:m1825_9 |
+| ir.cpp:1825:27:1825:28 | ChiTotal | total:m1825_2 |
+| ir.cpp:1825:27:1825:28 | ChiTotal | total:m1825_8 |
+| ir.cpp:1825:27:1825:28 | SideEffect | ~m1825_2 |
+| ir.cpp:1827:18:1827:25 | Address | &:r1827_3 |
+| ir.cpp:1827:18:1827:25 | Arg(this) | this:r1827_3 |
+| ir.cpp:1827:18:1827:25 | SideEffect | ~m1827_10 |
+| ir.cpp:1827:28:1827:47 | CallTarget | func:r1827_4 |
+| ir.cpp:1827:28:1827:47 | ChiPartial | partial:m1827_7 |
+| ir.cpp:1827:28:1827:47 | ChiPartial | partial:m1827_9 |
+| ir.cpp:1827:28:1827:47 | ChiTotal | total:m1827_2 |
+| ir.cpp:1827:28:1827:47 | ChiTotal | total:m1827_8 |
+| ir.cpp:1827:28:1827:47 | SideEffect | ~m1827_2 |
+| ir.cpp:1827:46:1827:46 | Arg(0) | 0:r1827_5 |
+| ir.cpp:1829:7:1829:19 | Address | &:r1829_3 |
+| ir.cpp:1829:7:1829:19 | SideEffect | ~m1829_8 |
+| ir.cpp:1829:23:1829:37 | ChiPartial | partial:m1829_7 |
+| ir.cpp:1829:23:1829:37 | ChiTotal | total:m1829_2 |
+| ir.cpp:1829:23:1829:37 | StoreValue | r1829_6 |
+| ir.cpp:1829:23:1829:37 | Unary | r1829_4 |
+| ir.cpp:1829:23:1829:37 | Unary | r1829_5 |
+| ir.cpp:1831:5:1831:12 | Address | &:r1831_3 |
+| ir.cpp:1831:5:1831:12 | SideEffect | ~m1831_7 |
+| ir.cpp:1831:16:1831:23 | Address | &:r1831_4 |
+| ir.cpp:1831:16:1831:23 | ChiPartial | partial:m1831_6 |
+| ir.cpp:1831:16:1831:23 | ChiTotal | total:m1831_2 |
+| ir.cpp:1831:16:1831:23 | Load | ~m1831_2 |
+| ir.cpp:1831:16:1831:23 | StoreValue | r1831_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |
@@ -8700,6 +8747,34 @@
 | smart_ptr.cpp:47:43:47:63 | SideEffect | ~m47_16 |
 | smart_ptr.cpp:47:43:47:63 | Unary | r47_5 |
 | smart_ptr.cpp:47:43:47:63 | Unary | r47_6 |
+| struct_init.cpp:9:13:9:25 | Left | r9_3 |
+| struct_init.cpp:9:13:9:25 | Left | r9_3 |
+| struct_init.cpp:9:13:9:25 | SideEffect | ~m11_10 |
+| struct_init.cpp:9:31:12:1 | Right | r9_4 |
+| struct_init.cpp:9:31:12:1 | Right | r9_6 |
+| struct_init.cpp:9:31:12:1 | Unary | r9_5 |
+| struct_init.cpp:9:31:12:1 | Unary | r9_5 |
+| struct_init.cpp:9:31:12:1 | Unary | r9_7 |
+| struct_init.cpp:9:31:12:1 | Unary | r9_7 |
+| struct_init.cpp:10:5:10:21 | Address | &:r10_1 |
+| struct_init.cpp:10:5:10:21 | Address | &:r10_6 |
+| struct_init.cpp:10:7:10:9 | ChiPartial | partial:m10_4 |
+| struct_init.cpp:10:7:10:9 | ChiTotal | total:m9_2 |
+| struct_init.cpp:10:7:10:9 | StoreValue | r10_3 |
+| struct_init.cpp:10:7:10:9 | Unary | r10_2 |
+| struct_init.cpp:10:12:10:19 | ChiPartial | partial:m10_8 |
+| struct_init.cpp:10:12:10:19 | ChiTotal | total:m10_5 |
+| struct_init.cpp:10:12:10:19 | StoreValue | r10_7 |
+| struct_init.cpp:11:5:11:22 | Address | &:r11_1 |
+| struct_init.cpp:11:5:11:22 | Address | &:r11_6 |
+| struct_init.cpp:11:7:11:9 | ChiPartial | partial:m11_4 |
+| struct_init.cpp:11:7:11:9 | ChiTotal | total:m10_9 |
+| struct_init.cpp:11:7:11:9 | StoreValue | r11_3 |
+| struct_init.cpp:11:7:11:9 | Unary | r11_2 |
+| struct_init.cpp:11:12:11:20 | ChiPartial | partial:m11_9 |
+| struct_init.cpp:11:12:11:20 | ChiTotal | total:m11_5 |
+| struct_init.cpp:11:12:11:20 | StoreValue | r11_8 |
+| struct_init.cpp:11:13:11:20 | Unary | r11_7 |
 | struct_init.cpp:16:6:16:20 | ChiPartial | partial:m16_3 |
 | struct_init.cpp:16:6:16:20 | ChiTotal | total:m16_2 |
 | struct_init.cpp:16:6:16:20 | SideEffect | ~m17_5 |

cpp/ql/test/library-tests/ir/ir/raw_consistency.expected

@@ -27,6 +27,7 @@ invalidOverlap
 nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
 thisArgumentIsNonPointer
+nonUniqueIRVariable
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -5650,6 +5650,19 @@ ir.cpp:
 # 1034|     v1034_5(void)               = AliasedUse         : ~m?
 # 1034|     v1034_6(void)               = ExitFunction       : 
 
+# 1038| (lambda [] type at line 1038, col. 12) lam
+# 1038|   Block 0
+# 1038|     v1038_1(void)                             = EnterFunction                 : 
+# 1038|     mu1038_2(unknown)                         = AliasedDefinition             : 
+# 1038|     r1038_3(glval<decltype([...](...){...})>) = VariableAddress[lam]          : 
+# 1038|     r1038_4(glval<decltype([...](...){...})>) = VariableAddress[#temp1038:12] : 
+# 1038|     mu1038_5(decltype([...](...){...}))       = Uninitialized[#temp1038:12]   : &:r1038_4
+# 1038|     r1038_6(decltype([...](...){...}))        = Load[#temp1038:12]            : &:r1038_4, ~m?
+# 1038|     mu1038_7(decltype([...](...){...}))       = Store[lam]                    : &:r1038_3, r1038_6
+# 1038|     v1038_8(void)                             = ReturnVoid                    : 
+# 1038|     v1038_9(void)                             = AliasedUse                    : ~m?
+# 1038|     v1038_10(void)                            = ExitFunction                  : 
+
 # 1038| void (lambda [] type at line 1038, col. 12)::operator()() const
 # 1038|   Block 0
 # 1038|     v1038_1(void)                              = EnterFunction                : 
@@ -9720,6 +9733,70 @@ ir.cpp:
 # 1785|     v1785_7(void)       = AliasedUse          : ~m?
 # 1785|     v1785_8(void)       = ExitFunction        : 
 
+# 1821| int global_2
+# 1821|   Block 0
+# 1821|     v1821_1(void)       = EnterFunction             : 
+# 1821|     mu1821_2(unknown)   = AliasedDefinition         : 
+# 1821|     r1821_3(glval<int>) = VariableAddress[global_2] : 
+# 1821|     r1821_4(int)        = Constant[1]               : 
+# 1821|     mu1821_5(int)       = Store[global_2]           : &:r1821_3, r1821_4
+# 1821|     v1821_6(void)       = ReturnVoid                : 
+# 1821|     v1821_7(void)       = AliasedUse                : ~m?
+# 1821|     v1821_8(void)       = ExitFunction              : 
+
+# 1825| constructor_only global_4
+# 1825|   Block 0
+# 1825|     v1825_1(void)                    = EnterFunction                     : 
+# 1825|     mu1825_2(unknown)                = AliasedDefinition                 : 
+# 1825|     r1825_3(glval<constructor_only>) = VariableAddress[global_4]         : 
+# 1825|     r1825_4(glval<unknown>)          = FunctionAddress[constructor_only] : 
+# 1825|     r1825_5(int)                     = Constant[1]                       : 
+# 1825|     v1825_6(void)                    = Call[constructor_only]            : func:r1825_4, this:r1825_3, 0:r1825_5
+# 1825|     mu1825_7(unknown)                = ^CallSideEffect                   : ~m?
+# 1825|     mu1825_8(constructor_only)       = ^IndirectMayWriteSideEffect[-1]   : &:r1825_3
+# 1825|     v1825_9(void)                    = ReturnVoid                        : 
+# 1825|     v1825_10(void)                   = AliasedUse                        : ~m?
+# 1825|     v1825_11(void)                   = ExitFunction                      : 
+
+# 1827| constructor_only global_5
+# 1827|   Block 0
+# 1827|     v1827_1(void)                    = EnterFunction                     : 
+# 1827|     mu1827_2(unknown)                = AliasedDefinition                 : 
+# 1827|     r1827_3(glval<constructor_only>) = VariableAddress[global_5]         : 
+# 1827|     r1827_4(glval<unknown>)          = FunctionAddress[constructor_only] : 
+# 1827|     r1827_5(int)                     = Constant[2]                       : 
+# 1827|     v1827_6(void)                    = Call[constructor_only]            : func:r1827_4, this:r1827_3, 0:r1827_5
+# 1827|     mu1827_7(unknown)                = ^CallSideEffect                   : ~m?
+# 1827|     mu1827_8(constructor_only)       = ^IndirectMayWriteSideEffect[-1]   : &:r1827_3
+# 1827|     v1827_9(void)                    = ReturnVoid                        : 
+# 1827|     v1827_10(void)                   = AliasedUse                        : ~m?
+# 1827|     v1827_11(void)                   = ExitFunction                      : 
+
+# 1829| char* global_string
+# 1829|   Block 0
+# 1829|     v1829_1(void)            = EnterFunction                   : 
+# 1829|     mu1829_2(unknown)        = AliasedDefinition               : 
+# 1829|     r1829_3(glval<char *>)   = VariableAddress[global_string]  : 
+# 1829|     r1829_4(glval<char[14]>) = StringConstant["global string"] : 
+# 1829|     r1829_5(char *)          = Convert                         : r1829_4
+# 1829|     r1829_6(char *)          = Convert                         : r1829_5
+# 1829|     mu1829_7(char *)         = Store[global_string]            : &:r1829_3, r1829_6
+# 1829|     v1829_8(void)            = ReturnVoid                      : 
+# 1829|     v1829_9(void)            = AliasedUse                      : ~m?
+# 1829|     v1829_10(void)           = ExitFunction                    : 
+
+# 1831| int global_6
+# 1831|   Block 0
+# 1831|     v1831_1(void)       = EnterFunction             : 
+# 1831|     mu1831_2(unknown)   = AliasedDefinition         : 
+# 1831|     r1831_3(glval<int>) = VariableAddress[global_6] : 
+# 1831|     r1831_4(glval<int>) = VariableAddress[global_2] : 
+# 1831|     r1831_5(int)        = Load[global_2]            : &:r1831_4, ~m?
+# 1831|     mu1831_6(int)       = Store[global_6]           : &:r1831_3, r1831_5
+# 1831|     v1831_7(void)       = ReturnVoid                : 
+# 1831|     v1831_8(void)       = AliasedUse                : ~m?
+# 1831|     v1831_9(void)       = ExitFunction              : 
+
 perf-regression.cpp:
 #    6| void Big::Big()
 #    6|   Block 0
@@ -9941,6 +10018,34 @@ smart_ptr.cpp:
 #   28|     v28_6(void)                                           = ExitFunction                                           : 
 
 struct_init.cpp:
+#    9| Info infos_in_file[]
+#    9|   Block 0
+#    9|     v9_1(void)              = EnterFunction                  : 
+#    9|     mu9_2(unknown)          = AliasedDefinition              : 
+#    9|     r9_3(glval<Info[]>)     = VariableAddress[infos_in_file] : 
+#    9|     r9_4(int)               = Constant[0]                    : 
+#    9|     r9_5(glval<Info>)       = PointerAdd[16]                 : r9_3, r9_4
+#   10|     r10_1(glval<char *>)    = FieldAddress[name]             : r9_5
+#   10|     r10_2(glval<char[2]>)   = StringConstant["1"]            : 
+#   10|     r10_3(char *)           = Convert                        : r10_2
+#   10|     mu10_4(char *)          = Store[?]                       : &:r10_1, r10_3
+#   10|     r10_5(glval<..(*)(..)>) = FieldAddress[handler]          : r9_5
+#   10|     r10_6(..(*)(..))        = FunctionAddress[handler1]      : 
+#   10|     mu10_7(..(*)(..))       = Store[?]                       : &:r10_5, r10_6
+#    9|     r9_6(int)               = Constant[1]                    : 
+#    9|     r9_7(glval<Info>)       = PointerAdd[16]                 : r9_3, r9_6
+#   11|     r11_1(glval<char *>)    = FieldAddress[name]             : r9_7
+#   11|     r11_2(glval<char[2]>)   = StringConstant["3"]            : 
+#   11|     r11_3(char *)           = Convert                        : r11_2
+#   11|     mu11_4(char *)          = Store[?]                       : &:r11_1, r11_3
+#   11|     r11_5(glval<..(*)(..)>) = FieldAddress[handler]          : r9_7
+#   11|     r11_6(glval<..()(..)>)  = FunctionAddress[handler2]      : 
+#   11|     r11_7(..(*)(..))        = CopyValue                      : r11_6
+#   11|     mu11_8(..(*)(..))       = Store[?]                       : &:r11_5, r11_7
+#    9|     v9_8(void)              = ReturnVoid                     : 
+#    9|     v9_9(void)              = AliasedUse                     : ~m?
+#    9|     v9_10(void)             = ExitFunction                   : 
+
 #   16| void let_info_escape(Info*)
 #   16|   Block 0
 #   16|     v16_1(void)          = EnterFunction                   :