update mapping and encoding queries according to proposal

Produced with:
```
javascript/ql$tb boost src/Security/CWE-079/StoredXss.ql XssSink
javascript/ql$ tb boost src/Security/CWE-079/XssThroughDom.ql XssSink
```

CONTRIBUTING.md

@@ -36,7 +36,7 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
     For details, see the [guide on query metadata](docs/query-metadata-style-guide.md).
 
-    Make sure the `select` statement is compatible with the query `@kind`. See [About CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/introduction-to-queries.html#select-clause) on help.semmle.com.
+    Make sure the `select` statement is compatible with the query `@kind`. See [About CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/#select-clause) on codeql.github.com.
 
 3. **Formatting**
 

benjamin-button.md

@@ -0,0 +1,51 @@
+# benjamin-buttons.md
+
+This file describes the changes that have been applied to
+the library to make it behave as if it was younger.
+
+## TaintedPath.ql
+
+Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by looking at:
+
+- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+
+Sinks added between 2018-08-02 and 2020-01-01 have been removed. Found by looking at:
+
+- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+pathinjection
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+tainted-path
+
+Sinks from the "graceful-fs" and "fs-extra" (added before the open-sourcing squash).
+
+## Xss.ql
+
+Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by looking at:
+
+- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+
+- recursive type tracking for `jQuery::dollar`, `DOM::domValueRef`.
+
+## SqlInjection.ql
+
+Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by looking at:
+
+- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-089
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+
+Sinks added between 2018-08-02 and 2020-01-01 have been removed. Found by looking at:
+
+- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-089
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sql
+
+TypeTracking in SQL.qll (added before the open-sourcing squash)
+
+The model of `mssql` and `sequelize` (added before the open-sourcing squash)
+
+## PseudoProperties
+
+Pseudo-properties (`$name$`) used in type-tracking and global dataflow configurations have been disabled.
+Found by searching for `"\$.*\$"`.

config/identical-files.json

@@ -27,7 +27,8 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll"
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll"
   ],
   "DataFlow Java/C++/C#/Python Common": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
@@ -54,7 +55,8 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttrackingforlibraries/TaintTrackingImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Consistency checks": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
@@ -480,11 +482,12 @@
     "python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll",
     "ruby/ql/lib/codeql/ruby/security/performance/ReDoSUtil.qll"
   ],
-  "ReDoS Exponential Python/JS": [
+  "ReDoS Exponential Python/JS/Ruby": [
     "javascript/ql/lib/semmle/javascript/security/performance/ExponentialBackTracking.qll",
-    "python/ql/lib/semmle/python/security/performance/ExponentialBackTracking.qll"
+    "python/ql/lib/semmle/python/security/performance/ExponentialBackTracking.qll",
+    "ruby/ql/lib/codeql/ruby/security/performance/ExponentialBackTracking.qll"
   ],
-  "ReDoS Polynomial Python/JS": [
+  "ReDoS Polynomial Python/JS/Ruby": [
     "javascript/ql/lib/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
     "python/ql/lib/semmle/python/security/performance/SuperlinearBackTracking.qll",
     "ruby/ql/lib/codeql/ruby/security/performance/SuperlinearBackTracking.qll"
@@ -515,5 +518,30 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll"
+  ],
+  "Hostname Regexp queries": [
+    "javascript/ql/src/Security/CWE-020/HostnameRegexpShared.qll",
+    "python/ql/src/Security/CWE-020/HostnameRegexpShared.qll",
+    "ruby/ql/src/queries/security/cwe-020/HostnameRegexpShared.qll"
+  ],
+  "ApiGraphModels": [
+    "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
+    "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll"
+  ],
+  "TaintedFormatStringQuery Ruby/JS": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",
+    "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll"
+  ],
+  "TaintedFormatStringCustomizations Ruby/JS": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll",
+    "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll"
+  ],
+  "HttpToFileAccessQuery JS/Ruby": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll",
+    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll"
+  ],
+  "HttpToFileAccessCustomizations JS/Ruby": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",
+    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"
   ]
 }

cpp/ql/lib/DefaultOptions.qll

@@ -54,11 +54,13 @@ class Options extends string {
    *
    * By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
    * `longjmp`, `__builtin_unreachable` and any function with a
-   * `noreturn` attribute.
+   * `noreturn` attribute or specifier.
    */
   predicate exits(Function f) {
     f.getAnAttribute().hasName("noreturn")
     or
+    f.getASpecifier().hasName("noreturn")
+    or
     f.hasGlobalOrStdName([
         "exit", "_exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
       ])

cpp/ql/lib/Options.qll

@@ -39,7 +39,7 @@ class CustomOptions extends Options {
    *
    * By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
    * `longjmp`, `error`, `__builtin_unreachable` and any function with a
-   * `noreturn` attribute.
+   * `noreturn` attribute or specifier.
    */
   override predicate exits(Function f) { Options.super.exits(f) }
 

cpp/ql/lib/change-notes/2022-03-14-c11-noreturn.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* `DefaultOptions::exits` now holds for C11 functions with the `_Noreturn` or `noreturn` specifier.

cpp/ql/lib/change-notes/2022-03-14-flow-state-barriers.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.

cpp/ql/lib/semmle/code/cpp/Specifier.qll

@@ -38,7 +38,7 @@ class FunctionSpecifier extends Specifier {
 
 /**
  * A C/C++ storage class specifier: `auto`, `register`, `static`, `extern`,
- * or `mutable".
+ * or `mutable`.
  */
 class StorageClassSpecifier extends Specifier {
   StorageClassSpecifier() { this.hasName(["auto", "register", "static", "extern", "mutable"]) }

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -94,6 +94,7 @@ class Type extends Locatable, @type {
    * The result of this predicate will be the type itself, except in the case of a TypedefType or a Decltype,
    * in which case the result will be type which results from (possibly recursively) resolving typedefs.
    */
+  pragma[nomagic]
   Type getUnderlyingType() { result = this }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation into `node` is prohibited. */
   predicate isSanitizerIn(DataFlow::Node node) { none() }
 
+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
   final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
 
   /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
     this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
    * must be taken into account in the analysis.

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation into `node` is prohibited. */
   predicate isSanitizerIn(DataFlow::Node node) { none() }
 
+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
   final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
 
   /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
     this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
    * must be taken into account in the analysis.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation into `node` is prohibited. */
   predicate isSanitizerIn(DataFlow::Node node) { none() }
 
+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
   final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
 
   /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
     this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
    * must be taken into account in the analysis.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation into `node` is prohibited. */
   predicate isSanitizerIn(DataFlow::Node node) { none() }
 
+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
   final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
 
   /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
     this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
    * must be taken into account in the analysis.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll

@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation into `node` is prohibited. */
   predicate isSanitizerIn(DataFlow::Node node) { none() }
 
+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
   final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
 
   /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
     this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
    * must be taken into account in the analysis.

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -12820,6 +12820,221 @@ ir.cpp:
 # 1668|                 Type = [IntType] int
 # 1668|                 ValueCategory = prvalue(load)
 # 1670|     getStmt(3): [ReturnStmt] return ...
+# 1672| [TopLevelFunction] void array_structured_binding_non_ref_init()
+# 1672|   <params>: 
+# 1672|   getEntryPoint(): [BlockStmt] { ... }
+# 1673|     getStmt(0): [DeclStmt] declaration
+# 1673|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of xs
+# 1673|           Type = [ArrayType] int[2]
+# 1673|         getVariable().getInitializer(): [Initializer] initializer for xs
+# 1673|           getExpr(): [ArrayAggregateLiteral] {...}
+# 1673|               Type = [ArrayType] int[2]
+# 1673|               ValueCategory = prvalue
+# 1673|             getElementExpr(0): [Literal] 1
+# 1673|                 Type = [IntType] int
+# 1673|                 Value = [Literal] 1
+# 1673|                 ValueCategory = prvalue
+# 1673|             getElementExpr(1): [Literal] 2
+# 1673|                 Type = [IntType] int
+# 1673|                 Value = [Literal] 2
+# 1673|                 ValueCategory = prvalue
+# 1674|     getStmt(1): [DeclStmt] declaration
+# 1674|       getDeclarationEntry(0): (no string representation)
+# 1674|           Type = [ArrayType] int[2]
+# 1674|         getVariable().getInitializer(): [Initializer] initializer for (unnamed local variable)
+# 1674|           getExpr(): [VariableAccess] xs
+# 1674|               Type = [ArrayType] int[2]
+# 1674|               ValueCategory = prvalue(load)
+# 1674|       getDeclarationEntry(1): [VariableDeclarationEntry] definition of x0
+# 1674|           Type = [IntType] int
+#-----|         getVariable().getInitializer(): [Initializer] initializer for x0
+#-----|           getExpr(): [ArrayExpr] access to array
+#-----|               Type = [IntType] int
+#-----|               ValueCategory = lvalue
+#-----|             getArrayBase(): [VariableAccess] (unnamed local variable)
+#-----|                 Type = [ArrayType] int[2]
+#-----|                 ValueCategory = lvalue
+#-----|             getArrayOffset(): [Literal] 0
+#-----|                 Type = [LongType] unsigned long
+#-----|                 Value = [Literal] 0
+#-----|                 ValueCategory = prvalue
+#-----|             getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#-----|                 Type = [IntPointerType] int *
+#-----|                 ValueCategory = prvalue
+# 1674|       getDeclarationEntry(2): [VariableDeclarationEntry] definition of x1
+# 1674|           Type = [IntType] int
+#-----|         getVariable().getInitializer(): [Initializer] initializer for x1
+#-----|           getExpr(): [ArrayExpr] access to array
+#-----|               Type = [IntType] int
+#-----|               ValueCategory = lvalue
+#-----|             getArrayBase(): [VariableAccess] (unnamed local variable)
+#-----|                 Type = [ArrayType] int[2]
+#-----|                 ValueCategory = lvalue
+#-----|             getArrayOffset(): [Literal] 1
+#-----|                 Type = [LongType] unsigned long
+#-----|                 Value = [Literal] 1
+#-----|                 ValueCategory = prvalue
+#-----|             getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#-----|                 Type = [IntPointerType] int *
+#-----|                 ValueCategory = prvalue
+# 1675|     getStmt(2): [ReturnStmt] return ...
+# 1677| [CopyAssignmentOperator] CapturedLambdaMyObj& CapturedLambdaMyObj::operator=(CapturedLambdaMyObj const&)
+# 1677|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const CapturedLambdaMyObj &
+# 1677| [MoveAssignmentOperator] CapturedLambdaMyObj& CapturedLambdaMyObj::operator=(CapturedLambdaMyObj&&)
+# 1677|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] CapturedLambdaMyObj &&
+# 1677| [CopyConstructor] void CapturedLambdaMyObj::CapturedLambdaMyObj(CapturedLambdaMyObj const&)
+# 1677|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const CapturedLambdaMyObj &
+# 1677| [MoveConstructor] void CapturedLambdaMyObj::CapturedLambdaMyObj(CapturedLambdaMyObj&&)
+# 1677|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] CapturedLambdaMyObj &&
+# 1680| [Constructor] void CapturedLambdaMyObj::CapturedLambdaMyObj()
+# 1680|   <params>: 
+# 1680|   <initializations>: 
+# 1680|   getEntryPoint(): [BlockStmt] { ... }
+# 1680|     getStmt(0): [ReturnStmt] return ...
+# 1683| [TopLevelFunction] void captured_lambda(int, int&, int&&)
+# 1683|   <params>: 
+# 1683|     getParameter(0): [Parameter] x
+# 1683|         Type = [IntType] int
+# 1683|     getParameter(1): [Parameter] y
+# 1683|         Type = [LValueReferenceType] int &
+# 1683|     getParameter(2): [Parameter] z
+# 1683|         Type = [RValueReferenceType] int &&
+# 1684|   getEntryPoint(): [BlockStmt] { ... }
+# 1685|     getStmt(0): [DeclStmt] declaration
+# 1685|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of obj1
+# 1685|           Type = [LValueReferenceType] const CapturedLambdaMyObj &
+# 1685|         getVariable().getInitializer(): [Initializer] initializer for obj1
+# 1685|           getExpr(): [ConstructorCall] call to CapturedLambdaMyObj
+# 1685|               Type = [VoidType] void
+# 1685|               ValueCategory = prvalue
+# 1685|           getExpr().getFullyConverted(): [ReferenceToExpr] (reference to)
+# 1685|               Type = [LValueReferenceType] const CapturedLambdaMyObj &
+# 1685|               ValueCategory = prvalue
+# 1685|             getExpr(): [CStyleCast] (const CapturedLambdaMyObj)...
+# 1685|                 Conversion = [GlvalueConversion] glvalue conversion
+# 1685|                 Type = [SpecifiedType] const CapturedLambdaMyObj
+# 1685|                 ValueCategory = lvalue
+# 1685|               getExpr(): [TemporaryObjectExpr] temporary object
+# 1685|                   Type = [Class] CapturedLambdaMyObj
+# 1685|                   ValueCategory = lvalue
+# 1686|     getStmt(1): [DeclStmt] declaration
+# 1686|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of obj2
+# 1686|           Type = [Class] CapturedLambdaMyObj
+# 1686|         getVariable().getInitializer(): [Initializer] initializer for obj2
+# 1686|           getExpr(): [ConstructorCall] call to CapturedLambdaMyObj
+# 1686|               Type = [VoidType] void
+# 1686|               ValueCategory = prvalue
+# 1688|     getStmt(2): [DeclStmt] declaration
+# 1688|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of lambda_outer
+# 1688|           Type = [Closure,LocalClass] decltype([...](...){...})
+# 1688|         getVariable().getInitializer(): [Initializer] initializer for lambda_outer
+# 1688|           getExpr(): [LambdaExpression] [...](...){...}
+# 1688|               Type = [Closure,LocalClass] decltype([...](...){...})
+# 1688|               ValueCategory = prvalue
+# 1688|             getInitializer(): [ClassAggregateLiteral] {...}
+# 1688|                 Type = [Closure,LocalClass] decltype([...](...){...})
+# 1688|                 ValueCategory = prvalue
+# 1688|               getFieldExpr(obj1): [Literal] Unknown literal
+# 1688|                   Type = [SpecifiedType] const CapturedLambdaMyObj
+# 1688|                   ValueCategory = prvalue
+# 1688|               getFieldExpr(obj2): [Literal] Unknown literal
+# 1688|                   Type = [Class] CapturedLambdaMyObj
+# 1688|                   ValueCategory = prvalue
+# 1688|               getFieldExpr(x): [VariableAccess] x
+# 1688|                   Type = [IntType] int
+# 1688|                   ValueCategory = prvalue(load)
+# 1688|               getFieldExpr(y): [VariableAccess] y
+# 1688|                   Type = [LValueReferenceType] int &
+# 1688|                   ValueCategory = prvalue(load)
+# 1688|               getFieldExpr(z): [VariableAccess] z
+# 1688|                   Type = [RValueReferenceType] int &&
+# 1688|                   ValueCategory = prvalue(load)
+# 1690|               getFieldExpr(y).getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
+# 1690|                   Type = [IntType] int
+# 1690|                   ValueCategory = prvalue(load)
+# 1690|               getFieldExpr(z).getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
+# 1690|                   Type = [IntType] int
+# 1690|                   ValueCategory = prvalue(load)
+# 1691|     getStmt(3): [ReturnStmt] return ...
+# 1688| [CopyAssignmentOperator] (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)& (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator=((void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25) const&)
+# 1688|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const lambda [] type at line 1688, col. 25 &
+# 1688| [CopyConstructor] void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::(unnamed constructor)((void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25) const&)
+# 1688|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const lambda [] type at line 1688, col. 25 &
+# 1688| [MoveConstructor] void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::(unnamed constructor)((void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)&&)
+# 1688|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] lambda [] type at line 1688, col. 25 &&
+# 1688| [Constructor] void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::(unnamed constructor)()
+# 1688|   <params>: 
+# 1688| [ConstMemberFunction] void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const
+# 1688|   <params>: 
+# 1688|   getEntryPoint(): [BlockStmt] { ... }
+# 1689|     getStmt(0): [DeclStmt] declaration
+# 1689|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of lambda_inner
+# 1689|           Type = [Closure,LocalClass] decltype([...](...){...})
+# 1689|         getVariable().getInitializer(): [Initializer] initializer for lambda_inner
+# 1689|           getExpr(): [LambdaExpression] [...](...){...}
+# 1689|               Type = [Closure,LocalClass] decltype([...](...){...})
+# 1689|               ValueCategory = prvalue
+# 1689|             getInitializer(): [ClassAggregateLiteral] {...}
+# 1689|                 Type = [Closure,LocalClass] decltype([...](...){...})
+# 1689|                 ValueCategory = prvalue
+# 1689|               getFieldExpr(obj1): [Literal] Unknown literal
+# 1689|                   Type = [SpecifiedType] const CapturedLambdaMyObj
+# 1689|                   ValueCategory = prvalue
+# 1689|               getFieldExpr(obj2): [Literal] Unknown literal
+# 1689|                   Type = [Class] CapturedLambdaMyObj
+# 1689|                   ValueCategory = prvalue
+# 1689|               getFieldExpr(x): [PointerFieldAccess] x
+# 1689|                   Type = [IntType] int
+# 1689|                   ValueCategory = prvalue(load)
+# 1689|                 getQualifier(): [ThisExpr] this
+# 1689|                     Type = [PointerType] const lambda [] type at line 1688, col. 25 *
+# 1689|                     ValueCategory = prvalue(load)
+# 1689|               getFieldExpr(y): [PointerFieldAccess] y
+# 1689|                   Type = [IntType] int
+# 1689|                   ValueCategory = prvalue(load)
+# 1689|                 getQualifier(): [ThisExpr] this
+# 1689|                     Type = [PointerType] const lambda [] type at line 1688, col. 25 *
+# 1689|                     ValueCategory = prvalue(load)
+# 1689|               getFieldExpr(z): [PointerFieldAccess] z
+# 1689|                   Type = [IntType] int
+# 1689|                   ValueCategory = prvalue(load)
+# 1689|                 getQualifier(): [ThisExpr] this
+# 1689|                     Type = [PointerType] const lambda [] type at line 1688, col. 25 *
+# 1689|                     ValueCategory = prvalue(load)
+# 1690|     getStmt(1): [ReturnStmt] return ...
+# 1689| [CopyAssignmentOperator] (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)& (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)::operator=((void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29) const&)
+# 1689|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const lambda [] type at line 1689, col. 29 &
+# 1689| [CopyConstructor] void (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)::(unnamed constructor)((void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29) const&)
+# 1689|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const lambda [] type at line 1689, col. 29 &
+# 1689| [MoveConstructor] void (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)::(unnamed constructor)((void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)&&)
+# 1689|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] lambda [] type at line 1689, col. 29 &&
+# 1689| [Constructor] void (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)::(unnamed constructor)()
+# 1689|   <params>: 
+# 1689| [ConstMemberFunction] void (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)::operator()() const
+# 1689|   <params>: 
+# 1689|   getEntryPoint(): [BlockStmt] { ... }
+# 1689|     getStmt(0): [EmptyStmt] ;
+# 1689|     getStmt(1): [ReturnStmt] return ...
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
 #    4|   <params>: 

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected

@@ -6,6 +6,8 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected

@@ -6,6 +6,8 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction

cpp/ql/test/library-tests/ir/ir/ir.cpp

@@ -1669,4 +1669,25 @@ void tuple_structured_binding_no_ref_get() {
     }
 }
 
+void array_structured_binding_non_ref_init() {
+    int xs[2] = {1, 2};
+    auto [x0, x1] = xs;
+}
+
+class CapturedLambdaMyObj
+{
+public:
+    CapturedLambdaMyObj() {}
+};
+
+void captured_lambda(int x, int &y, int &&z)
+{
+    const auto &obj1 = CapturedLambdaMyObj();
+    auto obj2 = CapturedLambdaMyObj();
+
+    auto lambda_outer = [obj1, obj2, x, y, z](){
+        auto lambda_inner = [obj1, obj2, x, y, z](){;};
+    };
+}
+
 // semmle-extractor-options: -std=c++17 --clang

cpp/ql/test/library-tests/ir/ir/operand_locations.expected

@@ -684,7 +684,9 @@
 | file://:0:0:0:0 | ChiTotal | total:m763_8 |
 | file://:0:0:0:0 | ChiTotal | total:m1043_10 |
 | file://:0:0:0:0 | ChiTotal | total:m1240_4 |
+| file://:0:0:0:0 | Left | r0_2 |
 | file://:0:0:0:0 | Left | r0_4 |
+| file://:0:0:0:0 | Left | r0_7 |
 | file://:0:0:0:0 | Left | r0_11 |
 | file://:0:0:0:0 | Load | m0_2 |
 | file://:0:0:0:0 | Load | m0_2 |
@@ -696,7 +698,9 @@
 | file://:0:0:0:0 | Load | m1466_4 |
 | file://:0:0:0:0 | Load | m1466_4 |
 | file://:0:0:0:0 | Load | ~m1444_6 |
+| file://:0:0:0:0 | Right | r0_3 |
 | file://:0:0:0:0 | Right | r0_5 |
+| file://:0:0:0:0 | Right | r0_8 |
 | file://:0:0:0:0 | Right | r0_12 |
 | file://:0:0:0:0 | SideEffect | m0_4 |
 | file://:0:0:0:0 | SideEffect | m0_4 |
@@ -726,12 +730,15 @@
 | file://:0:0:0:0 | StoreValue | r0_1 |
 | file://:0:0:0:0 | StoreValue | r0_1 |
 | file://:0:0:0:0 | StoreValue | r0_3 |
+| file://:0:0:0:0 | StoreValue | r0_4 |
 | file://:0:0:0:0 | StoreValue | r0_6 |
+| file://:0:0:0:0 | StoreValue | r0_9 |
 | file://:0:0:0:0 | StoreValue | r0_13 |
 | file://:0:0:0:0 | StoreValue | r0_13 |
 | file://:0:0:0:0 | StoreValue | r0_22 |
 | file://:0:0:0:0 | StoreValue | r0_22 |
 | file://:0:0:0:0 | Unary | r0_1 |
+| file://:0:0:0:0 | Unary | r0_1 |
 | file://:0:0:0:0 | Unary | r0_2 |
 | file://:0:0:0:0 | Unary | r0_3 |
 | file://:0:0:0:0 | Unary | r0_5 |
@@ -739,6 +746,7 @@
 | file://:0:0:0:0 | Unary | r0_6 |
 | file://:0:0:0:0 | Unary | r0_6 |
 | file://:0:0:0:0 | Unary | r0_6 |
+| file://:0:0:0:0 | Unary | r0_6 |
 | file://:0:0:0:0 | Unary | r0_7 |
 | file://:0:0:0:0 | Unary | r0_7 |
 | file://:0:0:0:0 | Unary | r0_7 |
@@ -7436,6 +7444,89 @@
 | ir.cpp:1668:17:1668:17 | Load | m1661_14 |
 | ir.cpp:1668:17:1668:17 | Load | ~m1666_6 |
 | ir.cpp:1668:17:1668:17 | StoreValue | r1668_4 |
+| ir.cpp:1672:6:1672:42 | ChiPartial | partial:m1672_3 |
+| ir.cpp:1672:6:1672:42 | ChiTotal | total:m1672_2 |
+| ir.cpp:1672:6:1672:42 | SideEffect | m1672_3 |
+| ir.cpp:1673:9:1673:10 | Address | &:r1673_1 |
+| ir.cpp:1673:9:1673:10 | Left | r1673_1 |
+| ir.cpp:1673:9:1673:10 | Left | r1673_1 |
+| ir.cpp:1673:16:1673:22 | Address | &:r1673_4 |
+| ir.cpp:1673:16:1673:22 | Address | &:r1673_9 |
+| ir.cpp:1673:16:1673:22 | Right | r1673_3 |
+| ir.cpp:1673:16:1673:22 | Right | r1673_8 |
+| ir.cpp:1673:18:1673:18 | ChiPartial | partial:m1673_6 |
+| ir.cpp:1673:18:1673:18 | ChiTotal | total:m1673_2 |
+| ir.cpp:1673:18:1673:18 | StoreValue | r1673_5 |
+| ir.cpp:1673:21:1673:21 | ChiPartial | partial:m1673_11 |
+| ir.cpp:1673:21:1673:21 | ChiTotal | total:m1673_7 |
+| ir.cpp:1673:21:1673:21 | StoreValue | r1673_10 |
+| ir.cpp:1674:10:1674:10 | Address | &:r1674_1 |
+| ir.cpp:1674:11:1674:11 | Address | &:r1674_5 |
+| ir.cpp:1674:15:1674:15 | Address | &:r1674_6 |
+| ir.cpp:1674:21:1674:22 | Address | &:r1674_2 |
+| ir.cpp:1674:21:1674:22 | Load | m1673_12 |
+| ir.cpp:1674:21:1674:22 | StoreValue | r1674_3 |
+| ir.cpp:1680:5:1680:23 | Address | &:r1680_5 |
+| ir.cpp:1680:5:1680:23 | Address | &:r1680_5 |
+| ir.cpp:1680:5:1680:23 | Address | &:r1680_7 |
+| ir.cpp:1680:5:1680:23 | Address | &:r1680_7 |
+| ir.cpp:1680:5:1680:23 | ChiPartial | partial:m1680_3 |
+| ir.cpp:1680:5:1680:23 | ChiTotal | total:m1680_2 |
+| ir.cpp:1680:5:1680:23 | Load | m1680_6 |
+| ir.cpp:1680:5:1680:23 | SideEffect | m1680_3 |
+| ir.cpp:1680:5:1680:23 | SideEffect | m1680_8 |
+| ir.cpp:1683:6:1683:20 | ChiPartial | partial:m1683_3 |
+| ir.cpp:1683:6:1683:20 | ChiTotal | total:m1683_2 |
+| ir.cpp:1683:26:1683:26 | Address | &:r1683_5 |
+| ir.cpp:1683:34:1683:34 | Address | &:r1683_7 |
+| ir.cpp:1683:34:1683:34 | Address | &:r1683_7 |
+| ir.cpp:1683:34:1683:34 | Address | &:r1683_9 |
+| ir.cpp:1683:34:1683:34 | Load | m1683_8 |
+| ir.cpp:1683:43:1683:43 | Address | &:r1683_11 |
+| ir.cpp:1683:43:1683:43 | Address | &:r1683_11 |
+| ir.cpp:1683:43:1683:43 | Address | &:r1683_13 |
+| ir.cpp:1683:43:1683:43 | Load | m1683_12 |
+| ir.cpp:1685:17:1685:20 | Address | &:r1685_1 |
+| ir.cpp:1685:24:1685:44 | Address | &:r1685_2 |
+| ir.cpp:1685:24:1685:44 | Address | &:r1685_2 |
+| ir.cpp:1685:24:1685:44 | Arg(this) | this:r1685_2 |
+| ir.cpp:1685:24:1685:44 | CallTarget | func:r1685_4 |
+| ir.cpp:1685:24:1685:44 | ChiPartial | partial:m1685_6 |
+| ir.cpp:1685:24:1685:44 | ChiPartial | partial:m1685_8 |
+| ir.cpp:1685:24:1685:44 | ChiTotal | total:m1683_4 |
+| ir.cpp:1685:24:1685:44 | ChiTotal | total:m1685_3 |
+| ir.cpp:1685:24:1685:44 | SideEffect | ~m1683_4 |
+| ir.cpp:1685:24:1685:44 | StoreValue | r1685_11 |
+| ir.cpp:1685:24:1685:44 | Unary | r1685_2 |
+| ir.cpp:1685:24:1685:44 | Unary | r1685_10 |
+| ir.cpp:1686:10:1686:13 | Address | &:r1686_1 |
+| ir.cpp:1686:10:1686:13 | Address | &:r1686_1 |
+| ir.cpp:1686:10:1686:13 | Arg(this) | this:r1686_1 |
+| ir.cpp:1686:16:1686:37 | CallTarget | func:r1686_3 |
+| ir.cpp:1686:16:1686:37 | ChiPartial | partial:m1686_5 |
+| ir.cpp:1686:16:1686:37 | ChiPartial | partial:m1686_7 |
+| ir.cpp:1686:16:1686:37 | ChiTotal | total:m1685_7 |
+| ir.cpp:1686:16:1686:37 | ChiTotal | total:m1686_2 |
+| ir.cpp:1686:16:1686:37 | SideEffect | ~m1685_7 |
+| ir.cpp:1688:24:1690:5 | Address | &:r1688_2 |
+| ir.cpp:1688:24:1690:5 | Unary | r1688_2 |
+| ir.cpp:1688:46:1688:46 | Address | &:r1688_5 |
+| ir.cpp:1688:46:1688:46 | Address | &:r1688_5 |
+| ir.cpp:1688:46:1688:46 | Address | &:r1688_7 |
+| ir.cpp:1688:46:1688:46 | ChiPartial | partial:m1688_3 |
+| ir.cpp:1688:46:1688:46 | ChiTotal | total:m1688_2 |
+| ir.cpp:1688:46:1688:46 | Load | m1688_6 |
+| ir.cpp:1689:28:1689:54 | Address | &:r1689_2 |
+| ir.cpp:1689:28:1689:54 | Unary | r1689_2 |
+| ir.cpp:1689:50:1689:50 | Address | &:r1689_5 |
+| ir.cpp:1689:50:1689:50 | Address | &:r1689_5 |
+| ir.cpp:1689:50:1689:50 | Address | &:r1689_7 |
+| ir.cpp:1689:50:1689:50 | Address | &:r1689_7 |
+| ir.cpp:1689:50:1689:50 | ChiPartial | partial:m1689_3 |
+| ir.cpp:1689:50:1689:50 | ChiTotal | total:m1689_2 |
+| ir.cpp:1689:50:1689:50 | Load | m1689_6 |
+| ir.cpp:1689:50:1689:50 | SideEffect | m1689_3 |
+| ir.cpp:1689:50:1689:50 | SideEffect | m1689_8 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |

cpp/ql/test/library-tests/ir/ir/raw_consistency.expected

@@ -1,4 +1,8 @@
 missingOperand
+| ir.cpp:1688:24:1690:5 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1689:28:1689:54 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 unexpectedOperand
 duplicateOperand
 missingPhiOperand
@@ -7,6 +11,10 @@ duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
 | ../../../include/memory.h:68:25:68:33 | CopyValue: (reference to) | Instruction 'CopyValue: (reference to)' has no successors in function '$@'. | ../../../include/memory.h:67:5:67:5 | void std::unique_ptr<int, std::default_delete<int>>::~unique_ptr() | void std::unique_ptr<int, std::default_delete<int>>::~unique_ptr() |
+| ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
@@ -18,6 +26,25 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 | ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
+| ir.cpp:1683:34:1683:34 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1683:43:1683:43 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:10:1688:21 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:24:1690:5 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1688:46:1688:46 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:14:1689:25 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
+| ir.cpp:1689:28:1689:54 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 switchInstructionWithoutDefaultEdge
 notMarkedAsConflated
 wronglyMarkedAsConflated

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -8664,6 +8664,184 @@ ir.cpp:
 # 1645|     v1645_5(void)                                     = AliasedUse                                      : ~m?
 # 1645|     v1645_6(void)                                     = ExitFunction                                    : 
 
+# 1672| void array_structured_binding_non_ref_init()
+# 1672|   Block 0
+# 1672|     v1672_1(void)          = EnterFunction                             : 
+# 1672|     mu1672_2(unknown)      = AliasedDefinition                         : 
+# 1672|     mu1672_3(unknown)      = InitializeNonLocal                        : 
+# 1673|     r1673_1(glval<int[2]>) = VariableAddress[xs]                       : 
+# 1673|     mu1673_2(int[2])       = Uninitialized[xs]                         : &:r1673_1
+# 1673|     r1673_3(int)           = Constant[0]                               : 
+# 1673|     r1673_4(glval<int>)    = PointerAdd[4]                             : r1673_1, r1673_3
+# 1673|     r1673_5(int)           = Constant[1]                               : 
+# 1673|     mu1673_6(int)          = Store[?]                                  : &:r1673_4, r1673_5
+# 1673|     r1673_7(int)           = Constant[1]                               : 
+# 1673|     r1673_8(glval<int>)    = PointerAdd[4]                             : r1673_1, r1673_7
+# 1673|     r1673_9(int)           = Constant[2]                               : 
+# 1673|     mu1673_10(int)         = Store[?]                                  : &:r1673_8, r1673_9
+# 1674|     r1674_1(glval<int[2]>) = VariableAddress[(unnamed local variable)] : 
+# 1674|     r1674_2(glval<int[2]>) = VariableAddress[xs]                       : 
+# 1674|     r1674_3(int[2])        = Load[xs]                                  : &:r1674_2, ~m?
+# 1674|     mu1674_4(int[2])       = Store[(unnamed local variable)]           : &:r1674_1, r1674_3
+# 1674|     r1674_5(glval<int &>)  = VariableAddress[x0]                       : 
+#-----|     r0_1(glval<int[2]>)    = VariableAddress[(unnamed local variable)] : 
+#-----|     r0_2(int *)            = Convert                                   : r0_1
+#-----|     r0_3(unsigned long)    = Constant[0]                               : 
+#-----|     r0_4(glval<int>)       = PointerAdd[4]                             : r0_2, r0_3
+#-----|     mu0_5(int &)           = Store[x0]                                 : &:r1674_5, r0_4
+# 1674|     r1674_6(glval<int &>)  = VariableAddress[x1]                       : 
+#-----|     r0_6(glval<int[2]>)    = VariableAddress[(unnamed local variable)] : 
+#-----|     r0_7(int *)            = Convert                                   : r0_6
+#-----|     r0_8(unsigned long)    = Constant[1]                               : 
+#-----|     r0_9(glval<int>)       = PointerAdd[4]                             : r0_7, r0_8
+#-----|     mu0_10(int &)          = Store[x1]                                 : &:r1674_6, r0_9
+# 1675|     v1675_1(void)          = NoOp                                      : 
+# 1672|     v1672_4(void)          = ReturnVoid                                : 
+# 1672|     v1672_5(void)          = AliasedUse                                : ~m?
+# 1672|     v1672_6(void)          = ExitFunction                              : 
+
+# 1680| void CapturedLambdaMyObj::CapturedLambdaMyObj()
+# 1680|   Block 0
+# 1680|     v1680_1(void)                        = EnterFunction                : 
+# 1680|     mu1680_2(unknown)                    = AliasedDefinition            : 
+# 1680|     mu1680_3(unknown)                    = InitializeNonLocal           : 
+# 1680|     r1680_4(glval<unknown>)              = VariableAddress[#this]       : 
+# 1680|     mu1680_5(glval<CapturedLambdaMyObj>) = InitializeParameter[#this]   : &:r1680_4
+# 1680|     r1680_6(glval<CapturedLambdaMyObj>)  = Load[#this]                  : &:r1680_4, ~m?
+# 1680|     mu1680_7(CapturedLambdaMyObj)        = InitializeIndirection[#this] : &:r1680_6
+# 1680|     v1680_8(void)                        = NoOp                         : 
+# 1680|     v1680_9(void)                        = ReturnIndirection[#this]     : &:r1680_6, ~m?
+# 1680|     v1680_10(void)                       = ReturnVoid                   : 
+# 1680|     v1680_11(void)                       = AliasedUse                   : ~m?
+# 1680|     v1680_12(void)                       = ExitFunction                 : 
+
+# 1683| void captured_lambda(int, int&, int&&)
+# 1683|   Block 0
+# 1683|     v1683_1(void)                             = EnterFunction                        : 
+# 1683|     mu1683_2(unknown)                         = AliasedDefinition                    : 
+# 1683|     mu1683_3(unknown)                         = InitializeNonLocal                   : 
+# 1683|     r1683_4(glval<int>)                       = VariableAddress[x]                   : 
+# 1683|     mu1683_5(int)                             = InitializeParameter[x]               : &:r1683_4
+# 1683|     r1683_6(glval<int &>)                     = VariableAddress[y]                   : 
+# 1683|     mu1683_7(int &)                           = InitializeParameter[y]               : &:r1683_6
+# 1683|     r1683_8(int &)                            = Load[y]                              : &:r1683_6, ~m?
+# 1683|     mu1683_9(unknown)                         = InitializeIndirection[y]             : &:r1683_8
+# 1683|     r1683_10(glval<int &&>)                   = VariableAddress[z]                   : 
+# 1683|     mu1683_11(int &&)                         = InitializeParameter[z]               : &:r1683_10
+# 1683|     r1683_12(int &&)                          = Load[z]                              : &:r1683_10, ~m?
+# 1683|     mu1683_13(unknown)                        = InitializeIndirection[z]             : &:r1683_12
+# 1685|     r1685_1(glval<CapturedLambdaMyObj &>)     = VariableAddress[obj1]                : 
+# 1685|     r1685_2(glval<CapturedLambdaMyObj>)       = VariableAddress[#temp1685:24]        : 
+# 1685|     mu1685_3(CapturedLambdaMyObj)             = Uninitialized[#temp1685:24]          : &:r1685_2
+# 1685|     r1685_4(glval<unknown>)                   = FunctionAddress[CapturedLambdaMyObj] : 
+# 1685|     v1685_5(void)                             = Call[CapturedLambdaMyObj]            : func:r1685_4, this:r1685_2
+# 1685|     mu1685_6(unknown)                         = ^CallSideEffect                      : ~m?
+# 1685|     mu1685_7(CapturedLambdaMyObj)             = ^IndirectMayWriteSideEffect[-1]      : &:r1685_2
+# 1685|     r1685_8(glval<CapturedLambdaMyObj>)       = Convert                              : r1685_2
+# 1685|     r1685_9(CapturedLambdaMyObj &)            = CopyValue                            : r1685_8
+# 1685|     mu1685_10(CapturedLambdaMyObj &)          = Store[obj1]                          : &:r1685_1, r1685_9
+# 1686|     r1686_1(glval<CapturedLambdaMyObj>)       = VariableAddress[obj2]                : 
+# 1686|     mu1686_2(CapturedLambdaMyObj)             = Uninitialized[obj2]                  : &:r1686_1
+# 1686|     r1686_3(glval<unknown>)                   = FunctionAddress[CapturedLambdaMyObj] : 
+# 1686|     v1686_4(void)                             = Call[CapturedLambdaMyObj]            : func:r1686_3, this:r1686_1
+# 1686|     mu1686_5(unknown)                         = ^CallSideEffect                      : ~m?
+# 1686|     mu1686_6(CapturedLambdaMyObj)             = ^IndirectMayWriteSideEffect[-1]      : &:r1686_1
+# 1688|     r1688_1(glval<decltype([...](...){...})>) = VariableAddress[lambda_outer]        : 
+# 1688|     r1688_2(glval<decltype([...](...){...})>) = VariableAddress[#temp1688:24]        : 
+# 1688|     mu1688_3(decltype([...](...){...}))       = Uninitialized[#temp1688:24]          : &:r1688_2
+# 1688|     r1688_4(glval<CapturedLambdaMyObj>)       = FieldAddress[obj1]                   : r1688_2
+
+# 1688|   Block 1
+# 1688|     mu1688_5(CapturedLambdaMyObj)       = Store[?]           : &:r1688_4
+# 1688|     r1688_6(glval<CapturedLambdaMyObj>) = FieldAddress[obj2] : r1688_2
+
+# 1688|   Block 2
+# 1688|     mu1688_7(CapturedLambdaMyObj)        = Store[?]             : &:r1688_6
+# 1688|     r1688_8(glval<int>)                  = FieldAddress[x]      : r1688_2
+# 1688|     r1688_9(glval<int>)                  = VariableAddress[x]   : 
+# 1688|     r1688_10(int)                        = Load[x]              : &:r1688_9, ~m?
+# 1688|     mu1688_11(int)                       = Store[?]             : &:r1688_8, r1688_10
+# 1688|     r1688_12(glval<int>)                 = FieldAddress[y]      : r1688_2
+# 1688|     r1688_13(glval<int &>)               = VariableAddress[y]   : 
+# 1688|     r1688_14(int &)                      = Load[y]              : &:r1688_13, ~m?
+# 1690|     r1690_1(int)                         = Load[?]              : &:r1688_14, ~m?
+# 1690|     mu1690_2(int)                        = Store[?]             : &:r1688_12, r1690_1
+# 1688|     r1688_15(glval<int>)                 = FieldAddress[z]      : r1688_2
+# 1688|     r1688_16(glval<int &&>)              = VariableAddress[z]   : 
+# 1688|     r1688_17(int &&)                     = Load[z]              : &:r1688_16, ~m?
+# 1690|     r1690_3(int)                         = Load[?]              : &:r1688_17, ~m?
+# 1690|     mu1690_4(int)                        = Store[?]             : &:r1688_15, r1690_3
+# 1688|     r1688_18(decltype([...](...){...}))  = Load[#temp1688:24]   : &:r1688_2, ~m?
+# 1688|     mu1688_19(decltype([...](...){...})) = Store[lambda_outer]  : &:r1688_1, r1688_18
+# 1691|     v1691_1(void)                        = NoOp                 : 
+# 1683|     v1683_14(void)                       = ReturnIndirection[y] : &:r1683_8, ~m?
+# 1683|     v1683_15(void)                       = ReturnIndirection[z] : &:r1683_12, ~m?
+# 1683|     v1683_16(void)                       = ReturnVoid           : 
+# 1683|     v1683_17(void)                       = AliasedUse           : ~m?
+# 1683|     v1683_18(void)                       = ExitFunction         : 
+
+# 1688| void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const
+# 1688|   Block 0
+# 1688|     v1688_1(void)                              = EnterFunction                 : 
+# 1688|     mu1688_2(unknown)                          = AliasedDefinition             : 
+# 1688|     mu1688_3(unknown)                          = InitializeNonLocal            : 
+# 1688|     r1688_4(glval<unknown>)                    = VariableAddress[#this]        : 
+# 1688|     mu1688_5(glval<decltype([...](...){...})>) = InitializeParameter[#this]    : &:r1688_4
+# 1688|     r1688_6(glval<decltype([...](...){...})>)  = Load[#this]                   : &:r1688_4, ~m?
+# 1688|     mu1688_7(decltype([...](...){...}))        = InitializeIndirection[#this]  : &:r1688_6
+# 1689|     r1689_1(glval<decltype([...](...){...})>)  = VariableAddress[lambda_inner] : 
+# 1689|     r1689_2(glval<decltype([...](...){...})>)  = VariableAddress[#temp1689:28] : 
+# 1689|     mu1689_3(decltype([...](...){...}))        = Uninitialized[#temp1689:28]   : &:r1689_2
+# 1689|     r1689_4(glval<CapturedLambdaMyObj>)        = FieldAddress[obj1]            : r1689_2
+
+# 1689|   Block 1
+# 1689|     mu1689_5(CapturedLambdaMyObj)       = Store[?]           : &:r1689_4
+# 1689|     r1689_6(glval<CapturedLambdaMyObj>) = FieldAddress[obj2] : r1689_2
+
+# 1689|   Block 2
+# 1689|     mu1689_7(CapturedLambdaMyObj)                    = Store[?]                 : &:r1689_6
+# 1689|     r1689_8(glval<int>)                              = FieldAddress[x]          : r1689_2
+# 1689|     r1689_9(glval<unknown>)                          = VariableAddress[#this]   : 
+# 1689|     r1689_10(lambda [] type at line 1688, col. 25 *) = Load[#this]              : &:r1689_9, ~m?
+# 1689|     r1689_11(glval<int>)                             = FieldAddress[x]          : r1689_10
+# 1689|     r1689_12(int)                                    = Load[?]                  : &:r1689_11, ~m?
+# 1689|     mu1689_13(int)                                   = Store[?]                 : &:r1689_8, r1689_12
+# 1689|     r1689_14(glval<int>)                             = FieldAddress[y]          : r1689_2
+# 1689|     r1689_15(glval<unknown>)                         = VariableAddress[#this]   : 
+# 1689|     r1689_16(lambda [] type at line 1688, col. 25 *) = Load[#this]              : &:r1689_15, ~m?
+# 1689|     r1689_17(glval<int>)                             = FieldAddress[y]          : r1689_16
+# 1689|     r1689_18(int)                                    = Load[?]                  : &:r1689_17, ~m?
+# 1689|     mu1689_19(int)                                   = Store[?]                 : &:r1689_14, r1689_18
+# 1689|     r1689_20(glval<int>)                             = FieldAddress[z]          : r1689_2
+# 1689|     r1689_21(glval<unknown>)                         = VariableAddress[#this]   : 
+# 1689|     r1689_22(lambda [] type at line 1688, col. 25 *) = Load[#this]              : &:r1689_21, ~m?
+# 1689|     r1689_23(glval<int>)                             = FieldAddress[z]          : r1689_22
+# 1689|     r1689_24(int)                                    = Load[?]                  : &:r1689_23, ~m?
+# 1689|     mu1689_25(int)                                   = Store[?]                 : &:r1689_20, r1689_24
+# 1689|     r1689_26(decltype([...](...){...}))              = Load[#temp1689:28]       : &:r1689_2, ~m?
+# 1689|     mu1689_27(decltype([...](...){...}))             = Store[lambda_inner]      : &:r1689_1, r1689_26
+# 1690|     v1690_1(void)                                    = NoOp                     : 
+# 1688|     v1688_8(void)                                    = ReturnIndirection[#this] : &:r1688_6, ~m?
+# 1688|     v1688_9(void)                                    = ReturnVoid               : 
+# 1688|     v1688_10(void)                                   = AliasedUse               : ~m?
+# 1688|     v1688_11(void)                                   = ExitFunction             : 
+
+# 1689| void (void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const)::(lambda [] type at line 1689, col. 29)::operator()() const
+# 1689|   Block 0
+# 1689|     v1689_1(void)                              = EnterFunction                : 
+# 1689|     mu1689_2(unknown)                          = AliasedDefinition            : 
+# 1689|     mu1689_3(unknown)                          = InitializeNonLocal           : 
+# 1689|     r1689_4(glval<unknown>)                    = VariableAddress[#this]       : 
+# 1689|     mu1689_5(glval<decltype([...](...){...})>) = InitializeParameter[#this]   : &:r1689_4
+# 1689|     r1689_6(glval<decltype([...](...){...})>)  = Load[#this]                  : &:r1689_4, ~m?
+# 1689|     mu1689_7(decltype([...](...){...}))        = InitializeIndirection[#this] : &:r1689_6
+# 1689|     v1689_8(void)                              = NoOp                         : 
+# 1689|     v1689_9(void)                              = NoOp                         : 
+# 1689|     v1689_10(void)                             = ReturnIndirection[#this]     : &:r1689_6, ~m?
+# 1689|     v1689_11(void)                             = ReturnVoid                   : 
+# 1689|     v1689_12(void)                             = AliasedUse                   : ~m?
+# 1689|     v1689_13(void)                             = ExitFunction                 : 
+
 perf-regression.cpp:
 #    6| void Big::Big()
 #    6|   Block 0

cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency.expected

@@ -6,6 +6,8 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction

cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.expected

@@ -6,6 +6,8 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
+| ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected

@@ -35,6 +35,41 @@ edges
 | test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | command indirection |
 | test.cpp:142:31:142:33 | str indirection | test.cpp:142:11:142:17 | sprintf output argument |
 | test.cpp:142:31:142:33 | str indirection | test.cpp:142:11:142:17 | sprintf output argument |
+| test.cpp:174:9:174:16 | fread output argument | test.cpp:177:20:177:27 | filename indirection |
+| test.cpp:174:9:174:16 | fread output argument | test.cpp:178:22:178:26 | flags indirection |
+| test.cpp:174:9:174:16 | fread output argument | test.cpp:180:22:180:29 | filename indirection |
+| test.cpp:177:13:177:17 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
+| test.cpp:177:20:177:27 | filename indirection | test.cpp:177:13:177:17 | strncat output argument |
+| test.cpp:177:20:177:27 | filename indirection | test.cpp:177:13:177:17 | strncat output argument |
+| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
+| test.cpp:178:22:178:26 | flags indirection | test.cpp:178:13:178:19 | strncat output argument |
+| test.cpp:178:22:178:26 | flags indirection | test.cpp:178:13:178:19 | strncat output argument |
+| test.cpp:180:13:180:19 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
+| test.cpp:180:22:180:29 | filename indirection | test.cpp:180:13:180:19 | strncat output argument |
+| test.cpp:180:22:180:29 | filename indirection | test.cpp:180:13:180:19 | strncat output argument |
+| test.cpp:186:47:186:54 | *filename | test.cpp:187:18:187:25 | filename indirection |
+| test.cpp:186:47:186:54 | *filename | test.cpp:188:20:188:24 | flags indirection |
+| test.cpp:186:47:186:54 | filename | test.cpp:187:18:187:25 | filename indirection |
+| test.cpp:186:47:186:54 | filename | test.cpp:188:20:188:24 | flags indirection |
+| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:187:18:187:25 | filename indirection | test.cpp:187:11:187:15 | strncat output argument |
+| test.cpp:187:18:187:25 | filename indirection | test.cpp:187:11:187:15 | strncat output argument |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:205:10:205:16 | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:205:10:205:16 | command [post update] |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:188:20:188:24 | flags indirection | test.cpp:188:11:188:17 | strncat output argument |
+| test.cpp:188:20:188:24 | flags indirection | test.cpp:188:11:188:17 | strncat output argument |
+| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | filename |
+| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | filename indirection |
+| test.cpp:196:10:196:16 | command [post update] | test.cpp:198:32:198:38 | command indirection |
+| test.cpp:196:26:196:33 | filename | test.cpp:186:47:186:54 | filename |
+| test.cpp:196:26:196:33 | filename indirection | test.cpp:186:47:186:54 | *filename |
+| test.cpp:205:10:205:16 | command [post update] | test.cpp:207:32:207:38 | command indirection |
 nodes
 | test.cpp:16:20:16:23 | argv | semmle.label | argv |
 | test.cpp:22:13:22:20 | sprintf output argument | semmle.label | sprintf output argument |
@@ -72,6 +107,29 @@ nodes
 | test.cpp:142:11:142:17 | sprintf output argument | semmle.label | sprintf output argument |
 | test.cpp:142:31:142:33 | str indirection | semmle.label | str indirection |
 | test.cpp:143:10:143:16 | command indirection | semmle.label | command indirection |
+| test.cpp:174:9:174:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:177:13:177:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:177:20:177:27 | filename indirection | semmle.label | filename indirection |
+| test.cpp:178:13:178:19 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:178:22:178:26 | flags indirection | semmle.label | flags indirection |
+| test.cpp:180:13:180:19 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:180:22:180:29 | filename indirection | semmle.label | filename indirection |
+| test.cpp:183:32:183:38 | command indirection | semmle.label | command indirection |
+| test.cpp:186:47:186:54 | *filename | semmle.label | *filename |
+| test.cpp:186:47:186:54 | filename | semmle.label | filename |
+| test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:187:18:187:25 | filename indirection | semmle.label | filename indirection |
+| test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
+| test.cpp:188:11:188:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:188:20:188:24 | flags indirection | semmle.label | flags indirection |
+| test.cpp:194:9:194:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:196:10:196:16 | command [post update] | semmle.label | command [post update] |
+| test.cpp:196:26:196:33 | filename | semmle.label | filename |
+| test.cpp:196:26:196:33 | filename indirection | semmle.label | filename indirection |
+| test.cpp:198:32:198:38 | command indirection | semmle.label | command indirection |
+| test.cpp:205:10:205:16 | command [post update] | semmle.label | command [post update] |
+| test.cpp:207:32:207:38 | command indirection | semmle.label | command indirection |
 subpaths
 #select
 | test.cpp:23:12:23:19 | command1 | test.cpp:16:20:16:23 | argv | test.cpp:23:12:23:19 | command1 indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:16:20:16:23 | argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
@@ -83,3 +141,10 @@ subpaths
 | test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:25 | call to getenv | test.cpp:114:25:114:29 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:113:20:113:25 | call to getenv | user input (an environment variable) | test.cpp:114:17:114:17 | Call | Call |
 | test.cpp:120:25:120:28 | call to data | test.cpp:119:20:119:25 | call to getenv | test.cpp:120:10:120:30 | call to data indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:119:20:119:25 | call to getenv | user input (an environment variable) | test.cpp:120:17:120:17 | Call | Call |
 | test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:140:9:140:11 | fread output argument | user input (String read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:174:9:174:16 | fread output argument | user input (String read by fread) | test.cpp:177:13:177:17 | strncat output argument | strncat output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:174:9:174:16 | fread output argument | user input (String read by fread) | test.cpp:178:13:178:19 | strncat output argument | strncat output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:174:9:174:16 | fread output argument | user input (String read by fread) | test.cpp:180:13:180:19 | strncat output argument | strncat output argument |
+| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
+| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |
+| test.cpp:207:32:207:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:207:32:207:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
+| test.cpp:207:32:207:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:207:32:207:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp

@@ -168,7 +168,43 @@ void test15(FILE *f) {
   system(command); // GOOD: the user string was converted to an integer and back
 }
 
+void test16(FILE *f, bool use_flags) {
+  // BAD: the user string is injected directly into a command
+  char command[1000] = "mv ", flags[1000] = "-R", filename[1000];
+  fread(filename, 1, 1000, f);
 
-// TODO: test for call context sensitivity at concatenation site
+  if (use_flags) {
+    strncat(flags, filename, 1000);
+    strncat(command, flags, 1000);
+  } else {
+    strncat(command, filename, 1000);
+  }
+
+  execl("/bin/sh", "sh", "-c", command);
+}
+
+void concat(char *command, char *flags, char *filename) {
+  strncat(flags, filename, 1000);
+  strncat(command, flags, 1000);
+}
+
+void test17(FILE *f) {
+  // BAD: the user string is injected directly into a command
+  char command[1000] = "mv ", flags[1000] = "-R", filename[1000];
+  fread(filename, 1, 1000, f);
+
+  concat(command, flags, filename);
+
+  execl("/bin/sh", "sh", "-c", command);
+}
+
+void test18() {
+  // GOOD [FALSE POSITIVE]
+  char command[1000] = "ls ", flags[1000] = "-l", filename[1000] = ".";
+
+  concat(command, flags, filename);
+
+  execl("/bin/sh", "sh", "-c", command);
+}
 
 // open question: do we want to report certain sources even when they're the start of the string?

cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.c

@@ -1,4 +1,4 @@
-
+// semmle-extractor-options: -std=c11
 int f1(void) {
     int x = 1;
     return 2;
@@ -99,3 +99,9 @@ int f14()
 {
 	__asm__("rdtsc"); // GOOD
 }
+
+_Noreturn void f15();
+
+int f16() {
+    f15(); // GOOD
+}

cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.cpp

@@ -1,4 +1,4 @@
-
+// semmle-extractor-options: -std=c++11
 class MyValue {
 public:
 	MyValue(int _val) : val(_val) {};
@@ -164,3 +164,9 @@ int g19(int x)
 
 	return x; // GOOD
 }
+
+[[noreturn]] void g20();
+
+int g21() {
+    g20(); // GOOD
+}

csharp/ql/lib/change-notes/2022-03-14-flow-state-barriers.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.

csharp/ql/lib/semmle/code/csharp/commons/Constants.qll

@@ -105,31 +105,12 @@ private module ConstantComparisonOperation {
   }
 }
 
-private class StructuralComparisonConfig extends StructuralComparison::StructuralComparisonConfiguration {
-  StructuralComparisonConfig() { this = "CompareIdenticalValues" }
-
-  override predicate candidate(ControlFlowElement x, ControlFlowElement y) {
-    exists(ComparisonTest ct |
-      x = ct.getFirstArgument() and
-      y = ct.getSecondArgument()
-    )
-  }
-
-  ComparisonTest getComparisonTest() {
-    exists(Element x, Element y |
-      result.getFirstArgument() = x and
-      result.getSecondArgument() = y and
-      same(x, y)
-    )
-  }
-}
-
 /**
  * Holds if comparison test `ct` compares two structurally identical
  * expressions.
  */
 predicate comparesIdenticalValues(ComparisonTest ct) {
-  ct = any(StructuralComparisonConfig c).getComparisonTest()
+  StructuralComparison::sameGvn(ct.getFirstArgument(), ct.getSecondArgument())
 }
 
 /**

csharp/ql/lib/semmle/code/csharp/commons/StructuralComparison.qll

@@ -192,13 +192,18 @@ private import Cached
 
 predicate toGvn = toGvnCached/1;
 
+/**
+ * Holds if the control flow elements `x` and `y` are structurally equal.
+ */
 pragma[inline]
-private predicate sameGvn(ControlFlowElement x, ControlFlowElement y) {
+predicate sameGvn(ControlFlowElement x, ControlFlowElement y) {
   pragma[only_bind_into](toGvn(pragma[only_bind_out](x))) =
     pragma[only_bind_into](toGvn(pragma[only_bind_out](y)))
 }
 
 /**
+ * DEPRECATED: Use `sameGvn` instead.
+ *
  * A configuration for performing structural comparisons of program elements
  * (expressions and statements).
  *
@@ -207,7 +212,7 @@ private predicate sameGvn(ControlFlowElement x, ControlFlowElement y) {
  *
  * Each use of the library is identified by a unique string value.
  */
-abstract class StructuralComparisonConfiguration extends string {
+abstract deprecated class StructuralComparisonConfiguration extends string {
   bindingset[this]
   StructuralComparisonConfiguration() { any() }
 
@@ -235,55 +240,3 @@ abstract class StructuralComparisonConfiguration extends string {
    */
   predicate same(ControlFlowElement x, ControlFlowElement y) { candidate(x, y) and sameGvn(x, y) }
 }
-
-/**
- * INTERNAL: Do not use.
- *
- * A verbatim copy of the class `StructuralComparisonConfiguration` for internal
- * use.
- *
- * A copy is needed in order to use structural comparison within the standard
- * library without running into caching issues.
- */
-module Internal {
-  // Import all uses of the internal library to make sure caching works
-  private import semmle.code.csharp.controlflow.Guards as G
-
-  /**
-   * A configuration for performing structural comparisons of program elements
-   * (expressions and statements).
-   *
-   * The predicate `candidate()` must be overridden, in order to identify the
-   * elements for which to perform structural comparison.
-   *
-   * Each use of the library is identified by a unique string value.
-   */
-  abstract class InternalStructuralComparisonConfiguration extends string {
-    bindingset[this]
-    InternalStructuralComparisonConfiguration() { any() }
-
-    /**
-     * Holds if elements `x` and `y` are candidates for testing structural
-     * equality.
-     *
-     * Subclasses are expected to override this predicate to identify the
-     * top-level elements which they want to compare. Care should be
-     * taken to avoid identifying too many pairs of elements, as in general
-     * there are very many structurally equal subtrees in a program, and
-     * in order to keep the computation feasible we must focus attention.
-     *
-     * Note that this relation is not expected to be symmetric -- it's
-     * fine to include a pair `(x, y)` but not `(y, x)`.
-     * In fact, not including the symmetrically implied fact will save
-     * half the computation time on the structural comparison.
-     */
-    abstract predicate candidate(ControlFlowElement x, ControlFlowElement y);
-
-    /**
-     * Holds if elements `x` and `y` structurally equal. `x` and `y` must be
-     * flagged as candidates for structural equality, that is,
-     * `candidate(x, y)` must hold.
-     */
-    predicate same(ControlFlowElement x, ControlFlowElement y) { candidate(x, y) and sameGvn(x, y) }
-  }
-}

csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll

@@ -8,7 +8,7 @@ private import dotnet
 private import ControlFlow::SuccessorTypes
 private import semmle.code.csharp.commons.Assertions
 private import semmle.code.csharp.commons.ComparisonTest
-private import semmle.code.csharp.commons.StructuralComparison::Internal
+private import semmle.code.csharp.commons.StructuralComparison as SC
 private import semmle.code.csharp.controlflow.BasicBlocks
 private import semmle.code.csharp.controlflow.internal.Completion
 private import semmle.code.csharp.frameworks.System
@@ -1798,32 +1798,30 @@ module Internal {
   }
 
   /**
-   * A helper class for calculating structurally equal access/call expressions.
+   * Holds if access/call expression `e` (targeting declaration `target`)
+   * is a sub expression of a guard that controls whether basic block
+   * `bb` is reached.
    */
-  private class ConditionOnExprComparisonConfig extends InternalStructuralComparisonConfiguration {
-    ConditionOnExprComparisonConfig() { this = "ConditionOnExprComparisonConfig" }
+  pragma[noinline]
+  private predicate candidateAux(AccessOrCallExpr e, Declaration target, BasicBlock bb) {
+    target = e.getTarget() and
+    guardControlsSub(_, bb, e)
+  }
 
-    override predicate candidate(ControlFlowElement x, ControlFlowElement y) {
-      exists(BasicBlock bb, Declaration d |
-        this.candidateAux(x, d, bb) and
-        y =
-          any(AccessOrCallExpr e |
-            e.getAControlFlowNode().getBasicBlock() = bb and
-            e.getTarget() = d
-          )
-      )
-    }
+  private predicate candidate(AccessOrCallExpr x, AccessOrCallExpr y) {
+    exists(BasicBlock bb, Declaration d |
+      candidateAux(x, d, bb) and
+      y =
+        any(AccessOrCallExpr e |
+          e.getAControlFlowNode().getBasicBlock() = bb and
+          e.getTarget() = d
+        )
+    )
+  }
 
-    /**
-     * Holds if access/call expression `e` (targeting declaration `target`)
-     * is a sub expression of a guard that controls whether basic block
-     * `bb` is reached.
-     */
-    pragma[noinline]
-    private predicate candidateAux(AccessOrCallExpr e, Declaration target, BasicBlock bb) {
-      target = e.getTarget() and
-      guardControlsSub(_, bb, e)
-    }
+  private predicate same(AccessOrCallExpr x, AccessOrCallExpr y) {
+    candidate(x, y) and
+    SC::sameGvn(x, y)
   }
 
   cached
@@ -1849,7 +1847,7 @@ module Internal {
     pragma[nomagic]
     private predicate guardControlsSubSame(Guard g, BasicBlock bb, ControlGuardDescendant sub) {
       guardControlsSub(g, bb, sub) and
-      any(ConditionOnExprComparisonConfig c).same(sub, _)
+      same(sub, _)
     }
 
     pragma[nomagic]
@@ -1862,7 +1860,7 @@ module Internal {
       guardedBB = guardedCfn.getBasicBlock() and
       guardControls(g, guardedBB, v) and
       guardControlsSubSame(g, guardedBB, sub) and
-      any(ConditionOnExprComparisonConfig c).same(sub, guarded)
+      same(sub, guarded)
     }
 
     pragma[nomagic]

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -2031,3 +2031,47 @@ abstract class SyntheticField extends string {
  * Holds if the the content `c` is a container.
  */
 predicate containerContent(DataFlow::Content c) { c instanceof DataFlow::ElementContent }
+
+/**
+ * A module containing predicates related to generating models as data.
+ */
+module Csv {
+  private string parameterQualifiedTypeNamesToString(DataFlowCallable c) {
+    result =
+      concat(Parameter p, int i |
+        p = c.getParameter(i)
+      |
+        p.getType().getQualifiedName(), "," order by i
+      )
+  }
+
+  /** Holds if the summary should apply for all overrides of `c`. */
+  predicate isBaseCallableOrPrototype(DataFlowCallable c) {
+    c.getDeclaringType() instanceof Interface
+    or
+    exists(Modifiable m | m = [c.(Modifiable), c.(Accessor).getDeclaration()] |
+      m.isAbstract()
+      or
+      c.getDeclaringType().(Modifiable).isAbstract() and m.(Virtualizable).isVirtual()
+    )
+  }
+
+  /** Gets a string representing whether the summary should apply for all overrides of `c`. */
+  private string getCallableOverride(DataFlowCallable c) {
+    if isBaseCallableOrPrototype(c) then result = "true" else result = "false"
+  }
+
+  /** Computes the first 6 columns for CSV rows of `c`. */
+  string asPartialModel(DataFlowCallable c) {
+    exists(string namespace, string type |
+      c.getDeclaringType().hasQualifiedName(namespace, type) and
+      result =
+        namespace + ";" //
+          + type + ";" //
+          + getCallableOverride(c) + ";" //
+          + c.getName() + ";" //
+          + "(" + parameterQualifiedTypeNamesToString(c) + ")" //
+          + /* ext + */ ";" //
+    )
+  }
+}

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -1056,7 +1056,7 @@ module Private {
       |
         c.relevantSummary(input, output, preservesValue) and
         csv =
-          c.getCallableCsv() + ";;" + getComponentStackCsv(input) + ";" +
+          c.getCallableCsv() + ";" + getComponentStackCsv(input) + ";" +
             getComponentStackCsv(output) + ";" + renderKind(preservesValue)
       )
     }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation into `node` is prohibited. */
   predicate isSanitizerIn(DataFlow::Node node) { none() }
 
+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
   final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
 
   /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
     this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
    * must be taken into account in the analysis.

csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation into `node` is prohibited. */
   predicate isSanitizerIn(DataFlow::Node node) { none() }
 
+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
   final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
 
   /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
     this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
    * must be taken into account in the analysis.

csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll

@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation into `node` is prohibited. */
   predicate isSanitizerIn(DataFlow::Node node) { none() }
 
+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
   final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
 
   /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
     this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
    * must be taken into account in the analysis.

csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll

@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation into `node` is prohibited. */
   predicate isSanitizerIn(DataFlow::Node node) { none() }
 
+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
   final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
 
   /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
     this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
    * must be taken into account in the analysis.

csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll

@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation into `node` is prohibited. */
   predicate isSanitizerIn(DataFlow::Node node) { none() }
 
+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
   final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
 
   /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
     this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
    * must be taken into account in the analysis.

csharp/ql/lib/semmle/code/csharp/frameworks/system/Linq.qll

@@ -2,14 +2,14 @@
  * Provides classes related to the namespace `System.Linq`.
  */
 
-private import csharp as csharp
+private import csharp as CSharp
 private import semmle.code.csharp.frameworks.System as System
 private import semmle.code.csharp.dataflow.ExternalFlow as ExternalFlow
 
 /** Definitions relating to the `System.Linq` namespace. */
 module SystemLinq {
   /** The `System.Linq` namespace. */
-  class Namespace extends csharp::Namespace {
+  class Namespace extends CSharp::Namespace {
     Namespace() {
       this.getParentNamespace() instanceof System::SystemNamespace and
       this.hasUndecoratedName("Linq")
@@ -17,7 +17,7 @@ module SystemLinq {
   }
 
   /** A class in the `System.Linq` namespace. */
-  class Class extends csharp::Class {
+  class Class extends CSharp::Class {
     Class() { this.getNamespace() instanceof Namespace }
   }
 
@@ -26,10 +26,10 @@ module SystemLinq {
     SystemLinqEnumerableClass() { this.hasName("Enumerable") }
 
     /** Gets a `Count()` method. */
-    csharp::ExtensionMethod getACountMethod() { result = this.getAMethod("Count<>") }
+    CSharp::ExtensionMethod getACountMethod() { result = this.getAMethod("Count<>") }
 
     /** Gets an `Any()` method. */
-    csharp::ExtensionMethod getAnAnyMethod() { result = this.getAMethod("Any<>") }
+    CSharp::ExtensionMethod getAnAnyMethod() { result = this.getAMethod("Any<>") }
   }
 }
 

csharp/ql/lib/semmle/code/csharp/frameworks/system/data/Common.qll

@@ -2,14 +2,14 @@
  * Provides classes related to the namespace `System.Data.Common`.
  */
 
-private import csharp as csharp
+private import csharp as CSharp
 private import semmle.code.csharp.frameworks.system.Data as Data
 private import semmle.code.csharp.dataflow.ExternalFlow as ExternalFlow
 
 /** Definitions relating to the `System.Data.Common` namespace. */
 module SystemDataCommon {
   /** The `System.Data.Common` namespace. */
-  class Namespace extends csharp::Namespace {
+  class Namespace extends CSharp::Namespace {
     Namespace() {
       this.getParentNamespace() instanceof Data::SystemDataNamespace and
       this.hasName("Common")
@@ -17,7 +17,7 @@ module SystemDataCommon {
   }
 
   /** A class in the `System.Data.Common` namespace. */
-  class Class extends csharp::Class {
+  class Class extends CSharp::Class {
     Class() { this.getNamespace() instanceof Namespace }
   }
 

csharp/ql/lib/semmle/code/csharp/frameworks/system/data/Entity.qll

@@ -2,13 +2,13 @@
  * Provides classes related to the Entity Framework namespace `System.Data.Entity`.
  */
 
-private import csharp as csharp
+private import csharp as CSharp
 private import semmle.code.csharp.frameworks.system.Data as Data
 
 /** Definitions relating to the `System.Data.Entity` namespace. */
 module SystemDataEntity {
   /** The `System.Data.Entity` namespace. */
-  class Namespace extends csharp::Namespace {
+  class Namespace extends CSharp::Namespace {
     Namespace() {
       this.getParentNamespace() instanceof Data::SystemDataNamespace and
       this.hasName("Entity")
@@ -16,7 +16,7 @@ module SystemDataEntity {
   }
 
   /** A class in the `System.Data.Entity` namespace. */
-  class Class extends csharp::Class {
+  class Class extends CSharp::Class {
     Class() { this.getNamespace() instanceof Namespace }
   }
 
@@ -25,28 +25,28 @@ module SystemDataEntity {
     Database() { this.hasName("Database") }
 
     /** Gets the `ExecuteSqlCommand` method. */
-    csharp::Method getExecuteSqlCommandMethod() { result = this.getAMethod("ExecuteSqlCommand") }
+    CSharp::Method getExecuteSqlCommandMethod() { result = this.getAMethod("ExecuteSqlCommand") }
 
     /** Gets the `ExecuteSqlCommandAsync` method. */
-    csharp::Method getExecuteSqlCommandAsyncMethod() {
+    CSharp::Method getExecuteSqlCommandAsyncMethod() {
       result = this.getAMethod("ExecuteSqlCommandAsync")
     }
 
     /** Gets the `SqlQuery` method. */
-    csharp::Method getSqlQueryMethod() { result = this.getAMethod("SqlQuery") }
+    CSharp::Method getSqlQueryMethod() { result = this.getAMethod("SqlQuery") }
   }
 
   /** The `System.Data.Entity.DbSet` class. */
   class DbSet extends Class {
     DbSet() {
-      this.getUnboundDeclaration().(csharp::UnboundGenericClass).getUndecoratedName() = "DbSet"
+      this.getUnboundDeclaration().(CSharp::UnboundGenericClass).getUndecoratedName() = "DbSet"
     }
 
     /** Gets the `SqlQuery` method. */
-    csharp::Method getSqlQueryMethod() { result = this.getAMethod("SqlQuery") }
+    CSharp::Method getSqlQueryMethod() { result = this.getAMethod("SqlQuery") }
 
     /** Gets the `DbSet` type, if any. */
-    csharp::Type getDbSetType() { result = this.(csharp::ConstructedType).getTypeArgument(0) }
+    CSharp::Type getDbSetType() { result = this.(CSharp::ConstructedType).getTypeArgument(0) }
   }
 
   /** The `System.Data.Entity.DbContext` class. */
@@ -55,23 +55,23 @@ module SystemDataEntity {
   }
 
   /** A user provided sub type of `DbContext`. */
-  class CustomDbContext extends csharp::Class {
+  class CustomDbContext extends CSharp::Class {
     CustomDbContext() {
       this.fromSource() and
       this.getABaseType+() instanceof DbContext
     }
 
     /** Gets a property that has the type `DbSet`. */
-    csharp::Property getADbSetProperty() {
+    CSharp::Property getADbSetProperty() {
       result = this.getAProperty() and
       result.getType() instanceof DbSet
     }
   }
 
   /** An Entity Framework entity, as referenced from a `CustomDbContext`. */
-  class Entity extends csharp::Class {
+  class Entity extends CSharp::Class {
     Entity() {
-      exists(CustomDbContext dbContext, csharp::Property p |
+      exists(CustomDbContext dbContext, CSharp::Property p |
         p = dbContext.getADbSetProperty() and
         this = p.getType().(DbSet).getDbSetType()
       )
@@ -82,7 +82,7 @@ module SystemDataEntity {
 /** Definitions relating to the `System.Data.Entity.Infrastructure` namespace. */
 module SystemDataEntityInfrastructure {
   /** The `System.Data.Entity.Infrastructure` namespace. */
-  class Namespace extends csharp::Namespace {
+  class Namespace extends CSharp::Namespace {
     Namespace() {
       this.getParentNamespace() instanceof SystemDataEntity::Namespace and
       this.hasName("Infrastructure")
@@ -90,7 +90,7 @@ module SystemDataEntityInfrastructure {
   }
 
   /** A class in the `System.Data.Entity.Infrastructure` namespace. */
-  class Class extends csharp::Class {
+  class Class extends CSharp::Class {
     Class() { this.getNamespace() instanceof Namespace }
   }
 
@@ -99,7 +99,7 @@ module SystemDataEntityInfrastructure {
     DbRawSqlQuery() {
       this.getABaseType*()
           .getUnboundDeclaration()
-          .(csharp::UnboundGenericClass)
+          .(CSharp::UnboundGenericClass)
           .getUndecoratedName() = "DbRawSqlQuery"
     }
   }

csharp/ql/lib/semmle/code/csharp/frameworks/system/linq/Expressions.qll

@@ -2,13 +2,13 @@
  * Provides classes related to the namespace `System.Linq.Expressions`.
  */
 
-private import csharp as csharp
+private import csharp as CSharp
 private import semmle.code.csharp.frameworks.system.Linq
 
 /** Definitions relating to the `System.Linq.Expressions` namespace. */
 module SystemLinqExpressions {
   /** The `System.Linq.Expressions` namespace. */
-  class Namespace extends csharp::Namespace {
+  class Namespace extends CSharp::Namespace {
     Namespace() {
       this.getParentNamespace() instanceof SystemLinq::Namespace and
       this.hasName("Expressions")
@@ -16,12 +16,12 @@ module SystemLinqExpressions {
   }
 
   /** A class in the `System.Linq.Expressions` namespace. */
-  class Class extends csharp::Class {
+  class Class extends CSharp::Class {
     Class() { this.getNamespace() instanceof Namespace }
   }
 
   /** The `Expression<TDelegate>` class. */
-  class ExpressionDelegate extends Class, csharp::UnboundGenericClass {
+  class ExpressionDelegate extends Class, CSharp::UnboundGenericClass {
     ExpressionDelegate() { this.hasName("Expression<>") }
   }
 
@@ -30,20 +30,20 @@ module SystemLinqExpressions {
    * or a type of the form `Expression<T>`, where `T` is an actual
    * `delegate` type.
    */
-  class DelegateExtType extends csharp::Type {
-    csharp::DelegateType dt;
+  class DelegateExtType extends CSharp::Type {
+    CSharp::DelegateType dt;
 
     DelegateExtType() {
       this = dt
       or
       this =
-        any(csharp::ConstructedClass cc |
+        any(CSharp::ConstructedClass cc |
           cc.getUnboundGeneric() instanceof ExpressionDelegate and
           dt = cc.getTypeArgument(0)
         )
     }
 
     /** Gets the underlying `delegate` type. */
-    csharp::DelegateType getDelegateType() { result = dt }
+    CSharp::DelegateType getDelegateType() { result = dt }
   }
 }

csharp/ql/lib/semmle/code/csharp/frameworks/system/xml/XPath.qll

@@ -1,20 +1,20 @@
 /** Provides classes related to the namespace `System.Xml.XPath`. */
 
-import csharp as csharp
-private import semmle.code.csharp.frameworks.system.Xml as xml
+private import csharp as CSharp
+private import semmle.code.csharp.frameworks.system.Xml as Xml
 
 /** Definitions relating to the `System.Xml.XPath` namespace. */
 module SystemXmlXPath {
   /** The `System.Xml.XPath` namespace. */
-  class Namespace extends csharp::Namespace {
+  class Namespace extends CSharp::Namespace {
     Namespace() {
-      this.getParentNamespace() instanceof xml::SystemXmlNamespace and
+      this.getParentNamespace() instanceof Xml::SystemXmlNamespace and
       this.hasName("XPath")
     }
   }
 
   /** A class in the `System.Xml.XPath` namespace. */
-  class Class extends csharp::Class {
+  class Class extends CSharp::Class {
     Class() { this.getNamespace() instanceof Namespace }
   }
 
@@ -28,17 +28,17 @@ module SystemXmlXPath {
     XPathNavigator() { this.hasName("XPathNavigator") }
 
     /** Gets a method that selects nodes. */
-    csharp::Method getASelectMethod() {
+    CSharp::Method getASelectMethod() {
       result = this.getAMethod() and result.getName().matches("Select%")
     }
 
     /** Gets the `Compile` method. */
-    csharp::Method getCompileMethod() { result = this.getAMethod("Compile") }
+    CSharp::Method getCompileMethod() { result = this.getAMethod("Compile") }
 
     /** Gets an `Evaluate` method. */
-    csharp::Method getAnEvaluateMethod() { result = this.getAMethod("Evaluate") }
+    CSharp::Method getAnEvaluateMethod() { result = this.getAMethod("Evaluate") }
 
     /** Gets a `Matches` method. */
-    csharp::Method getAMatchesMethod() { result = this.getAMethod("Matches") }
+    CSharp::Method getAMatchesMethod() { result = this.getAMethod("Matches") }
   }
 }

csharp/ql/src/Concurrency/UnsafeLazyInitialization.ql

@@ -14,24 +14,12 @@
 import csharp
 import semmle.code.csharp.commons.StructuralComparison
 
-class DoubleCheckedLock extends StructuralComparisonConfiguration {
-  DoubleCheckedLock() { this = "double checked lock" }
-
-  override predicate candidate(ControlFlowElement x, ControlFlowElement y) {
-    exists(IfStmt unlockedIf, IfStmt lockedIf, LockStmt lock |
-      x = unlockedIf.getCondition() and
-      y = lockedIf.getCondition() and
-      lock = unlockedIf.getThen().stripSingletonBlocks() and
-      lockedIf.getParent*() = lock.getBlock()
-    )
-  }
-}
-
-predicate doubleCheckedLock(Field field, IfStmt ifs) {
-  exists(DoubleCheckedLock config, LockStmt lock, Expr eq1, Expr eq2 | ifs.getCondition() = eq1 |
-    lock = ifs.getThen().stripSingletonBlocks() and
-    config.same(eq1, eq2) and
-    field.getAnAccess() = eq1.getAChildExpr*()
+predicate doubleCheckedLock(Field field, IfStmt unlockedIf) {
+  exists(LockStmt lock, IfStmt lockedIf |
+    lock = unlockedIf.getThen().stripSingletonBlocks() and
+    lockedIf.getParent*() = lock.getBlock() and
+    sameGvn(unlockedIf.getCondition(), lockedIf.getCondition()) and
+    field.getAnAccess() = unlockedIf.getCondition().getAChildExpr*()
   )
 }
 

csharp/ql/src/Language Abuse/MissedTernaryOpportunity.ql

@@ -12,25 +12,8 @@
 import csharp
 import semmle.code.csharp.commons.StructuralComparison
 
-class StructuralComparisonConfig extends StructuralComparisonConfiguration {
-  StructuralComparisonConfig() { this = "MissedTernaryOpportunity" }
-
-  override predicate candidate(ControlFlowElement x, ControlFlowElement y) {
-    exists(IfStmt is, AssignExpr ae1 |
-      ae1 = is.getThen().stripSingletonBlocks().(ExprStmt).getExpr()
-    |
-      x = ae1.getLValue() and
-      exists(AssignExpr ae2 | ae2 = is.getElse().stripSingletonBlocks().(ExprStmt).getExpr() |
-        y = ae2.getLValue()
-      )
-    )
-  }
-
-  IfStmt getIfStmt() {
-    exists(AssignExpr ae | ae = result.getThen().stripSingletonBlocks().(ExprStmt).getExpr() |
-      same(ae.getLValue(), _)
-    )
-  }
+private Expr getAssignedExpr(Stmt stmt) {
+  result = stmt.stripSingletonBlocks().(ExprStmt).getExpr().(AssignExpr).getLValue()
 }
 
 from IfStmt is, string what
@@ -40,10 +23,8 @@ where
     is.getElse().stripSingletonBlocks() instanceof ReturnStmt and
     what = "return"
     or
-    exists(StructuralComparisonConfig c |
-      is = c.getIfStmt() and
-      what = "write to the same variable"
-    )
+    sameGvn(getAssignedExpr(is.getThen()), getAssignedExpr(is.getElse())) and
+    what = "write to the same variable"
   ) and
   not exists(IfStmt other | is = other.getElse())
 select is,

csharp/ql/src/Language Abuse/UselessIsBeforeAs.ql

@@ -13,35 +13,26 @@
 import csharp
 import semmle.code.csharp.commons.StructuralComparison
 
-class StructuralComparisonConfig extends StructuralComparisonConfiguration {
-  StructuralComparisonConfig() { this = "UselessIsBeforeAs" }
+private predicate candidate(AsExpr ae, IsExpr ie) {
+  exists(IfStmt is, TypeAccessPatternExpr tape |
+    ie = is.getCondition().getAChild*() and
+    tape = ie.getPattern() and
+    ae.getTargetType() = tape.getTarget()
+  |
+    ae = is.getThen().getAChild*()
+    or
+    ae = is.getElse().getAChild*()
+  )
+}
 
-  override predicate candidate(ControlFlowElement x, ControlFlowElement y) {
-    exists(IfStmt is, AsExpr ae, IsExpr ie, TypeAccessPatternExpr tape |
-      ie = is.getCondition().getAChild*() and
-      tape = ie.getPattern() and
-      ae.getTargetType() = tape.getTarget() and
-      x = ie.getExpr() and
-      y = ae.getExpr()
-    |
-      ae = is.getThen().getAChild*()
-      or
-      ae = is.getElse().getAChild*()
-    )
-  }
-
-  predicate uselessIsBeforeAs(AsExpr ae, IsExpr ie) {
-    exists(Expr x, Expr y |
-      same(x, y) and
-      ie.getExpr() = x and
-      ae.getExpr() = y
-    )
-  }
+private predicate uselessIsBeforeAs(AsExpr ae, IsExpr ie) {
+  candidate(ae, ie) and
+  sameGvn(ie.getExpr(), ae.getExpr())
 }
 
 from AsExpr ae, IsExpr ie
 where
-  exists(StructuralComparisonConfig c | c.uselessIsBeforeAs(ae, ie)) and
+  uselessIsBeforeAs(ae, ie) and
   not exists(MethodCall mc | ae = mc.getAnArgument().getAChildExpr*())
 select ae,
   "This 'as' expression performs a type test - it should be directly compared against null, rendering the 'is' $@ potentially redundant.",

csharp/ql/src/Language Abuse/UselessNullCoalescingExpression.ql

@@ -14,24 +14,22 @@
 import csharp
 import semmle.code.csharp.commons.StructuralComparison
 
-class StructuralComparisonConfig extends StructuralComparisonConfiguration {
-  StructuralComparisonConfig() { this = "UselessNullCoalescingExpression" }
-
-  override predicate candidate(ControlFlowElement x, ControlFlowElement y) {
-    exists(NullCoalescingExpr nce |
-      x.(Access) = nce.getLeftOperand() and
-      y.(Access) = nce.getRightOperand().getAChildExpr*()
-    )
-  }
-
-  NullCoalescingExpr getUselessNullCoalescingExpr() {
-    exists(AssignableAccess x |
-      result.getLeftOperand() = x and
-      forex(AssignableAccess y | same(x, y) | y instanceof AssignableRead and not y.isRefArgument())
-    )
-  }
+pragma[noinline]
+private predicate same(AssignableAccess x, AssignableAccess y) {
+  exists(NullCoalescingExpr nce |
+    x = nce.getLeftOperand() and
+    y = nce.getRightOperand().getAChildExpr*()
+  ) and
+  sameGvn(x, y)
 }
 
-from StructuralComparisonConfig c, NullCoalescingExpr nce
-where nce = c.getUselessNullCoalescingExpr()
+private predicate uselessNullCoalescingExpr(NullCoalescingExpr nce) {
+  exists(AssignableAccess x |
+    nce.getLeftOperand() = x and
+    forex(AssignableAccess y | same(x, y) | y instanceof AssignableRead and not y.isRefArgument())
+  )
+}
+
+from NullCoalescingExpr nce
+where uselessNullCoalescingExpr(nce)
 select nce, "Both operands of this null-coalescing expression access the same variable or property."

csharp/ql/src/Likely Bugs/NestedLoopsSameVariable.ql

@@ -15,18 +15,6 @@ import csharp
 import semmle.code.csharp.commons.ComparisonTest
 import semmle.code.csharp.commons.StructuralComparison as SC
 
-/** A structural comparison configuration for comparing the conditions of nested `for` loops. */
-class NestedForConditions extends SC::StructuralComparisonConfiguration {
-  NestedForConditions() { this = "Compare nested for conditions" }
-
-  override predicate candidate(ControlFlowElement e1, ControlFlowElement e2) {
-    exists(NestedForLoopSameVariable nested |
-      e1 = nested.getInnerForStmt().getCondition() and
-      e2 = nested.getOuterForStmt().getCondition()
-    )
-  }
-}
-
 private predicate hasChild(Stmt outer, Element child) {
   outer = child.getParent() and
   (outer instanceof ForStmt or outer = any(ForStmt f).getBody())
@@ -61,9 +49,7 @@ class NestedForLoopSameVariable extends ForStmt {
   }
 
   private predicate haveSameCondition() {
-    exists(NestedForConditions config |
-      config.same(this.getInnerForStmt().getCondition(), this.getOuterForStmt().getCondition())
-    )
+    SC::sameGvn(this.getInnerForStmt().getCondition(), this.getOuterForStmt().getCondition())
   }
 
   private predicate haveSameUpdate() {

csharp/ql/src/Likely Bugs/SelfAssignment.ql

@@ -13,37 +13,25 @@
 import csharp
 import semmle.code.csharp.commons.StructuralComparison
 
-class StructuralComparisonConfig extends StructuralComparisonConfiguration {
-  StructuralComparisonConfig() { this = "SelfAssignment" }
-
-  override predicate candidate(ControlFlowElement x, ControlFlowElement y) {
-    exists(AssignExpr ae |
-      // Member initializers are never self-assignments, in particular
-      // not initializers such as `new C { F = F };`
-      not ae instanceof MemberInitializer and
-      // Enum field initializers are never self assignments. `enum E { A = 42 }`
-      not ae.getParent().(Field).getDeclaringType() instanceof Enum
-    |
-      ae.getLValue() = x and
-      ae.getRValue() = y
-    ) and
-    forall(Expr e | e = x.(Expr).getAChildExpr*() |
-      // Non-trivial property accesses may have side-effects,
-      // so these are not considered
-      e instanceof PropertyAccess implies e instanceof TrivialPropertyAccess
-    )
-  }
-
-  AssignExpr getSelfAssignExpr() {
-    exists(Expr x, Expr y |
-      same(x, y) and
-      result.getLValue() = x and
-      result.getRValue() = y
-    )
-  }
+private predicate candidate(AssignExpr ae) {
+  // Member initializers are never self-assignments, in particular
+  // not initializers such as `new C { F = F };`
+  not ae instanceof MemberInitializer and
+  // Enum field initializers are never self assignments. `enum E { A = 42 }`
+  not ae.getParent().(Field).getDeclaringType() instanceof Enum and
+  forall(Expr e | e = ae.getLValue().getAChildExpr*() |
+    // Non-trivial property accesses may have side-effects,
+    // so these are not considered
+    e instanceof PropertyAccess implies e instanceof TrivialPropertyAccess
+  )
 }
 
-Declaration getDeclaration(Expr e) {
+private predicate selfAssignExpr(AssignExpr ae) {
+  candidate(ae) and
+  sameGvn(ae.getLValue(), ae.getRValue())
+}
+
+private Declaration getDeclaration(Expr e) {
   result = e.(VariableAccess).getTarget()
   or
   result = e.(MemberAccess).getTarget()
@@ -51,6 +39,6 @@ Declaration getDeclaration(Expr e) {
   result = getDeclaration(e.(ArrayAccess).getQualifier())
 }
 
-from StructuralComparisonConfig c, AssignExpr ae, Declaration target
-where ae = c.getSelfAssignExpr() and target = getDeclaration(ae.getLValue())
+from AssignExpr ae, Declaration target
+where selfAssignExpr(ae) and target = getDeclaration(ae.getLValue())
 select ae, "This assignment assigns $@ to itself.", target, target.getName()

csharp/ql/src/Performance/UseTryGetValue.ql

@@ -13,19 +13,14 @@ import csharp
 import semmle.code.csharp.commons.StructuralComparison
 import semmle.code.csharp.controlflow.Guards as G
 
-class SameElement extends StructuralComparisonConfiguration {
-  SameElement() { this = "Same element" }
-
-  override predicate candidate(ControlFlowElement e1, ControlFlowElement e2) {
-    exists(MethodCall mc, IndexerRead access |
-      mc.getTarget().hasName("ContainsKey") and
-      access.getQualifier().(G::GuardedExpr).isGuardedBy(mc, mc.getQualifier(), _) and
-      e1 = mc.getArgument(0) and
-      e2 = access.getIndex(0)
-    )
-  }
+pragma[noinline]
+private predicate candidate(MethodCall mc, IndexerRead access) {
+  mc.getTarget().hasName("ContainsKey") and
+  access.getQualifier().(G::GuardedExpr).isGuardedBy(mc, mc.getQualifier(), _)
 }
 
-from SameElement element, MethodCall call, IndexerAccess index
-where element.same(call.getArgument(0), index.getIndex(0))
+from MethodCall call, IndexerRead index
+where
+  candidate(call, index) and
+  sameGvn(call.getArgument(0), index.getIndex(0))
 select call, "Inefficient use of 'ContainsKey' and $@.", index, "indexer"

csharp/ql/src/utils/model-generator/ModelGeneratorUtilsSpecific.qll

@@ -7,12 +7,12 @@ private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
 private predicate isRelevantForModels(Callable api) { not api instanceof MainMethod }
 
 /**
- * A class of Callables that are relevant for generating summary, source and sinks models for.
+ * A class of callables that are relevant generating summary, source and sinks models for.
  *
- * In the Standard library and 3rd party libraries it the Callables that can be called
+ * In the Standard library and 3rd party libraries it the callables that can be called
  * from outside the library itself.
  */
-class TargetApi extends Callable {
+class TargetApi extends DataFlowCallable {
   TargetApi() {
     [this.(Modifiable), this.(Accessor).getDeclaration()].isEffectivelyPublic() and
     this.fromSource() and
@@ -20,44 +20,7 @@ class TargetApi extends Callable {
   }
 }
 
-private string parameterQualifiedTypeNamesToString(TargetApi api) {
-  result =
-    concat(Parameter p, int i |
-      p = api.getParameter(i)
-    |
-      p.getType().getQualifiedName(), "," order by i
-    )
-}
-
-/** Holds if the summary should apply for all overrides of this. */
-private predicate isBaseCallableOrPrototype(TargetApi api) {
-  api.getDeclaringType() instanceof Interface
-  or
-  exists(Modifiable m | m = [api.(Modifiable), api.(Accessor).getDeclaration()] |
-    m.isAbstract()
-    or
-    api.getDeclaringType().(Modifiable).isAbstract() and m.(Virtualizable).isVirtual()
-  )
-}
-
-/** Gets a string representing whether the summary should apply for all overrides of this. */
-private string getCallableOverride(TargetApi api) {
-  if isBaseCallableOrPrototype(api) then result = "true" else result = "false"
-}
-
-/** Computes the first 6 columns for CSV rows. */
-string asPartialModel(TargetApi api) {
-  exists(string namespace, string type |
-    api.getDeclaringType().hasQualifiedName(namespace, type) and
-    result =
-      namespace + ";" //
-        + type + ";" //
-        + getCallableOverride(api) + ";" //
-        + api.getName() + ";" //
-        + "(" + parameterQualifiedTypeNamesToString(api) + ")" //
-        + /* ext + */ ";" //
-  )
-}
+predicate asPartialModel = Csv::asPartialModel/1;
 
 /**
  * Holds for type `t` for fields that are relevant as an intermediate
@@ -86,6 +49,11 @@ string parameterNodeAsInput(DataFlow::ParameterNode p) {
   result = "Argument[Qualifier]" and p instanceof InstanceParameterNode
 }
 
+pragma[nomagic]
+private Parameter getParameter(ReturnNodeExt node, ParameterPosition pos) {
+  result = node.getEnclosingCallable().getParameter(pos.getPosition())
+}
+
 /**
  * Gets the model string represention of the the return node `node`.
  */
@@ -94,7 +62,7 @@ string returnNodeAsOutput(ReturnNodeExt node) {
   then result = "ReturnValue"
   else
     exists(ParameterPosition pos | pos = node.getKind().(ParamUpdateReturnKind).getPosition() |
-      result = parameterAccess(node.getEnclosingCallable().getParameter(pos.getPosition()))
+      result = parameterAccess(getParameter(node, pos))
       or
       pos.isThisParameter() and
       result = "Argument[Qualifier]"

csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.ql

@@ -1,4 +1,5 @@
 import shared.FlowSummaries
+private import semmle.code.csharp.dataflow.internal.DataFlowPrivate::Csv
 private import semmle.code.csharp.dataflow.ExternalFlow
 
 class IncludeFilteredSummarizedCallable extends IncludeSummarizedCallable {
@@ -14,7 +15,7 @@ class IncludeFilteredSummarizedCallable extends IncludeSummarizedCallable {
   ) {
     this.propagatesFlow(input, output, preservesValue) and
     not exists(IncludeSummarizedCallable rsc |
-      rsc.isBaseCallableOrPrototype() and
+      isBaseCallableOrPrototype(rsc) and
       rsc.propagatesFlow(input, output, preservesValue) and
       this.(UnboundCallable).overridesOrImplementsUnbound(rsc)
     )

csharp/ql/test/library-tests/structuralcomparison/structuralComparison.ql

@@ -1,28 +1,25 @@
 import csharp
 import semmle.code.csharp.commons.StructuralComparison
 
-private class StructuralComparisonTest extends StructuralComparisonConfiguration {
-  StructuralComparisonTest() { this = "StructuralComparisonTest" }
-
-  /**
-   * All pairs of controls flow elements found in the source and within the same
-   * enclosing callable excluding all instances of `ThisAccess` to reduce the size
-   * of the output.
-   */
-  override predicate candidate(ControlFlowElement e1, ControlFlowElement e2) {
-    e1.fromSource() and
-    e2.fromSource() and
-    e1 != e2 and
-    e1.getEnclosingCallable() = e2.getEnclosingCallable() and
-    not e1 instanceof ThisAccess
-  }
+/**
+ * All pairs of controls flow elements found in the source and within the same
+ * enclosing callable excluding all instances of `ThisAccess` to reduce the size
+ * of the output.
+ */
+private predicate candidate(ControlFlowElement x, ControlFlowElement y) {
+  x.fromSource() and
+  y.fromSource() and
+  x != y and
+  x.getEnclosingCallable() = y.getEnclosingCallable() and
+  not x instanceof ThisAccess
 }
 
-query predicate same(ControlFlowElement e1, ControlFlowElement e2) {
-  exists(StructuralComparisonTest sct, Location l1, Location l2 |
-    sct.same(e1, e2) and
-    l1 = e1.getLocation() and
-    l2 = e2.getLocation() and
+query predicate same(ControlFlowElement x, ControlFlowElement y) {
+  exists(Location l1, Location l2 |
+    candidate(x, y) and
+    sameGvn(x, y) and
+    l1 = x.getLocation() and
+    l2 = y.getLocation() and
     (
       l1.getStartLine() < l2.getStartLine()
       or
@@ -31,4 +28,4 @@ query predicate same(ControlFlowElement e1, ControlFlowElement e2) {
   )
 }
 
-query predicate gvn(ControlFlowElement e, Gvn gvn) { gvn = toGvn(e) and e.fromSource() }
+query predicate gvn(ControlFlowElement x, Gvn gvn) { gvn = toGvn(x) and x.fromSource() }

csharp/ql/test/shared/FlowSummaries.qll

@@ -1,44 +1,12 @@
 import semmle.code.csharp.dataflow.FlowSummary
 import semmle.code.csharp.dataflow.internal.FlowSummaryImpl::Private::TestOutput
+private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
 
 abstract class IncludeSummarizedCallable extends RelevantSummarizedCallable {
   IncludeSummarizedCallable() {
     [this.(Modifiable), this.(Accessor).getDeclaration()].isEffectivelyPublic()
   }
 
-  /** Gets the qualified parameter types of this callable as a comma-separated string. */
-  private string parameterQualifiedTypeNamesToString() {
-    result =
-      concat(Parameter p, int i |
-        p = this.getParameter(i)
-      |
-        p.getType().getQualifiedName(), "," order by i
-      )
-  }
-
-  /** Holds if the summary should apply for all overrides of this. */
-  predicate isBaseCallableOrPrototype() {
-    this.getDeclaringType() instanceof Interface
-    or
-    exists(Modifiable m | m = [this.(Modifiable), this.(Accessor).getDeclaration()] |
-      m.isAbstract()
-      or
-      this.getDeclaringType().(Modifiable).isAbstract() and m.(Virtualizable).isVirtual()
-    )
-  }
-
-  /** Gets a string representing whether the summary should apply for all overrides of this. */
-  private string getCallableOverride() {
-    if this.isBaseCallableOrPrototype() then result = "true" else result = "false"
-  }
-
   /** Gets a string representing the callable in semi-colon separated format for use in flow summaries. */
-  final override string getCallableCsv() {
-    exists(string namespace, string type |
-      this.getDeclaringType().hasQualifiedName(namespace, type) and
-      result =
-        namespace + ";" + type + ";" + this.getCallableOverride() + ";" + this.getName() + ";" + "("
-          + this.parameterQualifiedTypeNamesToString() + ")"
-    )
-  }
+  final override string getCallableCsv() { result = Csv::asPartialModel(this) }
 }

java/ql/lib/change-notes/2022-03-14-flow-state-barriers.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.

java/ql/lib/semmle/code/java/JDK.qll

@@ -4,6 +4,7 @@
 
 import Member
 import semmle.code.java.security.ExternalProcess
+private import semmle.code.java.dataflow.FlowSteps
 
 // --- Standard types ---
 /** The class `java.lang.Object`. */
@@ -37,6 +38,27 @@ class StringLengthMethod extends Method {
   StringLengthMethod() { this.hasName("length") and this.getDeclaringType() instanceof TypeString }
 }
 
+/**
+ * The methods on the class `java.lang.String` that are used to perform partial matches with a specified substring or char.
+ */
+class StringPartialMatchMethod extends Method {
+  StringPartialMatchMethod() {
+    this.hasName([
+        "contains", "startsWith", "endsWith", "matches", "indexOf", "lastIndexOf", "regionMatches"
+      ]) and
+    this.getDeclaringType() instanceof TypeString
+  }
+
+  /**
+   * Gets the index of the parameter that is being matched against.
+   */
+  int getMatchParameterIndex() {
+    if this.hasName("regionMatches")
+    then this.getParameterType(result) instanceof TypeString
+    else result = 0
+  }
+}
+
 /** The class `java.lang.StringBuffer`. */
 class TypeStringBuffer extends Class {
   TypeStringBuffer() { this.hasQualifiedName("java.lang", "StringBuffer") }
@@ -228,11 +250,13 @@ class MethodSystemGetenv extends Method {
 /**
  * Any method named `getProperty` on class `java.lang.System`.
  */
-class MethodSystemGetProperty extends Method {
+class MethodSystemGetProperty extends ValuePreservingMethod {
   MethodSystemGetProperty() {
     this.hasName("getProperty") and
     this.getDeclaringType() instanceof TypeSystem
   }
+
+  override predicate returnsValue(int arg) { arg = 1 }
 }
 
 /**
@@ -244,6 +268,9 @@ class MethodAccessSystemGetProperty extends MethodAccess {
   /**
    * Holds if this call has a compile-time constant first argument with the value `propertyName`.
    * For example: `System.getProperty("user.dir")`.
+   *
+   * Note: Better to use `semmle.code.java.environment.SystemProperty#getSystemProperty` instead
+   * as that predicate covers ways of accessing the same information via various libraries.
    */
   predicate hasCompileTimeConstantGetPropertyName(string propertyName) {
     this.getArgument(0).(CompileTimeConstantExpr).getStringValue() = propertyName

java/ql/lib/semmle/code/java/StringFormat.qll

@@ -4,6 +4,7 @@
 
 import java
 import dataflow.DefUse
+private import semmle.code.java.environment.SystemProperty
 
 /**
  * A library method that formats a number of its arguments according to a
@@ -312,27 +313,7 @@ private predicate formatStringValue(Expr e, string fmtvalue) {
     or
     formatStringValue(e.(ChooseExpr).getAResultExpr(), fmtvalue)
     or
-    exists(Method getprop, MethodAccess ma, string prop |
-      e = ma and
-      ma.getMethod() = getprop and
-      getprop.hasName("getProperty") and
-      getprop.getDeclaringType().hasQualifiedName("java.lang", "System") and
-      getprop.getNumberOfParameters() = 1 and
-      ma.getAnArgument().(StringLiteral).getValue() = prop and
-      (prop = "line.separator" or prop = "file.separator" or prop = "path.separator") and
-      fmtvalue = "x" // dummy value
-    )
-    or
-    exists(Field f |
-      e = f.getAnAccess() and
-      f.getDeclaringType() instanceof TypeFile and
-      fmtvalue = "x" // dummy value
-    |
-      f.hasName("pathSeparator") or
-      f.hasName("pathSeparatorChar") or
-      f.hasName("separator") or
-      f.hasName("separatorChar")
-    )
+    e = getSystemProperty(["line.separator", "file.separator", "path.separator"]) and fmtvalue = "x" // dummy value
   )
 }
 

java/ql/lib/semmle/code/java/dataflow/FlowSources.qll

@@ -203,6 +203,7 @@ class EnvReadMethod extends Method {
   EnvReadMethod() {
     this instanceof MethodSystemGetenv or
     this instanceof PropertiesGetPropertyMethod or
+    this instanceof PropertiesGetMethod or
     this instanceof MethodSystemGetProperty
   }
 }

java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll

@@ -10,11 +10,13 @@ private import semmle.code.java.dataflow.DataFlow
  * ensuring that they are visible to the taint tracking library.
  */
 private module Frameworks {
+  private import semmle.code.java.JDK
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
   private import semmle.code.java.frameworks.android.AsyncTask
   private import semmle.code.java.frameworks.android.Intent
   private import semmle.code.java.frameworks.android.SQLite
   private import semmle.code.java.frameworks.Guice
+  private import semmle.code.java.frameworks.Properties
   private import semmle.code.java.frameworks.Protobuf
   private import semmle.code.java.frameworks.guava.Guava
   private import semmle.code.java.frameworks.apache.Lang

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll

@@ -87,12 +87,30 @@ abstract class Configuration extends string {
   /** Holds if data flow into `node` is prohibited. */
   predicate isBarrierIn(Node node) { none() }
 
+  /**
+   * Holds if data flow into `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
   /** Holds if data flow out of `node` is prohibited. */
   predicate isBarrierOut(Node node) { none() }
 
+  /**
+   * Holds if data flow out of `node` is prohibited when the flow state is
+   * `state`
+   */
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   /** Holds if data flow through nodes guarded by `guard` is prohibited. */
   predicate isBarrierGuard(BarrierGuard guard) { none() }
 
+  /**
+   * Holds if data flow through nodes guarded by `guard` is prohibited when
+   * the flow state is `state`
+   */
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -305,7 +323,7 @@ private class RetNodeEx extends NodeEx {
   ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }
 
-private predicate inBarrier(NodeEx node, Configuration config) {
+private predicate fullInBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierIn(n)
@@ -314,7 +332,16 @@ private predicate inBarrier(NodeEx node, Configuration config) {
   )
 }
 
-private predicate outBarrier(NodeEx node, Configuration config) {
+private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierIn(n, state)
+  |
+    config.isSource(n, state)
+  )
+}
+
+private predicate fullOutBarrier(NodeEx node, Configuration config) {
   exists(Node n |
     node.asNode() = n and
     config.isBarrierOut(n)
@@ -323,6 +350,15 @@ private predicate outBarrier(NodeEx node, Configuration config) {
   )
 }
 
+private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
+  exists(Node n |
+    node.asNode() = n and
+    config.isBarrierOut(n, state)
+  |
+    config.isSink(n, state)
+  )
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
   exists(Node n | node.asNode() = n |
@@ -345,9 +381,19 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 
 pragma[nomagic]
 private predicate stateBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
+  exists(Node n | node.asNode() = n |
     config.isBarrier(n, state)
+    or
+    config.isBarrierIn(n, state) and
+    not config.isSource(n, state)
+    or
+    config.isBarrierOut(n, state) and
+    not config.isSink(n, state)
+    or
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
   )
 }
 
@@ -376,8 +422,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
+  not fullOutBarrier(node1, config) and
+  not fullInBarrier(node2, config) and
   not fullBarrier(node1, config) and
   not fullBarrier(node2, config)
 }
@@ -430,6 +476,8 @@ private predicate additionalLocalStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config)
   )
@@ -471,6 +519,8 @@ private predicate additionalJumpStateStep(
     config.isAdditionalFlowStep(n1, s1, n2, s2) and
     getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
     stepFilter(node1, node2, config) and
+    not stateOutBarrier(node1, s1, config) and
+    not stateInBarrier(node2, s2, config) and
     not stateBarrier(node1, s1, config) and
     not stateBarrier(node2, s2, config) and
     not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -870,8 +920,8 @@ private module Stage1 {
   private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
     revFlow(node, true, config) and
     fwdFlow(node, true, config) and
-    not inBarrier(node, config) and
-    not outBarrier(node, config)
+    not fullInBarrier(node, config) and
+    not fullOutBarrier(node, config)
   }
 
   /** Holds if flow may return from `callable`. */
@@ -966,8 +1016,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
   viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
   Stage1::revFlow(ret, config) and
-  not outBarrier(ret, config) and
-  not inBarrier(out, config)
+  not fullOutBarrier(ret, config) and
+  not fullInBarrier(out, config)
 }
 
 pragma[nomagic]
@@ -988,8 +1038,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
-  not outBarrier(arg, config) and
-  not inBarrier(p, config)
+  not fullOutBarrier(arg, config) and
+  not fullInBarrier(p, config)
 }
 
 /**
@@ -1706,18 +1756,31 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
+  private predicate localFlowEntry(NodeEx node, FlowState state, Configuration config) {
     Stage2::revFlow(node, state, config) and
     (
-      sourceNode(node, state, config) or
-      jumpStep(_, node, config) or
-      additionalJumpStep(_, node, config) or
-      additionalJumpStateStep(_, _, node, state, config) or
-      node instanceof ParamNodeEx or
-      node.asNode() instanceof OutNodeExt or
-      store(_, _, node, _, config) or
-      read(_, _, node, config) or
+      sourceNode(node, state, config)
+      or
+      jumpStep(_, node, config)
+      or
+      additionalJumpStep(_, node, config)
+      or
+      additionalJumpStateStep(_, _, node, state, config)
+      or
+      node instanceof ParamNodeEx
+      or
+      node.asNode() instanceof OutNodeExt
+      or
+      store(_, _, node, _, config)
+      or
+      read(_, _, node, config)
+      or
       node instanceof FlowCheckNode
+      or
+      exists(FlowState s |
+        additionalLocalStateStep(_, s, node, state, config) and
+        s != state
+      )
     )
   }
 
@@ -1737,6 +1800,9 @@ private module LocalFlowBigStep {
     or
     exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
       additionalJumpStateStep(node, state, next, s, config)
+      or
+      additionalLocalStateStep(node, state, next, s, config) and
+      s != state
     )
     or
     Stage2::revFlow(node, state, config) and
@@ -1770,42 +1836,40 @@ private module LocalFlowBigStep {
    */
   pragma[nomagic]
   private predicate localFlowStepPlus(
-    NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-    DataFlowType t, Configuration config, LocalCallContext cc
+    NodeEx node1, FlowState state, NodeEx node2, boolean preservesValue, DataFlowType t,
+    Configuration config, LocalCallContext cc
   ) {
     not isUnreachableInCallCached(node2.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
     (
-      localFlowEntry(node1, pragma[only_bind_into](state1), pragma[only_bind_into](config)) and
+      localFlowEntry(node1, pragma[only_bind_into](state), pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
-        state1 = state2 and
         preservesValue = true and
-        t = node1.getDataFlowType() // irrelevant dummy value
+        t = node1.getDataFlowType() and // irrelevant dummy value
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
         or
-        additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+        additionalLocalFlowStepNodeCand2(node1, state, node2, state, config) and
         preservesValue = false and
         t = node2.getDataFlowType()
       ) and
       node1 != node2 and
       cc.relevantFor(node1.getEnclosingCallable()) and
-      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall()) and
-      Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+      not isUnreachableInCallCached(node1.asNode(), cc.(LocalCallContextSpecificCall).getCall())
       or
       exists(NodeEx mid |
-        localFlowStepPlus(node1, state1, mid, pragma[only_bind_into](state2), preservesValue, t,
+        localFlowStepPlus(node1, pragma[only_bind_into](state), mid, preservesValue, t,
           pragma[only_bind_into](config), cc) and
         localFlowStepNodeCand1(mid, node2, config) and
         not mid instanceof FlowCheckNode and
-        Stage2::revFlow(node2, pragma[only_bind_into](state2), pragma[only_bind_into](config))
+        Stage2::revFlow(node2, pragma[only_bind_into](state), pragma[only_bind_into](config))
       )
       or
-      exists(NodeEx mid, FlowState st |
-        localFlowStepPlus(node1, state1, mid, st, _, _, pragma[only_bind_into](config), cc) and
-        additionalLocalFlowStepNodeCand2(mid, st, node2, state2, config) and
+      exists(NodeEx mid |
+        localFlowStepPlus(node1, state, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, state, node2, state, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = node2.getDataFlowType() and
-        Stage2::revFlow(node2, state2, pragma[only_bind_into](config))
+        t = node2.getDataFlowType()
       )
     )
   }
@@ -1819,9 +1883,19 @@ private module LocalFlowBigStep {
     NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
     AccessPathFrontNil apf, Configuration config, LocalCallContext callContext
   ) {
-    localFlowStepPlus(node1, state1, node2, state2, preservesValue, apf.getType(), config,
-      callContext) and
-    localFlowExit(node2, state2, config)
+    localFlowStepPlus(node1, state1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, state1, config) and
+    state1 = state2
+    or
+    additionalLocalFlowStepNodeCand2(node1, state1, node2, state2, config) and
+    state1 != state2 and
+    preservesValue = false and
+    apf = TFrontNil(node2.getDataFlowType()) and
+    callContext.relevantFor(node1.getEnclosingCallable()) and
+    not exists(DataFlowCall call | call = callContext.(LocalCallContextSpecificCall).getCall() |
+      isUnreachableInCallCached(node1.asNode(), call) or
+      isUnreachableInCallCached(node2.asNode(), call)
+    )
   }
 }
 
@@ -2695,10 +2769,10 @@ private module Stage4 {
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
-    localFlowEntry(node, _, config) and
     result =
       getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
-        node.getEnclosingCallable())
+        node.getEnclosingCallable()) and
+    exists(config)
   }
 
   private predicate localStep(

java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll

@@ -1056,7 +1056,7 @@ module Private {
       |
         c.relevantSummary(input, output, preservesValue) and
         csv =
-          c.getCallableCsv() + ";;" + getComponentStackCsv(input) + ";" +
+          c.getCallableCsv() + ";" + getComponentStackCsv(input) + ";" +
             getComponentStackCsv(output) + ";" + renderKind(preservesValue)
       )
     }

java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation into `node` is prohibited. */
   predicate isSanitizerIn(DataFlow::Node node) { none() }
 
+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
   final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
 
   /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
     this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
    * must be taken into account in the analysis.

java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -109,6 +109,16 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation into `node` is prohibited. */
   predicate isSanitizerIn(DataFlow::Node node) { none() }
 
+  /**
+   * Holds if taint propagation into `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerIn(node, state)
+  }
+
   final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
 
   /** Holds if taint propagation out of `node` is prohibited. */
@@ -116,6 +126,16 @@ abstract class Configuration extends DataFlow::Configuration {
 
   final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
+  /**
+   * Holds if taint propagation out of `node` is prohibited when the flow state is
+   * `state`.
+   */
+  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
+    this.isSanitizerOut(node, state)
+  }
+
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
@@ -123,6 +143,16 @@ abstract class Configuration extends DataFlow::Configuration {
     this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
+  /**
+   * Holds if taint propagation through nodes guarded by `guard` is prohibited
+   * when the flow state is `state`.
+   */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+    this.isSanitizerGuard(guard, state)
+  }
+
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
    * must be taken into account in the analysis.

java/ql/lib/semmle/code/java/environment/SystemProperty.qll

@@ -0,0 +1,286 @@
+/**
+ * Provides classes and predicates for working with java system properties.
+ */
+
+import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.frameworks.Properties
+private import semmle.code.java.frameworks.apache.Lang
+
+/**
+ * Gets an expression that retrieves the value of `propertyName` from `System.getProperty()`.
+ *
+ * Note: Expression type is not just `String`.
+ */
+Expr getSystemProperty(string propertyName) {
+  result = getSystemPropertyFromSystem(propertyName) or
+  result = getSystemPropertyFromSystemGetProperties(propertyName) or
+  result = getSystemPropertyFromFile(propertyName) or
+  result = getSystemPropertyFromApacheSystemUtils(propertyName) or
+  result = getSystemPropertyFromApacheFileUtils(propertyName) or
+  result = getSystemPropertyFromGuava(propertyName) or
+  result = getSystemPropertyFromOperatingSystemMXBean(propertyName) or
+  result = getSystemPropertyFromSpringProperties(propertyName)
+}
+
+private MethodAccess getSystemPropertyFromSystem(string propertyName) {
+  result.(MethodAccessSystemGetProperty).hasCompileTimeConstantGetPropertyName(propertyName)
+  or
+  result.getMethod().hasName("lineSeparator") and propertyName = "line.separator"
+}
+
+/**
+ * A method access that retrieves the value of `propertyName` from the following methods:
+ *  - `System.getProperties().getProperty(...)`
+ *  - `System.getProperties().get(...)`
+ */
+private MethodAccess getSystemPropertyFromSystemGetProperties(string propertyName) {
+  exists(Method getMethod |
+    getMethod instanceof PropertiesGetMethod
+    or
+    getMethod instanceof PropertiesGetPropertyMethod and
+    result.getMethod() = getMethod
+  ) and
+  result.getArgument(0).(CompileTimeConstantExpr).getStringValue() = propertyName and
+  localExprFlowPlusInitializers(any(MethodAccess m |
+      m.getMethod().getDeclaringType() instanceof TypeSystem and
+      m.getMethod().hasName("getProperties")
+    ), result.getQualifier())
+}
+
+private FieldAccess getSystemPropertyFromFile(string propertyName) {
+  result.getField() instanceof FieldFileSeparator and propertyName = "file.separator"
+  or
+  result.getField() instanceof FieldFilePathSeparator and propertyName = "path.separator"
+}
+
+/** The field `java.io.File.separator` or `java.io.File.separatorChar` */
+private class FieldFileSeparator extends Field {
+  FieldFileSeparator() {
+    this.getDeclaringType() instanceof TypeFile and this.hasName(["separator", "separatorChar"])
+  }
+}
+
+/* The field `java.io.File.pathSeparator` or `java.io.File.pathSeparatorChar` */
+private class FieldFilePathSeparator extends Field {
+  FieldFilePathSeparator() {
+    this.getDeclaringType() instanceof TypeFile and
+    this.hasName(["pathSeparator", "pathSeparatorChar"])
+  }
+}
+
+/**
+ * A field access to the system property.
+ * See: https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/SystemUtils.html
+ */
+private FieldAccess getSystemPropertyFromApacheSystemUtils(string propertyName) {
+  exists(Field f | f = result.getField() and f.getDeclaringType() instanceof TypeApacheSystemUtils |
+    f.hasName("AWT_TOOLKIT") and propertyName = "awt.toolkit"
+    or
+    f.hasName("FILE_ENCODING") and propertyName = "file.encoding"
+    or
+    f.hasName("FILE_SEPARATOR") and propertyName = "file.separator"
+    or
+    f.hasName("JAVA_AWT_FONTS") and propertyName = "java.awt.fonts"
+    or
+    f.hasName("JAVA_AWT_GRAPHICSENV") and propertyName = "java.awt.graphicsenv"
+    or
+    f.hasName("JAVA_AWT_HEADLESS") and propertyName = "java.awt.headless"
+    or
+    f.hasName("JAVA_AWT_PRINTERJOB") and propertyName = "java.awt.printerjob"
+    or
+    f.hasName("JAVA_CLASS_PATH") and propertyName = "java.class.path"
+    or
+    f.hasName("JAVA_CLASS_VERSION") and propertyName = "java.class.version"
+    or
+    f.hasName("JAVA_COMPILER") and propertyName = "java.compiler"
+    or
+    f.hasName("JAVA_EXT_DIRS") and propertyName = "java.ext.dirs"
+    or
+    f.hasName("JAVA_HOME") and propertyName = "java.home"
+    or
+    f.hasName("JAVA_IO_TMPDIR") and propertyName = "java.io.tmpdir"
+    or
+    f.hasName("JAVA_LIBRARY_PATH") and propertyName = "java.library.path"
+    or
+    f.hasName("JAVA_RUNTIME_NAME") and propertyName = "java.runtime.name"
+    or
+    f.hasName("JAVA_RUNTIME_VERSION") and propertyName = "java.runtime.version"
+    or
+    f.hasName("JAVA_SPECIFICATION_NAME") and propertyName = "java.specification.name"
+    or
+    f.hasName("JAVA_SPECIFICATION_VENDOR") and propertyName = "java.specification.vendor"
+    or
+    f.hasName("JAVA_UTIL_PREFS_PREFERENCES_FACTORY") and
+    propertyName = "java.util.prefs.PreferencesFactory" // This really does break the lowercase convention obeyed everywhere else
+    or
+    f.hasName("JAVA_VENDOR") and propertyName = "java.vendor"
+    or
+    f.hasName("JAVA_VENDOR_URL") and propertyName = "java.vendor.url"
+    or
+    f.hasName("JAVA_VERSION") and propertyName = "java.version"
+    or
+    f.hasName("JAVA_VM_INFO") and propertyName = "java.vm.info"
+    or
+    f.hasName("JAVA_VM_NAME") and propertyName = "java.vm.name"
+    or
+    f.hasName("JAVA_VM_SPECIFICATION_NAME") and propertyName = "java.vm.specification.name"
+    or
+    f.hasName("JAVA_VM_SPECIFICATION_VENDOR") and propertyName = "java.vm.specification.vendor"
+    or
+    f.hasName("JAVA_VM_VENDOR") and propertyName = "java.vm.vendor"
+    or
+    f.hasName("JAVA_VM_VERSION") and propertyName = "java.vm.version"
+    or
+    f.hasName("LINE_SEPARATOR") and propertyName = "line.separator"
+    or
+    f.hasName("OS_ARCH") and propertyName = "os.arch"
+    or
+    f.hasName("OS_NAME") and propertyName = "os.name"
+    or
+    f.hasName("OS_VERSION") and propertyName = "os.version"
+    or
+    f.hasName("PATH_SEPARATOR") and propertyName = "path.separator"
+    or
+    f.hasName("USER_COUNTRY") and propertyName = "user.country"
+    or
+    f.hasName("USER_DIR") and propertyName = "user.dir"
+    or
+    f.hasName("USER_HOME") and propertyName = "user.home"
+    or
+    f.hasName("USER_LANGUAGE") and propertyName = "user.language"
+    or
+    f.hasName("USER_NAME") and propertyName = "user.name"
+    or
+    f.hasName("USER_TIMEZONE") and propertyName = "user.timezone"
+  )
+}
+
+private MethodAccess getSystemPropertyFromApacheFileUtils(string propertyName) {
+  exists(Method m |
+    result.getMethod() = m and
+    m.getDeclaringType().hasQualifiedName("org.apache.commons.io", "FileUtils")
+  |
+    m.hasName(["getTempDirectory", "getTempDirectoryPath"]) and propertyName = "java.io.tmpdir"
+    or
+    m.hasName(["getUserDirectory", "getUserDirectoryPath"]) and propertyName = "user.home"
+  )
+}
+
+private MethodAccess getSystemPropertyFromGuava(string propertyName) {
+  exists(EnumConstant ec |
+    ec.getDeclaringType().hasQualifiedName("com.google.common.base", "StandardSystemProperty") and
+    // Example: `StandardSystemProperty.JAVA_IO_TMPDIR.value()`
+    (
+      localExprFlowPlusInitializers(ec.getAnAccess(), result.getQualifier()) and
+      result.getMethod().hasName("value")
+    )
+    or
+    // Example: `System.getProperty(StandardSystemProperty.JAVA_IO_TMPDIR.key())`
+    exists(MethodAccess keyMa |
+      localExprFlowPlusInitializers(ec.getAnAccess(), keyMa.getQualifier()) and
+      keyMa.getMethod().hasName("key") and
+      localExprFlowPlusInitializers(keyMa, result.(MethodAccessSystemGetProperty).getArgument(0))
+    )
+  |
+    ec.hasName("JAVA_VERSION") and propertyName = "java.version"
+    or
+    ec.hasName("JAVA_VENDOR") and propertyName = "java.vendor"
+    or
+    ec.hasName("JAVA_VENDOR_URL") and propertyName = "java.vendor.url"
+    or
+    ec.hasName("JAVA_HOME") and propertyName = "java.home"
+    or
+    ec.hasName("JAVA_VM_SPECIFICATION_VERSION") and propertyName = "java.vm.specification.version"
+    or
+    ec.hasName("JAVA_VM_SPECIFICATION_VENDOR") and propertyName = "java.vm.specification.vendor"
+    or
+    ec.hasName("JAVA_VM_SPECIFICATION_NAME") and propertyName = "java.vm.specification.name"
+    or
+    ec.hasName("JAVA_VM_VERSION") and propertyName = "java.vm.version"
+    or
+    ec.hasName("JAVA_VM_VENDOR") and propertyName = "java.vm.vendor"
+    or
+    ec.hasName("JAVA_VM_NAME") and propertyName = "java.vm.name"
+    or
+    ec.hasName("JAVA_SPECIFICATION_VERSION") and propertyName = "java.specification.version"
+    or
+    ec.hasName("JAVA_SPECIFICATION_VENDOR") and propertyName = "java.specification.vendor"
+    or
+    ec.hasName("JAVA_SPECIFICATION_NAME") and propertyName = "java.specification.name"
+    or
+    ec.hasName("JAVA_CLASS_VERSION") and propertyName = "java.class.version"
+    or
+    ec.hasName("JAVA_CLASS_PATH") and propertyName = "java.class.path"
+    or
+    ec.hasName("JAVA_LIBRARY_PATH") and propertyName = "java.library.path"
+    or
+    ec.hasName("JAVA_IO_TMPDIR") and propertyName = "java.io.tmpdir"
+    or
+    ec.hasName("JAVA_COMPILER") and propertyName = "java.compiler"
+    or
+    ec.hasName("JAVA_EXT_DIRS") and propertyName = "java.ext.dirs"
+    or
+    ec.hasName("OS_NAME") and propertyName = "os.name"
+    or
+    ec.hasName("OS_ARCH") and propertyName = "os.arch"
+    or
+    ec.hasName("OS_VERSION") and propertyName = "os.version"
+    or
+    ec.hasName("FILE_SEPARATOR") and propertyName = "file.separator"
+    or
+    ec.hasName("PATH_SEPARATOR") and propertyName = "path.separator"
+    or
+    ec.hasName("LINE_SEPARATOR") and propertyName = "line.separator"
+    or
+    ec.hasName("USER_NAME") and propertyName = "user.name"
+    or
+    ec.hasName("USER_HOME") and propertyName = "user.home"
+    or
+    ec.hasName("USER_DIR") and propertyName = "user.dir"
+  )
+}
+
+private MethodAccess getSystemPropertyFromOperatingSystemMXBean(string propertyName) {
+  exists(Method m |
+    m = result.getMethod() and
+    m.getDeclaringType().hasQualifiedName("java.lang.management", "OperatingSystemMXBean")
+  |
+    m.getName() = "getName" and propertyName = "os.name"
+    or
+    m.getName() = "getArch" and propertyName = "os.arch"
+    or
+    m.getName() = "getVersion" and propertyName = "os.version"
+  )
+}
+
+private MethodAccess getSystemPropertyFromSpringProperties(string propertyName) {
+  exists(Method m |
+    m = result.getMethod() and
+    m.getDeclaringType().hasQualifiedName("org.springframework.core", "SpringProperties") and
+    m.hasName("getProperty")
+  ) and
+  result.getArgument(0).(CompileTimeConstantExpr).getStringValue() = propertyName
+}
+
+/**
+ * Holds if data can flow from `e1` to `e2` in zero or more
+ * local (intra-procedural) steps or via local variable intializers
+ * for final variables.
+ */
+private predicate localExprFlowPlusInitializers(Expr e1, Expr e2) {
+  localFlowPlusInitializers(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
+}
+
+/**
+ * Holds if data can flow from `pred` to `succ` in zero or more
+ * local (intra-procedural) steps or via instance or static variable intializers
+ * for final variables.
+ */
+private predicate localFlowPlusInitializers(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(Variable v | v.isFinal() and pred.asExpr() = v.getInitializer() |
+    DataFlow::localFlow(DataFlow::exprNode(v.getAnAccess()), succ)
+  )
+  or
+  DataFlow::localFlow(pred, succ)
+}

java/ql/lib/semmle/code/java/frameworks/Properties.qll

@@ -1,25 +1,44 @@
 /* Definitions related to `java.util.Properties`. */
 import semmle.code.java.Type
+private import semmle.code.java.dataflow.FlowSteps
 
-library class TypeProperty extends Class {
+/**
+ * The `java.util.Properties` class.
+ */
+class TypeProperty extends Class {
   TypeProperty() { hasQualifiedName("java.util", "Properties") }
 }
 
-library class PropertiesGetPropertyMethod extends Method {
+/** The `getProperty` method of the class `java.util.Properties`. */
+class PropertiesGetPropertyMethod extends ValuePreservingMethod {
   PropertiesGetPropertyMethod() {
     getDeclaringType() instanceof TypeProperty and
     hasName("getProperty")
   }
+
+  override predicate returnsValue(int arg) { arg = 1 }
 }
 
-library class PropertiesSetPropertyMethod extends Method {
+/** The `get` method of the class `java.util.Properties`. */
+class PropertiesGetMethod extends Method {
+  PropertiesGetMethod() {
+    getDeclaringType() instanceof TypeProperty and
+    hasName("get")
+  }
+}
+
+/** The `setProperty` method of the class `java.util.Properties`. */
+class PropertiesSetPropertyMethod extends Method {
   PropertiesSetPropertyMethod() {
     getDeclaringType() instanceof TypeProperty and
     hasName("setProperty")
   }
 }
 
-library class PropertiesStoreMethod extends Method {
+/**
+ * The methods of the class `java.util.Properties` that write the contents to an output.
+ */
+class PropertiesStoreMethod extends Method {
   PropertiesStoreMethod() {
     getDeclaringType() instanceof TypeProperty and
     (getName().matches("store%") or getName() = "save")

java/ql/lib/semmle/code/java/frameworks/apache/Lang.qll

@@ -37,3 +37,12 @@ private class ApacheStrBuilderFluentMethod extends FluentMethod {
     this.getReturnType().(RefType).hasQualifiedName("org.apache.commons.lang3.text", "StrBuilder")
   }
 }
+
+/**
+ * The class `org.apache.commons.lang.SystemUtils` or `org.apache.commons.lang3.SystemUtils`.
+ */
+class TypeApacheSystemUtils extends Class {
+  TypeApacheSystemUtils() {
+    this.hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "SystemUtils")
+  }
+}

java/ql/lib/semmle/code/java/os/OSCheck.qll

@@ -0,0 +1,161 @@
+/**
+ * Provides classes and predicates for guards that check for the current OS.
+ */
+
+import java
+import semmle.code.java.controlflow.Guards
+private import semmle.code.java.environment.SystemProperty
+private import semmle.code.java.frameworks.apache.Lang
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.TaintTracking
+
+/**
+ * A guard that checks if the current OS is Windows.
+ * When True, the OS is Windows.
+ * When False, the OS is not Windows.
+ */
+abstract class IsWindowsGuard extends Guard { }
+
+/**
+ * A guard that checks if the current OS is a specific Windows variant.
+ * When True, the OS is Windows.
+ * When False, the OS *may* still be Windows.
+ */
+abstract class IsSpecificWindowsVariant extends Guard { }
+
+/**
+ * A guard that checks if the current OS is unix or unix-like.
+ * When True, the OS is unix or unix-like.
+ * When False, the OS is not unix or unix-like.
+ */
+abstract class IsUnixGuard extends Guard { }
+
+/**
+ * A guard that checks if the current OS is a specific unix or unix-like variant.
+ * When True, the OS is unix or unix-like.
+ * When False, the OS *may* still be unix or unix-like.
+ */
+abstract class IsSpecificUnixVariant extends Guard { }
+
+/**
+ * Holds when `ma` compares the current OS against the string constant `osString`.
+ */
+private predicate isOsFromSystemProp(MethodAccess ma, string osString) {
+  TaintTracking::localExprTaint(getSystemProperty("os.name"), ma.getQualifier()) and // Call from System.getProperty (or equivalent) to some partial match method
+  exists(StringPartialMatchMethod m, CompileTimeConstantExpr matchedStringConstant |
+    m = ma.getMethod() and
+    matchedStringConstant.getStringValue().toLowerCase() = osString
+  |
+    DataFlow::localExprFlow(matchedStringConstant, ma.getArgument(m.getMatchParameterIndex()))
+  )
+}
+
+private class IsWindowsFromSystemProp extends IsWindowsGuard instanceof MethodAccess {
+  IsWindowsFromSystemProp() { isOsFromSystemProp(this, any(string s | s.regexpMatch("windows?"))) }
+}
+
+/**
+ * Holds when the Guard is an equality check between the system property with the name `propertyName`
+ * and the string or char constant `compareToLiteral`, and the branch evaluates to `branch`.
+ */
+private Guard isOsFromSystemPropertyEqualityCheck(
+  string propertyName, string compareToLiteral, boolean branch
+) {
+  result
+      .isEquality(getSystemProperty(propertyName),
+        any(Literal literal |
+          (literal instanceof CharacterLiteral or literal instanceof StringLiteral) and
+          literal.getValue() = compareToLiteral
+        ), branch)
+}
+
+private class IsWindowsFromPathSeparator extends IsWindowsGuard {
+  IsWindowsFromPathSeparator() {
+    this = isOsFromSystemPropertyEqualityCheck("path.separator", ";", true) or
+    this = isOsFromSystemPropertyEqualityCheck("path.separator", ":", false)
+  }
+}
+
+private class IsWindowsFromFileSeparator extends IsWindowsGuard {
+  IsWindowsFromFileSeparator() {
+    this = isOsFromSystemPropertyEqualityCheck("file.separator", "\\", true) or
+    this = isOsFromSystemPropertyEqualityCheck("file.separator", "/", false)
+  }
+}
+
+private class IsUnixFromPathSeparator extends IsUnixGuard {
+  IsUnixFromPathSeparator() {
+    this = isOsFromSystemPropertyEqualityCheck("path.separator", ":", true) or
+    this = isOsFromSystemPropertyEqualityCheck("path.separator", ";", false)
+  }
+}
+
+private class IsUnixFromFileSeparator extends IsUnixGuard {
+  IsUnixFromFileSeparator() {
+    this = isOsFromSystemPropertyEqualityCheck("file.separator", "/", true) or
+    this = isOsFromSystemPropertyEqualityCheck("file.separator", "\\", false)
+  }
+}
+
+private class IsUnixFromSystemProp extends IsSpecificUnixVariant instanceof MethodAccess {
+  IsUnixFromSystemProp() {
+    isOsFromSystemProp(this, any(string s | s.regexpMatch(["mac.*", "linux.*"])))
+  }
+}
+
+bindingset[fieldNamePattern]
+private predicate isOsFromApacheCommons(FieldAccess fa, string fieldNamePattern) {
+  exists(Field f | f = fa.getField() |
+    f.getDeclaringType() instanceof TypeApacheSystemUtils and
+    f.getName().matches(fieldNamePattern)
+  )
+}
+
+private class IsWindowsFromApacheCommons extends IsWindowsGuard instanceof FieldAccess {
+  IsWindowsFromApacheCommons() { isOsFromApacheCommons(this, "IS_OS_WINDOWS") }
+}
+
+private class IsSpecificWindowsVariantFromApacheCommons extends IsSpecificWindowsVariant instanceof FieldAccess {
+  IsSpecificWindowsVariantFromApacheCommons() { isOsFromApacheCommons(this, "IS_OS_WINDOWS_%") }
+}
+
+private class IsUnixFromApacheCommons extends IsUnixGuard instanceof FieldAccess {
+  IsUnixFromApacheCommons() { isOsFromApacheCommons(this, "IS_OS_UNIX") }
+}
+
+private class IsSpecificUnixVariantFromApacheCommons extends IsSpecificUnixVariant instanceof FieldAccess {
+  IsSpecificUnixVariantFromApacheCommons() {
+    isOsFromApacheCommons(this,
+      [
+        "IS_OS_AIX", "IS_OS_HP_UX", "IS_OS_IRIX", "IS_OS_LINUX", "IS_OS_MAC%", "IS_OS_FREE_BSD",
+        "IS_OS_OPEN_BSD", "IS_OS_NET_BSD", "IS_OS_SOLARIS", "IS_OS_SUN_OS", "IS_OS_ZOS"
+      ])
+  }
+}
+
+/**
+ * A guard that checks if the `java.nio.file.FileSystem` supports posix file permissions.
+ * This is often used to infer if the OS is unix-based and can generally be considered to be true for all unix-based OSes
+ * ([source](https://en.wikipedia.org/wiki/POSIX#POSIX-oriented_operating_systems)).
+ * Looks for calls to `contains("posix")` on the `supportedFileAttributeViews()` method returned by `FileSystem`.
+ */
+private class IsUnixFromPosixFromFileSystem extends IsUnixGuard instanceof MethodAccess {
+  IsUnixFromPosixFromFileSystem() {
+    exists(Method m | m = this.getMethod() |
+      m.getDeclaringType()
+          .getASupertype*()
+          .getSourceDeclaration()
+          .hasQualifiedName("java.util", "Set") and
+      m.hasName("contains")
+    ) and
+    this.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "posix" and
+    exists(Method supportedFileAttributeViewsMethod |
+      supportedFileAttributeViewsMethod.hasName("supportedFileAttributeViews") and
+      supportedFileAttributeViewsMethod.getDeclaringType() instanceof TypeFileSystem
+    |
+      DataFlow::localExprFlow(any(MethodAccess ma |
+          ma.getMethod() = supportedFileAttributeViewsMethod
+        ), super.getQualifier())
+    )
+  }
+}

java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql

@@ -11,6 +11,7 @@
  */
 
 import java
+import semmle.code.java.os.OSCheck
 import TempDirUtils
 import DataFlow::PathGraph
 import semmle.code.java.dataflow.TaintTracking2
@@ -102,11 +103,36 @@ private class FileCreateTempFileSink extends FileCreationSink {
   }
 }
 
+/**
+ * A guard that holds when the program is definitely running under some version of Windows.
+ */
+abstract private class WindowsOsBarrierGuard extends DataFlow::BarrierGuard { }
+
+private class IsNotUnixBarrierGuard extends WindowsOsBarrierGuard instanceof IsUnixGuard {
+  override predicate checks(Expr e, boolean branch) {
+    this.controls(e.getBasicBlock(), branch.booleanNot())
+  }
+}
+
+private class IsWindowsBarrierGuard extends WindowsOsBarrierGuard instanceof IsWindowsGuard {
+  override predicate checks(Expr e, boolean branch) { this.controls(e.getBasicBlock(), branch) }
+}
+
+private class IsSpecificWindowsBarrierGuard extends WindowsOsBarrierGuard instanceof IsSpecificWindowsVariant {
+  override predicate checks(Expr e, boolean branch) {
+    branch = true and this.controls(e.getBasicBlock(), branch)
+  }
+}
+
+/**
+ * A taint tracking configuration tracking the access of the system temporary directory
+ * flowing to the creation of files or directories.
+ */
 private class TempDirSystemGetPropertyToCreateConfig extends TaintTracking::Configuration {
   TempDirSystemGetPropertyToCreateConfig() { this = "TempDirSystemGetPropertyToCreateConfig" }
 
   override predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof MethodAccessSystemGetPropertyTempDirTainted
+    source.asExpr() instanceof ExprSystemGetPropertyTempDirTainted
   }
 
   /**
@@ -129,6 +155,10 @@ private class TempDirSystemGetPropertyToCreateConfig extends TaintTracking::Conf
       sanitizer.asExpr() = sanitisingMethodAccess.getArgument(0)
     )
   }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof WindowsOsBarrierGuard
+  }
 }
 
 /**
@@ -147,10 +177,8 @@ private class TempDirSystemGetPropertyDirectlyToMkdirConfig extends TaintTrackin
   }
 
   override predicate isSource(DataFlow::Node node) {
-    exists(
-      MethodAccessSystemGetPropertyTempDirTainted propertyGetMethodAccess, DataFlow::Node callSite
-    |
-      DataFlow::localFlow(DataFlow::exprNode(propertyGetMethodAccess), callSite)
+    exists(ExprSystemGetPropertyTempDirTainted propertyGetExpr, DataFlow::Node callSite |
+      DataFlow::localFlow(DataFlow::exprNode(propertyGetExpr), callSite)
     |
       isFileConstructorArgument(callSite.asExpr(), node.asExpr(), 1)
     )

java/ql/src/Security/CWE/CWE-200/TempDirUsageSafe.java

@@ -1,10 +1,14 @@
 import java.io.File;
 import java.io.IOException;
+import java.io.UncheckedIOException;
 import java.nio.file.Files;
+import java.nio.file.Path;
 import java.nio.file.attribute.PosixFilePermission;
 import java.nio.file.attribute.PosixFilePermissions;
+
 import java.util.EnumSet;
 
+
 public class TempDirUsageSafe {
     void exampleSafe() throws IOException {
         Path temp1 = Files.createTempFile("random", ".txt"); // GOOD: File has permissions `-rw-------`
@@ -30,7 +34,7 @@ public class TempDirUsageSafe {
         createTempFile(tempChildFile.toPath()); // GOOD: Good has permissions `-rw-------`
     }
 
-    static void createTempFile(Path tempDir) {
+    static void createTempFile(Path tempDirChild) {
         try {
             if (tempDirChild.getFileSystem().supportedFileAttributeViews().contains("posix")) {
                 // Explicit permissions setting is only required on unix-like systems because

java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll

@@ -3,34 +3,14 @@
  */
 
 import java
+private import semmle.code.java.environment.SystemProperty
 import semmle.code.java.dataflow.FlowSources
 
 /**
- * A method that returns a `String` or `File` that has been tainted by `System.getProperty("java.io.tmpdir")`.
+ * A method or field access that returns a `String` or `File` that has been tainted by `System.getProperty("java.io.tmpdir")`.
  */
-abstract class MethodAccessSystemGetPropertyTempDirTainted extends MethodAccess { }
-
-/**
- * Method access `System.getProperty("java.io.tmpdir")`.
- */
-private class MethodAccessSystemGetPropertyTempDir extends MethodAccessSystemGetPropertyTempDirTainted,
-  MethodAccessSystemGetProperty {
-  MethodAccessSystemGetPropertyTempDir() {
-    this.hasCompileTimeConstantGetPropertyName("java.io.tmpdir")
-  }
-}
-
-/**
- * A method call to the `org.apache.commons.io.FileUtils` methods `getTempDirectory` or `getTempDirectoryPath`.
- */
-private class MethodAccessApacheFileUtilsTempDir extends MethodAccessSystemGetPropertyTempDirTainted {
-  MethodAccessApacheFileUtilsTempDir() {
-    exists(Method m |
-      m.getDeclaringType().hasQualifiedName("org.apache.commons.io", "FileUtils") and
-      m.hasName(["getTempDirectory", "getTempDirectoryPath"]) and
-      this.getMethod() = m
-    )
-  }
+class ExprSystemGetPropertyTempDirTainted extends Expr {
+  ExprSystemGetPropertyTempDirTainted() { this = getSystemProperty("java.io.tmpdir") }
 }
 
 /**

java/ql/src/change-notes/2022-02-14-os-guards.md

@@ -0,0 +1,7 @@
+---
+category: minorAnalysis
+---
+ * Added new guards `IsWindowsGuard`, `IsSpecificWindowsVariant`, `IsUnixGuard`, and `IsSpecificUnixVariant` to detect OS specific guards.
+ * Added a new predicate `getSystemProperty` that gets all expressions that retrieve system properties from a variety of sources (eg. alternative JDK API's, Google Guava, Apache Commons, Apache IO, etc..).
+ * Updated "Local information disclosure in a temporary directory" (`java/local-temp-file-or-directory-information-disclosure`) to remove false-positives when OS is properly used as logical guard.
+ 

java/ql/src/utils/model-generator/ModelGeneratorUtilsSpecific.qll

@@ -5,7 +5,7 @@ private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.internal.ContainerFlow
 private import semmle.code.java.dataflow.internal.DataFlowImplCommon
 
-Method superImpl(Method m) {
+private Method superImpl(Method m) {
   result = m.getAnOverride() and
   not exists(result.getAnOverride()) and
   not m instanceof ToStringMethod

java/ql/test/library-tests/JDK/PrintAst.expected

@@ -60,6 +60,75 @@ jdk/A.java:
 #   28|             0: [ArrayTypeAccess] ...[]
 #   28|               0: [TypeAccess] String
 #   28|       5: [BlockStmt] { ... }
+jdk/StringMatch.java:
+#    0| [CompilationUnit] StringMatch
+#    1|   1: [Class] StringMatch
+#    2|     3: [FieldDeclaration] String STR;
+#    2|       -1: [TypeAccess] String
+#    2|       0: [StringLiteral] "the quick brown fox jumps over the lazy dog"
+#    4|     4: [Method] a
+#    4|       3: [TypeAccess] void
+#    4|       5: [BlockStmt] { ... }
+#    5|         0: [ExprStmt] <Expr>;
+#    5|           0: [MethodAccess] matches(...)
+#    5|             -1: [VarAccess] STR
+#    5|             0: [StringLiteral] "[a-z]+"
+#    8|     5: [Method] b
+#    8|       3: [TypeAccess] void
+#    8|       5: [BlockStmt] { ... }
+#    9|         0: [ExprStmt] <Expr>;
+#    9|           0: [MethodAccess] contains(...)
+#    9|             -1: [VarAccess] STR
+#    9|             0: [StringLiteral] "the"
+#   12|     6: [Method] c
+#   12|       3: [TypeAccess] void
+#   12|       5: [BlockStmt] { ... }
+#   13|         0: [ExprStmt] <Expr>;
+#   13|           0: [MethodAccess] startsWith(...)
+#   13|             -1: [VarAccess] STR
+#   13|             0: [StringLiteral] "the"
+#   16|     7: [Method] d
+#   16|       3: [TypeAccess] void
+#   16|       5: [BlockStmt] { ... }
+#   17|         0: [ExprStmt] <Expr>;
+#   17|           0: [MethodAccess] endsWith(...)
+#   17|             -1: [VarAccess] STR
+#   17|             0: [StringLiteral] "dog"
+#   20|     8: [Method] e
+#   20|       3: [TypeAccess] void
+#   20|       5: [BlockStmt] { ... }
+#   21|         0: [ExprStmt] <Expr>;
+#   21|           0: [MethodAccess] indexOf(...)
+#   21|             -1: [VarAccess] STR
+#   21|             0: [StringLiteral] "lazy"
+#   24|     9: [Method] f
+#   24|       3: [TypeAccess] void
+#   24|       5: [BlockStmt] { ... }
+#   25|         0: [ExprStmt] <Expr>;
+#   25|           0: [MethodAccess] lastIndexOf(...)
+#   25|             -1: [VarAccess] STR
+#   25|             0: [StringLiteral] "lazy"
+#   28|     10: [Method] g
+#   28|       3: [TypeAccess] void
+#   28|       5: [BlockStmt] { ... }
+#   29|         0: [ExprStmt] <Expr>;
+#   29|           0: [MethodAccess] regionMatches(...)
+#   29|             -1: [VarAccess] STR
+#   29|             0: [IntegerLiteral] 0
+#   29|             1: [StringLiteral] "fox"
+#   29|             2: [IntegerLiteral] 0
+#   29|             3: [IntegerLiteral] 4
+#   32|     11: [Method] h
+#   32|       3: [TypeAccess] void
+#   32|       5: [BlockStmt] { ... }
+#   33|         0: [ExprStmt] <Expr>;
+#   33|           0: [MethodAccess] regionMatches(...)
+#   33|             -1: [VarAccess] STR
+#   33|             0: [BooleanLiteral] true
+#   33|             1: [IntegerLiteral] 0
+#   33|             2: [StringLiteral] "FOX"
+#   33|             3: [IntegerLiteral] 0
+#   33|             4: [IntegerLiteral] 4
 jdk/SystemGetPropertyCall.java:
 #    0| [CompilationUnit] SystemGetPropertyCall
 #    3|   1: [Class] SystemGetPropertyCall

java/ql/test/library-tests/JDK/StringMatch.expected

@@ -0,0 +1,8 @@
+| jdk/StringMatch.java:5:9:5:29 | matches(...) | jdk/StringMatch.java:5:21:5:28 | "[a-z]+" |
+| jdk/StringMatch.java:9:9:9:27 | contains(...) | jdk/StringMatch.java:9:22:9:26 | "the" |
+| jdk/StringMatch.java:13:9:13:29 | startsWith(...) | jdk/StringMatch.java:13:24:13:28 | "the" |
+| jdk/StringMatch.java:17:9:17:27 | endsWith(...) | jdk/StringMatch.java:17:22:17:26 | "dog" |
+| jdk/StringMatch.java:21:9:21:27 | indexOf(...) | jdk/StringMatch.java:21:21:21:26 | "lazy" |
+| jdk/StringMatch.java:25:9:25:31 | lastIndexOf(...) | jdk/StringMatch.java:25:25:25:30 | "lazy" |
+| jdk/StringMatch.java:29:9:29:41 | regionMatches(...) | jdk/StringMatch.java:29:30:29:34 | "fox" |
+| jdk/StringMatch.java:33:9:33:47 | regionMatches(...) | jdk/StringMatch.java:33:36:33:40 | "FOX" |

java/ql/test/library-tests/JDK/StringMatch.ql

@@ -0,0 +1,5 @@
+import java
+
+from MethodAccess ma, StringPartialMatchMethod m
+where ma.getMethod() = m
+select ma, ma.getArgument(m.getMatchParameterIndex())

java/ql/test/library-tests/JDK/jdk/StringMatch.java

@@ -0,0 +1,35 @@
+public class StringMatch {
+    private static String STR = "the quick brown fox jumps over the lazy dog";
+
+    void a() {
+        STR.matches("[a-z]+");
+    }
+
+    void b() {
+        STR.contains("the");
+    }
+
+    void c() {
+        STR.startsWith("the");
+    }
+
+    void d() {
+        STR.endsWith("dog");
+    }
+
+    void e() {
+        STR.indexOf("lazy");
+    }
+
+    void f() {
+        STR.lastIndexOf("lazy");
+    }
+
+    void g() {
+        STR.regionMatches(0, "fox", 0, 4);
+    }
+
+    void h() {
+        STR.regionMatches(true, 0, "FOX", 0, 4);
+    }
+}

java/ql/test/library-tests/environment/SystemPropertyAccess.java

@@ -0,0 +1,30 @@
+import java.io.File;
+import java.util.Properties;
+import org.apache.commons.lang3.SystemUtils;
+import com.google.common.base.StandardSystemProperty;
+
+public class SystemPropertyAccess {
+    private static final Properties SYSTEM_PROPERTIES = System.getProperties();
+
+    void test() {
+        System.getProperty("os.name");
+        System.getProperty("os.name", "default");
+        System.getProperties().getProperty("os.name");
+        System.getProperties().get("java.io.tmpdir");
+        SYSTEM_PROPERTIES.getProperty("java.home");
+        SYSTEM_PROPERTIES.get("file.encoding");
+        System.lineSeparator();
+        String awtToolkit = SystemUtils.AWT_TOOLKIT;
+        String fileEncoding = SystemUtils.FILE_ENCODING;
+        String tmpDir = SystemUtils.JAVA_IO_TMPDIR;
+        String separator = File.separator;
+        char separatorChar = File.separatorChar;
+        String pathSeparator = File.pathSeparator;
+        char pathSeparatorChar = File.pathSeparatorChar;
+        StandardSystemProperty.JAVA_VERSION.value();
+        StandardSystemProperty property = StandardSystemProperty.JAVA_VERSION;
+        property.value();
+        System.getProperty(StandardSystemProperty.JAVA_IO_TMPDIR.key());
+    }
+    
+}

java/ql/test/library-tests/environment/SystemPropertyTest.expected

@@ -0,0 +1,57 @@
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:93:5:93:50 | AWT_TOOLKIT | awt.toolkit |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:115:5:115:52 | FILE_ENCODING | file.encoding |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:141:5:142:53 | FILE_SEPARATOR | file.separator |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:160:5:160:53 | JAVA_AWT_FONTS | java.awt.fonts |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:178:5:178:59 | JAVA_AWT_GRAPHICSENV | java.awt.graphicsenv |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:199:5:199:56 | JAVA_AWT_HEADLESS | java.awt.headless |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:217:5:217:58 | JAVA_AWT_PRINTERJOB | java.awt.printerjob |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:235:5:235:54 | JAVA_CLASS_PATH | java.class.path |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:253:5:253:57 | JAVA_CLASS_VERSION | java.class.version |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:272:5:272:52 | JAVA_COMPILER | java.compiler |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:308:5:308:52 | JAVA_EXT_DIRS | java.ext.dirs |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:326:5:326:48 | JAVA_HOME | java.home |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:344:5:344:53 | JAVA_IO_TMPDIR | java.io.tmpdir |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:362:5:362:56 | JAVA_LIBRARY_PATH | java.library.path |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:381:5:381:56 | JAVA_RUNTIME_NAME | java.runtime.name |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:400:5:400:59 | JAVA_RUNTIME_VERSION | java.runtime.version |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:418:5:418:62 | JAVA_SPECIFICATION_NAME | java.specification.name |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:436:5:436:64 | JAVA_SPECIFICATION_VENDOR | java.specification.vendor |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:473:5:474:13 | JAVA_UTIL_PREFS_PREFERENCES_FACTORY | java.util.prefs.PreferencesFactory |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:492:5:492:50 | JAVA_VENDOR | java.vendor |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:510:5:510:54 | JAVA_VENDOR_URL | java.vendor.url |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:528:5:528:51 | JAVA_VERSION | java.version |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:547:5:547:51 | JAVA_VM_INFO | java.vm.info |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:565:5:565:51 | JAVA_VM_NAME | java.vm.name |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:583:5:583:65 | JAVA_VM_SPECIFICATION_NAME | java.vm.specification.name |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:601:5:601:67 | JAVA_VM_SPECIFICATION_VENDOR | java.vm.specification.vendor |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:637:5:637:53 | JAVA_VM_VENDOR | java.vm.vendor |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:655:5:655:54 | JAVA_VM_VERSION | java.vm.version |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:674:5:675:53 | LINE_SEPARATOR | line.separator |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:693:5:693:46 | OS_ARCH | os.arch |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:711:5:711:46 | OS_NAME | os.name |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:729:5:729:49 | OS_VERSION | os.version |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:749:5:750:53 | PATH_SEPARATOR | path.separator |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:770:5:770:73 | USER_COUNTRY | user.country |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:788:5:788:47 | USER_DIR | user.dir |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:806:5:806:48 | USER_HOME | user.home |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:825:5:825:52 | USER_LANGUAGE | user.language |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:843:5:843:48 | USER_NAME | user.name |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:861:5:861:52 | USER_TIMEZONE | user.timezone |
+| ../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/SystemUtils.java:1762:47:1762:63 | JAVA_AWT_HEADLESS | java.awt.headless |
+| SystemPropertyAccess.java:10:9:10:37 | getProperty(...) | os.name |
+| SystemPropertyAccess.java:11:9:11:48 | getProperty(...) | os.name |
+| SystemPropertyAccess.java:12:9:12:53 | getProperty(...) | os.name |
+| SystemPropertyAccess.java:13:9:13:52 | get(...) | java.io.tmpdir |
+| SystemPropertyAccess.java:14:9:14:50 | getProperty(...) | java.home |
+| SystemPropertyAccess.java:15:9:15:46 | get(...) | file.encoding |
+| SystemPropertyAccess.java:16:9:16:30 | lineSeparator(...) | line.separator |
+| SystemPropertyAccess.java:17:29:17:51 | SystemUtils.AWT_TOOLKIT | awt.toolkit |
+| SystemPropertyAccess.java:18:31:18:55 | SystemUtils.FILE_ENCODING | file.encoding |
+| SystemPropertyAccess.java:19:25:19:50 | SystemUtils.JAVA_IO_TMPDIR | java.io.tmpdir |
+| SystemPropertyAccess.java:20:28:20:41 | File.separator | file.separator |
+| SystemPropertyAccess.java:21:30:21:47 | File.separatorChar | file.separator |
+| SystemPropertyAccess.java:22:32:22:49 | File.pathSeparator | path.separator |
+| SystemPropertyAccess.java:23:34:23:55 | File.pathSeparatorChar | path.separator |
+| SystemPropertyAccess.java:24:9:24:51 | value(...) | java.version |
+| SystemPropertyAccess.java:26:9:26:24 | value(...) | java.version |
+| SystemPropertyAccess.java:27:9:27:71 | getProperty(...) | java.io.tmpdir |

java/ql/test/library-tests/environment/SystemPropertyTest.ql

@@ -0,0 +1,6 @@
+import default
+import semmle.code.java.environment.SystemProperty
+
+from Expr systemPropertyAccess, string propertyName
+where systemPropertyAccess = getSystemProperty(propertyName)
+select systemPropertyAccess, propertyName