Merge pull request #12107 from aibaars/downgrade-tree-sitter

Ruby: downgrade tree-sitter to 0.20.7

.github/actions/fetch-codeql/action.yml

@@ -19,4 +19,6 @@ runs:
         gh extension install github/gh-codeql
         gh codeql set-channel "$CHANNEL"
         gh codeql version
+        printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}"
+        gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}"
         gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}"

.github/actions/os-version/action.yml

@@ -0,0 +1,32 @@
+name: OS Version
+description: Get OS version.
+
+outputs:
+  version:
+    description: "OS version"
+    value: ${{ steps.version.outputs.version }}
+
+runs:
+  using: composite
+  steps:
+    - if: runner.os == 'Linux'
+      shell: bash
+      run: |
+        . /etc/os-release
+        echo "VERSION=${NAME} ${VERSION}" >> $GITHUB_ENV
+    - if: runner.os == 'Windows'
+      shell: powershell
+      run: |
+        $objects = systeminfo.exe /FO CSV | ConvertFrom-Csv
+        "VERSION=$($objects.'OS Name') $($objects.'OS Version')" >> $env:GITHUB_ENV
+    - if: runner.os == 'macOS'
+      shell: bash
+      run: |
+        echo "VERSION=$(sw_vers -productName) $(sw_vers -productVersion)" >> $GITHUB_ENV
+    - name: Emit OS version
+      id: version
+      shell: bash
+      run: |
+        echo "$VERSION"
+        echo "version=${VERSION}" >> $GITHUB_OUTPUT
+

.github/dependabot.yml

@@ -1,19 +1,12 @@
 version: 2
 updates:
   - package-ecosystem: "cargo"
-    directory: "ruby/node-types"
+    directory: "ruby"
     schedule:
       interval: "daily"
+
   - package-ecosystem: "cargo"
-    directory: "ruby/generator"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "cargo"
-    directory: "ruby/extractor"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "cargo"
-    directory: "ruby/autobuilder"
+    directory: "ql"
     schedule:
       interval: "daily"
 

.github/workflows/check-change-note.yml

@@ -26,3 +26,9 @@ jobs:
         run: |
           gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
           grep true -c
+      - name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md' or 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text.
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$"))' |
+          grep true -c

.github/workflows/codeql-analysis.yml

@@ -30,7 +30,7 @@ jobs:
     - name: Setup dotnet
       uses: actions/setup-dotnet@v2
       with:
-        dotnet-version: 6.0.202
+        dotnet-version: 7.0.102
 
     - name: Checkout repository
       uses: actions/checkout@v3

.github/workflows/csharp-qltest.yml

@@ -77,10 +77,10 @@ jobs:
       - name: Setup dotnet
         uses: actions/setup-dotnet@v3
         with:
-          dotnet-version: 6.0.202
+          dotnet-version: 7.0.102
       - name: Extractor unit tests
         run: |
-          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/csharp/extractor/Semmle.Util.Tests"
-          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/csharp/extractor/Semmle.Extraction.Tests"
-          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests"
-          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/extractor/Semmle.Util.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/extractor/Semmle.Extraction.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"

.github/workflows/mad_modelDiff.yml

@@ -11,7 +11,7 @@ on:
     branches:
       - main
     paths:
-      - "java/ql/src/utils/model-generator/**/*.*"
+      - "java/ql/src/utils/modelgenerator/**/*.*"
       - ".github/workflows/mad_modelDiff.yml"
 
 permissions:
@@ -40,12 +40,12 @@ jobs:
       - name: Download database
         env:
           SLUG: ${{ matrix.slug }}
+          GH_TOKEN: ${{ github.token }}
         run: |
           set -x
           mkdir lib-dbs
           SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
-          projectId=`curl -s https://lgtm.com/api/v1.0/projects/g/${SLUG} | jq .id`
-          curl -L "https://lgtm.com/api/v1.0/snapshots/$projectId/java" -o "$SHORTNAME.zip"
+          gh api -H "Accept: application/zip" "/repos/${SLUG}/code-scanning/codeql/databases/java" > "$SHORTNAME.zip"
           unzip -q -d "${SHORTNAME}-db" "${SHORTNAME}.zip"
           mkdir "lib-dbs/$SHORTNAME/"
           mv "${SHORTNAME}-db/"$(ls -1 "${SHORTNAME}"-db)/* "lib-dbs/${SHORTNAME}/"
@@ -61,7 +61,7 @@ jobs:
             DATABASE=$2
             cd codeql-$QL_VARIANT
             SHORTNAME=`basename $DATABASE`
-            python java/ql/src/utils/model-generator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
+            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
             mv java/ql/lib/ext/generated/${SHORTNAME}.temp.model.yml $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.model.yml
             cd ..
           }
@@ -100,4 +100,6 @@ jobs:
         with:
           name: diffs
           path: tmp-models/*.html
+          # An html file is only produced if the generated models differ.
+          if-no-files-found: ignore
           retention-days: 20

.github/workflows/mad_regenerate-models.yml

@@ -50,7 +50,7 @@ jobs:
           SLUG: ${{ matrix.slug }}
         run: |
           SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
-          java/ql/src/utils/model-generator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
+          java/ql/src/utils/modelgenerator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
       - name: Stage changes
         run: |
           find java -name "*.model.yml" -print0 | xargs -0 git add

.github/workflows/ql-for-ql-build.yml

@@ -27,7 +27,7 @@ jobs:
         uses: ./.github/actions/find-latest-bundle
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
+        uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
         with:
           languages: javascript # does not matter
           tools: ${{ steps.find-latest-bundle.outputs.url }}
@@ -38,12 +38,14 @@ jobs:
         shell: bash
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      - uses: ./.github/actions/os-version
+        id: os_version
       - name: Cache entire pack
         id: cache-pack
         uses: actions/cache@v3
         with:
           path: ${{ runner.temp }}/pack
-          key: ${{ runner.os }}-pack-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-pack-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
       - name: Cache queries
         if: steps.cache-pack.outputs.cache-hit != 'true'
         id: cache-queries
@@ -77,7 +79,7 @@ jobs:
             ql/target/release/ql-autobuilder.exe
             ql/target/release/ql-extractor
             ql/target/release/ql-extractor.exe
-          key: ${{ runner.os }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
       - name: Cache cargo
         if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
         uses: actions/cache@v3
@@ -86,7 +88,7 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             ql/target
-          key: ${{ runner.os }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
       - name: Check formatting
         if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
         run: cd ql; cargo fmt --all -- --check
@@ -137,20 +139,20 @@ jobs:
         env:
           CONF: ./ql-for-ql-config.yml
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
+        uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
         with:
           languages: ql
           db-location: ${{ runner.temp }}/db
           config-file: ./ql-for-ql-config.yml
           tools: ${{ steps.find-latest-bundle.outputs.url }}
-      - name: Move pack cache
+      - name: Move pack queries
         run: |
-          cp -r ${PACK}/.cache ql/ql/src/.cache
+          cp -r ${PACK}/queries ql/ql/src
         env:
           PACK: ${{ runner.temp }}/pack
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
+        uses: github/codeql-action/analyze@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
         with:
           category: "ql-for-ql"
       - name: Copy sarif file to CWD
@@ -172,4 +174,4 @@ jobs:
         with:
           name: ql-for-ql-langs
           path: split-sarif
-          retention-days: 1
+          retention-days: 1

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -25,16 +25,18 @@ jobs:
 
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
+        uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
         with:
           languages: javascript # does not matter
+      - uses: ./.github/actions/os-version
+        id: os_version
       - uses: actions/cache@v3
         with:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
             ql/target
-          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
       - name: Build Extractor
         run: cd ql; env "PATH=$PATH:`dirname ${CODEQL}`" ./scripts/create-extractor-pack.sh
         env:

.github/workflows/ql-for-ql-tests.yml

@@ -6,11 +6,13 @@ on:
     paths:
       - "ql/**"
       - codeql-workspace.yml
+      - .github/workflows/ql-for-ql-tests.yml
   pull_request:
     branches: [main]
     paths:
       - "ql/**"
       - codeql-workspace.yml
+      - .github/workflows/ql-for-ql-tests.yml
 
 env:
   CARGO_TERM_COLOR: always
@@ -22,28 +24,84 @@ jobs:
       - uses: actions/checkout@v3
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
+        uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
         with:
           languages: javascript # does not matter
+      - uses: ./.github/actions/os-version
+        id: os_version
       - uses: actions/cache@v3
         with:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
             ql/target
-          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }}
       - name: Build extractor
         run: |
           cd ql;
           codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
           env "PATH=$PATH:$codeqlpath" ./scripts/create-extractor-pack.sh
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with: 
+          key: ql-for-ql-tests
       - name: Run QL tests
         run: |
-          "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries ql/ql/test
+          "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" ql/ql/test
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - name: Check QL formatting
+
+  other-os: 
+    strategy:
+      matrix:
+        os: [macos-latest, windows-latest]
+    needs: [qltest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install GNU tar 
+        if: runner.os == 'macOS'
         run: |
-          find ql/ql/src "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 "${CODEQL}" query format --check-only
+          brew install gnu-tar
+          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
+      - name: Find codeql
+        id: find-codeql
+        uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
+        with:
+          languages: javascript # does not matter
+      - uses: ./.github/actions/os-version
+        id: os_version
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            ql/target
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }}
+      - name: Build extractor
+        if: runner.os != 'Windows'
+        run: |
+          cd ql;
+          codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
+          env "PATH=$PATH:$codeqlpath" ./scripts/create-extractor-pack.sh
+      - name: Build extractor (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          cd ql;
+          $Env:PATH += ";$(dirname ${{ steps.find-codeql.outputs.codeql-path }})"
+          pwsh ./scripts/create-extractor-pack.ps1
+      - name: Run a single QL tests - Unix
+        if: runner.os != 'Windows'
+        run: |
+          "${CODEQL}" test run --check-databases --search-path "${{ github.workspace }}/ql/extractor-pack" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      - name: Run a single QL tests - Windows
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          $Env:PATH += ";$(dirname ${{ steps.find-codeql.outputs.codeql-path }})"
+          codeql test run --check-databases --search-path "${{ github.workspace }}/ql/extractor-pack" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
+      

.github/workflows/ruby-build.yml

@@ -48,6 +48,8 @@ jobs:
         run: |
           brew install gnu-tar
           echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
+      - uses: ./.github/actions/os-version
+        id: os_version
       - name: Cache entire extractor
         uses: actions/cache@v3
         id: cache-extractor
@@ -58,7 +60,7 @@ jobs:
             ruby/target/release/ruby-extractor
             ruby/target/release/ruby-extractor.exe
             ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-          key: ${{ runner.os }}-ruby-extractor-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}--${{ hashFiles('ruby/**/*.rs') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}--${{ hashFiles('ruby/**/*.rs') }}
       - uses: actions/cache@v3
         if: steps.cache-extractor.outputs.cache-hit != 'true'
         with:
@@ -66,7 +68,7 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             ruby/target
-          key: ${{ runner.os }}-ruby-rust-cargo-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}
       - name: Check formatting
         if: steps.cache-extractor.outputs.cache-hit != 'true'
         run: cargo fmt --all -- --check
@@ -203,11 +205,6 @@ jobs:
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
 
-      - uses: actions/checkout@v3
-        with:
-          repository: Shopify/example-ruby-app
-          ref: 67a0decc5eb550f3a9228eda53925c3afd40dfe9
-
       - name: Download Ruby bundle
         uses: actions/download-artifact@v3
         with:
@@ -216,26 +213,15 @@ jobs:
       - name: Unzip Ruby bundle
         shell: bash
         run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
-      - name: Prepare test files
-        shell: bash
-        run: |
-          echo "import codeql.ruby.AST select count(File f)" > "test.ql"
-          echo "| 4 |" > "test.expected"
-          echo 'name: sample-tests
-          version: 0.0.0
-          dependencies:
-            codeql/ruby-all: "*"
-          extractor: ruby
-          tests: .
-          ' > qlpack.yml
+
       - name: Run QL test
         shell: bash
         run: |
-          codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" .
+          codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" ruby/ql/test/library-tests/ast/constants/
       - name: Create database
         shell: bash
         run: |
-          codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root . ../database
+          codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
       - name: Analyze database
         shell: bash
         run: |

CONTRIBUTING.md

@@ -25,6 +25,7 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
     Each language-specific directory contains further subdirectories that group queries based on their `@tags` or purpose.
     - Experimental queries and libraries are stored in the `experimental` subdirectory within each language-specific directory in the [CodeQL repository](https://github.com/github/codeql). For example, experimental Java queries and libraries are stored in `java/ql/src/experimental` and any corresponding tests in `java/ql/test/experimental`.
+    - Experimental queries need to include `experimental` in their `@tags`
     - The structure of an `experimental` subdirectory mirrors the structure of its parent directory.
     - Select or create an appropriate directory in `experimental` based on the existing directory structure of `experimental` or its parent directory.
 

README.md

@@ -10,6 +10,8 @@ There is [extensive documentation](https://codeql.github.com/docs/) on getting s
 
 We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/github/codeql/tree/main/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.
 
+For information on contributing to CodeQL documentation, see the "[contributing guide](docs/codeql/CONTRIBUTING.md)" for docs.
+
 ## License
 
 The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com).

config/identical-files.json

@@ -29,13 +29,14 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll",
     "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll",
     "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll",
+    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImplForStringsNewReplacer.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplForRegExp.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForRegExp.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForHttpClientLibraries.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForPathname.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl.qll"
@@ -402,16 +403,6 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
   ],
-  "Inline Test Expectations": [
-    "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "csharp/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "python/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "ruby/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "ql/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "go/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "swift/ql/test/TestUtilities/InlineExpectationsTest.qll"
-  ],
   "C++ ExternalAPIs": [
     "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
     "cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll"

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
     <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
     <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
     <Nullable>enable</Nullable>

cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
     <AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
     <RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
     <ApplicationIcon />

cpp/downgrades/23f7cbb88a4eb29f30c3490363dc201bc054c5ff/exprs.ql

@@ -13,5 +13,5 @@ predicate isExprWithNewBuiltin(Expr expr) {
 from Expr expr, int kind, int kind_new, Location location
 where
   exprs(expr, kind, location) and
-  if isExprWithNewBuiltin(expr) then kind_new = 0 else kind_new = kind
+  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
 select expr, kind_new, location

cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/exprs.ql

@@ -9,5 +9,5 @@ class Location extends @location_expr {
 from Expr expr, int kind, int kind_new, Location location
 where
   exprs(expr, kind, location) and
-  if expr instanceof @blockassignexpr then kind_new = 0 else kind_new = kind
+  if expr instanceof @blockassignexpr then kind_new = 1 else kind_new = kind
 select expr, kind_new, location

cpp/downgrades/a5bb28ed29f73855d64cc5f939cef977fa8fd19a/builtintypes.ql

@@ -0,0 +1,11 @@
+class BuiltinType extends @builtintype {
+  string toString() { none() }
+}
+
+from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
+where
+  builtintypes(type, name, kind, size, sign, alignment) and
+  if type instanceof @float16 or type instanceof @complex_float16
+  then kind_new = 2
+  else kind_new = kind
+select type, name, kind_new, size, sign, alignment

cpp/downgrades/a5bb28ed29f73855d64cc5f939cef977fa8fd19a/upgrade.properties

@@ -0,0 +1,3 @@
+description: Introduce (_Complex) _Float16 type
+compatibility: backwards
+builtintypes.rel: run builtintypes.qlo

cpp/downgrades/ba86bebea4c7a8235c2fa0e220391fbd4446a087/upgrade.properties

@@ -0,0 +1,2 @@
+description: Uncomment case splits in dbscheme
+compatibility: full

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 0.5.2
+
+No user-facing changes.
+
+## 0.5.1
+
+No user-facing changes.
+
 ## 0.5.0
 
 ### Breaking Changes

cpp/ql/lib/change-notes/released/0.5.1.md

@@ -0,0 +1,3 @@
+## 0.5.1
+
+No user-facing changes.

cpp/ql/lib/change-notes/released/0.5.2.md

@@ -0,0 +1,3 @@
+## 0.5.2
+
+No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.0
+lastReleaseVersion: 0.5.2

cpp/ql/lib/definitions.qll

@@ -123,6 +123,13 @@ private predicate constructorCallTypeMention(ConstructorCall cc, TypeMention tm)
   )
 }
 
+/** Holds if `loc` has the container `container` and is on the line starting at `startLine`. */
+pragma[nomagic]
+private predicate hasContainerAndStartLine(Location loc, Container container, int startLine) {
+  loc.getStartLine() = startLine and
+  loc.getContainer() = container
+}
+
 /**
  * Gets an element, of kind `kind`, that element `e` uses, if any.
  * Attention: This predicate yields multiple definitions for a single location.
@@ -159,9 +166,9 @@ Top definitionOf(Top e, string kind) {
     // Multiple type mentions can be generated when a typedef is used, and
     // in such cases we want to exclude all but the originating typedef.
     not exists(Type secondary |
-      exists(TypeMention tm, File f, int startline, int startcol |
+      exists(File f, int startline, int startcol |
         typeMentionStartLoc(e, result, f, startline, startcol) and
-        typeMentionStartLoc(tm, secondary, f, startline, startcol) and
+        typeMentionStartLoc(_, secondary, f, startline, startcol) and
         (
           result = secondary.(TypedefType).getBaseType() or
           result = secondary.(TypedefType).getBaseType().(SpecifiedType).getBaseType()
@@ -184,11 +191,9 @@ Top definitionOf(Top e, string kind) {
     kind = "I" and
     result = e.(Include).getIncludedFile() and
     // exclude `#include` directives containing macros
-    not exists(MacroInvocation mi, Location l1, Location l2 |
-      l1 = e.(Include).getLocation() and
-      l2 = mi.getLocation() and
-      l1.getContainer() = l2.getContainer() and
-      l1.getStartLine() = l2.getStartLine()
+    not exists(MacroInvocation mi, Container container, int startLine |
+      hasContainerAndStartLine(e.(Include).getLocation(), container, startLine) and
+      hasContainerAndStartLine(mi.getLocation(), container, startLine)
       // (an #include directive must be always on it's own line)
     )
   ) and

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
     )
   }
 
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
       PrevStage::readStepCand(node1, _, _, config)
     }
 
+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
     }
 
     pragma[nomagic]
@@ -1731,8 +1735,8 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
       )
       or
@@ -1901,8 +1905,8 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
         parameterFlowsThroughRev(p, ap, pos, _, config)
       )
     }
@@ -1923,8 +1927,8 @@ private module MkStage<StageSig PrevStage> {
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
       )
     }
@@ -3749,8 +3753,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4216,15 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
     }
 
   pragma[nomagic]
@@ -4230,19 +4232,17 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
   }
 
   /**

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
     )
   }
 
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
       PrevStage::readStepCand(node1, _, _, config)
     }
 
+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
     }
 
     pragma[nomagic]
@@ -1731,8 +1735,8 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
       )
       or
@@ -1901,8 +1905,8 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
         parameterFlowsThroughRev(p, ap, pos, _, config)
       )
     }
@@ -1923,8 +1927,8 @@ private module MkStage<StageSig PrevStage> {
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
       )
     }
@@ -3749,8 +3753,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4216,15 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
     }
 
   pragma[nomagic]
@@ -4230,19 +4232,17 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
   }
 
   /**

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
     )
   }
 
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
       PrevStage::readStepCand(node1, _, _, config)
     }
 
+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
     }
 
     pragma[nomagic]
@@ -1731,8 +1735,8 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
       )
       or
@@ -1901,8 +1905,8 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
         parameterFlowsThroughRev(p, ap, pos, _, config)
       )
     }
@@ -1923,8 +1927,8 @@ private module MkStage<StageSig PrevStage> {
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
       )
     }
@@ -3749,8 +3753,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4216,15 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
     }
 
   pragma[nomagic]
@@ -4230,19 +4232,17 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
   }
 
   /**

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
     )
   }
 
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
       PrevStage::readStepCand(node1, _, _, config)
     }
 
+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
     }
 
     pragma[nomagic]
@@ -1731,8 +1735,8 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
       )
       or
@@ -1901,8 +1905,8 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
         parameterFlowsThroughRev(p, ap, pos, _, config)
       )
     }
@@ -1923,8 +1927,8 @@ private module MkStage<StageSig PrevStage> {
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
       )
     }
@@ -3749,8 +3753,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4216,15 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
     }
 
   pragma[nomagic]
@@ -4230,19 +4232,17 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
   }
 
   /**

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll

@@ -45,6 +45,16 @@ module Consistency {
     ) {
       none()
     }
+
+    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
+    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
+      none()
+    }
+
+    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
+    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
+      none()
+    }
   }
 
   private class RelevantNode extends Node {
@@ -101,9 +111,7 @@ module Consistency {
     exists(int c |
       c =
         strictcount(Node n |
-          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
-            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-          ) and
+          not n.hasLocationInfo(_, _, _, _, _) and
           not any(ConsistencyConfiguration conf).missingLocationExclude(n)
         ) and
       msg = "Nodes without location: " + c
@@ -248,6 +256,7 @@ module Consistency {
   query predicate uniqueParameterNodeAtPosition(
     DataFlowCallable c, ParameterPosition pos, Node p, string msg
   ) {
+    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
     isParameterNode(p, c, pos) and
     not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
     msg = "Parameters with overlapping positions."
@@ -256,6 +265,7 @@ module Consistency {
   query predicate uniqueParameterNodePosition(
     DataFlowCallable c, ParameterPosition pos, Node p, string msg
   ) {
+    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
     isParameterNode(p, c, pos) and
     not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
     msg = "Parameter node with multiple positions."

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/ArrayLengthAnalysis.qll

@@ -218,7 +218,7 @@ private predicate allocation(Instruction array, Length length, int delta) {
           length.(VNLength).getInstruction().getConvertedResultExpression() = lengthExpr
         )
         or
-        not exists(int d | deconstructMallocSizeExpr(alloc.getSizeExpr(), _, d)) and
+        not deconstructMallocSizeExpr(alloc.getSizeExpr(), _, _) and
         length.(VNLength).getInstruction().getConvertedResultExpression() = alloc.getSizeExpr() and
         delta = 0
       )

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll

@@ -543,9 +543,7 @@ private predicate boundedPhiCand(
   PhiInstruction phi, boolean upper, Bound b, int delta, boolean fromBackEdge, int origdelta,
   Reason reason
 ) {
-  exists(PhiInputOperand op |
-    boundedPhiInp(phi, op, b, delta, upper, fromBackEdge, origdelta, reason)
-  )
+  boundedPhiInp(phi, _, b, delta, upper, fromBackEdge, origdelta, reason)
 }
 
 /**

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantShiftExprRange.qll

@@ -0,0 +1,263 @@
+private import cpp
+private import experimental.semmle.code.cpp.models.interfaces.SimpleRangeAnalysisExpr
+private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
+
+float evaluateConstantExpr(Expr e) {
+  result = e.getValue().toFloat()
+  or
+  // This handles when a constant value is put into a variable
+  // and the variable is used later
+  exists(SsaDefinition defn, StackVariable sv |
+    defn.getAUse(sv) = e and
+    result = defn.getDefiningValue(sv).getValue().toFloat()
+  )
+}
+
+// If the constant right operand is negative or is greater than or equal to the number of
+// bits in the left operands type, then the result is undefined (except on the IA-32
+// architecture where the shift value is masked with 0b00011111, but we can't
+// assume the architecture).
+bindingset[val]
+private predicate isValidShiftExprShift(float val, Expr l) {
+  val >= 0 and
+  // We use getFullyConverted because the spec says to use the *promoted* left operand
+  val < (l.getFullyConverted().getUnderlyingType().getSize() * 8)
+}
+
+bindingset[val, shift, max_val]
+private predicate canLShiftOverflow(int val, int shift, int max_val) {
+  // val << shift = val * 2^shift > max_val => val > max_val/2^shift = max_val >> b
+  val > max_val.bitShiftRight(shift)
+}
+
+/**
+ * A range analysis expression consisting of the `>>` or `>>=` operator when at least
+ * one operand is a constant (and if the right operand is a constant, it must be "valid"
+ * (see `isValidShiftExprShift`)). When handling any undefined behavior, it leaves the
+ * values unconstrained. From the C++ standard: "The behavior is undefined if the right
+ * operand is negative, or greater than or equal to the length in bits of the promoted
+ * left operand. The value of E1 >> E2 is E1 right-shifted E2 bit positions. If E1 has an
+ * unsigned type or if E1 has a signed type and a non-negative value, the value of the
+ * result is the integral part of the quotient of E1/2^E2. If E1 has a signed type and a
+ * negative value, the resulting value is implementation-defined."
+ */
+class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr {
+  /**
+   * Holds for `a >> b` or `a >>= b` in one of the following two cases:
+   * 1. `a` is a constant and `b` is not
+   * 2. `b` is constant
+   *
+   * We don't handle the case where `a` and `b` are both non-constant values.
+   */
+  ConstantRShiftExprRange() {
+    getUnspecifiedType() instanceof IntegralType and
+    exists(Expr l, Expr r |
+      l = this.(RShiftExpr).getLeftOperand() and
+      r = this.(RShiftExpr).getRightOperand()
+      or
+      l = this.(AssignRShiftExpr).getLValue() and
+      r = this.(AssignRShiftExpr).getRValue()
+    |
+      l.getUnspecifiedType() instanceof IntegralType and
+      r.getUnspecifiedType() instanceof IntegralType and
+      (
+        // If the left operand is a constant, verify that the right operand is not a constant
+        exists(evaluateConstantExpr(l)) and not exists(evaluateConstantExpr(r))
+        or
+        // If the right operand is a constant, check if it is a valid shift expression
+        exists(float constROp |
+          constROp = evaluateConstantExpr(r) and isValidShiftExprShift(constROp, l)
+        )
+      )
+    )
+  }
+
+  Expr getLeftOperand() {
+    result = this.(RShiftExpr).getLeftOperand() or
+    result = this.(AssignRShiftExpr).getLValue()
+  }
+
+  Expr getRightOperand() {
+    result = this.(RShiftExpr).getRightOperand() or
+    result = this.(AssignRShiftExpr).getRValue()
+  }
+
+  override float getLowerBounds() {
+    exists(int lLower, int lUpper, int rLower, int rUpper |
+      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
+      lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
+      rUpper = getFullyConvertedUpperBounds(getRightOperand()) and
+      lLower <= lUpper and
+      rLower <= rUpper
+    |
+      if
+        lLower < 0
+        or
+        not (
+          isValidShiftExprShift(rLower, getLeftOperand()) and
+          isValidShiftExprShift(rUpper, getLeftOperand())
+        )
+      then
+        // We don't want to deal with shifting negative numbers at the moment,
+        // and a negative shift is implementation defined, so we set the result
+        // to the minimum value
+        result = exprMinVal(this)
+      else
+        // We can get the smallest value by shifting the smallest bound by the largest bound
+        result = lLower.bitShiftRight(rUpper)
+    )
+  }
+
+  override float getUpperBounds() {
+    exists(int lLower, int lUpper, int rLower, int rUpper |
+      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
+      lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
+      rUpper = getFullyConvertedUpperBounds(getRightOperand()) and
+      lLower <= lUpper and
+      rLower <= rUpper
+    |
+      if
+        lLower < 0
+        or
+        not (
+          isValidShiftExprShift(rLower, getLeftOperand()) and
+          isValidShiftExprShift(rUpper, getLeftOperand())
+        )
+      then
+        // We don't want to deal with shifting negative numbers at the moment,
+        // and a negative shift is implementation defined, so we set the result
+        // to the maximum value
+        result = exprMaxVal(this)
+      else
+        // We can get the largest value by shifting the largest bound by the smallest bound
+        result = lUpper.bitShiftRight(rLower)
+    )
+  }
+
+  override predicate dependsOnChild(Expr child) {
+    child = getLeftOperand() or child = getRightOperand()
+  }
+}
+
+/**
+ * A range analysis expression consisting of the `<<` or `<<=` operator when at least
+ * one operand is a constant (and if the right operand is a constant, it must be "valid"
+ * (see `isValidShiftExprShift`)). When handling any undefined behavior, it leaves the
+ * values unconstrained. From the C++ standard: "The behavior is undefined if the right
+ * operand is negative, or greater than or equal to the length in bits of the promoted left operand.
+ * The value of E1 << E2 is E1 left-shifted E2 bit positions; vacated bits are zero-filled. If E1
+ * has an unsigned type, the value of the result is E1 x 2 E2, reduced modulo one more than the
+ * maximum value representable in the result type. Otherwise, if E1 has a signed type and
+ * non-negative value, and E1 x 2 E2 is representable in the corresponding unsigned type of the
+ * result type, then that value, converted to the result type, is the resulting value; otherwise,
+ * the behavior is undefined."
+ */
+class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr {
+  /**
+   * Holds for `a << b` or `a <<= b` in one of the following two cases:
+   * 1. `a` is a constant and `b` is not
+   * 2. `b` is constant
+   *
+   * We don't handle the case where `a` and `b` are both non-constant values.
+   */
+  ConstantLShiftExprRange() {
+    getUnspecifiedType() instanceof IntegralType and
+    exists(Expr l, Expr r |
+      l = this.(LShiftExpr).getLeftOperand() and
+      r = this.(LShiftExpr).getRightOperand()
+      or
+      l = this.(AssignLShiftExpr).getLValue() and
+      r = this.(AssignLShiftExpr).getRValue()
+    |
+      l.getUnspecifiedType() instanceof IntegralType and
+      r.getUnspecifiedType() instanceof IntegralType and
+      (
+        // If the left operand is a constant, verify that the right operand is not a constant
+        exists(evaluateConstantExpr(l)) and not exists(evaluateConstantExpr(r))
+        or
+        // If the right operand is a constant, check if it is a valid shift expression
+        exists(float constROp |
+          constROp = evaluateConstantExpr(r) and isValidShiftExprShift(constROp, l)
+        )
+      )
+    )
+  }
+
+  Expr getLeftOperand() {
+    result = this.(LShiftExpr).getLeftOperand() or
+    result = this.(AssignLShiftExpr).getLValue()
+  }
+
+  Expr getRightOperand() {
+    result = this.(LShiftExpr).getRightOperand() or
+    result = this.(AssignLShiftExpr).getRValue()
+  }
+
+  override float getLowerBounds() {
+    exists(int lLower, int lUpper, int rLower, int rUpper |
+      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
+      lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
+      rUpper = getFullyConvertedUpperBounds(getRightOperand()) and
+      lLower <= lUpper and
+      rLower <= rUpper
+    |
+      if
+        lLower < 0
+        or
+        not (
+          isValidShiftExprShift(rLower, getLeftOperand()) and
+          isValidShiftExprShift(rUpper, getLeftOperand())
+        )
+      then
+        // We don't want to deal with shifting negative numbers at the moment,
+        // and a negative shift is undefined, so we set to the minimum value
+        result = exprMinVal(this)
+      else
+        // If we have `0b01010000 << [0, 2]`, the max value for 8 bits is 0b10100000
+        // (a shift of 1) but doing a shift by the upper bound would give 0b01000000.
+        // So if the left shift operation causes an overflow, we just assume the max value
+        // If necessary, we may be able to improve this bound in the future
+        if canLShiftOverflow(lUpper, rUpper, exprMaxVal(this))
+        then result = exprMinVal(this)
+        else result = lLower.bitShiftLeft(rLower)
+    )
+  }
+
+  override float getUpperBounds() {
+    exists(int lLower, int lUpper, int rLower, int rUpper |
+      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
+      lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
+      rUpper = getFullyConvertedUpperBounds(getRightOperand()) and
+      lLower <= lUpper and
+      rLower <= rUpper
+    |
+      if
+        lLower < 0
+        or
+        not (
+          isValidShiftExprShift(rLower, getLeftOperand()) and
+          isValidShiftExprShift(rUpper, getLeftOperand())
+        )
+      then
+        // We don't want to deal with shifting negative numbers at the moment,
+        // and a negative shift is undefined, so we set it to the maximum value
+        result = exprMaxVal(this)
+      else
+        // If we have `0b01010000 << [0, 2]`, the max value for 8 bits is 0b10100000
+        // (a shift of 1) but doing a shift by the upper bound would give 0b01000000.
+        // So if the left shift operation causes an overflow, we just assume the max value
+        // If necessary, we may be able to improve this bound in the future
+        if canLShiftOverflow(lUpper, rUpper, exprMaxVal(this))
+        then result = exprMaxVal(this)
+        else result = lUpper.bitShiftLeft(rUpper)
+    )
+  }
+
+  override predicate dependsOnChild(Expr child) {
+    child = getLeftOperand() or child = getRightOperand()
+  }
+}

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/FloatDelta.qll

@@ -0,0 +1,29 @@
+private import RangeAnalysisStage
+
+module FloatDelta implements DeltaSig {
+  class Delta = float;
+
+  bindingset[d]
+  bindingset[result]
+  float toFloat(Delta d) { result = d }
+
+  bindingset[d]
+  bindingset[result]
+  int toInt(Delta d) { result = d }
+
+  bindingset[n]
+  bindingset[result]
+  Delta fromInt(int n) { result = n }
+
+  bindingset[f]
+  Delta fromFloat(float f) {
+    result =
+      min(float diff, float res |
+        diff = (res - f) and res = f.ceil()
+        or
+        diff = (f - res) and res = f.floor()
+      |
+        res order by diff
+      )
+  }
+}

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/ModulusAnalysis.qll

@@ -14,321 +14,328 @@ private import ModulusAnalysisSpecific::Private
 private import experimental.semmle.code.cpp.semantic.Semantic
 private import ConstantAnalysis
 private import RangeUtils
+private import RangeAnalysisStage
 
-/**
- * Holds if `e + delta` equals `v` at `pos`.
- */
-private predicate valueFlowStepSsa(SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta) {
-  semSsaUpdateStep(v, e, delta) and pos.hasReadOfVar(v)
-  or
-  exists(SemGuard guard, boolean testIsTrue |
-    pos.hasReadOfVar(v) and
-    guard = semEqFlowCond(v, e, delta, true, testIsTrue) and
-    semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue)
-  )
-}
-
-/**
- * Holds if `add` is the addition of `larg` and `rarg`, neither of which are
- * `ConstantIntegerExpr`s.
- */
-private predicate nonConstAddition(SemExpr add, SemExpr larg, SemExpr rarg) {
-  exists(SemAddExpr a | a = add |
-    larg = a.getLeftOperand() and
-    rarg = a.getRightOperand()
-  ) and
-  not larg instanceof SemConstantIntegerExpr and
-  not rarg instanceof SemConstantIntegerExpr
-}
-
-/**
- * Holds if `sub` is the subtraction of `larg` and `rarg`, where `rarg` is not
- * a `ConstantIntegerExpr`.
- */
-private predicate nonConstSubtraction(SemExpr sub, SemExpr larg, SemExpr rarg) {
-  exists(SemSubExpr s | s = sub |
-    larg = s.getLeftOperand() and
-    rarg = s.getRightOperand()
-  ) and
-  not rarg instanceof SemConstantIntegerExpr
-}
-
-/** Gets an expression that is the remainder modulo `mod` of `arg`. */
-private SemExpr modExpr(SemExpr arg, int mod) {
-  exists(SemRemExpr rem |
-    result = rem and
-    arg = rem.getLeftOperand() and
-    rem.getRightOperand().(SemConstantIntegerExpr).getIntValue() = mod and
-    mod >= 2
-  )
-  or
-  exists(SemConstantIntegerExpr c |
-    mod = 2.pow([1 .. 30]) and
-    c.getIntValue() = mod - 1 and
-    result.(SemBitAndExpr).hasOperands(arg, c)
-  )
-}
-
-/**
- * Gets a guard that tests whether `v` is congruent with `val` modulo `mod` on
- * its `testIsTrue` branch.
- */
-private SemGuard moduloCheck(SemSsaVariable v, int val, int mod, boolean testIsTrue) {
-  exists(SemExpr rem, SemConstantIntegerExpr c, int r, boolean polarity |
-    result.isEquality(rem, c, polarity) and
-    c.getIntValue() = r and
-    rem = modExpr(v.getAUse(), mod) and
-    (
-      testIsTrue = polarity and val = r
-      or
-      testIsTrue = polarity.booleanNot() and
-      mod = 2 and
-      val = 1 - r and
-      (r = 0 or r = 1)
-    )
-  )
-}
-
-/**
- * Holds if a guard ensures that `v` at `pos` is congruent with `val` modulo `mod`.
- */
-private predicate moduloGuardedRead(SemSsaVariable v, SemSsaReadPosition pos, int val, int mod) {
-  exists(SemGuard guard, boolean testIsTrue |
-    pos.hasReadOfVar(v) and
-    guard = moduloCheck(v, val, mod, testIsTrue) and
-    semGuardControlsSsaRead(guard, pos, testIsTrue)
-  )
-}
-
-/** Holds if `factor` is a power of 2 that divides `mask`. */
-bindingset[mask]
-private predicate andmaskFactor(int mask, int factor) {
-  mask % factor = 0 and
-  factor = 2.pow([1 .. 30])
-}
-
-/** Holds if `e` is evenly divisible by `factor`. */
-private predicate evenlyDivisibleExpr(SemExpr e, int factor) {
-  exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() |
-    e.(SemMulExpr).getAnOperand() = c and factor = k.abs() and factor >= 2
-    or
-    e.(SemShiftLeftExpr).getRightOperand() = c and factor = 2.pow(k) and k > 0
-    or
-    e.(SemBitAndExpr).getAnOperand() = c and factor = max(int f | andmaskFactor(k, f))
-  )
-}
-
-/**
- * Holds if `rix` is the number of input edges to `phi`.
- */
-private predicate maxPhiInputRank(SemSsaPhiNode phi, int rix) {
-  rix = max(int r | rankedPhiInput(phi, _, _, r))
-}
-
-/**
- * Gets the remainder of `val` modulo `mod`.
- *
- * For `mod = 0` the result equals `val` and for `mod > 1` the result is within
- * the range `[0 .. mod-1]`.
- */
-bindingset[val, mod]
-private int remainder(int val, int mod) {
-  mod = 0 and result = val
-  or
-  mod > 1 and result = ((val % mod) + mod) % mod
-}
-
-/**
- * Holds if `inp` is an input to `phi` and equals `phi` modulo `mod` along `edge`.
- */
-private predicate phiSelfModulus(
-  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int mod
-) {
-  exists(SemSsaBound phibound, int v, int m |
-    edge.phiInput(phi, inp) and
-    phibound.getAVariable() = phi and
-    ssaModulus(inp, edge, phibound, v, m) and
-    mod = m.gcd(v) and
-    mod != 1
-  )
-}
-
-/**
- * Holds if `b + val` modulo `mod` is a candidate congruence class for `phi`.
- */
-private predicate phiModulusInit(SemSsaPhiNode phi, SemBound b, int val, int mod) {
-  exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
-    edge.phiInput(phi, inp) and
-    ssaModulus(inp, edge, b, val, mod)
-  )
-}
-
-/**
- * Holds if all inputs to `phi` numbered `1` to `rix` are equal to `b + val` modulo `mod`.
- */
-pragma[nomagic]
-private predicate phiModulusRankStep(SemSsaPhiNode phi, SemBound b, int val, int mod, int rix) {
-  /*
-   * base case. If any phi input is equal to `b + val` modulo `mod`, that's a potential congruence
-   * class for the phi node.
+module ModulusAnalysis<DeltaSig D, BoundSig<D> Bounds, UtilSig<D> U> {
+  /**
+   * Holds if `e + delta` equals `v` at `pos`.
    */
+  private predicate valueFlowStepSsa(SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta) {
+    U::semSsaUpdateStep(v, e, D::fromInt(delta)) and pos.hasReadOfVar(v)
+    or
+    exists(SemGuard guard, boolean testIsTrue |
+      pos.hasReadOfVar(v) and
+      guard = U::semEqFlowCond(v, e, D::fromInt(delta), true, testIsTrue) and
+      semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue)
+    )
+  }
 
-  rix = 0 and
-  phiModulusInit(phi, b, val, mod)
-  or
-  exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int v1, int m1 |
-    mod != 1 and
-    val = remainder(v1, mod)
-  |
+  /**
+   * Holds if `add` is the addition of `larg` and `rarg`, neither of which are
+   * `ConstantIntegerExpr`s.
+   */
+  private predicate nonConstAddition(SemExpr add, SemExpr larg, SemExpr rarg) {
+    exists(SemAddExpr a | a = add |
+      larg = a.getLeftOperand() and
+      rarg = a.getRightOperand()
+    ) and
+    not larg instanceof SemConstantIntegerExpr and
+    not rarg instanceof SemConstantIntegerExpr
+  }
+
+  /**
+   * Holds if `sub` is the subtraction of `larg` and `rarg`, where `rarg` is not
+   * a `ConstantIntegerExpr`.
+   */
+  private predicate nonConstSubtraction(SemExpr sub, SemExpr larg, SemExpr rarg) {
+    exists(SemSubExpr s | s = sub |
+      larg = s.getLeftOperand() and
+      rarg = s.getRightOperand()
+    ) and
+    not rarg instanceof SemConstantIntegerExpr
+  }
+
+  /** Gets an expression that is the remainder modulo `mod` of `arg`. */
+  private SemExpr modExpr(SemExpr arg, int mod) {
+    exists(SemRemExpr rem |
+      result = rem and
+      arg = rem.getLeftOperand() and
+      rem.getRightOperand().(SemConstantIntegerExpr).getIntValue() = mod and
+      mod >= 2
+    )
+    or
+    exists(SemConstantIntegerExpr c |
+      mod = 2.pow([1 .. 30]) and
+      c.getIntValue() = mod - 1 and
+      result.(SemBitAndExpr).hasOperands(arg, c)
+    )
+  }
+
+  /**
+   * Gets a guard that tests whether `v` is congruent with `val` modulo `mod` on
+   * its `testIsTrue` branch.
+   */
+  private SemGuard moduloCheck(SemSsaVariable v, int val, int mod, boolean testIsTrue) {
+    exists(SemExpr rem, SemConstantIntegerExpr c, int r, boolean polarity |
+      result.isEquality(rem, c, polarity) and
+      c.getIntValue() = r and
+      rem = modExpr(v.getAUse(), mod) and
+      (
+        testIsTrue = polarity and val = r
+        or
+        testIsTrue = polarity.booleanNot() and
+        mod = 2 and
+        val = 1 - r and
+        (r = 0 or r = 1)
+      )
+    )
+  }
+
+  /**
+   * Holds if a guard ensures that `v` at `pos` is congruent with `val` modulo `mod`.
+   */
+  private predicate moduloGuardedRead(SemSsaVariable v, SemSsaReadPosition pos, int val, int mod) {
+    exists(SemGuard guard, boolean testIsTrue |
+      pos.hasReadOfVar(v) and
+      guard = moduloCheck(v, val, mod, testIsTrue) and
+      semGuardControlsSsaRead(guard, pos, testIsTrue)
+    )
+  }
+
+  /** Holds if `factor` is a power of 2 that divides `mask`. */
+  bindingset[mask]
+  private predicate andmaskFactor(int mask, int factor) {
+    mask % factor = 0 and
+    factor = 2.pow([1 .. 30])
+  }
+
+  /** Holds if `e` is evenly divisible by `factor`. */
+  private predicate evenlyDivisibleExpr(SemExpr e, int factor) {
+    exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() |
+      e.(SemMulExpr).getAnOperand() = c and factor = k.abs() and factor >= 2
+      or
+      e.(SemShiftLeftExpr).getRightOperand() = c and factor = 2.pow(k) and k > 0
+      or
+      e.(SemBitAndExpr).getAnOperand() = c and factor = max(int f | andmaskFactor(k, f))
+    )
+  }
+
+  /**
+   * Holds if `rix` is the number of input edges to `phi`.
+   */
+  private predicate maxPhiInputRank(SemSsaPhiNode phi, int rix) {
+    rix = max(int r | rankedPhiInput(phi, _, _, r))
+  }
+
+  /**
+   * Gets the remainder of `val` modulo `mod`.
+   *
+   * For `mod = 0` the result equals `val` and for `mod > 1` the result is within
+   * the range `[0 .. mod-1]`.
+   */
+  bindingset[val, mod]
+  private int remainder(int val, int mod) {
+    mod = 0 and result = val
+    or
+    mod > 1 and result = ((val % mod) + mod) % mod
+  }
+
+  /**
+   * Holds if `inp` is an input to `phi` and equals `phi` modulo `mod` along `edge`.
+   */
+  private predicate phiSelfModulus(
+    SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int mod
+  ) {
+    exists(Bounds::SemSsaBound phibound, int v, int m |
+      edge.phiInput(phi, inp) and
+      phibound.getAVariable() = phi and
+      ssaModulus(inp, edge, phibound, v, m) and
+      mod = m.gcd(v) and
+      mod != 1
+    )
+  }
+
+  /**
+   * Holds if `b + val` modulo `mod` is a candidate congruence class for `phi`.
+   */
+  private predicate phiModulusInit(SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod) {
+    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
+      edge.phiInput(phi, inp) and
+      ssaModulus(inp, edge, b, val, mod)
+    )
+  }
+
+  /**
+   * Holds if all inputs to `phi` numbered `1` to `rix` are equal to `b + val` modulo `mod`.
+   */
+  pragma[nomagic]
+  private predicate phiModulusRankStep(
+    SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod, int rix
+  ) {
     /*
-     * Recursive case. If `inp` = `b + v2` mod `m2`, we combine that with the preceding potential
-     * congruence class `b + v1` mod `m1`. The result will be the congruence class of `v1` modulo
-     * the greatest common denominator of `m1`, `m2`, and `v1 - v2`.
+     * base case. If any phi input is equal to `b + val` modulo `mod`, that's a potential congruence
+     * class for the phi node.
      */
 
-    exists(int v2, int m2 |
-      rankedPhiInput(pragma[only_bind_out](phi), inp, edge, rix) and
-      phiModulusRankStep(phi, b, v1, m1, rix - 1) and
-      ssaModulus(inp, edge, b, v2, m2) and
-      mod = m1.gcd(m2).gcd(v1 - v2)
+    rix = 0 and
+    phiModulusInit(phi, b, val, mod)
+    or
+    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int v1, int m1 |
+      mod != 1 and
+      val = remainder(v1, mod)
+    |
+      /*
+       * Recursive case. If `inp` = `b + v2` mod `m2`, we combine that with the preceding potential
+       * congruence class `b + v1` mod `m1`. The result will be the congruence class of `v1` modulo
+       * the greatest common denominator of `m1`, `m2`, and `v1 - v2`.
+       */
+
+      exists(int v2, int m2 |
+        rankedPhiInput(pragma[only_bind_out](phi), inp, edge, rix) and
+        phiModulusRankStep(phi, b, v1, m1, rix - 1) and
+        ssaModulus(inp, edge, b, v2, m2) and
+        mod = m1.gcd(m2).gcd(v1 - v2)
+      )
+      or
+      /*
+       * Recursive case. If `inp` = `phi` mod `m2`, we combine that with the preceding potential
+       * congruence class `b + v1` mod `m1`. The result will be a congruence class modulo the greatest
+       * common denominator of `m1` and `m2`.
+       */
+
+      exists(int m2 |
+        rankedPhiInput(phi, inp, edge, rix) and
+        phiModulusRankStep(phi, b, v1, m1, rix - 1) and
+        phiSelfModulus(phi, inp, edge, m2) and
+        mod = m1.gcd(m2)
+      )
     )
-    or
-    /*
-     * Recursive case. If `inp` = `phi` mod `m2`, we combine that with the preceding potential
-     * congruence class `b + v1` mod `m1`. The result will be a congruence class modulo the greatest
-     * common denominator of `m1` and `m2`.
-     */
+  }
 
-    exists(int m2 |
-      rankedPhiInput(phi, inp, edge, rix) and
-      phiModulusRankStep(phi, b, v1, m1, rix - 1) and
-      phiSelfModulus(phi, inp, edge, m2) and
-      mod = m1.gcd(m2)
+  /**
+   * Holds if `phi` is equal to `b + val` modulo `mod`.
+   */
+  private predicate phiModulus(SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod) {
+    exists(int r |
+      maxPhiInputRank(phi, r) and
+      phiModulusRankStep(phi, b, val, mod, r)
     )
-  )
-}
+  }
 
-/**
- * Holds if `phi` is equal to `b + val` modulo `mod`.
- */
-private predicate phiModulus(SemSsaPhiNode phi, SemBound b, int val, int mod) {
-  exists(int r |
-    maxPhiInputRank(phi, r) and
-    phiModulusRankStep(phi, b, val, mod, r)
-  )
-}
-
-/**
- * Holds if `v` at `pos` is equal to `b + val` modulo `mod`.
- */
-private predicate ssaModulus(SemSsaVariable v, SemSsaReadPosition pos, SemBound b, int val, int mod) {
-  phiModulus(v, b, val, mod) and pos.hasReadOfVar(v)
-  or
-  b.(SemSsaBound).getAVariable() = v and pos.hasReadOfVar(v) and val = 0 and mod = 0
-  or
-  exists(SemExpr e, int val0, int delta |
-    semExprModulus(e, b, val0, mod) and
-    valueFlowStepSsa(v, pos, e, delta) and
-    val = remainder(val0 + delta, mod)
-  )
-  or
-  moduloGuardedRead(v, pos, val, mod) and b instanceof SemZeroBound
-}
-
-/**
- * Holds if `e` is equal to `b + val` modulo `mod`.
- *
- * There are two cases for the modulus:
- * - `mod = 0`: The equality `e = b + val` is an ordinary equality.
- * - `mod > 1`: `val` lies within the range `[0 .. mod-1]`.
- */
-cached
-predicate semExprModulus(SemExpr e, SemBound b, int val, int mod) {
-  not ignoreExprModulus(e) and
-  (
-    e = b.getExpr(val) and mod = 0
+  /**
+   * Holds if `v` at `pos` is equal to `b + val` modulo `mod`.
+   */
+  private predicate ssaModulus(
+    SemSsaVariable v, SemSsaReadPosition pos, Bounds::SemBound b, int val, int mod
+  ) {
+    phiModulus(v, b, val, mod) and pos.hasReadOfVar(v)
     or
-    evenlyDivisibleExpr(e, mod) and
-    val = 0 and
-    b instanceof SemZeroBound
+    b.(Bounds::SemSsaBound).getAVariable() = v and pos.hasReadOfVar(v) and val = 0 and mod = 0
     or
-    exists(SemSsaVariable v, SemSsaReadPositionBlock bb |
-      ssaModulus(v, bb, b, val, mod) and
-      e = v.getAUse() and
-      bb.getAnExpr() = e
-    )
-    or
-    exists(SemExpr mid, int val0, int delta |
-      semExprModulus(mid, b, val0, mod) and
-      semValueFlowStep(e, mid, delta) and
+    exists(SemExpr e, int val0, int delta |
+      semExprModulus(e, b, val0, mod) and
+      valueFlowStepSsa(v, pos, e, delta) and
       val = remainder(val0 + delta, mod)
     )
     or
-    exists(SemConditionalExpr cond, int v1, int v2, int m1, int m2 |
-      cond = e and
-      condExprBranchModulus(cond, true, b, v1, m1) and
-      condExprBranchModulus(cond, false, b, v2, m2) and
-      mod = m1.gcd(m2).gcd(v1 - v2) and
-      mod != 1 and
-      val = remainder(v1, mod)
-    )
-    or
-    exists(SemBound b1, SemBound b2, int v1, int v2, int m1, int m2 |
-      addModulus(e, true, b1, v1, m1) and
-      addModulus(e, false, b2, v2, m2) and
-      mod = m1.gcd(m2) and
-      mod != 1 and
-      val = remainder(v1 + v2, mod)
-    |
-      b = b1 and b2 instanceof SemZeroBound
+    moduloGuardedRead(v, pos, val, mod) and b instanceof Bounds::SemZeroBound
+  }
+
+  /**
+   * Holds if `e` is equal to `b + val` modulo `mod`.
+   *
+   * There are two cases for the modulus:
+   * - `mod = 0`: The equality `e = b + val` is an ordinary equality.
+   * - `mod > 1`: `val` lies within the range `[0 .. mod-1]`.
+   */
+  cached
+  predicate semExprModulus(SemExpr e, Bounds::SemBound b, int val, int mod) {
+    not ignoreExprModulus(e) and
+    (
+      e = b.getExpr(D::fromInt(val)) and mod = 0
       or
-      b = b2 and b1 instanceof SemZeroBound
+      evenlyDivisibleExpr(e, mod) and
+      val = 0 and
+      b instanceof Bounds::SemZeroBound
+      or
+      exists(SemSsaVariable v, SemSsaReadPositionBlock bb |
+        ssaModulus(v, bb, b, val, mod) and
+        e = v.getAUse() and
+        bb.getAnExpr() = e
+      )
+      or
+      exists(SemExpr mid, int val0, int delta |
+        semExprModulus(mid, b, val0, mod) and
+        U::semValueFlowStep(e, mid, D::fromInt(delta)) and
+        val = remainder(val0 + delta, mod)
+      )
+      or
+      exists(SemConditionalExpr cond, int v1, int v2, int m1, int m2 |
+        cond = e and
+        condExprBranchModulus(cond, true, b, v1, m1) and
+        condExprBranchModulus(cond, false, b, v2, m2) and
+        mod = m1.gcd(m2).gcd(v1 - v2) and
+        mod != 1 and
+        val = remainder(v1, mod)
+      )
+      or
+      exists(Bounds::SemBound b1, Bounds::SemBound b2, int v1, int v2, int m1, int m2 |
+        addModulus(e, true, b1, v1, m1) and
+        addModulus(e, false, b2, v2, m2) and
+        mod = m1.gcd(m2) and
+        mod != 1 and
+        val = remainder(v1 + v2, mod)
+      |
+        b = b1 and b2 instanceof Bounds::SemZeroBound
+        or
+        b = b2 and b1 instanceof Bounds::SemZeroBound
+      )
+      or
+      exists(int v1, int v2, int m1, int m2 |
+        subModulus(e, true, b, v1, m1) and
+        subModulus(e, false, any(Bounds::SemZeroBound zb), v2, m2) and
+        mod = m1.gcd(m2) and
+        mod != 1 and
+        val = remainder(v1 - v2, mod)
+      )
     )
-    or
-    exists(int v1, int v2, int m1, int m2 |
-      subModulus(e, true, b, v1, m1) and
-      subModulus(e, false, any(SemZeroBound zb), v2, m2) and
-      mod = m1.gcd(m2) and
-      mod != 1 and
-      val = remainder(v1 - v2, mod)
+  }
+
+  private predicate condExprBranchModulus(
+    SemConditionalExpr cond, boolean branch, Bounds::SemBound b, int val, int mod
+  ) {
+    semExprModulus(cond.getBranchExpr(branch), b, val, mod)
+  }
+
+  private predicate addModulus(SemExpr add, boolean isLeft, Bounds::SemBound b, int val, int mod) {
+    exists(SemExpr larg, SemExpr rarg | nonConstAddition(add, larg, rarg) |
+      semExprModulus(larg, b, val, mod) and isLeft = true
+      or
+      semExprModulus(rarg, b, val, mod) and isLeft = false
     )
-  )
-}
+  }
 
-private predicate condExprBranchModulus(
-  SemConditionalExpr cond, boolean branch, SemBound b, int val, int mod
-) {
-  semExprModulus(cond.getBranchExpr(branch), b, val, mod)
-}
-
-private predicate addModulus(SemExpr add, boolean isLeft, SemBound b, int val, int mod) {
-  exists(SemExpr larg, SemExpr rarg | nonConstAddition(add, larg, rarg) |
-    semExprModulus(larg, b, val, mod) and isLeft = true
-    or
-    semExprModulus(rarg, b, val, mod) and isLeft = false
-  )
-}
-
-private predicate subModulus(SemExpr sub, boolean isLeft, SemBound b, int val, int mod) {
-  exists(SemExpr larg, SemExpr rarg | nonConstSubtraction(sub, larg, rarg) |
-    semExprModulus(larg, b, val, mod) and isLeft = true
-    or
-    semExprModulus(rarg, b, val, mod) and isLeft = false
-  )
-}
-
-/**
- * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
- * in an arbitrary 1-based numbering of the input edges to `phi`.
- */
-private predicate rankedPhiInput(
-  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int r
-) {
-  edge.phiInput(phi, inp) and
-  edge =
-    rank[r](SemSsaReadPositionPhiInputEdge e |
-      e.phiInput(phi, _)
-    |
-      e order by e.getOrigBlock().getUniqueId()
+  private predicate subModulus(SemExpr sub, boolean isLeft, Bounds::SemBound b, int val, int mod) {
+    exists(SemExpr larg, SemExpr rarg | nonConstSubtraction(sub, larg, rarg) |
+      semExprModulus(larg, b, val, mod) and isLeft = true
+      or
+      semExprModulus(rarg, b, val, mod) and isLeft = false
     )
+  }
+
+  /**
+   * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
+   * in an arbitrary 1-based numbering of the input edges to `phi`.
+   */
+  private predicate rankedPhiInput(
+    SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int r
+  ) {
+    edge.phiInput(phi, inp) and
+    edge =
+      rank[r](SemSsaReadPositionPhiInputEdge e |
+        e.phiInput(phi, _)
+      |
+        e order by e.getOrigBlock().getUniqueId()
+      )
+  }
 }

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysis.qll

@@ -1,832 +1,24 @@
-/**
- * Provides classes and predicates for range analysis.
- *
- * An inferred bound can either be a specific integer, the abstract value of an
- * SSA variable, or the abstract value of an interesting expression. The latter
- * category includes array lengths that are not SSA variables.
- *
- * If an inferred bound relies directly on a condition, then this condition is
- * reported as the reason for the bound.
- */
-
-/*
- * This library tackles range analysis as a flow problem. Consider e.g.:
- * ```
- *   len = arr.length;
- *   if (x < len) { ... y = x-1; ... y ... }
- * ```
- * In this case we would like to infer `y <= arr.length - 2`, and this is
- * accomplished by tracking the bound through a sequence of steps:
- * ```
- *   arr.length --> len = .. --> x < len --> x-1 --> y = .. --> y
- * ```
- *
- * In its simplest form the step relation `E1 --> E2` relates two expressions
- * such that `E1 <= B` implies `E2 <= B` for any `B` (with a second separate
- * step relation handling lower bounds). Examples of such steps include
- * assignments `E2 = E1` and conditions `x <= E1` where `E2` is a use of `x`
- * guarded by the condition.
- *
- * In order to handle subtractions and additions with constants, and strict
- * comparisons, the step relation is augmented with an integer delta. With this
- * generalization `E1 --(delta)--> E2` relates two expressions and an integer
- * such that `E1 <= B` implies `E2 <= B + delta` for any `B`. This corresponds
- * to the predicate `boundFlowStep`.
- *
- * The complete range analysis is then implemented as the transitive closure of
- * the step relation summing the deltas along the way. If `E1` transitively
- * steps to `E2`, `delta` is the sum of deltas along the path, and `B` is an
- * interesting bound equal to the value of `E1` then `E2 <= B + delta`. This
- * corresponds to the predicate `bounded`.
- *
- * Phi nodes need a little bit of extra handling. Consider `x0 = phi(x1, x2)`.
- * There are essentially two cases:
- * - If `x1 <= B + d1` and `x2 <= B + d2` then `x0 <= B + max(d1,d2)`.
- * - If `x1 <= B + d1` and `x2 <= x0 + d2` with `d2 <= 0` then `x0 <= B + d1`.
- * The first case is for whenever a bound can be proven without taking looping
- * into account. The second case is relevant when `x2` comes from a back-edge
- * where we can prove that the variable has been non-increasing through the
- * loop-iteration as this means that any upper bound that holds prior to the
- * loop also holds for the variable during the loop.
- * This generalizes to a phi node with `n` inputs, so if
- * `x0 = phi(x1, ..., xn)` and `xi <= B + delta` for one of the inputs, then we
- * also have `x0 <= B + delta` if we can prove either:
- * - `xj <= B + d` with `d <= delta` or
- * - `xj <= x0 + d` with `d <= 0`
- * for each input `xj`.
- *
- * As all inferred bounds can be related directly to a path in the source code
- * the only source of non-termination is if successive redundant (and thereby
- * increasingly worse) bounds are calculated along a loop in the source code.
- * We prevent this by weakening the bound to a small finite set of bounds when
- * a path follows a second back-edge (we postpone weakening till the second
- * back-edge as a precise bound might require traversing a loop once).
- */
-
-private import RangeAnalysisSpecific as Specific
+private import RangeAnalysisStage
+private import RangeAnalysisSpecific
+private import experimental.semmle.code.cpp.semantic.analysis.FloatDelta
 private import RangeUtils
-private import SignAnalysisCommon
-private import ModulusAnalysis
-private import experimental.semmle.code.cpp.semantic.Semantic
-private import ConstantAnalysis
+private import experimental.semmle.code.cpp.semantic.SemanticBound as SemanticBound
 
-cached
-private module RangeAnalysisCache {
-  cached
-  module RangeAnalysisPublic {
-    /**
-     * Holds if `b + delta` is a valid bound for `e`.
-     * - `upper = true`  : `e <= b + delta`
-     * - `upper = false` : `e >= b + delta`
-     *
-     * The reason for the bound is given by `reason` and may be either a condition
-     * or `NoReason` if the bound was proven directly without the use of a bounding
-     * condition.
-     */
-    cached
-    predicate semBounded(SemExpr e, SemBound b, int delta, boolean upper, SemReason reason) {
-      bounded(e, b, delta, upper, _, _, reason) and
-      bestBound(e, b, delta, upper)
-    }
+module Bounds implements BoundSig<FloatDelta> {
+  class SemBound instanceof SemanticBound::SemBound {
+    string toString() { result = super.toString() }
+
+    SemExpr getExpr(float delta) { result = super.getExpr(delta) }
   }
 
-  /**
-   * Holds if `guard = boundFlowCond(_, _, _, _, _) or guard = eqFlowCond(_, _, _, _, _)`.
-   */
-  cached
-  predicate possibleReason(SemGuard guard) {
-    guard = boundFlowCond(_, _, _, _, _) or guard = semEqFlowCond(_, _, _, _, _)
+  class SemZeroBound extends SemBound instanceof SemanticBound::SemZeroBound { }
+
+  class SemSsaBound extends SemBound instanceof SemanticBound::SemSsaBound {
+    SemSsaVariable getAVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
   }
 }
 
-private import RangeAnalysisCache
-import RangeAnalysisPublic
+private module CppRangeAnalysis =
+  RangeStage<FloatDelta, Bounds, CppLangImpl, RangeUtil<FloatDelta, CppLangImpl>>;
 
-/**
- * Holds if `b + delta` is a valid bound for `e` and this is the best such delta.
- * - `upper = true`  : `e <= b + delta`
- * - `upper = false` : `e >= b + delta`
- */
-private predicate bestBound(SemExpr e, SemBound b, int delta, boolean upper) {
-  delta = min(int d | bounded(e, b, d, upper, _, _, _)) and upper = true
-  or
-  delta = max(int d | bounded(e, b, d, upper, _, _, _)) and upper = false
-}
-
-/**
- * Holds if `comp` corresponds to:
- * - `upper = true`  : `v <= e + delta` or `v < e + delta`
- * - `upper = false` : `v >= e + delta` or `v > e + delta`
- */
-private predicate boundCondition(
-  SemRelationalExpr comp, SemSsaVariable v, SemExpr e, int delta, boolean upper
-) {
-  comp.getLesserOperand() = semSsaRead(v, delta) and e = comp.getGreaterOperand() and upper = true
-  or
-  comp.getGreaterOperand() = semSsaRead(v, delta) and e = comp.getLesserOperand() and upper = false
-  or
-  exists(SemSubExpr sub, SemConstantIntegerExpr c, int d |
-    // (v - d) - e < c
-    comp.getLesserOperand() = sub and
-    comp.getGreaterOperand() = c and
-    sub.getLeftOperand() = semSsaRead(v, d) and
-    sub.getRightOperand() = e and
-    upper = true and
-    delta = d + c.getIntValue()
-    or
-    // (v - d) - e > c
-    comp.getGreaterOperand() = sub and
-    comp.getLesserOperand() = c and
-    sub.getLeftOperand() = semSsaRead(v, d) and
-    sub.getRightOperand() = e and
-    upper = false and
-    delta = d + c.getIntValue()
-    or
-    // e - (v - d) < c
-    comp.getLesserOperand() = sub and
-    comp.getGreaterOperand() = c and
-    sub.getLeftOperand() = e and
-    sub.getRightOperand() = semSsaRead(v, d) and
-    upper = false and
-    delta = d - c.getIntValue()
-    or
-    // e - (v - d) > c
-    comp.getGreaterOperand() = sub and
-    comp.getLesserOperand() = c and
-    sub.getLeftOperand() = e and
-    sub.getRightOperand() = semSsaRead(v, d) and
-    upper = true and
-    delta = d - c.getIntValue()
-  )
-}
-
-/**
- * Holds if `comp` is a comparison between `x` and `y` for which `y - x` has a
- * fixed value modulo some `mod > 1`, such that the comparison can be
- * strengthened by `strengthen` when evaluating to `testIsTrue`.
- */
-private predicate modulusComparison(SemRelationalExpr comp, boolean testIsTrue, int strengthen) {
-  exists(
-    SemBound b, int v1, int v2, int mod1, int mod2, int mod, boolean resultIsStrict, int d, int k
-  |
-    // If `x <= y` and `x =(mod) b + v1` and `y =(mod) b + v2` then
-    // `0 <= y - x =(mod) v2 - v1`. By choosing `k =(mod) v2 - v1` with
-    // `0 <= k < mod` we get `k <= y - x`. If the resulting comparison is
-    // strict then the strengthening amount is instead `k - 1` modulo `mod`:
-    // `x < y` means `0 <= y - x - 1 =(mod) k - 1` so `k - 1 <= y - x - 1` and
-    // thus `k - 1 < y - x` with `0 <= k - 1 < mod`.
-    semExprModulus(comp.getLesserOperand(), b, v1, mod1) and
-    semExprModulus(comp.getGreaterOperand(), b, v2, mod2) and
-    mod = mod1.gcd(mod2) and
-    mod != 1 and
-    (testIsTrue = true or testIsTrue = false) and
-    (
-      if comp.isStrict()
-      then resultIsStrict = testIsTrue
-      else resultIsStrict = testIsTrue.booleanNot()
-    ) and
-    (
-      resultIsStrict = true and d = 1
-      or
-      resultIsStrict = false and d = 0
-    ) and
-    (
-      testIsTrue = true and k = v2 - v1
-      or
-      testIsTrue = false and k = v1 - v2
-    ) and
-    strengthen = (((k - d) % mod) + mod) % mod
-  )
-}
-
-/**
- * Gets a condition that tests whether `v` is bounded by `e + delta`.
- *
- * If the condition evaluates to `testIsTrue`:
- * - `upper = true`  : `v <= e + delta`
- * - `upper = false` : `v >= e + delta`
- */
-private SemGuard boundFlowCond(
-  SemSsaVariable v, SemExpr e, int delta, boolean upper, boolean testIsTrue
-) {
-  exists(
-    SemRelationalExpr comp, int d1, int d2, int d3, int strengthen, boolean compIsUpper,
-    boolean resultIsStrict
-  |
-    comp = result.asExpr() and
-    boundCondition(comp, v, e, d1, compIsUpper) and
-    (testIsTrue = true or testIsTrue = false) and
-    upper = compIsUpper.booleanXor(testIsTrue.booleanNot()) and
-    (
-      if comp.isStrict()
-      then resultIsStrict = testIsTrue
-      else resultIsStrict = testIsTrue.booleanNot()
-    ) and
-    (
-      if
-        getTrackedTypeForSsaVariable(v) instanceof SemIntegerType or
-        getTrackedTypeForSsaVariable(v) instanceof SemAddressType
-      then
-        upper = true and strengthen = -1
-        or
-        upper = false and strengthen = 1
-      else strengthen = 0
-    ) and
-    (
-      exists(int k | modulusComparison(comp, testIsTrue, k) and d2 = strengthen * k)
-      or
-      not modulusComparison(comp, testIsTrue, _) and d2 = 0
-    ) and
-    // A strict inequality `x < y` can be strengthened to `x <= y - 1`.
-    (
-      resultIsStrict = true and d3 = strengthen
-      or
-      resultIsStrict = false and d3 = 0
-    ) and
-    delta = d1 + d2 + d3
-  )
-  or
-  exists(boolean testIsTrue0 |
-    semImplies_v2(result, testIsTrue, boundFlowCond(v, e, delta, upper, testIsTrue0), testIsTrue0)
-  )
-  or
-  result = semEqFlowCond(v, e, delta, true, testIsTrue) and
-  (upper = true or upper = false)
-  or
-  // guard that tests whether `v2` is bounded by `e + delta + d1 - d2` and
-  // exists a guard `guardEq` such that `v = v2 - d1 + d2`.
-  exists(SemSsaVariable v2, SemGuard guardEq, boolean eqIsTrue, int d1, int d2 |
-    guardEq = semEqFlowCond(v, semSsaRead(v2, d1), d2, true, eqIsTrue) and
-    result = boundFlowCond(v2, e, delta + d1 - d2, upper, testIsTrue) and
-    // guardEq needs to control guard
-    guardEq.directlyControls(result.getBasicBlock(), eqIsTrue)
-  )
-}
-
-private newtype TSemReason =
-  TSemNoReason() or
-  TSemCondReason(SemGuard guard) { possibleReason(guard) }
-
-/**
- * A reason for an inferred bound. This can either be `CondReason` if the bound
- * is due to a specific condition, or `NoReason` if the bound is inferred
- * without going through a bounding condition.
- */
-abstract class SemReason extends TSemReason {
-  /** Gets a textual representation of this reason. */
-  abstract string toString();
-}
-
-/**
- * A reason for an inferred bound that indicates that the bound is inferred
- * without going through a bounding condition.
- */
-class SemNoReason extends SemReason, TSemNoReason {
-  override string toString() { result = "NoReason" }
-}
-
-/** A reason for an inferred bound pointing to a condition. */
-class SemCondReason extends SemReason, TSemCondReason {
-  /** Gets the condition that is the reason for the bound. */
-  SemGuard getCond() { this = TSemCondReason(result) }
-
-  override string toString() { result = getCond().toString() }
-}
-
-/**
- * Holds if `e + delta` is a valid bound for `v` at `pos`.
- * - `upper = true`  : `v <= e + delta`
- * - `upper = false` : `v >= e + delta`
- */
-private predicate boundFlowStepSsa(
-  SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta, boolean upper, SemReason reason
-) {
-  semSsaUpdateStep(v, e, delta) and
-  pos.hasReadOfVar(v) and
-  (upper = true or upper = false) and
-  reason = TSemNoReason()
-  or
-  exists(SemGuard guard, boolean testIsTrue |
-    pos.hasReadOfVar(v) and
-    guard = boundFlowCond(v, e, delta, upper, testIsTrue) and
-    semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue) and
-    reason = TSemCondReason(guard)
-  )
-}
-
-/** Holds if `v != e + delta` at `pos` and `v` is of integral type. */
-private predicate unequalFlowStepIntegralSsa(
-  SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta, SemReason reason
-) {
-  getTrackedTypeForSsaVariable(v) instanceof SemIntegerType and
-  exists(SemGuard guard, boolean testIsTrue |
-    pos.hasReadOfVar(v) and
-    guard = semEqFlowCond(v, e, delta, false, testIsTrue) and
-    semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue) and
-    reason = TSemCondReason(guard)
-  )
-}
-
-/**
- * An expression that does conversion, boxing, or unboxing
- */
-private class ConvertOrBoxExpr extends SemUnaryExpr {
-  ConvertOrBoxExpr() {
-    this instanceof SemConvertExpr
-    or
-    this instanceof SemBoxExpr
-    or
-    this instanceof SemUnboxExpr
-  }
-}
-
-/**
- * A cast that can be ignored for the purpose of range analysis.
- */
-private class SafeCastExpr extends ConvertOrBoxExpr {
-  SafeCastExpr() {
-    conversionCannotOverflow(getTrackedType(pragma[only_bind_into](getOperand())),
-      getTrackedType(this))
-  }
-}
-
-/**
- * Holds if `typ` is a small integral type with the given lower and upper bounds.
- */
-private predicate typeBound(SemIntegerType typ, int lowerbound, int upperbound) {
-  exists(int bitSize | bitSize = typ.getByteSize() * 8 |
-    bitSize < 32 and
-    (
-      if typ.isSigned()
-      then (
-        upperbound = 1.bitShiftLeft(bitSize - 1) - 1 and
-        lowerbound = -upperbound - 1
-      ) else (
-        lowerbound = 0 and
-        upperbound = 1.bitShiftLeft(bitSize) - 1
-      )
-    )
-  )
-}
-
-/**
- * A cast to a small integral type that may overflow or underflow.
- */
-private class NarrowingCastExpr extends ConvertOrBoxExpr {
-  NarrowingCastExpr() {
-    not this instanceof SafeCastExpr and
-    typeBound(getTrackedType(this), _, _)
-  }
-
-  /** Gets the lower bound of the resulting type. */
-  int getLowerBound() { typeBound(getTrackedType(this), result, _) }
-
-  /** Gets the upper bound of the resulting type. */
-  int getUpperBound() { typeBound(getTrackedType(this), _, result) }
-}
-
-/** Holds if `e >= 1` as determined by sign analysis. */
-private predicate strictlyPositiveIntegralExpr(SemExpr e) {
-  semStrictlyPositive(e) and getTrackedType(e) instanceof SemIntegerType
-}
-
-/** Holds if `e <= -1` as determined by sign analysis. */
-private predicate strictlyNegativeIntegralExpr(SemExpr e) {
-  semStrictlyNegative(e) and getTrackedType(e) instanceof SemIntegerType
-}
-
-/**
- * Holds if `e1 + delta` is a valid bound for `e2`.
- * - `upper = true`  : `e2 <= e1 + delta`
- * - `upper = false` : `e2 >= e1 + delta`
- */
-private predicate boundFlowStep(SemExpr e2, SemExpr e1, int delta, boolean upper) {
-  semValueFlowStep(e2, e1, delta) and
-  (upper = true or upper = false)
-  or
-  e2.(SafeCastExpr).getOperand() = e1 and
-  delta = 0 and
-  (upper = true or upper = false)
-  or
-  exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
-    // `x instanceof ConstantIntegerExpr` is covered by valueFlowStep
-    not x instanceof SemConstantIntegerExpr and
-    not e1 instanceof SemConstantIntegerExpr and
-    if strictlyPositiveIntegralExpr(x)
-    then upper = false and delta = 1
-    else
-      if semPositive(x)
-      then upper = false and delta = 0
-      else
-        if strictlyNegativeIntegralExpr(x)
-        then upper = true and delta = -1
-        else
-          if semNegative(x)
-          then upper = true and delta = 0
-          else none()
-  )
-  or
-  exists(SemExpr x, SemSubExpr sub |
-    e2 = sub and
-    sub.getLeftOperand() = e1 and
-    sub.getRightOperand() = x
-  |
-    // `x instanceof ConstantIntegerExpr` is covered by valueFlowStep
-    not x instanceof SemConstantIntegerExpr and
-    if strictlyPositiveIntegralExpr(x)
-    then upper = true and delta = -1
-    else
-      if semPositive(x)
-      then upper = true and delta = 0
-      else
-        if strictlyNegativeIntegralExpr(x)
-        then upper = false and delta = 1
-        else
-          if semNegative(x)
-          then upper = false and delta = 0
-          else none()
-  )
-  or
-  e2.(SemRemExpr).getRightOperand() = e1 and
-  semPositive(e1) and
-  delta = -1 and
-  upper = true
-  or
-  e2.(SemRemExpr).getLeftOperand() = e1 and semPositive(e1) and delta = 0 and upper = true
-  or
-  e2.(SemBitAndExpr).getAnOperand() = e1 and
-  semPositive(e1) and
-  delta = 0 and
-  upper = true
-  or
-  e2.(SemBitOrExpr).getAnOperand() = e1 and
-  semPositive(e2) and
-  delta = 0 and
-  upper = false
-  or
-  Specific::hasBound(e2, e1, delta, upper)
-}
-
-/** Holds if `e2 = e1 * factor` and `factor > 0`. */
-private predicate boundFlowStepMul(SemExpr e2, SemExpr e1, int factor) {
-  exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() and k > 0 |
-    e2.(SemMulExpr).hasOperands(e1, c) and factor = k
-    or
-    exists(SemShiftLeftExpr e |
-      e = e2 and e.getLeftOperand() = e1 and e.getRightOperand() = c and factor = 2.pow(k)
-    )
-  )
-}
-
-/**
- * Holds if `e2 = e1 / factor` and `factor > 0`.
- *
- * This conflates division, right shift, and unsigned right shift and is
- * therefore only valid for non-negative numbers.
- */
-private predicate boundFlowStepDiv(SemExpr e2, SemExpr e1, int factor) {
-  exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() and k > 0 |
-    exists(SemDivExpr e |
-      e = e2 and e.getLeftOperand() = e1 and e.getRightOperand() = c and factor = k
-    )
-    or
-    exists(SemShiftRightExpr e |
-      e = e2 and e.getLeftOperand() = e1 and e.getRightOperand() = c and factor = 2.pow(k)
-    )
-    or
-    exists(SemShiftRightUnsignedExpr e |
-      e = e2 and e.getLeftOperand() = e1 and e.getRightOperand() = c and factor = 2.pow(k)
-    )
-  )
-}
-
-/**
- * Holds if `b + delta` is a valid bound for `v` at `pos`.
- * - `upper = true`  : `v <= b + delta`
- * - `upper = false` : `v >= b + delta`
- */
-private predicate boundedSsa(
-  SemSsaVariable v, SemSsaReadPosition pos, SemBound b, int delta, boolean upper,
-  boolean fromBackEdge, int origdelta, SemReason reason
-) {
-  exists(SemExpr mid, int d1, int d2, SemReason r1, SemReason r2 |
-    boundFlowStepSsa(v, pos, mid, d1, upper, r1) and
-    bounded(mid, b, d2, upper, fromBackEdge, origdelta, r2) and
-    // upper = true:  v <= mid + d1 <= b + d1 + d2 = b + delta
-    // upper = false: v >= mid + d1 >= b + d1 + d2 = b + delta
-    delta = d1 + d2 and
-    (if r1 instanceof SemNoReason then reason = r2 else reason = r1)
-  )
-  or
-  exists(int d, SemReason r1, SemReason r2 |
-    boundedSsa(v, pos, b, d, upper, fromBackEdge, origdelta, r2) or
-    boundedPhi(v, b, d, upper, fromBackEdge, origdelta, r2)
-  |
-    unequalIntegralSsa(v, pos, b, d, r1) and
-    (
-      upper = true and delta = d - 1
-      or
-      upper = false and delta = d + 1
-    ) and
-    (
-      reason = r1
-      or
-      reason = r2 and not r2 instanceof SemNoReason
-    )
-  )
-}
-
-/**
- * Holds if `v != b + delta` at `pos` and `v` is of integral type.
- */
-private predicate unequalIntegralSsa(
-  SemSsaVariable v, SemSsaReadPosition pos, SemBound b, int delta, SemReason reason
-) {
-  exists(SemExpr e, int d1, int d2 |
-    unequalFlowStepIntegralSsa(v, pos, e, d1, reason) and
-    boundedUpper(e, b, d1) and
-    boundedLower(e, b, d2) and
-    delta = d2 + d1
-  )
-}
-
-/**
- * Holds if `b + delta` is an upper bound for `e`.
- *
- * This predicate only exists to prevent a bad standard order in `unequalIntegralSsa`.
- */
-pragma[nomagic]
-private predicate boundedUpper(SemExpr e, SemBound b, int delta) {
-  bounded(e, b, delta, true, _, _, _)
-}
-
-/**
- * Holds if `b + delta` is a lower bound for `e`.
- *
- * This predicate only exists to prevent a bad standard order in `unequalIntegralSsa`.
- */
-pragma[nomagic]
-private predicate boundedLower(SemExpr e, SemBound b, int delta) {
-  bounded(e, b, delta, false, _, _, _)
-}
-
-/** Weakens a delta to lie in the range `[-1..1]`. */
-bindingset[delta, upper]
-private int weakenDelta(boolean upper, int delta) {
-  delta in [-1 .. 1] and result = delta
-  or
-  upper = true and result = -1 and delta < -1
-  or
-  upper = false and result = 1 and delta > 1
-}
-
-/**
- * Holds if `b + delta` is a valid bound for `inp` when used as an input to
- * `phi` along `edge`.
- * - `upper = true`  : `inp <= b + delta`
- * - `upper = false` : `inp >= b + delta`
- */
-private predicate boundedPhiInp(
-  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, SemBound b, int delta,
-  boolean upper, boolean fromBackEdge, int origdelta, SemReason reason
-) {
-  edge.phiInput(phi, inp) and
-  exists(int d, boolean fromBackEdge0 |
-    boundedSsa(inp, edge, b, d, upper, fromBackEdge0, origdelta, reason)
-    or
-    boundedPhi(inp, b, d, upper, fromBackEdge0, origdelta, reason)
-    or
-    b.(SemSsaBound).getAVariable() = inp and
-    d = 0 and
-    (upper = true or upper = false) and
-    fromBackEdge0 = false and
-    origdelta = 0 and
-    reason = TSemNoReason()
-  |
-    if semBackEdge(phi, inp, edge)
-    then
-      fromBackEdge = true and
-      (
-        fromBackEdge0 = true and delta = weakenDelta(upper, d - origdelta) + origdelta
-        or
-        fromBackEdge0 = false and delta = d
-      )
-    else (
-      delta = d and fromBackEdge = fromBackEdge0
-    )
-  )
-}
-
-/**
- * Holds if `b + delta` is a valid bound for `inp` when used as an input to
- * `phi` along `edge`.
- * - `upper = true`  : `inp <= b + delta`
- * - `upper = false` : `inp >= b + delta`
- *
- * Equivalent to `boundedPhiInp(phi, inp, edge, b, delta, upper, _, _, _)`.
- */
-pragma[noinline]
-private predicate boundedPhiInp1(
-  SemSsaPhiNode phi, SemBound b, boolean upper, SemSsaVariable inp,
-  SemSsaReadPositionPhiInputEdge edge, int delta
-) {
-  boundedPhiInp(phi, inp, edge, b, delta, upper, _, _, _)
-}
-
-/**
- * Holds if `phi` is a valid bound for `inp` when used as an input to `phi`
- * along `edge`.
- * - `upper = true`  : `inp <= phi`
- * - `upper = false` : `inp >= phi`
- */
-private predicate selfBoundedPhiInp(
-  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, boolean upper
-) {
-  exists(int d, SemSsaBound phibound |
-    phibound.getAVariable() = phi and
-    boundedPhiInp(phi, inp, edge, phibound, d, upper, _, _, _) and
-    (
-      upper = true and d <= 0
-      or
-      upper = false and d >= 0
-    )
-  )
-}
-
-/**
- * Holds if `b + delta` is a valid bound for some input, `inp`, to `phi`, and
- * thus a candidate bound for `phi`.
- * - `upper = true`  : `inp <= b + delta`
- * - `upper = false` : `inp >= b + delta`
- */
-pragma[noinline]
-private predicate boundedPhiCand(
-  SemSsaPhiNode phi, boolean upper, SemBound b, int delta, boolean fromBackEdge, int origdelta,
-  SemReason reason
-) {
-  exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
-    boundedPhiInp(phi, inp, edge, b, delta, upper, fromBackEdge, origdelta, reason)
-  )
-}
-
-/**
- * Holds if the candidate bound `b + delta` for `phi` is valid for the phi input
- * `inp` along `edge`.
- */
-private predicate boundedPhiCandValidForEdge(
-  SemSsaPhiNode phi, SemBound b, int delta, boolean upper, boolean fromBackEdge, int origdelta,
-  SemReason reason, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge
-) {
-  boundedPhiCand(phi, upper, b, delta, fromBackEdge, origdelta, reason) and
-  (
-    exists(int d | boundedPhiInp1(phi, b, upper, inp, edge, d) | upper = true and d <= delta)
-    or
-    exists(int d | boundedPhiInp1(phi, b, upper, inp, edge, d) | upper = false and d >= delta)
-    or
-    selfBoundedPhiInp(phi, inp, edge, upper)
-  )
-}
-
-/**
- * Holds if `b + delta` is a valid bound for `phi`.
- * - `upper = true`  : `phi <= b + delta`
- * - `upper = false` : `phi >= b + delta`
- */
-private predicate boundedPhi(
-  SemSsaPhiNode phi, SemBound b, int delta, boolean upper, boolean fromBackEdge, int origdelta,
-  SemReason reason
-) {
-  forex(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge | edge.phiInput(phi, inp) |
-    boundedPhiCandValidForEdge(phi, b, delta, upper, fromBackEdge, origdelta, reason, inp, edge)
-  )
-}
-
-/**
- * Holds if `e` has an upper (for `upper = true`) or lower
- * (for `upper = false`) bound of `b`.
- */
-private predicate baseBound(SemExpr e, int b, boolean upper) {
-  Specific::hasConstantBound(e, b, upper)
-  or
-  upper = false and
-  b = 0 and
-  semPositive(e.(SemBitAndExpr).getAnOperand()) and
-  // REVIEW: We let the language opt out here to preserve original results.
-  not Specific::ignoreZeroLowerBound(e)
-}
-
-/**
- * Holds if the value being cast has an upper (for `upper = true`) or lower
- * (for `upper = false`) bound within the bounds of the resulting type.
- * For `upper = true` this means that the cast will not overflow and for
- * `upper = false` this means that the cast will not underflow.
- */
-private predicate safeNarrowingCast(NarrowingCastExpr cast, boolean upper) {
-  exists(int bound | bounded(cast.getOperand(), any(SemZeroBound zb), bound, upper, _, _, _) |
-    upper = true and bound <= cast.getUpperBound()
-    or
-    upper = false and bound >= cast.getLowerBound()
-  )
-}
-
-pragma[noinline]
-private predicate boundedCastExpr(
-  NarrowingCastExpr cast, SemBound b, int delta, boolean upper, boolean fromBackEdge, int origdelta,
-  SemReason reason
-) {
-  bounded(cast.getOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
-}
-
-/**
- * Holds if `b + delta` is a valid bound for `e`.
- * - `upper = true`  : `e <= b + delta`
- * - `upper = false` : `e >= b + delta`
- */
-private predicate bounded(
-  SemExpr e, SemBound b, int delta, boolean upper, boolean fromBackEdge, int origdelta,
-  SemReason reason
-) {
-  not Specific::ignoreExprBound(e) and
-  (
-    e = b.getExpr(delta) and
-    (upper = true or upper = false) and
-    fromBackEdge = false and
-    origdelta = delta and
-    reason = TSemNoReason()
-    or
-    baseBound(e, delta, upper) and
-    b instanceof SemZeroBound and
-    fromBackEdge = false and
-    origdelta = delta and
-    reason = TSemNoReason()
-    or
-    exists(SemSsaVariable v, SemSsaReadPositionBlock bb |
-      boundedSsa(v, bb, b, delta, upper, fromBackEdge, origdelta, reason) and
-      e = v.getAUse() and
-      bb.getBlock() = e.getBasicBlock()
-    )
-    or
-    exists(SemExpr mid, int d1, int d2 |
-      boundFlowStep(e, mid, d1, upper) and
-      // Constants have easy, base-case bounds, so let's not infer any recursive bounds.
-      not e instanceof SemConstantIntegerExpr and
-      bounded(mid, b, d2, upper, fromBackEdge, origdelta, reason) and
-      // upper = true:  e <= mid + d1 <= b + d1 + d2 = b + delta
-      // upper = false: e >= mid + d1 >= b + d1 + d2 = b + delta
-      delta = d1 + d2
-    )
-    or
-    exists(SemSsaPhiNode phi |
-      boundedPhi(phi, b, delta, upper, fromBackEdge, origdelta, reason) and
-      e = phi.getAUse()
-    )
-    or
-    exists(SemExpr mid, int factor, int d |
-      boundFlowStepMul(e, mid, factor) and
-      not e instanceof SemConstantIntegerExpr and
-      bounded(mid, b, d, upper, fromBackEdge, origdelta, reason) and
-      b instanceof SemZeroBound and
-      delta = d * factor
-    )
-    or
-    exists(SemExpr mid, int factor, int d |
-      boundFlowStepDiv(e, mid, factor) and
-      not e instanceof SemConstantIntegerExpr and
-      bounded(mid, b, d, upper, fromBackEdge, origdelta, reason) and
-      b instanceof SemZeroBound and
-      d >= 0 and
-      delta = d / factor
-    )
-    or
-    exists(NarrowingCastExpr cast |
-      cast = e and
-      safeNarrowingCast(cast, upper.booleanNot()) and
-      boundedCastExpr(cast, b, delta, upper, fromBackEdge, origdelta, reason)
-    )
-    or
-    exists(
-      SemConditionalExpr cond, int d1, int d2, boolean fbe1, boolean fbe2, int od1, int od2,
-      SemReason r1, SemReason r2
-    |
-      cond = e and
-      boundedConditionalExpr(cond, b, upper, true, d1, fbe1, od1, r1) and
-      boundedConditionalExpr(cond, b, upper, false, d2, fbe2, od2, r2) and
-      (
-        delta = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1
-        or
-        delta = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2
-      )
-    |
-      upper = true and delta = d1.maximum(d2)
-      or
-      upper = false and delta = d1.minimum(d2)
-    )
-  )
-}
-
-private predicate boundedConditionalExpr(
-  SemConditionalExpr cond, SemBound b, boolean upper, boolean branch, int delta,
-  boolean fromBackEdge, int origdelta, SemReason reason
-) {
-  bounded(cond.getBranchExpr(branch), b, delta, upper, fromBackEdge, origdelta, reason)
-}
+import CppRangeAnalysis

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisSpecific.qll

@@ -3,86 +3,90 @@
  */
 
 private import experimental.semmle.code.cpp.semantic.Semantic
+private import RangeAnalysisStage
+private import experimental.semmle.code.cpp.semantic.analysis.FloatDelta
 
-/**
- * Holds if the specified expression should be excluded from the result of `ssaRead()`.
- *
- * This predicate is to keep the results identical to the original Java implementation. It should be
- * removed once we have the new implementation matching the old results exactly.
- */
-predicate ignoreSsaReadCopy(SemExpr e) { none() }
+module CppLangImpl implements LangSig<FloatDelta> {
+  /**
+   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadCopy(SemExpr e) { none() }
 
-/**
- * Ignore the bound on this expression.
- *
- * This predicate is to keep the results identical to the original Java implementation. It should be
- * removed once we have the new implementation matching the old results exactly.
- */
-predicate ignoreExprBound(SemExpr e) { none() }
+  /**
+   * Ignore the bound on this expression.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreExprBound(SemExpr e) { none() }
 
-/**
- * Ignore any inferred zero lower bound on this expression.
- *
- * This predicate is to keep the results identical to the original Java implementation. It should be
- * removed once we have the new implementation matching the old results exactly.
- */
-predicate ignoreZeroLowerBound(SemExpr e) { none() }
+  /**
+   * Ignore any inferred zero lower bound on this expression.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreZeroLowerBound(SemExpr e) { none() }
 
-/**
- * Holds if the specified expression should be excluded from the result of `ssaRead()`.
- *
- * This predicate is to keep the results identical to the original Java implementation. It should be
- * removed once we have the new implementation matching the old results exactly.
- */
-predicate ignoreSsaReadArithmeticExpr(SemExpr e) { none() }
+  /**
+   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadArithmeticExpr(SemExpr e) { none() }
 
-/**
- * Holds if the specified variable should be excluded from the result of `ssaRead()`.
- *
- * This predicate is to keep the results identical to the original Java implementation. It should be
- * removed once we have the new implementation matching the old results exactly.
- */
-predicate ignoreSsaReadAssignment(SemSsaVariable v) { none() }
+  /**
+   * Holds if the specified variable should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadAssignment(SemSsaVariable v) { none() }
 
-/**
- * Adds additional results to `ssaRead()` that are specific to Java.
- *
- * This predicate handles propagation of offsets for post-increment and post-decrement expressions
- * in exactly the same way as the old Java implementation. Once the new implementation matches the
- * old one, we should remove this predicate and propagate deltas for all similar patterns, whether
- * or not they come from a post-increment/decrement expression.
- */
-SemExpr specificSsaRead(SemSsaVariable v, int delta) { none() }
+  /**
+   * Adds additional results to `ssaRead()` that are specific to Java.
+   *
+   * This predicate handles propagation of offsets for post-increment and post-decrement expressions
+   * in exactly the same way as the old Java implementation. Once the new implementation matches the
+   * old one, we should remove this predicate and propagate deltas for all similar patterns, whether
+   * or not they come from a post-increment/decrement expression.
+   */
+  SemExpr specificSsaRead(SemSsaVariable v, float delta) { none() }
 
-/**
- * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
- */
-predicate hasConstantBound(SemExpr e, int bound, boolean upper) { none() }
+  /**
+   * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
+   */
+  predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }
 
-/**
- * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
- */
-predicate hasBound(SemExpr e, SemExpr bound, int delta, boolean upper) { none() }
+  /**
+   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
+   */
+  predicate hasBound(SemExpr e, SemExpr bound, float delta, boolean upper) { none() }
 
-/**
- * Holds if the value of `dest` is known to be `src + delta`.
- */
-predicate additionalValueFlowStep(SemExpr dest, SemExpr src, int delta) { none() }
+  /**
+   * Holds if the value of `dest` is known to be `src + delta`.
+   */
+  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, float delta) { none() }
 
-/**
- * Gets the type that range analysis should use to track the result of the specified expression,
- * if a type other than the original type of the expression is to be used.
- *
- * This predicate is commonly used in languages that support immutable "boxed" types that are
- * actually references but whose values can be tracked as the type contained in the box.
- */
-SemType getAlternateType(SemExpr e) { none() }
+  /**
+   * Gets the type that range analysis should use to track the result of the specified expression,
+   * if a type other than the original type of the expression is to be used.
+   *
+   * This predicate is commonly used in languages that support immutable "boxed" types that are
+   * actually references but whose values can be tracked as the type contained in the box.
+   */
+  SemType getAlternateType(SemExpr e) { none() }
 
-/**
- * Gets the type that range analysis should use to track the result of the specified source
- * variable, if a type other than the original type of the expression is to be used.
- *
- * This predicate is commonly used in languages that support immutable "boxed" types that are
- * actually references but whose values can be tracked as the type contained in the box.
- */
-SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }
+  /**
+   * Gets the type that range analysis should use to track the result of the specified source
+   * variable, if a type other than the original type of the expression is to be used.
+   *
+   * This predicate is commonly used in languages that support immutable "boxed" types that are
+   * actually references but whose values can be tracked as the type contained in the box.
+   */
+  SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }
+}

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeUtils.qll

@@ -3,133 +3,138 @@
  */
 
 private import experimental.semmle.code.cpp.semantic.Semantic
-private import RangeAnalysisSpecific as Specific
+private import RangeAnalysisSpecific
+private import RangeAnalysisStage as Range
 private import ConstantAnalysis
 
-/**
- * Gets an expression that equals `v - d`.
- */
-SemExpr semSsaRead(SemSsaVariable v, int delta) {
-  // There are various language-specific extension points that can be removed once we no longer
-  // expect to match the original Java implementation's results exactly.
-  result = v.getAUse() and delta = 0
-  or
-  exists(int d1, SemConstantIntegerExpr c |
-    result.(SemAddExpr).hasOperands(semSsaRead(v, d1), c) and
-    delta = d1 - c.getIntValue() and
-    not Specific::ignoreSsaReadArithmeticExpr(result)
-  )
-  or
-  exists(SemSubExpr sub, int d1, SemConstantIntegerExpr c |
-    result = sub and
-    sub.getLeftOperand() = semSsaRead(v, d1) and
-    sub.getRightOperand() = c and
-    delta = d1 + c.getIntValue() and
-    not Specific::ignoreSsaReadArithmeticExpr(result)
-  )
-  or
-  result = v.(SemSsaExplicitUpdate).getSourceExpr() and
-  delta = 0 and
-  not Specific::ignoreSsaReadAssignment(v)
-  or
-  result = Specific::specificSsaRead(v, delta)
-  or
-  result.(SemCopyValueExpr).getOperand() = semSsaRead(v, delta) and
-  not Specific::ignoreSsaReadCopy(result)
-  or
-  result.(SemStoreExpr).getOperand() = semSsaRead(v, delta)
-}
-
-/**
- * Gets a condition that tests whether `v` equals `e + delta`.
- *
- * If the condition evaluates to `testIsTrue`:
- * - `isEq = true`  : `v == e + delta`
- * - `isEq = false` : `v != e + delta`
- */
-SemGuard semEqFlowCond(SemSsaVariable v, SemExpr e, int delta, boolean isEq, boolean testIsTrue) {
-  exists(boolean eqpolarity |
-    result.isEquality(semSsaRead(v, delta), e, eqpolarity) and
-    (testIsTrue = true or testIsTrue = false) and
-    eqpolarity.booleanXor(testIsTrue).booleanNot() = isEq
-  )
-  or
-  exists(boolean testIsTrue0 |
-    semImplies_v2(result, testIsTrue, semEqFlowCond(v, e, delta, isEq, testIsTrue0), testIsTrue0)
-  )
-}
-
-/**
- * Holds if `v` is an `SsaExplicitUpdate` that equals `e + delta`.
- */
-predicate semSsaUpdateStep(SemSsaExplicitUpdate v, SemExpr e, int delta) {
-  exists(SemExpr defExpr | defExpr = v.getSourceExpr() |
-    defExpr.(SemCopyValueExpr).getOperand() = e and delta = 0
+module RangeUtil<Range::DeltaSig D, Range::LangSig<D> Lang> implements Range::UtilSig<D> {
+  /**
+   * Gets an expression that equals `v - d`.
+   */
+  SemExpr semSsaRead(SemSsaVariable v, D::Delta delta) {
+    // There are various language-specific extension points that can be removed once we no longer
+    // expect to match the original Java implementation's results exactly.
+    result = v.getAUse() and delta = D::fromInt(0)
     or
-    defExpr.(SemStoreExpr).getOperand() = e and delta = 0
+    exists(D::Delta d1, SemConstantIntegerExpr c |
+      result.(SemAddExpr).hasOperands(semSsaRead(v, d1), c) and
+      delta = D::fromFloat(D::toFloat(d1) - c.getIntValue()) and
+      not Lang::ignoreSsaReadArithmeticExpr(result)
+    )
     or
-    defExpr.(SemAddOneExpr).getOperand() = e and delta = 1
+    exists(SemSubExpr sub, D::Delta d1, SemConstantIntegerExpr c |
+      result = sub and
+      sub.getLeftOperand() = semSsaRead(v, d1) and
+      sub.getRightOperand() = c and
+      delta = D::fromFloat(D::toFloat(d1) + c.getIntValue()) and
+      not Lang::ignoreSsaReadArithmeticExpr(result)
+    )
     or
-    defExpr.(SemSubOneExpr).getOperand() = e and delta = -1
+    result = v.(SemSsaExplicitUpdate).getSourceExpr() and
+    delta = D::fromFloat(0) and
+    not Lang::ignoreSsaReadAssignment(v)
     or
-    e = defExpr and
-    not (
-      defExpr instanceof SemCopyValueExpr or
-      defExpr instanceof SemStoreExpr or
-      defExpr instanceof SemAddOneExpr or
-      defExpr instanceof SemSubOneExpr
-    ) and
-    delta = 0
-  )
-}
+    result = Lang::specificSsaRead(v, delta)
+    or
+    result.(SemCopyValueExpr).getOperand() = semSsaRead(v, delta) and
+    not Lang::ignoreSsaReadCopy(result)
+    or
+    result.(SemStoreExpr).getOperand() = semSsaRead(v, delta)
+  }
 
-/**
- * Holds if `e1 + delta` equals `e2`.
- */
-predicate semValueFlowStep(SemExpr e2, SemExpr e1, int delta) {
-  e2.(SemCopyValueExpr).getOperand() = e1 and delta = 0
-  or
-  e2.(SemStoreExpr).getOperand() = e1 and delta = 0
-  or
-  e2.(SemAddOneExpr).getOperand() = e1 and delta = 1
-  or
-  e2.(SemSubOneExpr).getOperand() = e1 and delta = -1
-  or
-  Specific::additionalValueFlowStep(e2, e1, delta)
-  or
-  exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
-    x.(SemConstantIntegerExpr).getIntValue() = delta
-  )
-  or
-  exists(SemExpr x, SemSubExpr sub |
-    e2 = sub and
-    sub.getLeftOperand() = e1 and
-    sub.getRightOperand() = x
-  |
-    x.(SemConstantIntegerExpr).getIntValue() = -delta
-  )
-}
+  /**
+   * Gets a condition that tests whether `v` equals `e + delta`.
+   *
+   * If the condition evaluates to `testIsTrue`:
+   * - `isEq = true`  : `v == e + delta`
+   * - `isEq = false` : `v != e + delta`
+   */
+  SemGuard semEqFlowCond(
+    SemSsaVariable v, SemExpr e, D::Delta delta, boolean isEq, boolean testIsTrue
+  ) {
+    exists(boolean eqpolarity |
+      result.isEquality(semSsaRead(v, delta), e, eqpolarity) and
+      (testIsTrue = true or testIsTrue = false) and
+      eqpolarity.booleanXor(testIsTrue).booleanNot() = isEq
+    )
+    or
+    exists(boolean testIsTrue0 |
+      semImplies_v2(result, testIsTrue, semEqFlowCond(v, e, delta, isEq, testIsTrue0), testIsTrue0)
+    )
+  }
 
-/**
- * Gets the type used to track the specified expression's range information.
- *
- * Usually, this just `e.getSemType()`, but the language can override this to track immutable boxed
- * primitive types as the underlying primitive type.
- */
-SemType getTrackedType(SemExpr e) {
-  result = Specific::getAlternateType(e)
-  or
-  not exists(Specific::getAlternateType(e)) and result = e.getSemType()
-}
+  /**
+   * Holds if `v` is an `SsaExplicitUpdate` that equals `e + delta`.
+   */
+  predicate semSsaUpdateStep(SemSsaExplicitUpdate v, SemExpr e, D::Delta delta) {
+    exists(SemExpr defExpr | defExpr = v.getSourceExpr() |
+      defExpr.(SemCopyValueExpr).getOperand() = e and delta = D::fromFloat(0)
+      or
+      defExpr.(SemStoreExpr).getOperand() = e and delta = D::fromFloat(0)
+      or
+      defExpr.(SemAddOneExpr).getOperand() = e and delta = D::fromFloat(1)
+      or
+      defExpr.(SemSubOneExpr).getOperand() = e and delta = D::fromFloat(-1)
+      or
+      e = defExpr and
+      not (
+        defExpr instanceof SemCopyValueExpr or
+        defExpr instanceof SemStoreExpr or
+        defExpr instanceof SemAddOneExpr or
+        defExpr instanceof SemSubOneExpr
+      ) and
+      delta = D::fromFloat(0)
+    )
+  }
 
-/**
- * Gets the type used to track the specified source variable's range information.
- *
- * Usually, this just `e.getType()`, but the language can override this to track immutable boxed
- * primitive types as the underlying primitive type.
- */
-SemType getTrackedTypeForSsaVariable(SemSsaVariable var) {
-  result = Specific::getAlternateTypeForSsaVariable(var)
-  or
-  not exists(Specific::getAlternateTypeForSsaVariable(var)) and result = var.getType()
+  /**
+   * Holds if `e1 + delta` equals `e2`.
+   */
+  predicate semValueFlowStep(SemExpr e2, SemExpr e1, D::Delta delta) {
+    e2.(SemCopyValueExpr).getOperand() = e1 and delta = D::fromFloat(0)
+    or
+    e2.(SemStoreExpr).getOperand() = e1 and delta = D::fromFloat(0)
+    or
+    e2.(SemAddOneExpr).getOperand() = e1 and delta = D::fromFloat(1)
+    or
+    e2.(SemSubOneExpr).getOperand() = e1 and delta = D::fromFloat(-1)
+    or
+    Lang::additionalValueFlowStep(e2, e1, delta)
+    or
+    exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
+      D::fromInt(x.(SemConstantIntegerExpr).getIntValue()) = delta
+    )
+    or
+    exists(SemExpr x, SemSubExpr sub |
+      e2 = sub and
+      sub.getLeftOperand() = e1 and
+      sub.getRightOperand() = x
+    |
+      D::fromInt(-x.(SemConstantIntegerExpr).getIntValue()) = delta
+    )
+  }
+
+  /**
+   * Gets the type used to track the specified expression's range information.
+   *
+   * Usually, this just `e.getSemType()`, but the language can override this to track immutable boxed
+   * primitive types as the underlying primitive type.
+   */
+  SemType getTrackedType(SemExpr e) {
+    result = Lang::getAlternateType(e)
+    or
+    not exists(Lang::getAlternateType(e)) and result = e.getSemType()
+  }
+
+  /**
+   * Gets the type used to track the specified source variable's range information.
+   *
+   * Usually, this just `e.getType()`, but the language can override this to track immutable boxed
+   * primitive types as the underlying primitive type.
+   */
+  SemType getTrackedTypeForSsaVariable(SemSsaVariable var) {
+    result = Lang::getAlternateTypeForSsaVariable(var)
+    or
+    not exists(Lang::getAlternateTypeForSsaVariable(var)) and result = var.getType()
+  }
 }

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/SignAnalysisCommon.qll

@@ -6,488 +6,494 @@
  * three-valued domain `{negative, zero, positive}`.
  */
 
+private import RangeAnalysisStage
 private import SignAnalysisSpecific as Specific
 private import experimental.semmle.code.cpp.semantic.Semantic
 private import ConstantAnalysis
 private import RangeUtils
 private import Sign
 
-/**
- * An SSA definition for which the analysis can compute the sign.
- *
- * The actual computation of the sign is done in an override of the `getSign()` predicate. The
- * charpred of any subclass must _not_ invoke `getSign()`, directly or indirectly. This ensures
- * that the charpred does not introduce negative recursion. The `getSign()` predicate may be
- * recursive.
- */
-abstract private class SignDef instanceof SemSsaVariable {
-  final string toString() { result = super.toString() }
+module SignAnalysis<DeltaSig D, UtilSig<D> Utils> {
+  /**
+   * An SSA definition for which the analysis can compute the sign.
+   *
+   * The actual computation of the sign is done in an override of the `getSign()` predicate. The
+   * charpred of any subclass must _not_ invoke `getSign()`, directly or indirectly. This ensures
+   * that the charpred does not introduce negative recursion. The `getSign()` predicate may be
+   * recursive.
+   */
+  abstract private class SignDef instanceof SemSsaVariable {
+    final string toString() { result = super.toString() }
 
-  /** Gets the possible signs of this SSA definition. */
-  abstract Sign getSign();
-}
-
-/** An SSA definition whose sign is computed based on standard flow. */
-abstract private class FlowSignDef extends SignDef {
-  abstract override Sign getSign();
-}
-
-/** An SSA definition whose sign is determined by the sign of that definitions source expression. */
-private class ExplicitSignDef extends FlowSignDef instanceof SemSsaExplicitUpdate {
-  final override Sign getSign() { result = semExprSign(super.getSourceExpr()) }
-}
-
-/** An SSA Phi definition, whose sign is the union of the signs of its inputs. */
-private class PhiSignDef extends FlowSignDef instanceof SemSsaPhiNode {
-  final override Sign getSign() {
-    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
-      edge.phiInput(this, inp) and
-      result = semSsaSign(inp, edge)
-    )
-  }
-}
-
-/** An SSA definition whose sign is computed by a language-specific implementation. */
-abstract class CustomSignDef extends SignDef {
-  abstract override Sign getSign();
-}
-
-/**
- * An expression for which the analysis can compute the sign.
- *
- * The actual computation of the sign is done in an override of the `getSign()` predicate. The
- * charpred of any subclass must _not_ invoke `getSign()`, directly or indirectly. This ensures
- * that the charpred does not introduce negative recursion. The `getSign()` predicate may be
- * recursive.
- *
- * Concrete implementations extend one of the following subclasses:
- * - `ConstantSignExpr`, for expressions with a compile-time constant value.
- * - `FlowSignExpr`, for expressions whose sign can be computed from the signs of their operands.
- * - `CustomsignExpr`, for expressions whose sign can be computed by a language-specific
- *   implementation.
- *
- * If the same expression matches more than one of the above subclasses, the sign is computed as
- * follows:
- * - The sign of a `ConstantSignExpr` is computed solely from `ConstantSignExpr.getSign()`,
- *   regardless of any other subclasses.
- * - If a non-`ConstantSignExpr` expression matches exactly one of `FlowSignExpr` or
- *   `CustomSignExpr`, the sign is computed by that class' `getSign()` predicate.
- * - If a non-`ConstantSignExpr` expression matches both `FlowSignExpr` and `CustomSignExpr`, the
- *   sign is the _intersection_ of the signs of those two classes' `getSign()` predicates. Thus,
- *   both classes have the opportunity to _restrict_ the set of possible signs, not to generate new
- *   possible signs.
- * - If an expression does not match any of the three subclasses, then it can have any sign.
- *
- * Note that the `getSign()` predicate is introduced only in subclasses of `SignExpr`.
- */
-abstract class SignExpr instanceof SemExpr {
-  SignExpr() { not Specific::ignoreExprSign(this) }
-
-  final string toString() { result = super.toString() }
-
-  abstract Sign getSign();
-}
-
-/** An expression whose sign is determined by its constant numeric value. */
-private class ConstantSignExpr extends SignExpr {
-  ConstantSignExpr() {
-    this instanceof SemConstantIntegerExpr or
-    exists(this.(SemNumericLiteralExpr).getApproximateFloatValue())
+    /** Gets the possible signs of this SSA definition. */
+    abstract Sign getSign();
   }
 
-  final override Sign getSign() {
-    exists(int i | this.(SemConstantIntegerExpr).getIntValue() = i |
-      i < 0 and result = TNeg()
+  /** An SSA definition whose sign is computed based on standard flow. */
+  abstract private class FlowSignDef extends SignDef {
+    abstract override Sign getSign();
+  }
+
+  /** An SSA definition whose sign is determined by the sign of that definitions source expression. */
+  private class ExplicitSignDef extends FlowSignDef instanceof SemSsaExplicitUpdate {
+    final override Sign getSign() { result = semExprSign(super.getSourceExpr()) }
+  }
+
+  /** An SSA Phi definition, whose sign is the union of the signs of its inputs. */
+  private class PhiSignDef extends FlowSignDef instanceof SemSsaPhiNode {
+    final override Sign getSign() {
+      exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
+        edge.phiInput(this, inp) and
+        result = semSsaSign(inp, edge)
+      )
+    }
+  }
+
+  /** An SSA definition whose sign is computed by a language-specific implementation. */
+  abstract class CustomSignDef extends SignDef {
+    abstract override Sign getSign();
+  }
+
+  /**
+   * An expression for which the analysis can compute the sign.
+   *
+   * The actual computation of the sign is done in an override of the `getSign()` predicate. The
+   * charpred of any subclass must _not_ invoke `getSign()`, directly or indirectly. This ensures
+   * that the charpred does not introduce negative recursion. The `getSign()` predicate may be
+   * recursive.
+   *
+   * Concrete implementations extend one of the following subclasses:
+   * - `ConstantSignExpr`, for expressions with a compile-time constant value.
+   * - `FlowSignExpr`, for expressions whose sign can be computed from the signs of their operands.
+   * - `CustomsignExpr`, for expressions whose sign can be computed by a language-specific
+   *   implementation.
+   *
+   * If the same expression matches more than one of the above subclasses, the sign is computed as
+   * follows:
+   * - The sign of a `ConstantSignExpr` is computed solely from `ConstantSignExpr.getSign()`,
+   *   regardless of any other subclasses.
+   * - If a non-`ConstantSignExpr` expression matches exactly one of `FlowSignExpr` or
+   *   `CustomSignExpr`, the sign is computed by that class' `getSign()` predicate.
+   * - If a non-`ConstantSignExpr` expression matches both `FlowSignExpr` and `CustomSignExpr`, the
+   *   sign is the _intersection_ of the signs of those two classes' `getSign()` predicates. Thus,
+   *   both classes have the opportunity to _restrict_ the set of possible signs, not to generate new
+   *   possible signs.
+   * - If an expression does not match any of the three subclasses, then it can have any sign.
+   *
+   * Note that the `getSign()` predicate is introduced only in subclasses of `SignExpr`.
+   */
+  abstract class SignExpr instanceof SemExpr {
+    SignExpr() { not Specific::ignoreExprSign(this) }
+
+    final string toString() { result = super.toString() }
+
+    abstract Sign getSign();
+  }
+
+  /** An expression whose sign is determined by its constant numeric value. */
+  private class ConstantSignExpr extends SignExpr {
+    ConstantSignExpr() {
+      this instanceof SemConstantIntegerExpr or
+      exists(this.(SemNumericLiteralExpr).getApproximateFloatValue())
+    }
+
+    final override Sign getSign() {
+      exists(int i | this.(SemConstantIntegerExpr).getIntValue() = i |
+        i < 0 and result = TNeg()
+        or
+        i = 0 and result = TZero()
+        or
+        i > 0 and result = TPos()
+      )
       or
-      i = 0 and result = TZero()
-      or
-      i > 0 and result = TPos()
-    )
-    or
-    not exists(this.(SemConstantIntegerExpr).getIntValue()) and
-    exists(float f | f = this.(SemNumericLiteralExpr).getApproximateFloatValue() |
-      f < 0 and result = TNeg()
-      or
-      f = 0 and result = TZero()
-      or
-      f > 0 and result = TPos()
-    )
-  }
-}
-
-abstract private class NonConstantSignExpr extends SignExpr {
-  NonConstantSignExpr() { not this instanceof ConstantSignExpr }
-
-  final override Sign getSign() {
-    // The result is the _intersection_ of the signs computed from flow and by the language.
-    (result = this.(FlowSignExpr).getSignRestriction() or not this instanceof FlowSignExpr) and
-    (result = this.(CustomSignExpr).getSignRestriction() or not this instanceof CustomSignExpr)
-  }
-}
-
-/** An expression whose sign is computed from the signs of its operands. */
-abstract private class FlowSignExpr extends NonConstantSignExpr {
-  abstract Sign getSignRestriction();
-}
-
-/** An expression whose sign is computed by a language-specific implementation. */
-abstract class CustomSignExpr extends NonConstantSignExpr {
-  abstract Sign getSignRestriction();
-}
-
-/** An expression whose sign is unknown. */
-private class UnknownSignExpr extends SignExpr {
-  UnknownSignExpr() {
-    not this instanceof FlowSignExpr and
-    not this instanceof CustomSignExpr and
-    not this instanceof ConstantSignExpr and
-    (
-      // Only track numeric types.
-      getTrackedType(this) instanceof SemNumericType
-      or
-      // Unless the language says to track this expression anyway.
-      Specific::trackUnknownNonNumericExpr(this)
-    )
+      not exists(this.(SemConstantIntegerExpr).getIntValue()) and
+      exists(float f | f = this.(SemNumericLiteralExpr).getApproximateFloatValue() |
+        f < 0 and result = TNeg()
+        or
+        f = 0 and result = TZero()
+        or
+        f > 0 and result = TPos()
+      )
+    }
   }
 
-  final override Sign getSign() { semAnySign(result) }
-}
+  abstract private class NonConstantSignExpr extends SignExpr {
+    NonConstantSignExpr() { not this instanceof ConstantSignExpr }
 
-/**
- * A `Load` expression whose sign is computed from the sign of its SSA definition, restricted by
- * inference from any intervening guards.
- */
-class UseSignExpr extends FlowSignExpr {
-  SemSsaVariable v;
-
-  UseSignExpr() { v.getAUse() = this }
-
-  override Sign getSignRestriction() {
-    // Propagate via SSA
-    // Propagate the sign from the def of `v`, incorporating any inference from guards.
-    result = semSsaSign(v, any(SemSsaReadPositionBlock bb | bb.getAnExpr() = this))
-    or
-    // No block for this read. Just use the sign of the def.
-    // REVIEW: How can this happen?
-    not exists(SemSsaReadPositionBlock bb | bb.getAnExpr() = this) and
-    result = semSsaDefSign(v)
+    final override Sign getSign() {
+      // The result is the _intersection_ of the signs computed from flow and by the language.
+      (result = this.(FlowSignExpr).getSignRestriction() or not this instanceof FlowSignExpr) and
+      (result = this.(CustomSignExpr).getSignRestriction() or not this instanceof CustomSignExpr)
+    }
   }
-}
 
-/** A binary expression whose sign is computed from the signs of its operands. */
-private class BinarySignExpr extends FlowSignExpr {
-  SemBinaryExpr binary;
+  /** An expression whose sign is computed from the signs of its operands. */
+  abstract private class FlowSignExpr extends NonConstantSignExpr {
+    abstract Sign getSignRestriction();
+  }
 
-  BinarySignExpr() { binary = this }
+  /** An expression whose sign is computed by a language-specific implementation. */
+  abstract class CustomSignExpr extends NonConstantSignExpr {
+    abstract Sign getSignRestriction();
+  }
 
-  override Sign getSignRestriction() {
-    exists(SemExpr left, SemExpr right |
-      binaryExprOperands(binary, left, right) and
+  /** An expression whose sign is unknown. */
+  private class UnknownSignExpr extends SignExpr {
+    UnknownSignExpr() {
+      not this instanceof FlowSignExpr and
+      not this instanceof CustomSignExpr and
+      not this instanceof ConstantSignExpr and
+      (
+        // Only track numeric types.
+        Utils::getTrackedType(this) instanceof SemNumericType
+        or
+        // Unless the language says to track this expression anyway.
+        Specific::trackUnknownNonNumericExpr(this)
+      )
+    }
+
+    final override Sign getSign() { semAnySign(result) }
+  }
+
+  /**
+   * A `Load` expression whose sign is computed from the sign of its SSA definition, restricted by
+   * inference from any intervening guards.
+   */
+  class UseSignExpr extends FlowSignExpr {
+    SemSsaVariable v;
+
+    UseSignExpr() { v.getAUse() = this }
+
+    override Sign getSignRestriction() {
+      // Propagate via SSA
+      // Propagate the sign from the def of `v`, incorporating any inference from guards.
+      result = semSsaSign(v, any(SemSsaReadPositionBlock bb | bb.getAnExpr() = this))
+      or
+      // No block for this read. Just use the sign of the def.
+      // REVIEW: How can this happen?
+      not exists(SemSsaReadPositionBlock bb | bb.getAnExpr() = this) and
+      result = semSsaDefSign(v)
+    }
+  }
+
+  /** A binary expression whose sign is computed from the signs of its operands. */
+  private class BinarySignExpr extends FlowSignExpr {
+    SemBinaryExpr binary;
+
+    BinarySignExpr() { binary = this }
+
+    override Sign getSignRestriction() {
+      exists(SemExpr left, SemExpr right |
+        binaryExprOperands(binary, left, right) and
+        result =
+          semExprSign(pragma[only_bind_out](left))
+              .applyBinaryOp(semExprSign(pragma[only_bind_out](right)), binary.getOpcode())
+      )
+      or
+      exists(SemDivExpr div | div = binary |
+        result = semExprSign(div.getLeftOperand()) and
+        result != TZero() and
+        div.getRightOperand().(SemFloatingPointLiteralExpr).getFloatValue() = 0
+      )
+    }
+  }
+
+  pragma[nomagic]
+  private predicate binaryExprOperands(SemBinaryExpr binary, SemExpr left, SemExpr right) {
+    binary.getLeftOperand() = left and binary.getRightOperand() = right
+  }
+
+  /**
+   * A `Convert`, `Box`, or `Unbox` expression.
+   */
+  private class SemCastExpr instanceof SemUnaryExpr {
+    string toString() { result = super.toString() }
+
+    SemCastExpr() {
+      this instanceof SemConvertExpr
+      or
+      this instanceof SemBoxExpr
+      or
+      this instanceof SemUnboxExpr
+    }
+  }
+
+  /** A unary expression whose sign is computed from the sign of its operand. */
+  private class UnarySignExpr extends FlowSignExpr {
+    SemUnaryExpr unary;
+
+    UnarySignExpr() { unary = this and not this instanceof SemCastExpr }
+
+    override Sign getSignRestriction() {
       result =
-        semExprSign(pragma[only_bind_out](left))
-            .applyBinaryOp(semExprSign(pragma[only_bind_out](right)), binary.getOpcode())
-    )
-    or
-    exists(SemDivExpr div | div = binary |
-      result = semExprSign(div.getLeftOperand()) and
-      result != TZero() and
-      div.getRightOperand().(SemFloatingPointLiteralExpr).getFloatValue() = 0
+        semExprSign(pragma[only_bind_out](unary.getOperand())).applyUnaryOp(unary.getOpcode())
+    }
+  }
+
+  /**
+   * A `Convert`, `Box`, or `Unbox` expression, whose sign is computed based on
+   * the sign of its operand and the source and destination types.
+   */
+  abstract private class CastSignExpr extends FlowSignExpr {
+    SemUnaryExpr cast;
+
+    CastSignExpr() { cast = this and cast instanceof SemCastExpr }
+
+    override Sign getSignRestriction() { result = semExprSign(cast.getOperand()) }
+  }
+
+  /**
+   * A `Convert` expression.
+   */
+  private class ConvertSignExpr extends CastSignExpr {
+    override SemConvertExpr cast;
+  }
+
+  /**
+   * A `Box` expression.
+   */
+  private class BoxSignExpr extends CastSignExpr {
+    override SemBoxExpr cast;
+  }
+
+  /**
+   * An `Unbox` expression.
+   */
+  private class UnboxSignExpr extends CastSignExpr {
+    override SemUnboxExpr cast;
+
+    UnboxSignExpr() {
+      exists(SemType fromType | fromType = Utils::getTrackedType(cast.getOperand()) |
+        // Only numeric source types are handled here.
+        fromType instanceof SemNumericType
+      )
+    }
+  }
+
+  private predicate unknownSign(SemExpr e) { e instanceof UnknownSignExpr }
+
+  /**
+   * Holds if `lowerbound` is a lower bound for `v` at `pos`. This is restricted
+   * to only include bounds for which we might determine a sign.
+   */
+  private predicate lowerBound(
+    SemExpr lowerbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
+  ) {
+    exists(boolean testIsTrue, SemRelationalExpr comp |
+      pos.hasReadOfVar(v) and
+      semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
+      not unknownSign(lowerbound)
+    |
+      testIsTrue = true and
+      comp.getLesserOperand() = lowerbound and
+      comp.getGreaterOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
+      (if comp.isStrict() then isStrict = true else isStrict = false)
+      or
+      testIsTrue = false and
+      comp.getGreaterOperand() = lowerbound and
+      comp.getLesserOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
+      (if comp.isStrict() then isStrict = false else isStrict = true)
     )
   }
-}
 
-pragma[nomagic]
-private predicate binaryExprOperands(SemBinaryExpr binary, SemExpr left, SemExpr right) {
-  binary.getLeftOperand() = left and binary.getRightOperand() = right
-}
-
-/**
- * A `Convert`, `Box`, or `Unbox` expression.
- */
-private class SemCastExpr extends SemUnaryExpr {
-  SemCastExpr() {
-    this instanceof SemConvertExpr
-    or
-    this instanceof SemBoxExpr
-    or
-    this instanceof SemUnboxExpr
-  }
-}
-
-/** A unary expression whose sign is computed from the sign of its operand. */
-private class UnarySignExpr extends FlowSignExpr {
-  SemUnaryExpr unary;
-
-  UnarySignExpr() { unary = this and not this instanceof SemCastExpr }
-
-  override Sign getSignRestriction() {
-    result = semExprSign(pragma[only_bind_out](unary.getOperand())).applyUnaryOp(unary.getOpcode())
-  }
-}
-
-/**
- * A `Convert`, `Box`, or `Unbox` expression, whose sign is computed based on
- * the sign of its operand and the source and destination types.
- */
-abstract private class CastSignExpr extends FlowSignExpr {
-  SemUnaryExpr cast;
-
-  CastSignExpr() { cast = this and cast instanceof SemCastExpr }
-
-  override Sign getSignRestriction() { result = semExprSign(cast.getOperand()) }
-}
-
-/**
- * A `Convert` expression.
- */
-private class ConvertSignExpr extends CastSignExpr {
-  override SemConvertExpr cast;
-}
-
-/**
- * A `Box` expression.
- */
-private class BoxSignExpr extends CastSignExpr {
-  override SemBoxExpr cast;
-}
-
-/**
- * An `Unbox` expression.
- */
-private class UnboxSignExpr extends CastSignExpr {
-  override SemUnboxExpr cast;
-
-  UnboxSignExpr() {
-    exists(SemType fromType | fromType = getTrackedType(cast.getOperand()) |
-      // Only numeric source types are handled here.
-      fromType instanceof SemNumericType
+  /**
+   * Holds if `upperbound` is an upper bound for `v` at `pos`. This is restricted
+   * to only include bounds for which we might determine a sign.
+   */
+  private predicate upperBound(
+    SemExpr upperbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
+  ) {
+    exists(boolean testIsTrue, SemRelationalExpr comp |
+      pos.hasReadOfVar(v) and
+      semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
+      not unknownSign(upperbound)
+    |
+      testIsTrue = true and
+      comp.getGreaterOperand() = upperbound and
+      comp.getLesserOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
+      (if comp.isStrict() then isStrict = true else isStrict = false)
+      or
+      testIsTrue = false and
+      comp.getLesserOperand() = upperbound and
+      comp.getGreaterOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
+      (if comp.isStrict() then isStrict = false else isStrict = true)
     )
   }
-}
 
-private predicate unknownSign(SemExpr e) { e instanceof UnknownSignExpr }
+  /**
+   * Holds if `eqbound` is an equality/inequality for `v` at `pos`. This is
+   * restricted to only include bounds for which we might determine a sign. The
+   * boolean `isEq` gives the polarity:
+   *  - `isEq = true` : `v = eqbound`
+   *  - `isEq = false` : `v != eqbound`
+   */
+  private predicate eqBound(SemExpr eqbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isEq) {
+    exists(SemGuard guard, boolean testIsTrue, boolean polarity |
+      pos.hasReadOfVar(v) and
+      semGuardControlsSsaRead(guard, pos, testIsTrue) and
+      guard.isEquality(eqbound, Utils::semSsaRead(v, D::fromInt(0)), polarity) and
+      isEq = polarity.booleanXor(testIsTrue).booleanNot() and
+      not unknownSign(eqbound)
+    )
+  }
 
-/**
- * Holds if `lowerbound` is a lower bound for `v` at `pos`. This is restricted
- * to only include bounds for which we might determine a sign.
- */
-private predicate lowerBound(
-  SemExpr lowerbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
-) {
-  exists(boolean testIsTrue, SemRelationalExpr comp |
-    pos.hasReadOfVar(v) and
-    semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
-    not unknownSign(lowerbound)
-  |
-    testIsTrue = true and
-    comp.getLesserOperand() = lowerbound and
-    comp.getGreaterOperand() = semSsaRead(v, 0) and
-    (if comp.isStrict() then isStrict = true else isStrict = false)
+  /**
+   * Holds if `bound` is a bound for `v` at `pos` that needs to be positive in
+   * order for `v` to be positive.
+   */
+  private predicate posBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+    upperBound(bound, v, pos, _) or
+    eqBound(bound, v, pos, true)
+  }
+
+  /**
+   * Holds if `bound` is a bound for `v` at `pos` that needs to be negative in
+   * order for `v` to be negative.
+   */
+  private predicate negBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+    lowerBound(bound, v, pos, _) or
+    eqBound(bound, v, pos, true)
+  }
+
+  /**
+   * Holds if `bound` is a bound for `v` at `pos` that can restrict whether `v`
+   * can be zero.
+   */
+  private predicate zeroBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+    lowerBound(bound, v, pos, _) or
+    upperBound(bound, v, pos, _) or
+    eqBound(bound, v, pos, _)
+  }
+
+  /** Holds if `bound` allows `v` to be positive at `pos`. */
+  private predicate posBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+    posBound(bound, v, pos) and TPos() = semExprSign(bound)
+  }
+
+  /** Holds if `bound` allows `v` to be negative at `pos`. */
+  private predicate negBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+    negBound(bound, v, pos) and TNeg() = semExprSign(bound)
+  }
+
+  /** Holds if `bound` allows `v` to be zero at `pos`. */
+  private predicate zeroBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+    lowerBound(bound, v, pos, _) and TNeg() = semExprSign(bound)
     or
-    testIsTrue = false and
-    comp.getGreaterOperand() = lowerbound and
-    comp.getLesserOperand() = semSsaRead(v, 0) and
-    (if comp.isStrict() then isStrict = false else isStrict = true)
-  )
-}
-
-/**
- * Holds if `upperbound` is an upper bound for `v` at `pos`. This is restricted
- * to only include bounds for which we might determine a sign.
- */
-private predicate upperBound(
-  SemExpr upperbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
-) {
-  exists(boolean testIsTrue, SemRelationalExpr comp |
-    pos.hasReadOfVar(v) and
-    semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
-    not unknownSign(upperbound)
-  |
-    testIsTrue = true and
-    comp.getGreaterOperand() = upperbound and
-    comp.getLesserOperand() = semSsaRead(v, 0) and
-    (if comp.isStrict() then isStrict = true else isStrict = false)
+    lowerBound(bound, v, pos, false) and TZero() = semExprSign(bound)
     or
-    testIsTrue = false and
-    comp.getLesserOperand() = upperbound and
-    comp.getGreaterOperand() = semSsaRead(v, 0) and
-    (if comp.isStrict() then isStrict = false else isStrict = true)
-  )
-}
+    upperBound(bound, v, pos, _) and TPos() = semExprSign(bound)
+    or
+    upperBound(bound, v, pos, false) and TZero() = semExprSign(bound)
+    or
+    eqBound(bound, v, pos, true) and TZero() = semExprSign(bound)
+    or
+    eqBound(bound, v, pos, false) and TZero() != semExprSign(bound)
+  }
 
-/**
- * Holds if `eqbound` is an equality/inequality for `v` at `pos`. This is
- * restricted to only include bounds for which we might determine a sign. The
- * boolean `isEq` gives the polarity:
- *  - `isEq = true` : `v = eqbound`
- *  - `isEq = false` : `v != eqbound`
- */
-private predicate eqBound(SemExpr eqbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isEq) {
-  exists(SemGuard guard, boolean testIsTrue, boolean polarity |
+  /**
+   * Holds if there is a bound that might restrict whether `v` has the sign `s`
+   * at `pos`.
+   */
+  private predicate hasGuard(SemSsaVariable v, SemSsaReadPosition pos, Sign s) {
+    s = TPos() and posBound(_, v, pos)
+    or
+    s = TNeg() and negBound(_, v, pos)
+    or
+    s = TZero() and zeroBound(_, v, pos)
+  }
+
+  /**
+   * Gets a possible sign of `v` at `pos` based on its definition, where the sign
+   * might be ruled out by a guard.
+   */
+  pragma[noinline]
+  private Sign guardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
+    result = semSsaDefSign(v) and
     pos.hasReadOfVar(v) and
-    semGuardControlsSsaRead(guard, pos, testIsTrue) and
-    guard.isEquality(eqbound, semSsaRead(v, 0), polarity) and
-    isEq = polarity.booleanXor(testIsTrue).booleanNot() and
-    not unknownSign(eqbound)
-  )
-}
-
-/**
- * Holds if `bound` is a bound for `v` at `pos` that needs to be positive in
- * order for `v` to be positive.
- */
-private predicate posBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-  upperBound(bound, v, pos, _) or
-  eqBound(bound, v, pos, true)
-}
-
-/**
- * Holds if `bound` is a bound for `v` at `pos` that needs to be negative in
- * order for `v` to be negative.
- */
-private predicate negBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-  lowerBound(bound, v, pos, _) or
-  eqBound(bound, v, pos, true)
-}
-
-/**
- * Holds if `bound` is a bound for `v` at `pos` that can restrict whether `v`
- * can be zero.
- */
-private predicate zeroBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-  lowerBound(bound, v, pos, _) or
-  upperBound(bound, v, pos, _) or
-  eqBound(bound, v, pos, _)
-}
-
-/** Holds if `bound` allows `v` to be positive at `pos`. */
-private predicate posBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-  posBound(bound, v, pos) and TPos() = semExprSign(bound)
-}
-
-/** Holds if `bound` allows `v` to be negative at `pos`. */
-private predicate negBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-  negBound(bound, v, pos) and TNeg() = semExprSign(bound)
-}
-
-/** Holds if `bound` allows `v` to be zero at `pos`. */
-private predicate zeroBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-  lowerBound(bound, v, pos, _) and TNeg() = semExprSign(bound)
-  or
-  lowerBound(bound, v, pos, false) and TZero() = semExprSign(bound)
-  or
-  upperBound(bound, v, pos, _) and TPos() = semExprSign(bound)
-  or
-  upperBound(bound, v, pos, false) and TZero() = semExprSign(bound)
-  or
-  eqBound(bound, v, pos, true) and TZero() = semExprSign(bound)
-  or
-  eqBound(bound, v, pos, false) and TZero() != semExprSign(bound)
-}
-
-/**
- * Holds if there is a bound that might restrict whether `v` has the sign `s`
- * at `pos`.
- */
-private predicate hasGuard(SemSsaVariable v, SemSsaReadPosition pos, Sign s) {
-  s = TPos() and posBound(_, v, pos)
-  or
-  s = TNeg() and negBound(_, v, pos)
-  or
-  s = TZero() and zeroBound(_, v, pos)
-}
-
-/**
- * Gets a possible sign of `v` at `pos` based on its definition, where the sign
- * might be ruled out by a guard.
- */
-pragma[noinline]
-private Sign guardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
-  result = semSsaDefSign(v) and
-  pos.hasReadOfVar(v) and
-  hasGuard(v, pos, result)
-}
-
-/**
- * Gets a possible sign of `v` at `pos` based on its definition, where no guard
- * can rule it out.
- */
-pragma[noinline]
-private Sign unguardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
-  result = semSsaDefSign(v) and
-  pos.hasReadOfVar(v) and
-  not hasGuard(v, pos, result)
-}
-
-/**
- * Gets a possible sign of `v` at read position `pos`, where a guard could have
- * ruled out the sign but does not.
- * This does not check that the definition of `v` also allows the sign.
- */
-private Sign guardedSsaSignOk(SemSsaVariable v, SemSsaReadPosition pos) {
-  result = TPos() and
-  forex(SemExpr bound | posBound(bound, v, pos) | posBoundOk(bound, v, pos))
-  or
-  result = TNeg() and
-  forex(SemExpr bound | negBound(bound, v, pos) | negBoundOk(bound, v, pos))
-  or
-  result = TZero() and
-  forex(SemExpr bound | zeroBound(bound, v, pos) | zeroBoundOk(bound, v, pos))
-}
-
-/** Gets a possible sign for `v` at `pos`. */
-private Sign semSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
-  result = unguardedSsaSign(v, pos)
-  or
-  result = guardedSsaSign(v, pos) and
-  result = guardedSsaSignOk(v, pos)
-}
-
-/** Gets a possible sign for `v`. */
-pragma[nomagic]
-Sign semSsaDefSign(SemSsaVariable v) { result = v.(SignDef).getSign() }
-
-/** Gets a possible sign for `e`. */
-cached
-Sign semExprSign(SemExpr e) {
-  exists(Sign s | s = e.(SignExpr).getSign() |
-    if
-      getTrackedType(e) instanceof SemUnsignedIntegerType and
-      s = TNeg() and
-      not Specific::ignoreTypeRestrictions(e)
-    then result = TPos()
-    else result = s
-  )
-}
-
-/**
- * Dummy predicate that holds for any sign. This is added to improve readability
- * of cases where the sign is unrestricted.
- */
-predicate semAnySign(Sign s) { any() }
-
-/** Holds if `e` can be positive and cannot be negative. */
-predicate semPositive(SemExpr e) {
-  semExprSign(e) = TPos() and
-  not semExprSign(e) = TNeg()
-}
-
-/** Holds if `e` can be negative and cannot be positive. */
-predicate semNegative(SemExpr e) {
-  semExprSign(e) = TNeg() and
-  not semExprSign(e) = TPos()
-}
-
-/** Holds if `e` is strictly positive. */
-predicate semStrictlyPositive(SemExpr e) {
-  semExprSign(e) = TPos() and
-  not semExprSign(e) = TNeg() and
-  not semExprSign(e) = TZero()
-}
-
-/** Holds if `e` is strictly negative. */
-predicate semStrictlyNegative(SemExpr e) {
-  semExprSign(e) = TNeg() and
-  not semExprSign(e) = TPos() and
-  not semExprSign(e) = TZero()
+    hasGuard(v, pos, result)
+  }
+
+  /**
+   * Gets a possible sign of `v` at `pos` based on its definition, where no guard
+   * can rule it out.
+   */
+  pragma[noinline]
+  private Sign unguardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
+    result = semSsaDefSign(v) and
+    pos.hasReadOfVar(v) and
+    not hasGuard(v, pos, result)
+  }
+
+  /**
+   * Gets a possible sign of `v` at read position `pos`, where a guard could have
+   * ruled out the sign but does not.
+   * This does not check that the definition of `v` also allows the sign.
+   */
+  private Sign guardedSsaSignOk(SemSsaVariable v, SemSsaReadPosition pos) {
+    result = TPos() and
+    forex(SemExpr bound | posBound(bound, v, pos) | posBoundOk(bound, v, pos))
+    or
+    result = TNeg() and
+    forex(SemExpr bound | negBound(bound, v, pos) | negBoundOk(bound, v, pos))
+    or
+    result = TZero() and
+    forex(SemExpr bound | zeroBound(bound, v, pos) | zeroBoundOk(bound, v, pos))
+  }
+
+  /** Gets a possible sign for `v` at `pos`. */
+  private Sign semSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
+    result = unguardedSsaSign(v, pos)
+    or
+    result = guardedSsaSign(v, pos) and
+    result = guardedSsaSignOk(v, pos)
+  }
+
+  /** Gets a possible sign for `v`. */
+  pragma[nomagic]
+  Sign semSsaDefSign(SemSsaVariable v) { result = v.(SignDef).getSign() }
+
+  /** Gets a possible sign for `e`. */
+  cached
+  Sign semExprSign(SemExpr e) {
+    exists(Sign s | s = e.(SignExpr).getSign() |
+      if
+        Utils::getTrackedType(e) instanceof SemUnsignedIntegerType and
+        s = TNeg() and
+        not Specific::ignoreTypeRestrictions(e)
+      then result = TPos()
+      else result = s
+    )
+  }
+
+  /**
+   * Dummy predicate that holds for any sign. This is added to improve readability
+   * of cases where the sign is unrestricted.
+   */
+  predicate semAnySign(Sign s) { any() }
+
+  /** Holds if `e` can be positive and cannot be negative. */
+  predicate semPositive(SemExpr e) {
+    semExprSign(e) = TPos() and
+    not semExprSign(e) = TNeg()
+  }
+
+  /** Holds if `e` can be negative and cannot be positive. */
+  predicate semNegative(SemExpr e) {
+    semExprSign(e) = TNeg() and
+    not semExprSign(e) = TPos()
+  }
+
+  /** Holds if `e` is strictly positive. */
+  predicate semStrictlyPositive(SemExpr e) {
+    semExprSign(e) = TPos() and
+    not semExprSign(e) = TNeg() and
+    not semExprSign(e) = TZero()
+  }
+
+  /** Holds if `e` is strictly negative. */
+  predicate semStrictlyNegative(SemExpr e) {
+    semExprSign(e) = TNeg() and
+    not semExprSign(e) = TPos() and
+    not semExprSign(e) = TZero()
+  }
 }

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.5.0
+version: 0.5.2
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -318,7 +318,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   MetricFunction getMetrics() { result = this }
 
   /** Holds if this function calls the function `f`. */
-  predicate calls(Function f) { exists(Locatable l | this.calls(f, l)) }
+  predicate calls(Function f) { this.calls(f, _) }
 
   /**
    * Holds if this function calls the function `f` in the `FunctionCall`
@@ -335,7 +335,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   }
 
   /** Holds if this function accesses a function or variable or enumerator `a`. */
-  predicate accesses(Declaration a) { exists(Locatable l | this.accesses(a, l)) }
+  predicate accesses(Declaration a) { this.accesses(a, _) }
 
   /**
    * Holds if this function accesses a function or variable or enumerator `a`

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -10,12 +10,14 @@ import semmle.code.cpp.File
  */
 class Location extends @location {
   /** Gets the container corresponding to this location. */
+  pragma[nomagic]
   Container getContainer() { this.fullLocationInfo(result, _, _, _, _) }
 
   /** Gets the file corresponding to this location, if any. */
   File getFile() { result = this.getContainer() }
 
   /** Gets the 1-based line number (inclusive) where this location starts. */
+  pragma[nomagic]
   int getStartLine() { this.fullLocationInfo(_, result, _, _, _) }
 
   /** Gets the 1-based column number (inclusive) where this location starts. */

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -816,6 +816,12 @@ private predicate floatingPointTypeMapping(
   or
   // _Float128x
   kind = 50 and base = 2 and domain = TRealDomain() and realKind = 50 and extended = true
+  or
+  // _Float16
+  kind = 52 and base = 2 and domain = TRealDomain() and realKind = 52 and extended = false
+  or
+  // _Complex _Float16
+  kind = 53 and base = 2 and domain = TComplexDomain() and realKind = 52 and extended = false
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/commons/Dependency.qll

@@ -33,7 +33,7 @@ DependencyOptions getDependencyOptions() { any() }
 class DependsSource extends Element {
   DependsSource() {
     // not inside a template instantiation
-    not exists(Element other | this.isFromTemplateInstantiation(other)) or
+    not this.isFromTemplateInstantiation(_) or
     // allow DeclarationEntrys of template specializations
     this.(DeclarationEntry).getDeclaration().(Function).isConstructedFrom(_) or
     this.(DeclarationEntry).getDeclaration().(Class).isConstructedFrom(_)

cpp/ql/lib/semmle/code/cpp/commons/Exclusions.qll

@@ -69,12 +69,9 @@ predicate functionContainsDisabledCode(Function f) {
  */
 predicate functionContainsPreprocCode(Function f) {
   // `f` contains a preprocessor branch
-  exists(
-    PreprocessorBranchDirective pbd, string file, int pbdStartLine, int fBlockStartLine,
-    int fBlockEndLine
-  |
+  exists(string file, int pbdStartLine, int fBlockStartLine, int fBlockEndLine |
     functionLocation(f, file, fBlockStartLine, fBlockEndLine) and
-    pbdLocation(pbd, file, pbdStartLine) and
+    pbdLocation(_, file, pbdStartLine) and
     pbdStartLine <= fBlockEndLine and
     pbdStartLine >= fBlockStartLine
   )

cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll

@@ -244,9 +244,7 @@ class ScanfFormatLiteral extends Expr {
   /**
    * Gets the maximum width option of the nth input (empty string if none is given).
    */
-  string getMaxWidthOpt(int n) {
-    exists(string spec, string len, string conv | this.parseConvSpec(n, spec, result, len, conv))
-  }
+  string getMaxWidthOpt(int n) { this.parseConvSpec(n, _, result, _, _) }
 
   /**
    * Gets the maximum width of the nth input.
@@ -256,18 +254,12 @@ class ScanfFormatLiteral extends Expr {
   /**
    * Gets the length flag of the nth conversion specifier.
    */
-  string getLength(int n) {
-    exists(string spec, string width, string conv |
-      this.parseConvSpec(n, spec, width, result, conv)
-    )
-  }
+  string getLength(int n) { this.parseConvSpec(n, _, _, result, _) }
 
   /**
    * Gets the conversion character of the nth conversion specifier.
    */
-  string getConversionChar(int n) {
-    exists(string spec, string width, string len | this.parseConvSpec(n, spec, width, len, result))
-  }
+  string getConversionChar(int n) { this.parseConvSpec(n, _, _, _, result) }
 
   /**
    * Gets the maximum length of the string that can be produced by the nth

cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll

@@ -54,7 +54,7 @@ class SubBasicBlock extends ControlFlowNodeBase {
    * only condition under which a `SubBasicBlock` may have multiple
    * predecessors.
    */
-  predicate firstInBB() { exists(BasicBlock bb | this.getRankInBasicBlock(bb) = 1) }
+  predicate firstInBB() { this.getRankInBasicBlock(_) = 1 }
 
   /**
    * Holds if this `SubBasicBlock` comes last in its basic block. This is the

cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll

@@ -441,8 +441,8 @@ library class ExprEvaluator extends int {
       req = mid.(AssignExpr).getRValue()
     )
     or
-    exists(VariableAccess va, Variable v, boolean sub1 |
-      this.interestingVariableAccess(e, va, v, sub1) and
+    exists(Variable v, boolean sub1 |
+      this.interestingVariableAccess(e, _, v, sub1) and
       req = v.getAnAssignedValue() and
       (sub1 = true implies not this.ignoreVariableAssignment(e, v, req)) and
       sub = false
@@ -876,7 +876,7 @@ private predicate nonAnalyzableVariableDefinition(Variable v, StmtParent def) {
  * empirically to have effect only on a few rare and pathological examples.
  */
 private predicate tractableVariable(Variable v) {
-  not exists(StmtParent def | nonAnalyzableVariableDefinition(v, def)) or
+  not nonAnalyzableVariableDefinition(v, _) or
   strictcount(StmtParent def | nonAnalyzableVariableDefinition(v, def)) < 1000
 }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
     )
   }
 
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
       PrevStage::readStepCand(node1, _, _, config)
     }
 
+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
     }
 
     pragma[nomagic]
@@ -1731,8 +1735,8 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
       )
       or
@@ -1901,8 +1905,8 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
         parameterFlowsThroughRev(p, ap, pos, _, config)
       )
     }
@@ -1923,8 +1927,8 @@ private module MkStage<StageSig PrevStage> {
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
       )
     }
@@ -3749,8 +3753,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4216,15 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
     }
 
   pragma[nomagic]
@@ -4230,19 +4232,17 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
     )
   }
 
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
       PrevStage::readStepCand(node1, _, _, config)
     }
 
+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
     }
 
     pragma[nomagic]
@@ -1731,8 +1735,8 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
       )
       or
@@ -1901,8 +1905,8 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
         parameterFlowsThroughRev(p, ap, pos, _, config)
       )
     }
@@ -1923,8 +1927,8 @@ private module MkStage<StageSig PrevStage> {
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
       )
     }
@@ -3749,8 +3753,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4216,15 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
     }
 
   pragma[nomagic]
@@ -4230,19 +4232,17 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
     )
   }
 
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
       PrevStage::readStepCand(node1, _, _, config)
     }
 
+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
     }
 
     pragma[nomagic]
@@ -1731,8 +1735,8 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
       )
       or
@@ -1901,8 +1905,8 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
         parameterFlowsThroughRev(p, ap, pos, _, config)
       )
     }
@@ -1923,8 +1927,8 @@ private module MkStage<StageSig PrevStage> {
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
       )
     }
@@ -3749,8 +3753,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4216,15 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
     }
 
   pragma[nomagic]
@@ -4230,19 +4232,17 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
     )
   }
 
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
       PrevStage::readStepCand(node1, _, _, config)
     }
 
+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
     }
 
     pragma[nomagic]
@@ -1731,8 +1735,8 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
       )
       or
@@ -1901,8 +1905,8 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
         parameterFlowsThroughRev(p, ap, pos, _, config)
       )
     }
@@ -1923,8 +1927,8 @@ private module MkStage<StageSig PrevStage> {
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
       )
     }
@@ -3749,8 +3753,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4216,15 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
     }
 
   pragma[nomagic]
@@ -4230,19 +4232,17 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll

@@ -45,6 +45,16 @@ module Consistency {
     ) {
       none()
     }
+
+    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
+    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
+      none()
+    }
+
+    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
+    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
+      none()
+    }
   }
 
   private class RelevantNode extends Node {
@@ -101,9 +111,7 @@ module Consistency {
     exists(int c |
       c =
         strictcount(Node n |
-          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
-            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-          ) and
+          not n.hasLocationInfo(_, _, _, _, _) and
           not any(ConsistencyConfiguration conf).missingLocationExclude(n)
         ) and
       msg = "Nodes without location: " + c
@@ -248,6 +256,7 @@ module Consistency {
   query predicate uniqueParameterNodeAtPosition(
     DataFlowCallable c, ParameterPosition pos, Node p, string msg
   ) {
+    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
     isParameterNode(p, c, pos) and
     not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
     msg = "Parameters with overlapping positions."
@@ -256,6 +265,7 @@ module Consistency {
   query predicate uniqueParameterNodePosition(
     DataFlowCallable c, ParameterPosition pos, Node p, string msg
   ) {
+    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
     isParameterNode(p, c, pos) and
     not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
     msg = "Parameter node with multiple positions."

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
     )
   }
 
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
       PrevStage::readStepCand(node1, _, _, config)
     }
 
+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
     }
 
     pragma[nomagic]
@@ -1731,8 +1735,8 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
       )
       or
@@ -1901,8 +1905,8 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
         parameterFlowsThroughRev(p, ap, pos, _, config)
       )
     }
@@ -1923,8 +1927,8 @@ private module MkStage<StageSig PrevStage> {
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
       )
     }
@@ -3749,8 +3753,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4216,15 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
     }
 
   pragma[nomagic]
@@ -4230,19 +4232,17 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowVar.qll

@@ -450,10 +450,8 @@ module FlowVar_internal {
     }
 
     override string toString() {
-      exists(Expr e |
-        this.definedByExpr(e, _) and
-        result = "assignment to " + v
-      )
+      this.definedByExpr(_, _) and
+      result = "assignment to " + v
       or
       this.definedByInitialValue(_) and
       result = "initial value of " + v

cpp/ql/lib/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll

@@ -54,7 +54,7 @@ class SubBasicBlock extends ControlFlowNodeBase {
    * only condition under which a `SubBasicBlock` may have multiple
    * predecessors.
    */
-  predicate firstInBB() { exists(BasicBlock bb | this.getRankInBasicBlock(bb) = 1) }
+  predicate firstInBB() { this.getRankInBasicBlock(_) = 1 }
 
   /**
    * Holds if this `SubBasicBlock` comes last in its basic block. This is the

cpp/ql/lib/semmle/code/cpp/dispatch/VirtualDispatchPrototype.qll

@@ -70,8 +70,8 @@ module VirtualDispatch {
    * that is, `c` or one of its supertypes overrides `f`.
    */
   private predicate cannotInherit(Class c, MemberFunction f) {
-    exists(Class overridingType, MemberFunction override |
-      cannotInheritHelper(c, f, overridingType, override) and
+    exists(MemberFunction override |
+      cannotInheritHelper(c, f, _, override) and
       override.overrides+(f)
     )
   }

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -53,7 +53,7 @@ class Expr extends StmtParent, @expr {
   Declaration getEnclosingDeclaration() { result = exprEnclosingElement(this) }
 
   /** Gets a child of this expression. */
-  Expr getAChild() { exists(int n | result = this.getChild(n)) }
+  Expr getAChild() { result = this.getChild(_) }
 
   /** Gets the parent of this expression, if any. */
   Element getParent() { exprparents(underlyingElement(this), _, unresolveElement(result)) }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
     )
   }
 
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
       PrevStage::readStepCand(node1, _, _, config)
     }
 
+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
     }
 
     pragma[nomagic]
@@ -1731,8 +1735,8 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
       )
       or
@@ -1901,8 +1905,8 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
         parameterFlowsThroughRev(p, ap, pos, _, config)
       )
     }
@@ -1923,8 +1927,8 @@ private module MkStage<StageSig PrevStage> {
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
       )
     }
@@ -3749,8 +3753,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4216,15 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
     }
 
   pragma[nomagic]
@@ -4230,19 +4232,17 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
     )
   }
 
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
       PrevStage::readStepCand(node1, _, _, config)
     }
 
+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
     }
 
     pragma[nomagic]
@@ -1731,8 +1735,8 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
       )
       or
@@ -1901,8 +1905,8 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
         parameterFlowsThroughRev(p, ap, pos, _, config)
       )
     }
@@ -1923,8 +1927,8 @@ private module MkStage<StageSig PrevStage> {
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
       )
     }
@@ -3749,8 +3753,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4216,15 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
     }
 
   pragma[nomagic]
@@ -4230,19 +4232,17 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
     )
   }
 
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
       PrevStage::readStepCand(node1, _, _, config)
     }
 
+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
     }
 
     pragma[nomagic]
@@ -1731,8 +1735,8 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
       )
       or
@@ -1901,8 +1905,8 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
         parameterFlowsThroughRev(p, ap, pos, _, config)
       )
     }
@@ -1923,8 +1927,8 @@ private module MkStage<StageSig PrevStage> {
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
       )
     }
@@ -3749,8 +3753,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4216,15 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
     }
 
   pragma[nomagic]
@@ -4230,19 +4232,17 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(DataFlowCall call, NodeEx out |
+    exists(NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
     )
   }
 
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
       PrevStage::readStepCand(node1, _, _, config)
     }
 
+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
     }
 
     pragma[nomagic]
@@ -1731,8 +1735,8 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
       )
       or
@@ -1901,8 +1905,8 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(RetNodeEx ret, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
+      exists(ReturnPosition pos |
+        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
         parameterFlowsThroughRev(p, ap, pos, _, config)
       )
     }
@@ -1923,8 +1927,8 @@ private module MkStage<StageSig PrevStage> {
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
+      exists(ParamNodeEx p, Ap innerReturnAp |
+        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
         flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
       )
     }
@@ -3749,8 +3753,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret |
-    pathNode(mid, ret, state, cc, sc, ap, config, _) and
+  exists(RetNodeEx ret |
+    pathNode(_, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4216,15 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      exists(PartialPathNodeRev mid |
-        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
-        (
-          notExpectsContent(node) or
-          expectsContentEx(node, ap.getHead())
-        ) and
-        not fullBarrier(node, config) and
-        not stateBarrier(node, state, config) and
-        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
-      )
+      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
+      not clearsContentEx(node, ap.getHead()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead())
+      ) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
     }
 
   pragma[nomagic]
@@ -4230,19 +4232,17 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeFwd mid |
-      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead().getContent())
-      ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), ap.getType())
-      else any()
-    )
+    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
+    not fullBarrier(node, config) and
+    not stateBarrier(node, state, config) and
+    not clearsContentEx(node, ap.getHead().getContent()) and
+    (
+      notExpectsContent(node) or
+      expectsContentEx(node, ap.getHead().getContent())
+    ) and
+    if node.asNode() instanceof CastingNode
+    then compatibleTypes(node.getDataFlowType(), ap.getType())
+    else any()
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll

@@ -45,6 +45,16 @@ module Consistency {
     ) {
       none()
     }
+
+    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
+    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
+      none()
+    }
+
+    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
+    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
+      none()
+    }
   }
 
   private class RelevantNode extends Node {
@@ -101,9 +111,7 @@ module Consistency {
     exists(int c |
       c =
         strictcount(Node n |
-          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
-            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-          ) and
+          not n.hasLocationInfo(_, _, _, _, _) and
           not any(ConsistencyConfiguration conf).missingLocationExclude(n)
         ) and
       msg = "Nodes without location: " + c
@@ -248,6 +256,7 @@ module Consistency {
   query predicate uniqueParameterNodeAtPosition(
     DataFlowCallable c, ParameterPosition pos, Node p, string msg
   ) {
+    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
     isParameterNode(p, c, pos) and
     not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
     msg = "Parameters with overlapping positions."
@@ -256,6 +265,7 @@ module Consistency {
   query predicate uniqueParameterNodePosition(
     DataFlowCallable c, ParameterPosition pos, Node p, string msg
   ) {
+    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
     isParameterNode(p, c, pos) and
     not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
     msg = "Parameter node with multiple positions."

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -169,19 +169,11 @@ predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
  */
 predicate modeledTaintStep(Operand nodeIn, Instruction nodeOut) {
   exists(CallInstruction call, TaintFunction func, FunctionInput modelIn, FunctionOutput modelOut |
-    (
-      nodeIn = callInput(call, modelIn)
-      or
-      exists(int n |
-        modelIn.isParameterDerefOrQualifierObject(n) and
-        if n = -1
-        then nodeIn = callInput(call, any(InQualifierObject inQualifier))
-        else nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n))
-      )
-    ) and
-    nodeOut = callOutput(call, modelOut) and
     call.getStaticCallTarget() = func and
     func.hasTaintFlow(modelIn, modelOut)
+  |
+    nodeIn = callInput(call, modelIn) and
+    nodeOut = callOutput(call, modelOut)
   )
   or
   // Taint flow from one argument to another and data flow from an argument to a

cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -30,6 +30,7 @@ private newtype TOpcode =
   TNegate() or
   TShiftLeft() or
   TShiftRight() or
+  TUnsignedShiftRight() or
   TBitAnd() or
   TBitOr() or
   TBitXor() or
@@ -652,6 +653,15 @@ module Opcode {
     final override string toString() { result = "ShiftRight" }
   }
 
+  /**
+   * The `Opcode` for a `UnsignedShiftRightInstruction`.
+   *
+   * See the `UnsignedShiftRightInstruction` documentation for more details.
+   */
+  class UnsignedShiftRight extends BinaryBitwiseOpcode, TUnsignedShiftRight {
+    final override string toString() { result = "UnsignedShiftRight" }
+  }
+
   /**
    * The `Opcode` for a `BitAndInstruction`.
    *

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -1204,6 +1204,17 @@ class ShiftRightInstruction extends BinaryBitwiseInstruction {
   ShiftRightInstruction() { this.getOpcode() instanceof Opcode::ShiftRight }
 }
 
+/**
+ * An instruction that shifts its left operand to the right by the number of bits specified by its
+ * right operand.
+ *
+ * Both operands must have an integer type. The result has the same type as the left operand.
+ * The leftmost bits are zero-filled.
+ */
+class UnsignedShiftRightInstruction extends BinaryBitwiseInstruction {
+  UnsignedShiftRightInstruction() { this.getOpcode() instanceof Opcode::UnsignedShiftRight }
+}
+
 /**
  * An instruction that performs a binary arithmetic operation involving at least one pointer
  * operand.

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll

@@ -45,7 +45,7 @@ class Operand extends TStageOperand {
       this = reusedPhiOperand(use, def, predecessorBlock, _)
     )
     or
-    exists(Instruction use | this = chiOperand(use, _))
+    this = chiOperand(_, _)
   }
 
   /** Gets a textual representation of this element. */
@@ -412,6 +412,9 @@ class CallTargetOperand extends RegisterOperand {
  */
 class ArgumentOperand extends RegisterOperand {
   override ArgumentOperandTag tag;
+
+  /** Gets the `CallInstruction` for which this is an argument. */
+  CallInstruction getCall() { result.getAnArgumentOperand() = this }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -329,12 +329,12 @@ private module Cached {
   cached
   Instruction getChiInstructionTotalOperand(ChiInstruction chiInstr) {
     exists(
-      Alias::VirtualVariable vvar, OldInstruction oldInstr, Alias::MemoryLocation defLocation,
-      OldBlock defBlock, int defRank, int defOffset, OldBlock useBlock, int useRank
+      Alias::VirtualVariable vvar, OldInstruction oldInstr, OldBlock defBlock, int defRank,
+      int defOffset, OldBlock useBlock, int useRank
     |
       chiInstr = getChi(oldInstr) and
       vvar = Alias::getResultMemoryLocation(oldInstr).getVirtualVariable() and
-      hasDefinitionAtRank(vvar, defLocation, defBlock, defRank, defOffset) and
+      hasDefinitionAtRank(vvar, _, defBlock, defRank, defOffset) and
       hasUseAtRank(vvar, useBlock, useRank, oldInstr) and
       definitionReachesUse(vvar, defBlock, defRank, useBlock, useRank) and
       result = getDefinitionOrChiInstruction(defBlock, defOffset, vvar, _)

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -1204,6 +1204,17 @@ class ShiftRightInstruction extends BinaryBitwiseInstruction {
   ShiftRightInstruction() { this.getOpcode() instanceof Opcode::ShiftRight }
 }
 
+/**
+ * An instruction that shifts its left operand to the right by the number of bits specified by its
+ * right operand.
+ *
+ * Both operands must have an integer type. The result has the same type as the left operand.
+ * The leftmost bits are zero-filled.
+ */
+class UnsignedShiftRightInstruction extends BinaryBitwiseInstruction {
+  UnsignedShiftRightInstruction() { this.getOpcode() instanceof Opcode::UnsignedShiftRight }
+}
+
 /**
  * An instruction that performs a binary arithmetic operation involving at least one pointer
  * operand.

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll

@@ -45,7 +45,7 @@ class Operand extends TStageOperand {
       this = reusedPhiOperand(use, def, predecessorBlock, _)
     )
     or
-    exists(Instruction use | this = chiOperand(use, _))
+    this = chiOperand(_, _)
   }
 
   /** Gets a textual representation of this element. */
@@ -412,6 +412,9 @@ class CallTargetOperand extends RegisterOperand {
  */
 class ArgumentOperand extends RegisterOperand {
   override ArgumentOperandTag tag;
+
+  /** Gets the `CallInstruction` for which this is an argument. */
+  CallInstruction getCall() { result.getAnArgumentOperand() = this }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll

@@ -298,11 +298,11 @@ class TranslatedStringLiteralInitialization extends TranslatedDirectInitializati
     opcode instanceof Opcode::Store and
     resultType = getTypeForPRValue(expr.getType())
     or
-    exists(int startIndex, int elementCount |
+    exists(int elementCount |
       // If the initializer string isn't large enough to fill the target, then
       // we have to generate another instruction sequence to store a constant
       // zero into the remainder of the array.
-      zeroInitRange(startIndex, elementCount) and
+      zeroInitRange(_, elementCount) and
       (
         // Create a constant zero whose size is the size of the remaining
         // space in the target array.

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -1204,6 +1204,17 @@ class ShiftRightInstruction extends BinaryBitwiseInstruction {
   ShiftRightInstruction() { this.getOpcode() instanceof Opcode::ShiftRight }
 }
 
+/**
+ * An instruction that shifts its left operand to the right by the number of bits specified by its
+ * right operand.
+ *
+ * Both operands must have an integer type. The result has the same type as the left operand.
+ * The leftmost bits are zero-filled.
+ */
+class UnsignedShiftRightInstruction extends BinaryBitwiseInstruction {
+  UnsignedShiftRightInstruction() { this.getOpcode() instanceof Opcode::UnsignedShiftRight }
+}
+
 /**
  * An instruction that performs a binary arithmetic operation involving at least one pointer
  * operand.

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll

@@ -45,7 +45,7 @@ class Operand extends TStageOperand {
       this = reusedPhiOperand(use, def, predecessorBlock, _)
     )
     or
-    exists(Instruction use | this = chiOperand(use, _))
+    this = chiOperand(_, _)
   }
 
   /** Gets a textual representation of this element. */
@@ -412,6 +412,9 @@ class CallTargetOperand extends RegisterOperand {
  */
 class ArgumentOperand extends RegisterOperand {
   override ArgumentOperandTag tag;
+
+  /** Gets the `CallInstruction` for which this is an argument. */
+  CallInstruction getCall() { result.getAnArgumentOperand() = this }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -329,12 +329,12 @@ private module Cached {
   cached
   Instruction getChiInstructionTotalOperand(ChiInstruction chiInstr) {
     exists(
-      Alias::VirtualVariable vvar, OldInstruction oldInstr, Alias::MemoryLocation defLocation,
-      OldBlock defBlock, int defRank, int defOffset, OldBlock useBlock, int useRank
+      Alias::VirtualVariable vvar, OldInstruction oldInstr, OldBlock defBlock, int defRank,
+      int defOffset, OldBlock useBlock, int useRank
     |
       chiInstr = getChi(oldInstr) and
       vvar = Alias::getResultMemoryLocation(oldInstr).getVirtualVariable() and
-      hasDefinitionAtRank(vvar, defLocation, defBlock, defRank, defOffset) and
+      hasDefinitionAtRank(vvar, _, defBlock, defRank, defOffset) and
       hasUseAtRank(vvar, useBlock, useRank, oldInstr) and
       definitionReachesUse(vvar, defBlock, defRank, useBlock, useRank) and
       result = getDefinitionOrChiInstruction(defBlock, defOffset, vvar, _)

cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll

@@ -67,9 +67,7 @@ class Class = Cpp::Class; // Used for inheritance conversions
 
 predicate getIdentityString = Print::getIdentityString/1;
 
-predicate hasCaseEdge(string minValue, string maxValue) {
-  exists(Cpp::SwitchCase switchCase | hasCaseEdge(switchCase, minValue, maxValue))
-}
+predicate hasCaseEdge(string minValue, string maxValue) { hasCaseEdge(_, minValue, maxValue) }
 
 predicate hasPositionalArgIndex(int argIndex) {
   exists(Cpp::FunctionCall call | exists(call.getArgument(argIndex))) or

cpp/ql/lib/semmle/code/cpp/metrics/MetricClass.qll

@@ -99,10 +99,10 @@ class MetricClass extends Class {
   }
 
   /** Gets any method that accesses some local field. */
-  Function getAccessingMethod() { exists(Field f | this.accessesLocalField(result, f)) }
+  Function getAccessingMethod() { this.accessesLocalField(result, _) }
 
   /** Gets any field that is accessed by a local method. */
-  Field getAccessedField() { exists(Function func | this.accessesLocalField(func, result)) }
+  Field getAccessedField() { this.accessesLocalField(_, result) }
 
   /** Gets the Henderson-Sellers lack-of-cohesion metric. */
   float getLackOfCohesionHS() {
@@ -517,10 +517,10 @@ private predicate dependsOnClassSimple(Class source, Class dest) {
     )
     or
     // a class depends on classes for which a call to its member function is done from a function
-    exists(MemberFunction target, MemberFunction f, Locatable l |
+    exists(MemberFunction target, MemberFunction f |
       f.getDeclaringType() = source and
       f instanceof MemberFunction and
-      f.calls(target, l) and
+      f.calls(target, _) and
       target instanceof MemberFunction and
       target.getDeclaringType() = dest
     )

cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll

@@ -107,130 +107,34 @@ private FunctionInput getIteratorArgumentInput(Operator op, int index) {
   )
 }
 
-/**
- * A non-member prefix `operator*` function for an iterator type.
- */
-private class IteratorPointerDereferenceOperator extends Operator, TaintFunction,
-  IteratorReferenceFunction {
-  FunctionInput iteratorInput;
-
-  IteratorPointerDereferenceOperator() {
-    this.hasName("operator*") and
-    iteratorInput = getIteratorArgumentInput(this, 0)
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input = iteratorInput and
-    output.isReturnValue()
-    or
-    input.isReturnValueDeref() and
-    output.isParameterDeref(0)
-  }
-}
-
 /**
  * A non-member `operator++` or `operator--` function for an iterator type.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and versions, use `IteratorCrementOperator`.
  */
-private class IteratorCrementOperator extends Operator, DataFlowFunction {
-  FunctionInput iteratorInput;
-
-  IteratorCrementOperator() {
+class IteratorCrementNonMemberOperator extends Operator {
+  IteratorCrementNonMemberOperator() {
     this.hasName(["operator++", "operator--"]) and
-    iteratorInput = getIteratorArgumentInput(this, 0)
-  }
-
-  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input = iteratorInput and
-    output.isReturnValue()
-    or
-    input.isParameterDeref(0) and output.isReturnValueDeref()
-  }
-}
-
-/**
- * A non-member `operator+` function for an iterator type.
- */
-private class IteratorAddOperator extends Operator, TaintFunction {
-  FunctionInput iteratorInput;
-
-  IteratorAddOperator() {
-    this.hasName("operator+") and
-    iteratorInput = getIteratorArgumentInput(this, [0, 1])
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input = iteratorInput and
-    output.isReturnValue()
-  }
-}
-
-/**
- * A non-member `operator-` function that takes a pointer difference type as its second argument.
- */
-private class IteratorSubOperator extends Operator, TaintFunction {
-  FunctionInput iteratorInput;
-
-  IteratorSubOperator() {
-    this.hasName("operator-") and
-    iteratorInput = getIteratorArgumentInput(this, 0) and
-    this.getParameter(1).getUnspecifiedType() instanceof IntegralType // not an iterator difference
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input = iteratorInput and
-    output.isReturnValue()
-  }
-}
-
-/**
- * A non-member `operator+=` or `operator-=` function for an iterator type.
- */
-class IteratorAssignArithmeticOperator extends Operator {
-  IteratorAssignArithmeticOperator() {
-    this.hasName(["operator+=", "operator-="]) and
     exists(getIteratorArgumentInput(this, 0))
   }
 }
 
-private class IteratorAssignArithmeticOperatorModel extends IteratorAssignArithmeticOperator,
-  DataFlowFunction, TaintFunction {
+private class IteratorCrementNonMemberOperatorModel extends IteratorCrementNonMemberOperator,
+  DataFlowFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameter(0) and
+    input = getIteratorArgumentInput(this, 0) and
     output.isReturnValue()
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    or
     input.isParameterDeref(0) and output.isReturnValueDeref()
-    or
-    // reverse flow from returned reference to the object referenced by the first parameter
-    input.isReturnValueDeref() and
-    output.isParameterDeref(0)
-    or
-    input.isParameterDeref(1) and
-    output.isParameterDeref(0)
-  }
-}
-
-/**
- * A prefix `operator*` member function for an iterator type.
- */
-class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction,
-  IteratorReferenceFunction {
-  IteratorPointerDereferenceMemberOperator() {
-    this.getClassAndName("operator*") instanceof Iterator
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValue()
-    or
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
   }
 }
 
 /**
  * An `operator++` or `operator--` member function for an iterator type.
+ *
+ * Note that this class _only_ matches member functions. To find both
+ * non-member and member versions, use `IteratorCrementOperator`.
  */
 class IteratorCrementMemberOperator extends MemberFunction {
   IteratorCrementMemberOperator() {
@@ -258,25 +162,49 @@ private class IteratorCrementMemberOperatorModel extends IteratorCrementMemberOp
 }
 
 /**
- * A member `operator->` function for an iterator type.
+ * A (member or non-member) `operator++` or `operator--` function for an iterator type.
  */
-private class IteratorFieldMemberOperator extends Operator, TaintFunction {
-  IteratorFieldMemberOperator() { this.getClassAndName("operator->") instanceof Iterator }
+class IteratorCrementOperator extends Function {
+  IteratorCrementOperator() {
+    this instanceof IteratorCrementNonMemberOperator or
+    this instanceof IteratorCrementMemberOperator
+  }
+}
 
+/**
+ * A non-member `operator+` function for an iterator type.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and member versions, use `IteratorBinaryAddOperator`.
+ */
+class IteratorAddNonMemberOperator extends Operator {
+  IteratorAddNonMemberOperator() {
+    this.hasName("operator+") and
+    exists(getIteratorArgumentInput(this, [0, 1]))
+  }
+}
+
+private class IteratorAddNonMemberOperatorModel extends IteratorAddNonMemberOperator, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
+    input = getIteratorArgumentInput(this, [0, 1]) and
     output.isReturnValue()
   }
 }
 
 /**
  * An `operator+` or `operator-` member function of an iterator class.
+ *
+ * Note that this class _only_ matches member functions. To find both
+ * non-member and member versions, use `IteratorBinaryAddOperator`.
  */
-private class IteratorBinaryArithmeticMemberOperator extends MemberFunction, TaintFunction {
+class IteratorBinaryArithmeticMemberOperator extends MemberFunction {
   IteratorBinaryArithmeticMemberOperator() {
     this.getClassAndName(["operator+", "operator-"]) instanceof Iterator
   }
+}
 
+private class IteratorBinaryArithmeticMemberOperatorModel extends IteratorBinaryArithmeticMemberOperator,
+  TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
     output.isReturnValue()
@@ -284,14 +212,84 @@ private class IteratorBinaryArithmeticMemberOperator extends MemberFunction, Tai
 }
 
 /**
- * An `operator+=` or `operator-=` member function of an iterator class.
+ * A (member or non-member) `operator+` or `operator-` function for an iterator type.
  */
-private class IteratorAssignArithmeticMemberOperator extends MemberFunction, DataFlowFunction,
-  TaintFunction {
+class IteratorBinaryArithmeticOperator extends Function {
+  IteratorBinaryArithmeticOperator() {
+    this instanceof IteratorAddNonMemberOperator or
+    this instanceof IteratorSubNonMemberOperator or
+    this instanceof IteratorBinaryArithmeticMemberOperator
+  }
+}
+
+/**
+ * A non-member `operator-` function that takes a pointer difference type as its second argument.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and member versions, use `IteratorBinaryArithmeticOperator` (which also
+ * includes `operator+` versions).
+ */
+class IteratorSubNonMemberOperator extends Operator {
+  IteratorSubNonMemberOperator() {
+    this.hasName("operator-") and
+    exists(getIteratorArgumentInput(this, 0)) and
+    this.getParameter(1).getUnspecifiedType() instanceof IntegralType // not an iterator difference
+  }
+}
+
+private class IteratorSubOperatorModel extends IteratorSubNonMemberOperator, TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input = getIteratorArgumentInput(this, 0) and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * A non-member `operator+=` or `operator-=` function for an iterator type.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and member versions, use `IteratorAssignArithmeticOperator`.
+ */
+class IteratorAssignArithmeticNonMemberOperator extends Operator {
+  IteratorAssignArithmeticNonMemberOperator() {
+    this.hasName(["operator+=", "operator-="]) and
+    exists(getIteratorArgumentInput(this, 0))
+  }
+}
+
+private class IteratorAssignArithmeticNonMemberOperatorModel extends IteratorAssignArithmeticNonMemberOperator,
+  DataFlowFunction, TaintFunction {
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameter(0) and
+    output.isReturnValue()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameterDeref(0) and output.isReturnValueDeref()
+    or
+    // reverse flow from returned reference to the object referenced by the first parameter
+    input.isReturnValueDeref() and
+    output.isParameterDeref(0)
+    or
+    (input.isParameter(1) or input.isParameterDeref(1)) and
+    output.isParameterDeref(0)
+  }
+}
+
+/**
+ * An `operator+=` or `operator-=` member function of an iterator class.
+ *
+ * Note that this class _only_ matches member functions. To find both
+ * non-member and member versions, use `IteratorAssignArithmeticOperator`.
+ */
+class IteratorAssignArithmeticMemberOperator extends MemberFunction {
   IteratorAssignArithmeticMemberOperator() {
     this.getClassAndName(["operator+=", "operator-="]) instanceof Iterator
   }
+}
 
+private class IteratorAssignArithmeticMemberOperatorModel extends IteratorAssignArithmeticMemberOperator,
+  DataFlowFunction, TaintFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierAddress() and
     output.isReturnValue()
@@ -305,11 +303,88 @@ private class IteratorAssignArithmeticMemberOperator extends MemberFunction, Dat
     input.isReturnValueDeref() and
     output.isQualifierObject()
     or
-    input.isParameterDeref(0) and
+    (input.isParameter(0) or input.isParameterDeref(0)) and
     output.isQualifierObject()
   }
 }
 
+/**
+ * A (member or non-member) `operator+=` or `operator-=` function for an iterator type.
+ */
+class IteratorAssignArithmeticOperator extends Function {
+  IteratorAssignArithmeticOperator() {
+    this instanceof IteratorAssignArithmeticNonMemberOperator or
+    this instanceof IteratorAssignArithmeticMemberOperator
+  }
+}
+
+/**
+ * A prefix `operator*` member function for an iterator type.
+ *
+ * Note that this class _only_ matches member functions. To find both
+ * non-member and member versions, use `IteratorPointerDereferenceOperator`.
+ */
+class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction,
+  IteratorReferenceFunction {
+  IteratorPointerDereferenceMemberOperator() {
+    this.getClassAndName("operator*") instanceof Iterator
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+    or
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * A non-member prefix `operator*` function for an iterator type.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and member versions, use `IteratorPointerDereferenceOperator`.
+ */
+class IteratorPointerDereferenceNonMemberOperator extends Operator, IteratorReferenceFunction {
+  IteratorPointerDereferenceNonMemberOperator() {
+    this.hasName("operator*") and
+    exists(getIteratorArgumentInput(this, 0))
+  }
+}
+
+private class IteratorPointerDereferenceNonMemberOperatorModel extends IteratorPointerDereferenceNonMemberOperator,
+  TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input = getIteratorArgumentInput(this, 0) and
+    output.isReturnValue()
+    or
+    input.isReturnValueDeref() and
+    output.isParameterDeref(0)
+  }
+}
+
+/**
+ * A (member or non-member) prefix `operator*` function for an iterator type.
+ */
+class IteratorPointerDereferenceOperator extends Function {
+  IteratorPointerDereferenceOperator() {
+    this instanceof IteratorPointerDereferenceNonMemberOperator or
+    this instanceof IteratorPointerDereferenceMemberOperator
+  }
+}
+
+/**
+ * A member `operator->` function for an iterator type.
+ */
+private class IteratorFieldMemberOperator extends Operator, TaintFunction {
+  IteratorFieldMemberOperator() { this.getClassAndName("operator->") instanceof Iterator }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
 /**
  * An `operator[]` member function of an iterator class.
  */
@@ -326,17 +401,24 @@ private class IteratorArrayMemberOperator extends MemberFunction, TaintFunction,
 /**
  * An `operator=` member function of an iterator class that is not a copy or move assignment
  * operator.
- *
- * The `hasTaintFlow` override provides flow through output iterators that return themselves with
- * `operator*` and use their own `operator=` to assign to the container.
  */
-private class IteratorAssignmentMemberOperator extends MemberFunction, TaintFunction {
+class IteratorAssignmentMemberOperator extends MemberFunction {
   IteratorAssignmentMemberOperator() {
     this.getClassAndName("operator=") instanceof Iterator and
     not this instanceof CopyAssignmentOperator and
     not this instanceof MoveAssignmentOperator
   }
+}
 
+/**
+ * An `operator=` member function of an iterator class that is not a copy or move assignment
+ * operator.
+ *
+ * The `hasTaintFlow` override provides flow through output iterators that return themselves with
+ * `operator*` and use their own `operator=` to assign to the container.
+ */
+private class IteratorAssignmentMemberOperatorModel extends IteratorAssignmentMemberOperator,
+  TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(0) and
     output.isQualifierObject()

cpp/ql/lib/semmle/code/cpp/models/implementations/StdSet.qll

@@ -27,7 +27,12 @@ private class StdSetConstructor extends Constructor, TaintFunction {
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // taint flow from any parameter of an iterator type to the qualifier
-    input.isParameterDeref(this.getAnIteratorParameterIndex()) and
+    (
+      // AST dataflow doesn't have indirection for iterators.
+      // Once we deprecate AST dataflow we can delete this first disjunct.
+      input.isParameter(this.getAnIteratorParameterIndex()) or
+      input.isParameterDeref(this.getAnIteratorParameterIndex())
+    ) and
     (
       output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object
       or
@@ -45,7 +50,12 @@ private class StdSetInsert extends TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from last parameter to qualifier and return value
     // (where the return value is a pair, this should really flow just to the first part of it)
-    input.isParameterDeref(this.getNumberOfParameters() - 1) and
+    (
+      // AST dataflow doesn't have indirection for iterators.
+      // Once we deprecate AST dataflow we can delete this first disjunct.
+      input.isParameter(this.getNumberOfParameters() - 1) or
+      input.isParameterDeref(this.getNumberOfParameters() - 1)
+    ) and
     (
       output.isQualifierObject() or
       output.isReturnValue()

cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll

@@ -38,8 +38,7 @@ private class StdBasicStringIterator extends Iterator, Type {
  */
 abstract private class StdStringTaintFunction extends TaintFunction {
   /**
-   * Gets the index of a parameter to this function that is a string (or
-   * character).
+   * Gets the index of a parameter to this function that is a string.
    */
   final int getAStringParameterIndex() {
     exists(Type paramType | paramType = this.getParameter(result).getUnspecifiedType() |
@@ -50,7 +49,14 @@ abstract private class StdStringTaintFunction extends TaintFunction {
       paramType instanceof ReferenceType and
       not paramType.(ReferenceType).getBaseType() =
         this.getDeclaringType().getTemplateArgument(2).(Type).getUnspecifiedType()
-      or
+    )
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is a character.
+   */
+  final int getACharParameterIndex() {
+    exists(Type paramType | paramType = this.getParameter(result).getUnspecifiedType() |
       // i.e. `std::basic_string::CharT`
       paramType = this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType()
     )
@@ -79,6 +85,7 @@ private class StdStringConstructor extends Constructor, StdStringTaintFunction {
     // taint flow from any parameter of the value type to the returned object
     (
       input.isParameterDeref(this.getAStringParameterIndex()) or
+      input.isParameter(this.getACharParameterIndex()) or
       input.isParameter(this.getAnIteratorParameterIndex())
     ) and
     (
@@ -128,7 +135,7 @@ private class StdStringPush extends StdStringTaintFunction {
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to qualifier
-    input.isParameterDeref(0) and
+    input.isParameter(0) and
     output.isQualifierObject()
   }
 }
@@ -180,6 +187,7 @@ private class StdStringAppend extends StdStringTaintFunction {
     (
       input.isQualifierObject() or
       input.isParameterDeref(this.getAStringParameterIndex()) or
+      input.isParameter(this.getACharParameterIndex()) or
       input.isParameter(this.getAnIteratorParameterIndex())
     ) and
     (
@@ -210,6 +218,7 @@ private class StdStringInsert extends StdStringTaintFunction {
     (
       input.isQualifierObject() or
       input.isParameterDeref(this.getAStringParameterIndex()) or
+      input.isParameter(this.getACharParameterIndex()) or
       input.isParameter(this.getAnIteratorParameterIndex())
     ) and
     (
@@ -236,6 +245,7 @@ private class StdStringAssign extends StdStringTaintFunction {
     // flow from parameter to string itself (qualifier) and return value
     (
       input.isParameterDeref(this.getAStringParameterIndex()) or
+      input.isParameter(this.getACharParameterIndex()) or
       input.isParameter(this.getAnIteratorParameterIndex())
     ) and
     (

cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll

@@ -133,13 +133,15 @@ abstract class HeuristicAllocationExpr extends Expr {
 
   /**
    * Gets a constant multiplier for the allocation size given by `getSizeExpr`,
-   * in bytes.
+   * in bytes. This predicate should be used with caution as it can be
+   * inaccurate for allocations identified using heuristics.
    */
   int getSizeMult() { none() }
 
   /**
    * Gets the size of this allocation in bytes, if it is a fixed size and that
-   * size can be determined.
+   * size can be determined. This predicate should be used with caution as it
+   * can be inaccurate for allocations identified using heuristics.
    */
   int getSizeBytes() { none() }
 

cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll

@@ -158,11 +158,10 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     exists(int arg |
-      (
-        arg = getFormatParameterIndex() or
-        arg >= getFirstFormatArgumentIndex()
-      ) and
-      input.isParameterDeref(arg) and
+      arg = getFormatParameterIndex() or
+      arg >= getFirstFormatArgumentIndex()
+    |
+      (input.isParameterDeref(arg) or input.isParameter(arg)) and
       output.isParameterDeref(getOutputParameterIndex(_))
     )
   }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -296,7 +296,7 @@ private predicate analyzableExpr(Expr e) {
     or
     // Also allow variable accesses, provided that they have SSA
     // information.
-    exists(RangeSsaDefinition def, StackVariable v | e = def.getAUse(v))
+    exists(RangeSsaDefinition def | e = def.getAUse(_))
     or
     e instanceof UnsignedBitwiseAndExpr
     or

cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll

@@ -127,9 +127,9 @@ deprecated private predicate betweenFunctionsValueMoveTo(
   not unreachable(src) and
   not unreachable(dest) and
   (
-    exists(Call call, Function called, int i |
+    exists(Call call, int i |
       src = call.getArgument(i) and
-      resolveCallWithParam(call, called, i, dest) and
+      resolveCallWithParam(call, _, i, dest) and
       destFromArg = true
     )
     or
@@ -151,8 +151,8 @@ deprecated private predicate betweenFunctionsValueMoveTo(
     )
     or
     // If a parameter of type reference is tainted inside a function, taint the argument too
-    exists(Call call, Function f, int pi, Parameter p |
-      resolveCallWithParam(call, f, pi, p) and
+    exists(Call call, int pi, Parameter p |
+      resolveCallWithParam(call, _, pi, p) and
       p.getType() instanceof ReferenceType and
       src = p and
       dest = call.getArgument(pi) and

cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll

@@ -34,7 +34,7 @@ class Stmt extends StmtParent, @stmt {
   }
 
   /** Gets a child of this statement. */
-  Element getAChild() { exists(int n | result = this.getChild(n)) }
+  Element getAChild() { result = this.getChild(_) }
 
   /** Gets the parent of this statement, if any. */
   StmtParent getParent() { stmtparents(underlyingElement(this), _, unresolveElement(result)) }

cpp/ql/lib/semmle/code/cpp/valuenumbering/HashCons.qll

@@ -475,9 +475,7 @@ private predicate mk_NonmemberFunctionCall(Function fcn, HC_Args args, FunctionC
   fc.getTarget() = fcn and
   analyzableNonmemberFunctionCall(fc) and
   (
-    exists(HashCons head, HC_Args tail |
-      mk_ArgConsInner(head, tail, fc.getNumberOfArguments() - 1, args, fc)
-    )
+    mk_ArgConsInner(_, _, fc.getNumberOfArguments() - 1, args, fc)
     or
     fc.getNumberOfArguments() = 0 and
     args = HC_EmptyArgs()
@@ -494,9 +492,7 @@ private predicate analyzableExprCall(ExprCall ec) {
 private predicate mk_ExprCall(HashCons hc, HC_Args args, ExprCall ec) {
   hc.getAnExpr() = ec.getExpr() and
   (
-    exists(HashCons head, HC_Args tail |
-      mk_ArgConsInner(head, tail, ec.getNumberOfArguments() - 1, args, ec)
-    )
+    mk_ArgConsInner(_, _, ec.getNumberOfArguments() - 1, args, ec)
     or
     ec.getNumberOfArguments() = 0 and
     args = HC_EmptyArgs()
@@ -516,9 +512,7 @@ private predicate mk_MemberFunctionCall(Function fcn, HashCons qual, HC_Args arg
   analyzableMemberFunctionCall(fc) and
   hashCons(fc.getQualifier().getFullyConverted()) = qual and
   (
-    exists(HashCons head, HC_Args tail |
-      mk_ArgConsInner(head, tail, fc.getNumberOfArguments() - 1, args, fc)
-    )
+    mk_ArgConsInner(_, _, fc.getNumberOfArguments() - 1, args, fc)
     or
     fc.getNumberOfArguments() = 0 and
     args = HC_EmptyArgs()
@@ -541,10 +535,8 @@ private predicate mk_ArgCons(HashCons hc, int i, HC_Args list, Call c) {
   analyzableCall(c) and
   hc = hashCons(c.getArgument(i).getFullyConverted()) and
   (
-    exists(HashCons head, HC_Args tail |
-      mk_ArgConsInner(head, tail, i - 1, list, c) and
-      i > 0
-    )
+    mk_ArgConsInner(_, _, i - 1, list, c) and
+    i > 0
     or
     i = 0 and
     list = HC_EmptyArgs()

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -303,12 +303,11 @@ affectedbymacroexpansion(
     int inv: @macroinvocation ref
 );
 
-/*
-  case @macroinvocations.kind of
-    1 = macro expansion
-  | 2 = other macro reference
-  ;
-*/
+case @macroinvocation.kind of
+  1 = @macro_expansion
+| 2 = @other_macro_reference
+;
+
 macroinvocations(
     unique int id: @macroinvocation,
     int macro_id: @ppd_define ref,
@@ -345,28 +344,37 @@ macro_argument_expanded(
 );
 
 /*
-  case @function.kind of
-    1 = normal
-  | 2 = constructor
-  | 3 = destructor
-  | 4 = conversion
-  | 5 = operator
-  | 6 = builtin     // GCC built-in functions, e.g. __builtin___memcpy_chk
-  ;
+case @function.kind of
+  1 = @normal_function
+| 2 = @constructor
+| 3 = @destructor
+| 4 = @conversion_function
+| 5 = @operator
+| 6 = @builtin_function     // GCC built-in functions, e.g. __builtin___memcpy_chk
+;
 */
+
 functions(
     unique int id: @function,
     string name: string ref,
     int kind: int ref
 );
 
-function_entry_point(int id: @function ref, unique int entry_point: @stmt ref);
+function_entry_point(
+    int id: @function ref,
+    unique int entry_point: @stmt ref
+);
 
-function_return_type(int id: @function ref, int return_type: @type ref);
+function_return_type(
+    int id: @function ref,
+    int return_type: @type ref
+);
 
-/** If `function` is a coroutine, then this gives the
-    std::experimental::resumable_traits instance associated with it,
-    and the variables representing the `handle` and `promise` for it. */
+/**
+ * If `function` is a coroutine, then this gives the `std::experimental::resumable_traits`
+ * instance associated with it, and the variables representing the `handle` and `promise`
+ * for it.
+ */
 coroutine(
   unique int function: @function ref,
   int traits: @type ref,
@@ -392,7 +400,10 @@ function_deleted(unique int id: @function ref);
 
 function_defaulted(unique int id: @function ref);
 
-member_function_this_type(unique int id: @function ref, int this_type: @type ref);
+member_function_this_type(
+    unique int id: @function ref,
+    int this_type: @type ref
+);
 
 #keyset[id, type_id]
 fun_decls(
@@ -495,7 +506,10 @@ params(
     int type_id: @type ref
 );
 
-overrides(int new: @function ref, int old: @function ref);
+overrides(
+    int new: @function ref,
+    int old: @function ref
+);
 
 #keyset[id, type_id]
 membervariables(
@@ -541,63 +555,65 @@ enumconstants(
 
 @localscopevariable = @localvariable | @parameter;
 
-/*
-  Built-in types are the fundamental types, e.g., integral, floating, and void.
+/**
+ * Built-in types are the fundamental types, e.g., integral, floating, and void.
+ */
+case @builtintype.kind of
+   1 = @errortype
+|  2 = @unknowntype
+|  3 = @void
+|  4 = @boolean
+|  5 = @char
+|  6 = @unsigned_char
+|  7 = @signed_char
+|  8 = @short
+|  9 = @unsigned_short
+| 10 = @signed_short
+| 11 = @int
+| 12 = @unsigned_int
+| 13 = @signed_int
+| 14 = @long
+| 15 = @unsigned_long
+| 16 = @signed_long
+| 17 = @long_long
+| 18 = @unsigned_long_long
+| 19 = @signed_long_long
+// ... 20 Microsoft-specific __int8
+// ... 21 Microsoft-specific __int16
+// ... 22 Microsoft-specific __int32
+// ... 23 Microsoft-specific __int64
+| 24 = @float
+| 25 = @double
+| 26 = @long_double
+| 27 = @complex_float         // C99-specific _Complex float
+| 28 = @complex_double        // C99-specific _Complex double
+| 29 = @complex_long_double   // C99-specific _Complex long double
+| 30 = @imaginary_float       // C99-specific _Imaginary float
+| 31 = @imaginary_double      // C99-specific _Imaginary double
+| 32 = @imaginary_long_double // C99-specific _Imaginary long double
+| 33 = @wchar_t               // Microsoft-specific
+| 34 = @decltype_nullptr      // C++11
+| 35 = @int128                // __int128
+| 36 = @unsigned_int128       // unsigned __int128
+| 37 = @signed_int128         // signed __int128
+| 38 = @float128              // __float128
+| 39 = @complex_float128      // _Complex __float128
+| 40 = @decimal32             // _Decimal32
+| 41 = @decimal64             // _Decimal64
+| 42 = @decimal128            // _Decimal128
+| 43 = @char16_t
+| 44 = @char32_t
+| 45 = @std_float32           // _Float32
+| 46 = @float32x              // _Float32x
+| 47 = @std_float64           // _Float64
+| 48 = @float64x              // _Float64x
+| 49 = @std_float128          // _Float128
+| 50 = @float128x             // _Float128x
+| 51 = @char8_t
+| 52 = @float16               // _Float16
+| 53 = @complex_float16       // _Complex _Float16
+;
 
-  case @builtintype.kind of
-    1 = error
-  | 2 = unknown
-  | 3 = void
-  | 4 = boolean
-  | 5 = char
-  | 6 = unsigned_char
-  | 7 = signed_char
-  | 8 = short
-  | 9 = unsigned_short
-  | 10 = signed_short
-  | 11 = int
-  | 12 = unsigned_int
-  | 13 = signed_int
-  | 14 = long
-  | 15 = unsigned_long
-  | 16 = signed_long
-  | 17 = long_long
-  | 18 = unsigned_long_long
-  | 19 = signed_long_long
-  | 20 = __int8                 // Microsoft-specific
-  | 21 = __int16                // Microsoft-specific
-  | 22 = __int32                // Microsoft-specific
-  | 23 = __int64                // Microsoft-specific
-  | 24 = float
-  | 25 = double
-  | 26 = long_double
-  | 27 = _Complex_float         // C99-specific
-  | 28 = _Complex_double        // C99-specific
-  | 29 = _Complex_long double   // C99-specific
-  | 30 = _Imaginary_float       // C99-specific
-  | 31 = _Imaginary_double      // C99-specific
-  | 32 = _Imaginary_long_double // C99-specific
-  | 33 = wchar_t                // Microsoft-specific
-  | 34 = decltype_nullptr       // C++11
-  | 35 = __int128
-  | 36 = unsigned___int128
-  | 37 = signed___int128
-  | 38 = __float128
-  | 39 = _Complex___float128
-  | 40 = _Decimal32
-  | 41 = _Decimal64
-  | 42 = _Decimal128
-  | 43 = char16_t
-  | 44 = char32_t
-  | 45 = _Float32
-  | 46 = _Float32x
-  | 47 = _Float64
-  | 48 = _Float64x
-  | 49 = _Float128
-  | 50 = _Float128x
-  | 51 = char8_t
-  ;
-*/
 builtintypes(
     unique int id: @builtintype,
     string name: string ref,
@@ -607,23 +623,23 @@ builtintypes(
     int alignment: int ref
 );
 
-/*
-  Derived types are types that are directly derived from existing types and
-  point to, refer to, transform type data to return a new type.
-
-  case @derivedtype.kind of
-    1 = pointer
-  | 2 = reference
-  | 3 = type_with_specifiers
-  | 4 = array
-  | 5 = gnu_vector
-  | 6 = routineptr
-  | 7 = routinereference
-  | 8 = rvalue_reference // C++11
+/**
+ * Derived types are types that are directly derived from existing types and
+ * point to, refer to, transform type data to return a new type.
+ */
+case @derivedtype.kind of
+   1 = @pointer
+|  2 = @reference
+|  3 = @type_with_specifiers
+|  4 = @array
+|  5 = @gnu_vector
+|  6 = @routineptr
+|  7 = @routinereference
+|  8 = @rvalue_reference // C++11
 // ... 9 type_conforming_to_protocols deprecated
-  | 10 = block
-  ;
-*/
+| 10 = @block
+;
+
 derivedtypes(
     unique int id: @derivedtype,
     string name: string ref,
@@ -675,23 +691,24 @@ decltypes(
 );
 
 /*
-  case @usertype.kind of
-    1 = struct
-  | 2 = class
-  | 3 = union
-  | 4 = enum
-  | 5 = typedef                       // classic C: typedef typedef type name
-  | 6 = template
-  | 7 = template_parameter
-  | 8 = template_template_parameter
-  | 9 = proxy_class                   // a proxy class associated with a template parameter
+case @usertype.kind of
+   1 = @struct
+|  2 = @class
+|  3 = @union
+|  4 = @enum
+|  5 = @typedef                       // classic C: typedef typedef type name
+|  6 = @template
+|  7 = @template_parameter
+|  8 = @template_template_parameter
+|  9 = @proxy_class                   // a proxy class associated with a template parameter
 // ... 10 objc_class deprecated
 // ... 11 objc_protocol deprecated
 // ... 12 objc_category deprecated
-  | 13 = scoped_enum
-  | 14 = using_alias                  // a using name = type style typedef
-  ;
+| 13 = @scoped_enum
+| 14 = @using_alias                  // a using name = type style typedef
+;
 */
+
 usertypes(
     unique int id: @usertype,
     string name: string ref,
@@ -1162,7 +1179,10 @@ case @funbindexpr.kind of
 | 2 = @adl_call     // a call whose target is only found by ADL
 ;
 */
-iscall(unique int caller: @funbindexpr ref, int kind: int ref);
+iscall(
+    unique int caller: @funbindexpr ref,
+    int kind: int ref
+);
 
 numtemplatearguments(
     unique int expr_id: @expr ref,

cpp/ql/lib/upgrades/625f706f2a44ae8dc3fc168bfe2637e65c30b012/upgrade.properties

@@ -0,0 +1,2 @@
+description: Uncomment case splits in dbscheme
+compatibility: full

cpp/ql/lib/upgrades/ba86bebea4c7a8235c2fa0e220391fbd4446a087/upgrade.properties

@@ -0,0 +1,2 @@
+description: Introduce (_Complex) _Float16 type
+compatibility: full