Fix typo in documentation

Co-authored-by: hubwriter <hubwriter@github.com>

.github/ISSUE_TEMPLATE/ql---general.md

@@ -10,5 +10,5 @@ assignees: ''
 **Description of the issue**
 
 <!-- Please explain briefly what is the problem.
-If it is about a GitHub project, please include its URL. -->
+If it is about an LGTM project, please include its URL.-->
 

.github/ISSUE_TEMPLATE/ql--false-positive.md

@@ -1,5 +1,5 @@
 ---
-name: CodeQL false positive
+name: CodeQL False positive
 about: Report CodeQL alerts that you think should not have been detected (not applicable, not exploitable, etc.)
 title: False positive
 labels: false-positive

.github/actions/cache-query-compilation/action.yml

@@ -14,7 +14,8 @@ outputs:
 runs:
   using: composite
   steps:
-    # calculate the merge-base with main, in a way that works both on PRs and pushes to main.
+    # Cache the query compilation caches.
+    # calculate the merge-base with main, in a way that works both on PRs and pushes to main. 
     - name: Calculate merge-base
       shell: bash
       if: ${{ github.event_name == 'pull_request' }}
@@ -23,32 +24,38 @@ runs:
       run: |
         MERGE_BASE=$(git cat-file commit $GITHUB_SHA | grep '^parent ' | head -1 | cut -f 2 -d " ")
         echo "merge_base=$MERGE_BASE" >> $GITHUB_ENV
-    - name: Restore cache (PR)
+    - name: Read CodeQL query compilation - PR
       if: ${{ github.event_name == 'pull_request' }}
-      uses: actions/cache/restore@v3
+      uses: erik-krogh/actions-cache@a88d0603fe5fb5606db9f002dfcadeb32b5f84c6
       with:
         path: '**/.cache'
-        key: codeql-compile-${{ inputs.key }}-pr-${{ github.sha }}
+        read-only: true
+        key: codeql-compile-${{ inputs.key }}-pr-${{ github.sha }} # deliberately not using the `compile-compile-main` keys here.
         restore-keys: |
           codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-${{ env.merge_base }}
           codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-
           codeql-compile-${{ inputs.key }}-main-
-    - name: Fill cache (only branch push)
+    - name: Fill CodeQL query compilation cache - main
       if: ${{ github.event_name != 'pull_request' }}
-      uses: actions/cache@v3
+      uses: erik-krogh/actions-cache@a88d0603fe5fb5606db9f002dfcadeb32b5f84c6
       with:
         path: '**/.cache'
         key: codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-${{ github.sha }} # just fill on main
-        restore-keys: | # restore the latest cache if the exact cache is unavailable, to speed up compilation.
-          codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-
+        restore-keys: | # restore from another random commit, to speed up compilation.
+          codeql-compile-${{ inputs.key }}-${{ github.ref_name }}- 
           codeql-compile-${{ inputs.key }}-main-
     - name: Fill compilation cache directory
       id: fill-compilation-dir
-      shell: bash
+      shell: bash 
       run: |
         # Move all the existing cache into another folder, so we only preserve the cache for the current queries.
-        node $GITHUB_WORKSPACE/.github/actions/cache-query-compilation/move-caches.js ${COMBINED_CACHE_DIR}
+        mkdir -p ${COMBINED_CACHE_DIR}
+        rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
+        # copy the contents of the .cache folders into the combined cache folder.
+        cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
+        # clean up the .cache folders
+        rm -rf **/.cache/*
 
         echo "compdir=${COMBINED_CACHE_DIR}" >> $GITHUB_OUTPUT
-      env:
-        COMBINED_CACHE_DIR: ${{ runner.temp }}/compilation-dir
+      env: 
+        COMBINED_CACHE_DIR: ${{ github.workspace }}/compilation-dir

.github/actions/cache-query-compilation/move-caches.js

@@ -1,75 +0,0 @@
-// # Move all the existing cache into another folder, so we only preserve the cache for the current queries.
-// mkdir -p ${COMBINED_CACHE_DIR}
-// rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
-// # copy the contents of the .cache folders into the combined cache folder.
-// cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
-// # clean up the .cache folders
-// rm -rf **/.cache/*
-
-const fs = require("fs");
-const path = require("path");
-
-// the first argv is the cache folder to create.
-const COMBINED_CACHE_DIR = process.argv[2];
-
-function* walkCaches(dir) {
-  const files = fs.readdirSync(dir, { withFileTypes: true });
-  for (const file of files) {
-    if (file.isDirectory()) {
-      const filePath = path.join(dir, file.name);
-      yield* walkCaches(filePath);
-      if (file.name === ".cache") {
-        yield filePath;
-      }
-    }
-  }
-}
-
-async function copyDir(src, dest) {
-  for await (const file of await fs.promises.readdir(src, { withFileTypes: true })) {
-    const srcPath = path.join(src, file.name);
-    const destPath = path.join(dest, file.name);
-    if (file.isDirectory()) {
-      if (!fs.existsSync(destPath)) {
-        fs.mkdirSync(destPath);
-      }
-      await copyDir(srcPath, destPath);
-    } else {
-      await fs.promises.copyFile(srcPath, destPath);
-    }
-  }
-}
-
-async function main() {
-  const cacheDirs = [...walkCaches(".")];
-
-  for (const dir of cacheDirs) {
-    console.log(`Found .cache dir at ${dir}`);
-  }
-
-  // mkdir -p ${COMBINED_CACHE_DIR}
-  fs.mkdirSync(COMBINED_CACHE_DIR, { recursive: true });
-
-  // rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
-  await Promise.all(
-    cacheDirs.map((cacheDir) =>
-      (async function () {
-        await fs.promises.rm(path.join(cacheDir, "lock"), { force: true });
-        await fs.promises.rm(path.join(cacheDir, "size"), { force: true });
-      })()
-    )
-  );
-
-  // # copy the contents of the .cache folders into the combined cache folder.
-  // cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
-  await Promise.all(
-    cacheDirs.map((cacheDir) => copyDir(cacheDir, COMBINED_CACHE_DIR))
-  );
-
-  // # clean up the .cache folders
-  // rm -rf **/.cache/*
-  await Promise.all(
-    cacheDirs.map((cacheDir) => fs.promises.rm(cacheDir, { recursive: true }))
-  );
-}
-main();

.github/actions/find-latest-bundle/action.yml

@@ -1,26 +0,0 @@
-name: Find Latest CodeQL Bundle
-description: Finds the URL of the latest released version of the CodeQL bundle.
-outputs:
-  url:
-    description: The download URL of the latest CodeQL bundle release
-    value: ${{ steps.find-latest.outputs.url }}
-runs:
-  using: composite
-  steps:
-    - name: Find Latest Release
-      id: find-latest
-      shell: pwsh
-      run: |
-        $Latest = gh release list --repo github/codeql-action --exclude-drafts --limit 1000 |
-          ForEach-Object { $C = $_ -split "`t"; return @{ type = $C[1]; tag = $C[2]; } } |
-          Where-Object { $_.type -eq 'Latest' }
-
-        $Tag = $Latest.tag
-        if ($Tag -eq '') {
-          throw 'Failed to find latest bundle release.'
-        }
-
-        Write-Output "Latest bundle tag is '${Tag}'."
-        "url=https://github.com/github/codeql-action/releases/download/${Tag}/codeql-bundle-linux64.tar.gz" >> $env:GITHUB_OUTPUT
-      env:
-        GITHUB_TOKEN: ${{ github.token }}

.github/workflows/atm-check-query-suite.yml

@@ -13,7 +13,7 @@ on:
 
 jobs:
   atm-check-query-suite:
-    runs-on: ubuntu-latest-xl
+    runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v3
@@ -23,12 +23,6 @@ jobs:
         with:
           channel: release
 
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with: 
-          key: atm-suite
-
       - name: Install ATM model
         run: |
           set -exu
@@ -56,13 +50,10 @@ jobs:
           echo "SARIF_PATH=${SARIF_PATH}" >> "${GITHUB_ENV}"
 
           codeql database analyze \
-            --threads=0 \
-            --ram 50000 \
             --format sarif-latest \
             --output "${SARIF_PATH}" \
             --sarif-group-rules-by-pack \
             -vv \
-            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
             -- \
             "${DB_PATH}" \
             "${QUERY_PACK}/${QUERY_SUITE}"

.github/workflows/check-query-ids.yml

@@ -1,21 +0,0 @@
-name: Check query IDs
-
-on:
-  pull_request:
-    paths:
-      - "**/src/**/*.ql"
-      - misc/scripts/check-query-ids.py
-      - .github/workflows/check-query-ids.yml
-    branches:
-      - main
-      - "rc/*"
-  workflow_dispatch:
-
-jobs:
-  check:
-    name: Check query IDs
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: Check for duplicate query IDs
-        run: python3 misc/scripts/check-query-ids.py

.github/workflows/close-stale.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/stale@v7
+    - uses: actions/stale@v6
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'

.github/workflows/compile-queries.yml

@@ -35,3 +35,5 @@ jobs:
         if : ${{ github.event_name != 'pull_request' }}
         shell: bash
         run: codeql query compile -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        env: 
+          COMBINED_CACHE_DIR: ${{ github.workspace }}/compilation-dir

.github/workflows/csharp-qltest.yml

@@ -67,7 +67,7 @@ jobs:
           mv "$CODEQL_PATH/csharp/tools/extractor-asp.jar" "${{ github.workspace }}/csharp/extractor-pack/tools"
           # Safe guard against using the bundled extractor
           rm -rf "$CODEQL_PATH/csharp"
-          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/csharp/extractor-pack" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 52000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/csharp/extractor-pack" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}
   unit-tests:

.github/workflows/go-tests-other-os.yml

@@ -1,80 +0,0 @@
-name: "Go: Run Tests - Other OS"
-on:
-  pull_request:
-    paths:
-      - "go/**"
-      - "!go/ql/**" # don't run other-os if only ql/ files changed
-      - .github/workflows/go-tests-other-os.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-jobs:
-  test-mac:
-    name: Test MacOS
-    runs-on: macos-latest
-    steps:
-      - name: Set up Go 1.19
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.19
-        id: go
-
-      - name: Check out code
-        uses: actions/checkout@v2
-
-      - name: Set up CodeQL CLI
-        uses: ./.github/actions/fetch-codeql
-
-      - name: Enable problem matchers in repository
-        shell: bash
-        run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
-
-      - name: Build
-        run: |
-          cd go
-          make
-
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: go-qltest
-      - name: Test
-        run: |
-          cd go
-          make test cache="${{ steps.query-cache.outputs.cache-dir }}"
-
-  test-win:
-    name: Test Windows
-    runs-on: windows-latest-xl
-    steps:
-      - name: Set up Go 1.19
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.19
-        id: go
-
-      - name: Check out code
-        uses: actions/checkout@v2
-
-      - name: Set up CodeQL CLI
-        uses: ./.github/actions/fetch-codeql
-
-      - name: Enable problem matchers in repository
-        shell: bash
-        run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
-
-      - name: Build
-        run: |
-          cd go
-          make
-
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: go-qltest
-
-      - name: Test
-        run: |
-          cd go
-          make test cache="${{ steps.query-cache.outputs.cache-dir }}"

.github/workflows/go-tests.yml

@@ -1,24 +1,15 @@
 name: "Go: Run Tests"
 on:
-  push:
-    paths:
-      - "go/**"
-      - .github/workflows/go-tests.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-    branches:
-      - main
-      - "rc/*"
   pull_request:
     paths:
       - "go/**"
       - .github/workflows/go-tests.yml
-      - .github/actions/**
+      - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml
 jobs:
   test-linux:
     name: Test Linux (Ubuntu)
-    runs-on: ubuntu-latest-xl
+    runs-on: ubuntu-latest
     steps:
       - name: Set up Go 1.19
         uses: actions/setup-go@v3
@@ -41,7 +32,7 @@ jobs:
           cd go
           make
 
-      - name: Check that all Go code is autoformatted
+      - name: Check that all QL and Go code is autoformatted
         run: |
           cd go
           make check-formatting
@@ -57,13 +48,67 @@ jobs:
           name: qhelp-markdown
           path: go/qhelp-out/**/*.md
 
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
+      - name: Test
+        run: |
+          cd go
+          make test
+
+  test-mac:
+    name: Test MacOS
+    runs-on: macos-latest
+    steps:
+      - name: Set up Go 1.19
+        uses: actions/setup-go@v3
         with:
-          key: go-qltest
+          go-version: 1.19
+        id: go
+
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Set up CodeQL CLI
+        uses: ./.github/actions/fetch-codeql
+
+      - name: Enable problem matchers in repository
+        shell: bash
+        run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
+
+      - name: Build
+        run: |
+          cd go
+          make
 
       - name: Test
         run: |
           cd go
-          make test cache="${{ steps.query-cache.outputs.cache-dir }}"
+          make test
+
+  test-win:
+    name: Test Windows
+    runs-on: windows-2019
+    steps:
+      - name: Set up Go 1.19
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+        id: go
+
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Set up CodeQL CLI
+        uses: ./.github/actions/fetch-codeql
+
+      - name: Enable problem matchers in repository
+        shell: bash
+        run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
+
+      - name: Build
+        run: |
+          cd go
+          make
+
+      - name: Test
+        run: |
+          cd go
+          make test

.github/workflows/js-ml-tests.yml

@@ -23,9 +23,9 @@ defaults:
     working-directory: javascript/ql/experimental/adaptivethreatmodeling
 
 jobs:
-  qltest:
-    name: Test QL
-    runs-on: ubuntu-latest-xl
+  qlcompile:
+    name: Check QL compilation
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
 
@@ -33,33 +33,36 @@ jobs:
 
       - name: Install pack dependencies
         run: |
-          for pack in modelbuilding src test; do
+          for pack in modelbuilding src; do
             codeql pack install --mode verify -- "${pack}"
           done
-      
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with: 
-          key: js-ml-test
 
       - name: Check QL compilation
         run: |
           codeql query compile \
             --check-only \
-            --ram 50000 \
+            --ram 5120 \
             --additional-packs "${{ github.workspace }}" \
             --threads=0 \
-            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
             -- \
             lib modelbuilding src
 
+  qltest:
+    name: Run QL tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./.github/actions/fetch-codeql
+
+      - name: Install pack dependencies
+        run: codeql pack install -- test
+
       - name: Run QL tests
         run: |
           codeql test run \
             --threads=0 \
-            --ram 50000 \
+            --ram 5120 \
             --additional-packs "${{ github.workspace }}" \
-            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
             -- \
-            test
+            test

.github/workflows/mad_modelDiff.yml

@@ -61,8 +61,8 @@ jobs:
             DATABASE=$2
             cd codeql-$QL_VARIANT
             SHORTNAME=`basename $DATABASE`
-            python java/ql/src/utils/model-generator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
-            mv java/ql/lib/ext/generated/${SHORTNAME}.temp.model.yml $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.model.yml
+            python java/ql/src/utils/model-generator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $MODELS/${SHORTNAME}.qll
+            mv $MODELS/${SHORTNAME}.qll $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.qll
             cd ..
           }
 
@@ -85,16 +85,16 @@ jobs:
           set -x
           MODELS=`pwd`/tmp-models
           ls -1 tmp-models/
-          for m in $MODELS/*_main.model.yml ; do
+          for m in $MODELS/*_main.qll ; do
             t="${m/main/"pr"}"
             basename=`basename $m`
-            name="diff_${basename/_main.model.yml/""}"
+            name="diff_${basename/_main.qll/""}"
             (diff -w -u $m $t | diff2html -i stdin -F $MODELS/$name.html) || true
           done
       - uses: actions/upload-artifact@v3
         with:
           name: models
-          path: tmp-models/*.model.yml
+          path: tmp-models/*.qll
           retention-days: 20
       - uses: actions/upload-artifact@v3
         with:

.github/workflows/mad_regenerate-models.yml

@@ -53,7 +53,7 @@ jobs:
           java/ql/src/utils/model-generator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
       - name: Stage changes
         run: |
-          find java -name "*.model.yml" -print0 | xargs -0 git add
+          find java -name "*.qll" -print0 | xargs -0 git add
           git status
           git diff --cached > models.patch
       - uses: actions/upload-artifact@v3

.github/workflows/ql-for-ql-build.yml

@@ -22,15 +22,11 @@ jobs:
     steps:
       ### Build the queries ###
       - uses: actions/checkout@v3
-      - name: Find latest bundle
-        id: find-latest-bundle
-        uses: ./.github/actions/find-latest-bundle
       - name: Find codeql
         id: find-codeql
         uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
         with:
           languages: javascript # does not matter
-          tools: ${{ steps.find-latest-bundle.outputs.url }}
       - name: Get CodeQL version
         id: get-codeql-version
         run: |
@@ -142,7 +138,6 @@ jobs:
           languages: ql
           db-location: ${{ runner.temp }}/db
           config-file: ./ql-for-ql-config.yml
-          tools: ${{ steps.find-latest-bundle.outputs.url }}
       - name: Move pack cache
         run: |
           cp -r ${PACK}/.cache ql/ql/src/.cache

.github/workflows/ruby-build.yml

@@ -48,19 +48,7 @@ jobs:
         run: |
           brew install gnu-tar
           echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
-      - name: Cache entire extractor
-        uses: actions/cache@v3
-        id: cache-extractor
-        with:
-          path: |
-            ruby/target/release/ruby-autobuilder
-            ruby/target/release/ruby-autobuilder.exe
-            ruby/target/release/ruby-extractor
-            ruby/target/release/ruby-extractor.exe
-            ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-          key: ${{ runner.os }}-ruby-extractor-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}--${{ hashFiles('ruby/**/*.rs') }}
       - uses: actions/cache@v3
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
         with:
           path: |
             ~/.cargo/registry
@@ -68,19 +56,15 @@ jobs:
             ruby/target
           key: ${{ runner.os }}-ruby-rust-cargo-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}
       - name: Check formatting
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
         run: cargo fmt --all -- --check
       - name: Build
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
         run: cargo build --verbose
       - name: Run tests
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
         run: cargo test --verbose
       - name: Release build
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
         run: cargo build --release
       - name: Generate dbscheme
-        if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
+        if: ${{ matrix.os == 'ubuntu-latest' }}
         run: target/release/ruby-generator --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
       - uses: actions/upload-artifact@v3
         if: ${{ matrix.os == 'ubuntu-latest' }}
@@ -115,10 +99,9 @@ jobs:
       - name: Build Query Pack
         run: |
           rm -rf target/packs
+          codeql pack create ../shared/ssa --output target/packs
           codeql pack create ../misc/suite-helpers --output target/packs
           codeql pack create ../shared/regex --output target/packs
-          codeql pack create ../shared/ssa --output target/packs
-          codeql pack create ../shared/tutorial --output target/packs
           codeql pack create ql/lib --output target/packs
           codeql pack create -j0 ql/src --output target/packs --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
           PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)

.github/workflows/ruby-qltest.yml

@@ -62,6 +62,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 52000 --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/swift.yml

@@ -7,77 +7,96 @@ on:
       - "misc/bazel/**"
       - "*.bazel*"
       - .github/workflows/swift.yml
-      - .github/actions/**
+      - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml
       - .pre-commit-config.yaml
       - "!**/*.md"
       - "!**/*.qhelp"
     branches:
       - main
-      - rc/*
-  push:
-    paths:
-      - "swift/**"
-      - "misc/bazel/**"
-      - "*.bazel*"
-      - .github/workflows/swift.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-      - "!**/*.md"
-      - "!**/*.qhelp"
-    branches:
-      - main
-      - rc/*
 
 jobs:
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      codegen: ${{ steps.filter.outputs.codegen }}
+      ql: ${{ steps.filter.outputs.ql }}
+    steps:
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+        id: filter
+        with:
+          filters: |
+            codegen:
+              - '.github/workflows/swift.yml'
+              - "misc/bazel/**"
+              - "*.bazel*"
+              - 'swift/actions/setup-env/**'
+              - '.pre-commit-config.yaml'
+              - 'swift/codegen/**'
+              - 'swift/schema.py'
+              - 'swift/**/*.dbscheme'
+              - 'swift/ql/lib/codeql/swift/elements.qll'
+              - 'swift/ql/lib/codeql/swift/elements/**'
+              - 'swift/ql/lib/codeql/swift/generated/**'
+              - 'swift/ql/test/extractor-tests/generated/**'
+              - 'swift/ql/.generated.list'
+            ql:
+              - 'github/workflows/swift.yml'
+              - 'swift/**/*.ql'
+              - 'swift/**/*.qll'
   # not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
   # without waiting for the macOS build
   build-and-test-macos:
     runs-on: macos-12-xl
     steps:
       - uses: actions/checkout@v3
-      - uses: ./swift/actions/build-and-test
+      - uses: ./swift/actions/create-extractor-pack
+      - uses: ./swift/actions/run-quick-tests
+      - uses: ./swift/actions/print-unextracted
   build-and-test-linux:
-    runs-on: ubuntu-latest-xl
+    runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v3
-      - uses: ./swift/actions/build-and-test
+      - uses: ./swift/actions/create-extractor-pack
+      - uses: ./swift/actions/run-quick-tests
+      - uses: ./swift/actions/print-unextracted
   qltests-linux:
     needs: build-and-test-linux
-    runs-on: ubuntu-latest-xl
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
       - uses: ./swift/actions/run-ql-tests
   qltests-macos:
-    if : ${{ github.event_name == 'pull_request' }}
     needs: build-and-test-macos
     runs-on: macos-12-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        slice: ["1/2", "2/2"]
     steps:
       - uses: actions/checkout@v3
       - uses: ./swift/actions/run-ql-tests
+        with:
+          flags: --slice ${{ matrix.slice }}
   integration-tests-linux:
     needs: build-and-test-linux
-    runs-on: ubuntu-latest-xl
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
       - uses: ./swift/actions/run-integration-tests
   integration-tests-macos:
-    if : ${{ github.event_name == 'pull_request' }}
     needs: build-and-test-macos
     runs-on: macos-12-xl
-    timeout-minutes: 60
     steps:
       - uses: actions/checkout@v3
       - uses: ./swift/actions/run-integration-tests
   codegen:
-    if : ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
+    needs: changes
+    if: ${{ needs.changes.outputs.codegen == 'true' }}
     steps:
       - uses: actions/checkout@v3
-      - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v4
-        with:
-          python-version-file: 'swift/.python-version'
+      - uses: ./swift/actions/setup-env
       - uses: pre-commit/action@v3.0.0
         name: Check that python code is properly formatted
         with:
@@ -95,7 +114,6 @@ jobs:
           name: swift-generated-cpp-files
           path: generated-cpp-files/**
   database-upgrade-scripts:
-    if : ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3

CODEOWNERS

@@ -12,6 +12,13 @@
 # ML-powered queries
 /javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
 
+# Notify members of codeql-go about PRs to the shared data-flow library files
+/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll @github/codeql-java @github/codeql-go
+/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll @github/codeql-java @github/codeql-go
+/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @github/codeql-java @github/codeql-go
+/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
+/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
+
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
 /docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers

codeql-workspace.yml

@@ -25,7 +25,6 @@ provide:
   - "misc/suite-helpers/qlpack.yml"
   - "ruby/extractor-pack/codeql-extractor.yml"
   - "swift/extractor-pack/codeql-extractor.yml"
-  - "swift/integration-tests/qlpack.yml"
   - "ql/extractor-pack/codeql-extractor.yml"
 
 versionPolicies:

config/identical-files.json

@@ -1,5 +1,5 @@
 {
-  "DataFlow Java/C++/C#/Go/Python/Ruby/Swift": [
+  "DataFlow Java/C++/C#/Python": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
@@ -27,8 +27,6 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
@@ -40,18 +38,17 @@
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForPathname.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl.qll"
   ],
-  "DataFlow Java/C++/C#/Go/Python/Ruby/Swift Common": [
+  "DataFlow Java/C++/C#/Python Common": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImplCommon.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplCommon.qll"
   ],
-  "TaintTracking::Configuration Java/C++/C#/Go/Python/Ruby/Swift": [
+  "TaintTracking::Configuration Java/C++/C#/Python": [
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
@@ -65,8 +62,6 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
@@ -77,7 +72,7 @@
     "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
   ],
-  "DataFlow Java/C++/C#/Python/Ruby/Swift Consistency checks": [
+  "DataFlow Java/C++/C#/Python Consistency checks": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
@@ -87,10 +82,9 @@
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplConsistency.qll"
   ],
-  "DataFlow Java/C#/Go/Ruby/Python/Swift Flow Summaries": [
+  "DataFlow Java/C#/Ruby/Python/Swift Flow Summaries": [
     "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll"
@@ -470,10 +464,6 @@
     "javascript/ql/src/Comments/CommentedOutCodeReferences.inc.qhelp",
     "python/ql/src/Lexical/CommentedOutCodeReferences.inc.qhelp"
   ],
-  "ThreadResourceAbuse qhelp": [
-    "java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.qhelp",
-    "java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp"
-  ],
   "IDE Contextual Queries": [
     "cpp/ql/lib/IDEContextual.qll",
     "csharp/ql/lib/IDEContextual.qll",
@@ -505,9 +495,16 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
     "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
   ],
+  "CodeQL Tutorial": [
+    "cpp/ql/lib/tutorial.qll",
+    "csharp/ql/lib/tutorial.qll",
+    "java/ql/lib/tutorial.qll",
+    "javascript/ql/lib/tutorial.qll",
+    "python/ql/lib/tutorial.qll",
+    "ruby/ql/lib/tutorial.qll"
+  ],
   "AccessPathSyntax": [
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/AccessPathSyntax.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll",
@@ -523,16 +520,16 @@
     "ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll",
     "javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll"
   ],
+  "Hostname Regexp queries": [
+    "javascript/ql/src/Security/CWE-020/HostnameRegexpShared.qll",
+    "python/ql/src/Security/CWE-020/HostnameRegexpShared.qll",
+    "ruby/ql/src/queries/security/cwe-020/HostnameRegexpShared.qll"
+  ],
   "ApiGraphModels": [
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
     "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",
     "python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll"
   ],
-  "ApiGraphModelsExtensions": [
-    "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll",
-    "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll",
-    "python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll"
-  ],
   "TaintedFormatStringQuery Ruby/JS": [
     "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",
     "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll"
@@ -576,9 +573,5 @@
   "IncompleteMultiCharacterSanitization JS/Ruby": [
     "javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationQuery.qll",
     "ruby/ql/lib/codeql/ruby/security/IncompleteMultiCharacterSanitizationQuery.qll"
-  ],
-  "EncryptionKeySizes Python/Java": [
-    "python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll",
-    "java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll"
   ]
 }

cpp/ql/lib/CHANGELOG.md

@@ -1,32 +1,3 @@
-## 0.5.0
-
-### Breaking Changes
-
-The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
-
-### Deprecated APIs
-
-* Deprecated `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
-* Deprecated `semmle.code.cpp.security.TaintTrackingImpl`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
-* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.
-
-### Minor Analysis Improvements
-
-* The `ArgvSource` flow source now uses the second parameter of `main` as its source instead of the uses of this parameter.
-* The `ArgvSource` flow source has been generalized to handle cases where the argument vector of `main` is not named `argv`.
-* The `getaddrinfo` function is now recognized as a flow source.
-* The `secure_getenv` and `_wgetenv` functions are now recognized as local flow sources.
-* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.
-* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.
-
-## 0.4.6
-
-No user-facing changes.
-
-## 0.4.5
-
-No user-facing changes.
-
 ## 0.4.4
 
 No user-facing changes.

cpp/ql/lib/change-notes/2022-11-14-deprecate-ast-gvn.md

@@ -0,0 +1,6 @@
+---
+category: deprecated
+---
+
+
+* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.

cpp/ql/lib/change-notes/2022-11-16-must-flow.md

@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.

cpp/ql/lib/change-notes/2022-11-17-deleted-deps.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.

cpp/ql/lib/change-notes/released/0.4.5.md

@@ -1,3 +0,0 @@
-## 0.4.5
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/0.4.6.md

@@ -1,3 +0,0 @@
-## 0.4.6
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/0.5.0.md

@@ -1,20 +0,0 @@
-## 0.5.0
-
-### Breaking Changes
-
-The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
-
-### Deprecated APIs
-
-* Deprecated `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
-* Deprecated `semmle.code.cpp.security.TaintTrackingImpl`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
-* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.
-
-### Minor Analysis Improvements
-
-* The `ArgvSource` flow source now uses the second parameter of `main` as its source instead of the uses of this parameter.
-* The `ArgvSource` flow source has been generalized to handle cases where the argument vector of `main` is not named `argv`.
-* The `getaddrinfo` function is now recognized as a flow source.
-* The `secure_getenv` and `_wgetenv` functions are now recognized as local flow sources.
-* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.
-* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.0
+lastReleaseVersion: 0.4.4

cpp/ql/lib/definitions.qll

@@ -12,8 +12,8 @@ import IDEContextual
  *
  * In some cases it is preferable to modify locations (the
  * `hasLocationInfo()` predicate) so that they are short, and
- * non-overlapping with other locations that might be reported as
- * code scanning alerts on GitHub.
+ * non-overlapping with other locations that might be highlighted in
+ * the LGTM interface.
  *
  * We need to give locations that may not be in the database, so
  * we use `hasLocationInfo()` rather than `getLocation()`.

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -915,57 +915,18 @@ private module Cached {
     TDataFlowCallNone() or
     TDataFlowCallSome(DataFlowCall call)
 
-  cached
-  newtype TParamNodeOption =
-    TParamNodeNone() or
-    TParamNodeSome(ParamNode p)
-
-  cached
-  newtype TReturnCtx =
-    TReturnCtxNone() or
-    TReturnCtxNoFlowThrough() or
-    TReturnCtxMaybeFlowThrough(ReturnPosition pos)
-
-  cached
-  newtype TTypedContentApprox =
-    MkTypedContentApprox(ContentApprox c, DataFlowType t) {
-      exists(Content cont |
-        c = getContentApprox(cont) and
-        store(_, cont, _, _, t)
-      )
-    }
-
   cached
   newtype TTypedContent = MkTypedContent(Content c, DataFlowType t) { store(_, c, _, _, t) }
 
-  cached
-  TypedContent getATypedContent(TypedContentApprox c) {
-    exists(ContentApprox cls, DataFlowType t, Content cont |
-      c = MkTypedContentApprox(cls, pragma[only_bind_into](t)) and
-      result = MkTypedContent(cont, pragma[only_bind_into](t)) and
-      cls = getContentApprox(cont)
-    )
-  }
-
   cached
   newtype TAccessPathFront =
     TFrontNil(DataFlowType t) or
     TFrontHead(TypedContent tc)
 
-  cached
-  newtype TApproxAccessPathFront =
-    TApproxFrontNil(DataFlowType t) or
-    TApproxFrontHead(TypedContentApprox tc)
-
   cached
   newtype TAccessPathFrontOption =
     TAccessPathFrontNone() or
     TAccessPathFrontSome(AccessPathFront apf)
-
-  cached
-  newtype TApproxAccessPathFrontOption =
-    TApproxAccessPathFrontNone() or
-    TApproxAccessPathFrontSome(ApproxAccessPathFront apf)
 }
 
 /**
@@ -1343,113 +1304,6 @@ class DataFlowCallOption extends TDataFlowCallOption {
   }
 }
 
-/** An optional `ParamNode`. */
-class ParamNodeOption extends TParamNodeOption {
-  string toString() {
-    this = TParamNodeNone() and
-    result = "(none)"
-    or
-    exists(ParamNode p |
-      this = TParamNodeSome(p) and
-      result = p.toString()
-    )
-  }
-}
-
-/**
- * A return context used to calculate flow summaries in reverse flow.
- *
- * The possible values are:
- *
- * - `TReturnCtxNone()`: no return flow.
- * - `TReturnCtxNoFlowThrough()`: return flow, but flow through is not possible.
- * - `TReturnCtxMaybeFlowThrough(ReturnPosition pos)`: return flow, of kind `pos`, and
- *    flow through may be possible.
- */
-class ReturnCtx extends TReturnCtx {
-  string toString() {
-    this = TReturnCtxNone() and
-    result = "(none)"
-    or
-    this = TReturnCtxNoFlowThrough() and
-    result = "(no flow through)"
-    or
-    exists(ReturnPosition pos |
-      this = TReturnCtxMaybeFlowThrough(pos) and
-      result = pos.toString()
-    )
-  }
-}
-
-/** An approximated `Content` tagged with the type of a containing object. */
-class TypedContentApprox extends MkTypedContentApprox {
-  private ContentApprox c;
-  private DataFlowType t;
-
-  TypedContentApprox() { this = MkTypedContentApprox(c, t) }
-
-  /** Gets a typed content approximated by this value. */
-  TypedContent getATypedContent() { result = getATypedContent(this) }
-
-  /** Gets the container type. */
-  DataFlowType getContainerType() { result = t }
-
-  /** Gets a textual representation of this approximated content. */
-  string toString() { result = c.toString() }
-}
-
-/**
- * The front of an approximated access path. This is either a head or a nil.
- */
-abstract class ApproxAccessPathFront extends TApproxAccessPathFront {
-  abstract string toString();
-
-  abstract DataFlowType getType();
-
-  abstract boolean toBoolNonEmpty();
-
-  pragma[nomagic]
-  TypedContent getAHead() {
-    exists(TypedContentApprox cont |
-      this = TApproxFrontHead(cont) and
-      result = cont.getATypedContent()
-    )
-  }
-}
-
-class ApproxAccessPathFrontNil extends ApproxAccessPathFront, TApproxFrontNil {
-  private DataFlowType t;
-
-  ApproxAccessPathFrontNil() { this = TApproxFrontNil(t) }
-
-  override string toString() { result = ppReprType(t) }
-
-  override DataFlowType getType() { result = t }
-
-  override boolean toBoolNonEmpty() { result = false }
-}
-
-class ApproxAccessPathFrontHead extends ApproxAccessPathFront, TApproxFrontHead {
-  private TypedContentApprox tc;
-
-  ApproxAccessPathFrontHead() { this = TApproxFrontHead(tc) }
-
-  override string toString() { result = tc.toString() }
-
-  override DataFlowType getType() { result = tc.getContainerType() }
-
-  override boolean toBoolNonEmpty() { result = true }
-}
-
-/** An optional approximated access path front. */
-class ApproxAccessPathFrontOption extends TApproxAccessPathFrontOption {
-  string toString() {
-    this = TApproxAccessPathFrontNone() and result = "<none>"
-    or
-    this = TApproxAccessPathFrontSome(any(ApproxAccessPathFront apf | result = apf.toString()))
-  }
-}
-
 /** A `Content` tagged with the type of a containing object. */
 class TypedContent extends MkTypedContent {
   private Content c;
@@ -1482,7 +1336,7 @@ abstract class AccessPathFront extends TAccessPathFront {
 
   abstract DataFlowType getType();
 
-  abstract ApproxAccessPathFront toApprox();
+  abstract boolean toBoolNonEmpty();
 
   TypedContent getHead() { this = TFrontHead(result) }
 }
@@ -1496,7 +1350,7 @@ class AccessPathFrontNil extends AccessPathFront, TFrontNil {
 
   override DataFlowType getType() { result = t }
 
-  override ApproxAccessPathFront toApprox() { result = TApproxFrontNil(t) }
+  override boolean toBoolNonEmpty() { result = false }
 }
 
 class AccessPathFrontHead extends AccessPathFront, TFrontHead {
@@ -1508,7 +1362,7 @@ class AccessPathFrontHead extends AccessPathFront, TFrontHead {
 
   override DataFlowType getType() { result = tc.getContainerType() }
 
-  override ApproxAccessPathFront toApprox() { result.getAHead() = tc }
+  override boolean toBoolNonEmpty() { result = true }
 }
 
 /** An optional access path front. */

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll

@@ -244,25 +244,4 @@ module Consistency {
     not callable = viableCallable(call) and
     not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
   }
-
-  query predicate uniqueParameterNodeAtPosition(
-    DataFlowCallable c, ParameterPosition pos, Node p, string msg
-  ) {
-    isParameterNode(p, c, pos) and
-    not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
-    msg = "Parameters with overlapping positions."
-  }
-
-  query predicate uniqueParameterNodePosition(
-    DataFlowCallable c, ParameterPosition pos, Node p, string msg
-  ) {
-    isParameterNode(p, c, pos) and
-    not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
-    msg = "Parameter node with multiple positions."
-  }
-
-  query predicate uniqueContentApprox(Content c, string msg) {
-    not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
-    msg = "Non-unique content approximation."
-  }
 }

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -551,13 +551,6 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
  */
 predicate allowParameterReturnInSelf(ParameterNode p) { none() }
 
-/** An approximated `Content`. */
-class ContentApprox = Unit;
-
-/** Gets an approximated value for content `c`. */
-pragma[inline]
-ContentApprox getContentApprox(Content c) { any() }
-
 private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
   override predicate argHasPostUpdateExclude(ArgumentNode n) {
     // The rules for whether an IR argument gets a post-update node are too

cpp/ql/lib/experimental/semmle/code/cpp/semantic/SemanticExprSpecific.qll

@@ -292,8 +292,12 @@ module SemanticExprConfig {
     final Location getLocation() { result = super.getLocation() }
   }
 
-  private class ValueNumberBound extends Bound instanceof IRBound::ValueNumberBound {
-    override string toString() { result = IRBound::ValueNumberBound.super.toString() }
+  private class ValueNumberBound extends Bound {
+    IRBound::ValueNumberBound bound;
+
+    ValueNumberBound() { bound = this }
+
+    override string toString() { result = bound.toString() }
   }
 
   predicate zeroBound(Bound bound) { bound instanceof IRBound::ZeroBound }

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/SignAnalysisCommon.qll

@@ -33,15 +33,23 @@ abstract private class FlowSignDef extends SignDef {
 }
 
 /** An SSA definition whose sign is determined by the sign of that definitions source expression. */
-private class ExplicitSignDef extends FlowSignDef instanceof SemSsaExplicitUpdate {
-  final override Sign getSign() { result = semExprSign(super.getSourceExpr()) }
+private class ExplicitSignDef extends FlowSignDef {
+  SemSsaExplicitUpdate update;
+
+  ExplicitSignDef() { update = this }
+
+  final override Sign getSign() { result = semExprSign(update.getSourceExpr()) }
 }
 
 /** An SSA Phi definition, whose sign is the union of the signs of its inputs. */
-private class PhiSignDef extends FlowSignDef instanceof SemSsaPhiNode {
+private class PhiSignDef extends FlowSignDef {
+  SemSsaPhiNode phi;
+
+  PhiSignDef() { phi = this }
+
   final override Sign getSign() {
     exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
-      edge.phiInput(this, inp) and
+      edge.phiInput(phi, inp) and
       result = semSsaSign(inp, edge)
     )
   }

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.5.0
+version: 0.4.5-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -7,4 +7,3 @@ library: true
 upgrades: upgrades
 dependencies:
   codeql/ssa: ${workspace}
-  codeql/tutorial: ${workspace}

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -397,8 +397,11 @@ private int lengthInBase16(float f) {
 /**
  * A class to represent format strings that occur as arguments to invocations of formatting functions.
  */
-class FormatLiteral extends Literal instanceof StringLiteral {
-  FormatLiteral() { exists(FormattingFunctionCall ffc | ffc.getFormat() = this) }
+class FormatLiteral extends Literal {
+  FormatLiteral() {
+    exists(FormattingFunctionCall ffc | ffc.getFormat() = this) and
+    this instanceof StringLiteral
+  }
 
   /**
    * Gets the function call where this format string is used.

cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll

@@ -30,12 +30,15 @@ abstract class ScanfFunction extends Function {
 /**
  * The standard function `scanf` (and variations).
  */
-class Scanf extends ScanfFunction instanceof TopLevelFunction {
+class Scanf extends ScanfFunction {
   Scanf() {
-    this.hasGlobalOrStdOrBslName("scanf") or // scanf(format, args...)
-    this.hasGlobalOrStdOrBslName("wscanf") or // wscanf(format, args...)
-    this.hasGlobalName("_scanf_l") or // _scanf_l(format, locale, args...)
-    this.hasGlobalName("_wscanf_l")
+    this instanceof TopLevelFunction and
+    (
+      this.hasGlobalOrStdOrBslName("scanf") or // scanf(format, args...)
+      this.hasGlobalOrStdOrBslName("wscanf") or // wscanf(format, args...)
+      this.hasGlobalName("_scanf_l") or // _scanf_l(format, locale, args...)
+      this.hasGlobalName("_wscanf_l") // _wscanf_l(format, locale, args...)
+    )
   }
 
   override int getInputParameterIndex() { none() }
@@ -46,12 +49,15 @@ class Scanf extends ScanfFunction instanceof TopLevelFunction {
 /**
  * The standard function `fscanf` (and variations).
  */
-class Fscanf extends ScanfFunction instanceof TopLevelFunction {
+class Fscanf extends ScanfFunction {
   Fscanf() {
-    this.hasGlobalOrStdOrBslName("fscanf") or // fscanf(src_stream, format, args...)
-    this.hasGlobalOrStdOrBslName("fwscanf") or // fwscanf(src_stream, format, args...)
-    this.hasGlobalName("_fscanf_l") or // _fscanf_l(src_stream, format, locale, args...)
-    this.hasGlobalName("_fwscanf_l")
+    this instanceof TopLevelFunction and
+    (
+      this.hasGlobalOrStdOrBslName("fscanf") or // fscanf(src_stream, format, args...)
+      this.hasGlobalOrStdOrBslName("fwscanf") or // fwscanf(src_stream, format, args...)
+      this.hasGlobalName("_fscanf_l") or // _fscanf_l(src_stream, format, locale, args...)
+      this.hasGlobalName("_fwscanf_l") // _fwscanf_l(src_stream, format, locale, args...)
+    )
   }
 
   override int getInputParameterIndex() { result = 0 }
@@ -62,12 +68,15 @@ class Fscanf extends ScanfFunction instanceof TopLevelFunction {
 /**
  * The standard function `sscanf` (and variations).
  */
-class Sscanf extends ScanfFunction instanceof TopLevelFunction {
+class Sscanf extends ScanfFunction {
   Sscanf() {
-    this.hasGlobalOrStdOrBslName("sscanf") or // sscanf(src_stream, format, args...)
-    this.hasGlobalOrStdOrBslName("swscanf") or // swscanf(src, format, args...)
-    this.hasGlobalName("_sscanf_l") or // _sscanf_l(src, format, locale, args...)
-    this.hasGlobalName("_swscanf_l")
+    this instanceof TopLevelFunction and
+    (
+      this.hasGlobalOrStdOrBslName("sscanf") or // sscanf(src_stream, format, args...)
+      this.hasGlobalOrStdOrBslName("swscanf") or // swscanf(src, format, args...)
+      this.hasGlobalName("_sscanf_l") or // _sscanf_l(src, format, locale, args...)
+      this.hasGlobalName("_swscanf_l") // _swscanf_l(src, format, locale, args...)
+    )
   }
 
   override int getInputParameterIndex() { result = 0 }
@@ -78,12 +87,17 @@ class Sscanf extends ScanfFunction instanceof TopLevelFunction {
 /**
  * The standard(ish) function `snscanf` (and variations).
  */
-class Snscanf extends ScanfFunction instanceof TopLevelFunction {
+class Snscanf extends ScanfFunction {
   Snscanf() {
-    this.hasGlobalName("_snscanf") or // _snscanf(src, max_amount, format, args...)
-    this.hasGlobalName("_snwscanf") or // _snwscanf(src, max_amount, format, args...)
-    this.hasGlobalName("_snscanf_l") or // _snscanf_l(src, max_amount, format, locale, args...)
-    this.hasGlobalName("_snwscanf_l")
+    this instanceof TopLevelFunction and
+    (
+      this.hasGlobalName("_snscanf") or // _snscanf(src, max_amount, format, args...)
+      this.hasGlobalName("_snwscanf") or // _snwscanf(src, max_amount, format, args...)
+      this.hasGlobalName("_snscanf_l") or // _snscanf_l(src, max_amount, format, locale, args...)
+      this.hasGlobalName("_snwscanf_l") // _snwscanf_l(src, max_amount, format, locale, args...)
+      // note that the max_amount is not a limit on the output length, it's an input length
+      // limit used with non null-terminated strings.
+    )
   }
 
   override int getInputParameterIndex() { result = 0 }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -915,57 +915,18 @@ private module Cached {
     TDataFlowCallNone() or
     TDataFlowCallSome(DataFlowCall call)
 
-  cached
-  newtype TParamNodeOption =
-    TParamNodeNone() or
-    TParamNodeSome(ParamNode p)
-
-  cached
-  newtype TReturnCtx =
-    TReturnCtxNone() or
-    TReturnCtxNoFlowThrough() or
-    TReturnCtxMaybeFlowThrough(ReturnPosition pos)
-
-  cached
-  newtype TTypedContentApprox =
-    MkTypedContentApprox(ContentApprox c, DataFlowType t) {
-      exists(Content cont |
-        c = getContentApprox(cont) and
-        store(_, cont, _, _, t)
-      )
-    }
-
   cached
   newtype TTypedContent = MkTypedContent(Content c, DataFlowType t) { store(_, c, _, _, t) }
 
-  cached
-  TypedContent getATypedContent(TypedContentApprox c) {
-    exists(ContentApprox cls, DataFlowType t, Content cont |
-      c = MkTypedContentApprox(cls, pragma[only_bind_into](t)) and
-      result = MkTypedContent(cont, pragma[only_bind_into](t)) and
-      cls = getContentApprox(cont)
-    )
-  }
-
   cached
   newtype TAccessPathFront =
     TFrontNil(DataFlowType t) or
     TFrontHead(TypedContent tc)
 
-  cached
-  newtype TApproxAccessPathFront =
-    TApproxFrontNil(DataFlowType t) or
-    TApproxFrontHead(TypedContentApprox tc)
-
   cached
   newtype TAccessPathFrontOption =
     TAccessPathFrontNone() or
     TAccessPathFrontSome(AccessPathFront apf)
-
-  cached
-  newtype TApproxAccessPathFrontOption =
-    TApproxAccessPathFrontNone() or
-    TApproxAccessPathFrontSome(ApproxAccessPathFront apf)
 }
 
 /**
@@ -1343,113 +1304,6 @@ class DataFlowCallOption extends TDataFlowCallOption {
   }
 }
 
-/** An optional `ParamNode`. */
-class ParamNodeOption extends TParamNodeOption {
-  string toString() {
-    this = TParamNodeNone() and
-    result = "(none)"
-    or
-    exists(ParamNode p |
-      this = TParamNodeSome(p) and
-      result = p.toString()
-    )
-  }
-}
-
-/**
- * A return context used to calculate flow summaries in reverse flow.
- *
- * The possible values are:
- *
- * - `TReturnCtxNone()`: no return flow.
- * - `TReturnCtxNoFlowThrough()`: return flow, but flow through is not possible.
- * - `TReturnCtxMaybeFlowThrough(ReturnPosition pos)`: return flow, of kind `pos`, and
- *    flow through may be possible.
- */
-class ReturnCtx extends TReturnCtx {
-  string toString() {
-    this = TReturnCtxNone() and
-    result = "(none)"
-    or
-    this = TReturnCtxNoFlowThrough() and
-    result = "(no flow through)"
-    or
-    exists(ReturnPosition pos |
-      this = TReturnCtxMaybeFlowThrough(pos) and
-      result = pos.toString()
-    )
-  }
-}
-
-/** An approximated `Content` tagged with the type of a containing object. */
-class TypedContentApprox extends MkTypedContentApprox {
-  private ContentApprox c;
-  private DataFlowType t;
-
-  TypedContentApprox() { this = MkTypedContentApprox(c, t) }
-
-  /** Gets a typed content approximated by this value. */
-  TypedContent getATypedContent() { result = getATypedContent(this) }
-
-  /** Gets the container type. */
-  DataFlowType getContainerType() { result = t }
-
-  /** Gets a textual representation of this approximated content. */
-  string toString() { result = c.toString() }
-}
-
-/**
- * The front of an approximated access path. This is either a head or a nil.
- */
-abstract class ApproxAccessPathFront extends TApproxAccessPathFront {
-  abstract string toString();
-
-  abstract DataFlowType getType();
-
-  abstract boolean toBoolNonEmpty();
-
-  pragma[nomagic]
-  TypedContent getAHead() {
-    exists(TypedContentApprox cont |
-      this = TApproxFrontHead(cont) and
-      result = cont.getATypedContent()
-    )
-  }
-}
-
-class ApproxAccessPathFrontNil extends ApproxAccessPathFront, TApproxFrontNil {
-  private DataFlowType t;
-
-  ApproxAccessPathFrontNil() { this = TApproxFrontNil(t) }
-
-  override string toString() { result = ppReprType(t) }
-
-  override DataFlowType getType() { result = t }
-
-  override boolean toBoolNonEmpty() { result = false }
-}
-
-class ApproxAccessPathFrontHead extends ApproxAccessPathFront, TApproxFrontHead {
-  private TypedContentApprox tc;
-
-  ApproxAccessPathFrontHead() { this = TApproxFrontHead(tc) }
-
-  override string toString() { result = tc.toString() }
-
-  override DataFlowType getType() { result = tc.getContainerType() }
-
-  override boolean toBoolNonEmpty() { result = true }
-}
-
-/** An optional approximated access path front. */
-class ApproxAccessPathFrontOption extends TApproxAccessPathFrontOption {
-  string toString() {
-    this = TApproxAccessPathFrontNone() and result = "<none>"
-    or
-    this = TApproxAccessPathFrontSome(any(ApproxAccessPathFront apf | result = apf.toString()))
-  }
-}
-
 /** A `Content` tagged with the type of a containing object. */
 class TypedContent extends MkTypedContent {
   private Content c;
@@ -1482,7 +1336,7 @@ abstract class AccessPathFront extends TAccessPathFront {
 
   abstract DataFlowType getType();
 
-  abstract ApproxAccessPathFront toApprox();
+  abstract boolean toBoolNonEmpty();
 
   TypedContent getHead() { this = TFrontHead(result) }
 }
@@ -1496,7 +1350,7 @@ class AccessPathFrontNil extends AccessPathFront, TFrontNil {
 
   override DataFlowType getType() { result = t }
 
-  override ApproxAccessPathFront toApprox() { result = TApproxFrontNil(t) }
+  override boolean toBoolNonEmpty() { result = false }
 }
 
 class AccessPathFrontHead extends AccessPathFront, TFrontHead {
@@ -1508,7 +1362,7 @@ class AccessPathFrontHead extends AccessPathFront, TFrontHead {
 
   override DataFlowType getType() { result = tc.getContainerType() }
 
-  override ApproxAccessPathFront toApprox() { result.getAHead() = tc }
+  override boolean toBoolNonEmpty() { result = true }
 }
 
 /** An optional access path front. */

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll

@@ -244,25 +244,4 @@ module Consistency {
     not callable = viableCallable(call) and
     not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
   }
-
-  query predicate uniqueParameterNodeAtPosition(
-    DataFlowCallable c, ParameterPosition pos, Node p, string msg
-  ) {
-    isParameterNode(p, c, pos) and
-    not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
-    msg = "Parameters with overlapping positions."
-  }
-
-  query predicate uniqueParameterNodePosition(
-    DataFlowCallable c, ParameterPosition pos, Node p, string msg
-  ) {
-    isParameterNode(p, c, pos) and
-    not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
-    msg = "Parameter node with multiple positions."
-  }
-
-  query predicate uniqueContentApprox(Content c, string msg) {
-    not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
-    msg = "Non-unique content approximation."
-  }
 }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -296,13 +296,6 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
  */
 predicate allowParameterReturnInSelf(ParameterNode p) { none() }
 
-/** An approximated `Content`. */
-class ContentApprox = Unit;
-
-/** Gets an approximated value for content `c`. */
-pragma[inline]
-ContentApprox getContentApprox(Content c) { any() }
-
 private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
   override predicate argHasPostUpdateExclude(ArgumentNode n) {
     // Is the null pointer (or something that's not really a pointer)

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -1,21 +1,642 @@
 /**
- * DEPRECATED: Use `semmle.code.cpp.ir.dataflow.TaintTracking` as a replacement.
- *
  * An IR taint tracking library that uses an IR DataFlow configuration to track
  * taint from user inputs as defined by `semmle.code.cpp.security.Security`.
  */
 
 import cpp
 import semmle.code.cpp.security.Security
-private import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl as DefaultTaintTrackingImpl
+private import semmle.code.cpp.ir.dataflow.DataFlow
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.dataflow.DataFlow3
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.dataflow.ResolveCall
+private import semmle.code.cpp.controlflow.IRGuards
+private import semmle.code.cpp.models.interfaces.Taint
+private import semmle.code.cpp.models.interfaces.DataFlow
+private import semmle.code.cpp.ir.dataflow.TaintTracking
+private import semmle.code.cpp.ir.dataflow.TaintTracking2
+private import semmle.code.cpp.ir.dataflow.TaintTracking3
+private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
 
-deprecated predicate predictableOnlyFlow = DefaultTaintTrackingImpl::predictableOnlyFlow/1;
+/**
+ * A predictable instruction is one where an external user can predict
+ * the value. For example, a literal in the source code is considered
+ * predictable.
+ */
+private predicate predictableInstruction(Instruction instr) {
+  instr instanceof ConstantInstruction
+  or
+  instr instanceof StringConstantInstruction
+  or
+  // This could be a conversion on a string literal
+  predictableInstruction(instr.(UnaryInstruction).getUnary())
+}
 
-deprecated predicate tainted = DefaultTaintTrackingImpl::tainted/2;
+/**
+ * Functions that we should only allow taint to flow through (to the return
+ * value) if all but the source argument are 'predictable'.  This is done to
+ * emulate the old security library's implementation rather than due to any
+ * strong belief that this is the right approach.
+ *
+ * Note that the list itself is not very principled; it consists of all the
+ * functions listed in the old security library's [default] `isPureFunction`
+ * that have more than one argument, but are not in the old taint tracking
+ * library's `returnArgument` predicate.
+ */
+predicate predictableOnlyFlow(string name) {
+  name =
+    [
+      "strcasestr", "strchnul", "strchr", "strchrnul", "strcmp", "strcspn", "strncmp", "strndup",
+      "strnlen", "strrchr", "strspn", "strstr", "strtod", "strtof", "strtol", "strtoll", "strtoq",
+      "strtoul"
+    ]
+}
 
-deprecated predicate taintedIncludingGlobalVars =
-  DefaultTaintTrackingImpl::taintedIncludingGlobalVars/3;
+private DataFlow::Node getNodeForSource(Expr source) {
+  isUserInput(source, _) and
+  result = getNodeForExpr(source)
+}
 
-deprecated predicate globalVarFromId = DefaultTaintTrackingImpl::globalVarFromId/1;
+private DataFlow::Node getNodeForExpr(Expr node) {
+  result = DataFlow::exprNode(node)
+  or
+  // Some of the sources in `isUserInput` are intended to match the value of
+  // an expression, while others (those modeled below) are intended to match
+  // the taint that propagates out of an argument, like the `char *` argument
+  // to `gets`. It's impossible here to tell which is which, but the "access
+  // to argv" source is definitely not intended to match an output argument,
+  // and it causes false positives if we let it.
+  //
+  // This case goes together with the similar (but not identical) rule in
+  // `nodeIsBarrierIn`.
+  result = DataFlow::definitionByReferenceNodeFromArgument(node) and
+  not argv(node.(VariableAccess).getTarget())
+}
 
-deprecated module TaintedWithPath = DefaultTaintTrackingImpl::TaintedWithPath;
+private class DefaultTaintTrackingCfg extends TaintTracking::Configuration {
+  DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" }
+
+  override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
+
+  override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
+
+  override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
+
+  override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+}
+
+private class ToGlobalVarTaintTrackingCfg extends TaintTracking::Configuration {
+  ToGlobalVarTaintTrackingCfg() { this = "GlobalVarTaintTrackingCfg" }
+
+  override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asVariable() instanceof GlobalOrNamespaceVariable
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
+    or
+    readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
+
+  override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+}
+
+private class FromGlobalVarTaintTrackingCfg extends TaintTracking2::Configuration {
+  FromGlobalVarTaintTrackingCfg() { this = "FromGlobalVarTaintTrackingCfg" }
+
+  override predicate isSource(DataFlow::Node source) {
+    // This set of sources should be reasonably small, which is good for
+    // performance since the set of sinks is very large.
+    exists(ToGlobalVarTaintTrackingCfg otherCfg | otherCfg.hasFlowTo(source))
+  }
+
+  override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    // Additional step for flow out of variables. There is no flow _into_
+    // variables in this configuration, so this step only serves to take flow
+    // out of a variable that's a source.
+    readsVariable(n2.asInstruction(), n1.asVariable())
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
+
+  override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+}
+
+private predicate readsVariable(LoadInstruction load, Variable var) {
+  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
+}
+
+private predicate writesVariable(StoreInstruction store, Variable var) {
+  store.getDestinationAddress().(VariableAddressInstruction).getAstVariable() = var
+}
+
+/**
+ * A variable that has any kind of upper-bound check anywhere in the program.  This is
+ * biased towards being inclusive because there are a lot of valid ways of doing an
+ * upper bounds checks if we don't consider where it occurs, for example:
+ * ```
+ *   if (x < 10) { sink(x); }
+ *
+ *   if (10 > y) { sink(y); }
+ *
+ *   if (z > 10) { z = 10; }
+ *   sink(z);
+ * ```
+ */
+// TODO: This coarse overapproximation, ported from the old taint tracking
+// library, could be replaced with an actual semantic check that a particular
+// variable _access_ is guarded by an upper-bound check. We probably don't want
+// to do this right away since it could expose a lot of FPs that were
+// previously suppressed by this predicate by coincidence.
+private predicate hasUpperBoundsCheck(Variable var) {
+  exists(RelationalOperation oper, VariableAccess access |
+    oper.getAnOperand() = access and
+    access.getTarget() = var and
+    // Comparing to 0 is not an upper bound check
+    not oper.getAnOperand().getValue() = "0"
+  )
+}
+
+private predicate nodeIsBarrierEqualityCandidate(
+  DataFlow::Node node, Operand access, Variable checkedVar
+) {
+  readsVariable(node.asInstruction(), checkedVar) and
+  any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
+}
+
+cached
+private module Cached {
+  cached
+  predicate nodeIsBarrier(DataFlow::Node node) {
+    exists(Variable checkedVar |
+      readsVariable(node.asInstruction(), checkedVar) and
+      hasUpperBoundsCheck(checkedVar)
+    )
+    or
+    exists(Variable checkedVar, Operand access |
+      /*
+       * This node is guarded by a condition that forces the accessed variable
+       * to equal something else.  For example:
+       * ```
+       * x = taintsource()
+       * if (x == 10) {
+       *   taintsink(x); // not considered tainted
+       * }
+       * ```
+       */
+
+      nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
+      readsVariable(access.getDef(), checkedVar)
+    )
+  }
+
+  cached
+  predicate nodeIsBarrierIn(DataFlow::Node node) {
+    // don't use dataflow into taint sources, as this leads to duplicate results.
+    exists(Expr source | isUserInput(source, _) |
+      node = DataFlow::exprNode(source)
+      or
+      // This case goes together with the similar (but not identical) rule in
+      // `getNodeForSource`.
+      node = DataFlow::definitionByReferenceNodeFromArgument(source)
+    )
+    or
+    // don't use dataflow into binary instructions if both operands are unpredictable
+    exists(BinaryInstruction iTo |
+      iTo = node.asInstruction() and
+      not predictableInstruction(iTo.getLeft()) and
+      not predictableInstruction(iTo.getRight()) and
+      // propagate taint from either the pointer or the offset, regardless of predictability
+      not iTo instanceof PointerArithmeticInstruction
+    )
+    or
+    // don't use dataflow through calls to pure functions if two or more operands
+    // are unpredictable
+    exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
+      iTo = node.asInstruction() and
+      isPureFunction(iTo.getStaticCallTarget().getName()) and
+      iFrom1 = iTo.getAnArgument() and
+      iFrom2 = iTo.getAnArgument() and
+      not predictableInstruction(iFrom1) and
+      not predictableInstruction(iFrom2) and
+      iFrom1 != iFrom2
+    )
+  }
+
+  cached
+  Element adjustedSink(DataFlow::Node sink) {
+    // TODO: is it more appropriate to use asConvertedExpr here and avoid
+    // `getConversion*`? Or will that cause us to miss some cases where there's
+    // flow to a conversion (like a `ReferenceDereferenceExpr`) and we want to
+    // pretend there was flow to the converted `Expr` for the sake of
+    // compatibility.
+    sink.asExpr().getConversion*() = result
+    or
+    // For compatibility, send flow from arguments to parameters, even for
+    // functions with no body.
+    exists(FunctionCall call, int i |
+      sink.asExpr() = call.getArgument(pragma[only_bind_into](i)) and
+      result = resolveCall(call).getParameter(pragma[only_bind_into](i))
+    )
+    or
+    // For compatibility, send flow into a `Variable` if there is flow to any
+    // Load or Store of that variable.
+    exists(CopyInstruction copy |
+      copy.getSourceValue() = sink.asInstruction() and
+      (
+        readsVariable(copy, result) or
+        writesVariable(copy, result)
+      ) and
+      not hasUpperBoundsCheck(result)
+    )
+    or
+    // For compatibility, send flow into a `NotExpr` even if it's part of a
+    // short-circuiting condition and thus might get skipped.
+    result.(NotExpr).getOperand() = sink.asExpr()
+    or
+    // Taint postfix and prefix crement operations when their operand is tainted.
+    result.(CrementOperation).getAnOperand() = sink.asExpr()
+    or
+    // Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
+    result.(AssignOperation).getAnOperand() = sink.asExpr()
+    or
+    result =
+      sink.asOperand()
+          .(SideEffectOperand)
+          .getUse()
+          .(ReadSideEffectInstruction)
+          .getArgumentDef()
+          .getUnconvertedResultExpression()
+  }
+
+  /**
+   * Step to return value of a modeled function when an input taints the
+   * dereference of the return value.
+   */
+  cached
+  predicate additionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(CallInstruction call, Function func, FunctionInput modelIn, FunctionOutput modelOut |
+      n1.asOperand() = callInput(call, modelIn) and
+      (
+        func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
+        or
+        func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
+      ) and
+      call.getStaticCallTarget() = func and
+      modelOut.isReturnValueDeref() and
+      call = n2.asInstruction()
+    )
+  }
+}
+
+private import Cached
+
+/**
+ * Holds if `tainted` may contain taint from `source`.
+ *
+ * A tainted expression is either directly user input, or is
+ * computed from user input in a way that users can probably
+ * control the exact output of the computation.
+ *
+ * This doesn't include data flow through global variables.
+ * If you need that you must call `taintedIncludingGlobalVars`.
+ */
+cached
+predicate tainted(Expr source, Element tainted) {
+  exists(DefaultTaintTrackingCfg cfg, DataFlow::Node sink |
+    cfg.hasFlow(getNodeForSource(source), sink) and
+    tainted = adjustedSink(sink)
+  )
+}
+
+/**
+ * Holds if `tainted` may contain taint from `source`, where the taint passed
+ * through a global variable named `globalVar`.
+ *
+ * A tainted expression is either directly user input, or is
+ * computed from user input in a way that users can probably
+ * control the exact output of the computation.
+ *
+ * This version gives the same results as tainted but also includes
+ * data flow through global variables.
+ *
+ * The parameter `globalVar` is the qualified name of the last global variable
+ * used to move the value from source to tainted. If the taint did not pass
+ * through a global variable, then `globalVar = ""`.
+ */
+cached
+predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar) {
+  tainted(source, tainted) and
+  globalVar = ""
+  or
+  exists(
+    ToGlobalVarTaintTrackingCfg toCfg, FromGlobalVarTaintTrackingCfg fromCfg,
+    DataFlow::VariableNode variableNode, GlobalOrNamespaceVariable global, DataFlow::Node sink
+  |
+    global = variableNode.getVariable() and
+    toCfg.hasFlow(getNodeForSource(source), variableNode) and
+    fromCfg.hasFlow(variableNode, sink) and
+    tainted = adjustedSink(sink) and
+    global = globalVarFromId(globalVar)
+  )
+}
+
+/**
+ * Gets the global variable whose qualified name is `id`. Use this predicate
+ * together with `taintedIncludingGlobalVars`. Example:
+ *
+ * ```
+ * exists(string varName |
+ *   taintedIncludingGlobalVars(source, tainted, varName) and
+ *   var = globalVarFromId(varName)
+ * )
+ * ```
+ */
+GlobalOrNamespaceVariable globalVarFromId(string id) { id = result.getQualifiedName() }
+
+/**
+ * Provides definitions for augmenting source/sink pairs with data-flow paths
+ * between them. From a `@kind path-problem` query, import this module in the
+ * global scope, extend `TaintTrackingConfiguration`, and use `taintedWithPath`
+ * in place of `tainted`.
+ *
+ * Importing this module will also import the query predicates that contain the
+ * taint paths.
+ */
+module TaintedWithPath {
+  private newtype TSingleton = MkSingleton()
+
+  /**
+   * A taint-tracking configuration that matches sources and sinks in the same
+   * way as the `tainted` predicate.
+   *
+   * Override `isSink` and `taintThroughGlobals` as needed, but do not provide
+   * a characteristic predicate.
+   */
+  class TaintTrackingConfiguration extends TSingleton {
+    /** Override this to specify which elements are sources in this configuration. */
+    predicate isSource(Expr source) { exists(getNodeForSource(source)) }
+
+    /** Override this to specify which elements are sinks in this configuration. */
+    abstract predicate isSink(Element e);
+
+    /** Override this to specify which expressions are barriers in this configuration. */
+    predicate isBarrier(Expr e) { nodeIsBarrier(getNodeForExpr(e)) }
+
+    /**
+     * Override this predicate to `any()` to allow taint to flow through global
+     * variables.
+     */
+    predicate taintThroughGlobals() { none() }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = "TaintTrackingConfiguration" }
+  }
+
+  private class AdjustedConfiguration extends TaintTracking3::Configuration {
+    AdjustedConfiguration() { this = "AdjustedConfiguration" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(TaintTrackingConfiguration cfg, Expr e |
+        cfg.isSource(e) and source = getNodeForExpr(e)
+      )
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink)))
+    }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+      // Steps into and out of global variables
+      exists(TaintTrackingConfiguration cfg | cfg.taintThroughGlobals() |
+        writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
+        or
+        readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
+      )
+      or
+      additionalTaintStep(n1, n2)
+    }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e))
+    }
+
+    override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+  }
+
+  /*
+   * A sink `Element` may map to multiple `DataFlowX::PathNode`s via (the
+   * inverse of) `adjustedSink`. For example, an `Expr` maps to all its
+   * conversions, and a `Variable` maps to all loads and stores from it. Because
+   * the path node is part of the tuple that constitutes the alert, this leads
+   * to duplicate alerts.
+   *
+   * To avoid showing duplicates, we edit the graph to replace the final node
+   * coming from the data-flow library with a node that matches exactly the
+   * `Element` sink that's requested.
+   *
+   * The same is done for sources.
+   */
+
+  private newtype TPathNode =
+    TWrapPathNode(DataFlow3::PathNode n) or
+    // There's a single newtype constructor for both sources and sinks since
+    // that makes it easiest to deal with the case where source = sink.
+    TEndpointPathNode(Element e) {
+      exists(AdjustedConfiguration cfg, DataFlow3::Node sourceNode, DataFlow3::Node sinkNode |
+        cfg.hasFlow(sourceNode, sinkNode)
+      |
+        sourceNode = getNodeForExpr(e) and
+        exists(TaintTrackingConfiguration ttCfg | ttCfg.isSource(e))
+        or
+        e = adjustedSink(sinkNode) and
+        exists(TaintTrackingConfiguration ttCfg | ttCfg.isSink(e))
+      )
+    }
+
+  /** An opaque type used for the nodes of a data-flow path. */
+  class PathNode extends TPathNode {
+    /** Gets a textual representation of this element. */
+    string toString() { none() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      none()
+    }
+  }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  module Private {
+    /** Gets a predecessor `PathNode` of `pathNode`, if any. */
+    PathNode getAPredecessor(PathNode pathNode) { edges(result, pathNode) }
+
+    /** Gets the element that `pathNode` wraps, if any. */
+    Element getElementFromPathNode(PathNode pathNode) {
+      exists(DataFlow::Node node | node = pathNode.(WrapPathNode).inner().getNode() |
+        result = node.asInstruction().getAst()
+        or
+        result = node.asOperand().getDef().getAst()
+      )
+      or
+      result = pathNode.(EndpointPathNode).inner()
+    }
+  }
+
+  private class WrapPathNode extends PathNode, TWrapPathNode {
+    DataFlow3::PathNode inner() { this = TWrapPathNode(result) }
+
+    override string toString() { result = this.inner().toString() }
+
+    override predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      this.inner().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+  }
+
+  private class EndpointPathNode extends PathNode, TEndpointPathNode {
+    Expr inner() { this = TEndpointPathNode(result) }
+
+    override string toString() { result = this.inner().toString() }
+
+    override predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      this.inner()
+          .getLocation()
+          .hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+  }
+
+  /** A PathNode whose `Element` is a source. It may also be a sink. */
+  private class InitialPathNode extends EndpointPathNode {
+    InitialPathNode() { exists(TaintTrackingConfiguration cfg | cfg.isSource(this.inner())) }
+  }
+
+  /** A PathNode whose `Element` is a sink. It may also be a source. */
+  private class FinalPathNode extends EndpointPathNode {
+    FinalPathNode() { exists(TaintTrackingConfiguration cfg | cfg.isSink(this.inner())) }
+  }
+
+  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
+  query predicate edges(PathNode a, PathNode b) {
+    DataFlow3::PathGraph::edges(a.(WrapPathNode).inner(), b.(WrapPathNode).inner())
+    or
+    // To avoid showing trivial-looking steps, we _replace_ the last node instead
+    // of adding an edge out of it.
+    exists(WrapPathNode sinkNode |
+      DataFlow3::PathGraph::edges(a.(WrapPathNode).inner(), sinkNode.inner()) and
+      b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
+    )
+    or
+    // Same for the first node
+    exists(WrapPathNode sourceNode |
+      DataFlow3::PathGraph::edges(sourceNode.inner(), b.(WrapPathNode).inner()) and
+      sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner())
+    )
+    or
+    // Finally, handle the case where the path goes directly from a source to a
+    // sink, meaning that they both need to be translated.
+    exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
+      DataFlow3::PathGraph::edges(sourceNode.inner(), sinkNode.inner()) and
+      sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner()) and
+      b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
+    )
+  }
+
+  /**
+   * Holds if there is flow from `arg` to `out` across a call that can by summarized by the flow
+   * from `par` to `ret` within it, in the graph of data flow path explanations.
+   */
+  query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
+    DataFlow3::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
+      ret.(WrapPathNode).inner(), out.(WrapPathNode).inner())
+    or
+    // To avoid showing trivial-looking steps, we _replace_ the last node instead
+    // of adding an edge out of it.
+    exists(WrapPathNode sinkNode |
+      DataFlow3::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
+        ret.(WrapPathNode).inner(), sinkNode.inner()) and
+      out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
+    )
+    or
+    // Same for the first node
+    exists(WrapPathNode sourceNode |
+      DataFlow3::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
+        ret.(WrapPathNode).inner(), out.(WrapPathNode).inner()) and
+      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner())
+    )
+    or
+    // Finally, handle the case where the path goes directly from a source to a
+    // sink, meaning that they both need to be translated.
+    exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
+      DataFlow3::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
+        ret.(WrapPathNode).inner(), sinkNode.inner()) and
+      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner()) and
+      out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
+    )
+  }
+
+  /** Holds if `n` is a node in the graph of data flow path explanations. */
+  query predicate nodes(PathNode n, string key, string val) {
+    key = "semmle.label" and val = n.toString()
+  }
+
+  /**
+   * Holds if `tainted` may contain taint from `source`, where `sourceNode` and
+   * `sinkNode` are the corresponding `PathNode`s that can be used in a query
+   * to provide path explanations. Extend `TaintTrackingConfiguration` to use
+   * this predicate.
+   *
+   * A tainted expression is either directly user input, or is computed from
+   * user input in a way that users can probably control the exact output of
+   * the computation.
+   */
+  predicate taintedWithPath(Expr source, Element tainted, PathNode sourceNode, PathNode sinkNode) {
+    exists(AdjustedConfiguration cfg, DataFlow3::Node flowSource, DataFlow3::Node flowSink |
+      source = sourceNode.(InitialPathNode).inner() and
+      flowSource = getNodeForExpr(source) and
+      cfg.hasFlow(flowSource, flowSink) and
+      tainted = adjustedSink(flowSink) and
+      tainted = sinkNode.(FinalPathNode).inner()
+    )
+  }
+
+  private predicate isGlobalVariablePathNode(WrapPathNode n) {
+    n.inner().getNode().asVariable() instanceof GlobalOrNamespaceVariable
+  }
+
+  private predicate edgesWithoutGlobals(PathNode a, PathNode b) {
+    edges(a, b) and
+    not isGlobalVariablePathNode(a) and
+    not isGlobalVariablePathNode(b)
+  }
+
+  /**
+   * Holds if `tainted` can be reached from a taint source without passing
+   * through a global variable.
+   */
+  predicate taintedWithoutGlobals(Element tainted) {
+    exists(AdjustedConfiguration cfg, PathNode sourceNode, FinalPathNode sinkNode |
+      cfg.isSource(sourceNode.(WrapPathNode).inner().getNode()) and
+      edgesWithoutGlobals+(sourceNode, sinkNode) and
+      tainted = sinkNode.inner()
+    )
+  }
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -915,57 +915,18 @@ private module Cached {
     TDataFlowCallNone() or
     TDataFlowCallSome(DataFlowCall call)
 
-  cached
-  newtype TParamNodeOption =
-    TParamNodeNone() or
-    TParamNodeSome(ParamNode p)
-
-  cached
-  newtype TReturnCtx =
-    TReturnCtxNone() or
-    TReturnCtxNoFlowThrough() or
-    TReturnCtxMaybeFlowThrough(ReturnPosition pos)
-
-  cached
-  newtype TTypedContentApprox =
-    MkTypedContentApprox(ContentApprox c, DataFlowType t) {
-      exists(Content cont |
-        c = getContentApprox(cont) and
-        store(_, cont, _, _, t)
-      )
-    }
-
   cached
   newtype TTypedContent = MkTypedContent(Content c, DataFlowType t) { store(_, c, _, _, t) }
 
-  cached
-  TypedContent getATypedContent(TypedContentApprox c) {
-    exists(ContentApprox cls, DataFlowType t, Content cont |
-      c = MkTypedContentApprox(cls, pragma[only_bind_into](t)) and
-      result = MkTypedContent(cont, pragma[only_bind_into](t)) and
-      cls = getContentApprox(cont)
-    )
-  }
-
   cached
   newtype TAccessPathFront =
     TFrontNil(DataFlowType t) or
     TFrontHead(TypedContent tc)
 
-  cached
-  newtype TApproxAccessPathFront =
-    TApproxFrontNil(DataFlowType t) or
-    TApproxFrontHead(TypedContentApprox tc)
-
   cached
   newtype TAccessPathFrontOption =
     TAccessPathFrontNone() or
     TAccessPathFrontSome(AccessPathFront apf)
-
-  cached
-  newtype TApproxAccessPathFrontOption =
-    TApproxAccessPathFrontNone() or
-    TApproxAccessPathFrontSome(ApproxAccessPathFront apf)
 }
 
 /**
@@ -1343,113 +1304,6 @@ class DataFlowCallOption extends TDataFlowCallOption {
   }
 }
 
-/** An optional `ParamNode`. */
-class ParamNodeOption extends TParamNodeOption {
-  string toString() {
-    this = TParamNodeNone() and
-    result = "(none)"
-    or
-    exists(ParamNode p |
-      this = TParamNodeSome(p) and
-      result = p.toString()
-    )
-  }
-}
-
-/**
- * A return context used to calculate flow summaries in reverse flow.
- *
- * The possible values are:
- *
- * - `TReturnCtxNone()`: no return flow.
- * - `TReturnCtxNoFlowThrough()`: return flow, but flow through is not possible.
- * - `TReturnCtxMaybeFlowThrough(ReturnPosition pos)`: return flow, of kind `pos`, and
- *    flow through may be possible.
- */
-class ReturnCtx extends TReturnCtx {
-  string toString() {
-    this = TReturnCtxNone() and
-    result = "(none)"
-    or
-    this = TReturnCtxNoFlowThrough() and
-    result = "(no flow through)"
-    or
-    exists(ReturnPosition pos |
-      this = TReturnCtxMaybeFlowThrough(pos) and
-      result = pos.toString()
-    )
-  }
-}
-
-/** An approximated `Content` tagged with the type of a containing object. */
-class TypedContentApprox extends MkTypedContentApprox {
-  private ContentApprox c;
-  private DataFlowType t;
-
-  TypedContentApprox() { this = MkTypedContentApprox(c, t) }
-
-  /** Gets a typed content approximated by this value. */
-  TypedContent getATypedContent() { result = getATypedContent(this) }
-
-  /** Gets the container type. */
-  DataFlowType getContainerType() { result = t }
-
-  /** Gets a textual representation of this approximated content. */
-  string toString() { result = c.toString() }
-}
-
-/**
- * The front of an approximated access path. This is either a head or a nil.
- */
-abstract class ApproxAccessPathFront extends TApproxAccessPathFront {
-  abstract string toString();
-
-  abstract DataFlowType getType();
-
-  abstract boolean toBoolNonEmpty();
-
-  pragma[nomagic]
-  TypedContent getAHead() {
-    exists(TypedContentApprox cont |
-      this = TApproxFrontHead(cont) and
-      result = cont.getATypedContent()
-    )
-  }
-}
-
-class ApproxAccessPathFrontNil extends ApproxAccessPathFront, TApproxFrontNil {
-  private DataFlowType t;
-
-  ApproxAccessPathFrontNil() { this = TApproxFrontNil(t) }
-
-  override string toString() { result = ppReprType(t) }
-
-  override DataFlowType getType() { result = t }
-
-  override boolean toBoolNonEmpty() { result = false }
-}
-
-class ApproxAccessPathFrontHead extends ApproxAccessPathFront, TApproxFrontHead {
-  private TypedContentApprox tc;
-
-  ApproxAccessPathFrontHead() { this = TApproxFrontHead(tc) }
-
-  override string toString() { result = tc.toString() }
-
-  override DataFlowType getType() { result = tc.getContainerType() }
-
-  override boolean toBoolNonEmpty() { result = true }
-}
-
-/** An optional approximated access path front. */
-class ApproxAccessPathFrontOption extends TApproxAccessPathFrontOption {
-  string toString() {
-    this = TApproxAccessPathFrontNone() and result = "<none>"
-    or
-    this = TApproxAccessPathFrontSome(any(ApproxAccessPathFront apf | result = apf.toString()))
-  }
-}
-
 /** A `Content` tagged with the type of a containing object. */
 class TypedContent extends MkTypedContent {
   private Content c;
@@ -1482,7 +1336,7 @@ abstract class AccessPathFront extends TAccessPathFront {
 
   abstract DataFlowType getType();
 
-  abstract ApproxAccessPathFront toApprox();
+  abstract boolean toBoolNonEmpty();
 
   TypedContent getHead() { this = TFrontHead(result) }
 }
@@ -1496,7 +1350,7 @@ class AccessPathFrontNil extends AccessPathFront, TFrontNil {
 
   override DataFlowType getType() { result = t }
 
-  override ApproxAccessPathFront toApprox() { result = TApproxFrontNil(t) }
+  override boolean toBoolNonEmpty() { result = false }
 }
 
 class AccessPathFrontHead extends AccessPathFront, TFrontHead {
@@ -1508,7 +1362,7 @@ class AccessPathFrontHead extends AccessPathFront, TFrontHead {
 
   override DataFlowType getType() { result = tc.getContainerType() }
 
-  override ApproxAccessPathFront toApprox() { result.getAHead() = tc }
+  override boolean toBoolNonEmpty() { result = true }
 }
 
 /** An optional access path front. */

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll

@@ -244,25 +244,4 @@ module Consistency {
     not callable = viableCallable(call) and
     not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
   }
-
-  query predicate uniqueParameterNodeAtPosition(
-    DataFlowCallable c, ParameterPosition pos, Node p, string msg
-  ) {
-    isParameterNode(p, c, pos) and
-    not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
-    msg = "Parameters with overlapping positions."
-  }
-
-  query predicate uniqueParameterNodePosition(
-    DataFlowCallable c, ParameterPosition pos, Node p, string msg
-  ) {
-    isParameterNode(p, c, pos) and
-    not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
-    msg = "Parameter node with multiple positions."
-  }
-
-  query predicate uniqueContentApprox(Content c, string msg) {
-    not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
-    msg = "Non-unique content approximation."
-  }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -400,13 +400,6 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
  */
 predicate allowParameterReturnInSelf(ParameterNode p) { none() }
 
-/** An approximated `Content`. */
-class ContentApprox = Unit;
-
-/** Gets an approximated value for content `c`. */
-pragma[inline]
-ContentApprox getContentApprox(Content c) { any() }
-
 private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
   override predicate argHasPostUpdateExclude(ArgumentNode n) {
     // The rules for whether an IR argument gets a post-update node are too

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll

@@ -1,644 +0,0 @@
-/**
- * INTERNAL: Do not use.
- *
- * An IR taint tracking library that uses an IR DataFlow configuration to track
- * taint from user inputs as defined by `semmle.code.cpp.security.Security`.
- */
-
-import cpp
-import semmle.code.cpp.security.Security
-private import semmle.code.cpp.ir.dataflow.DataFlow
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import semmle.code.cpp.ir.dataflow.DataFlow3
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.ResolveCall
-private import semmle.code.cpp.controlflow.IRGuards
-private import semmle.code.cpp.models.interfaces.Taint
-private import semmle.code.cpp.models.interfaces.DataFlow
-private import semmle.code.cpp.ir.dataflow.TaintTracking
-private import semmle.code.cpp.ir.dataflow.TaintTracking2
-private import semmle.code.cpp.ir.dataflow.TaintTracking3
-private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
-
-/**
- * A predictable instruction is one where an external user can predict
- * the value. For example, a literal in the source code is considered
- * predictable.
- */
-private predicate predictableInstruction(Instruction instr) {
-  instr instanceof ConstantInstruction
-  or
-  instr instanceof StringConstantInstruction
-  or
-  // This could be a conversion on a string literal
-  predictableInstruction(instr.(UnaryInstruction).getUnary())
-}
-
-/**
- * Functions that we should only allow taint to flow through (to the return
- * value) if all but the source argument are 'predictable'.  This is done to
- * emulate the old security library's implementation rather than due to any
- * strong belief that this is the right approach.
- *
- * Note that the list itself is not very principled; it consists of all the
- * functions listed in the old security library's [default] `isPureFunction`
- * that have more than one argument, but are not in the old taint tracking
- * library's `returnArgument` predicate.
- */
-predicate predictableOnlyFlow(string name) {
-  name =
-    [
-      "strcasestr", "strchnul", "strchr", "strchrnul", "strcmp", "strcspn", "strncmp", "strndup",
-      "strnlen", "strrchr", "strspn", "strstr", "strtod", "strtof", "strtol", "strtoll", "strtoq",
-      "strtoul"
-    ]
-}
-
-private DataFlow::Node getNodeForSource(Expr source) {
-  isUserInput(source, _) and
-  result = getNodeForExpr(source)
-}
-
-private DataFlow::Node getNodeForExpr(Expr node) {
-  result = DataFlow::exprNode(node)
-  or
-  // Some of the sources in `isUserInput` are intended to match the value of
-  // an expression, while others (those modeled below) are intended to match
-  // the taint that propagates out of an argument, like the `char *` argument
-  // to `gets`. It's impossible here to tell which is which, but the "access
-  // to argv" source is definitely not intended to match an output argument,
-  // and it causes false positives if we let it.
-  //
-  // This case goes together with the similar (but not identical) rule in
-  // `nodeIsBarrierIn`.
-  result = DataFlow::definitionByReferenceNodeFromArgument(node) and
-  not argv(node.(VariableAccess).getTarget())
-}
-
-private class DefaultTaintTrackingCfg extends TaintTracking::Configuration {
-  DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" }
-
-  override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
-
-  override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
-
-  override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
-
-  override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
-}
-
-private class ToGlobalVarTaintTrackingCfg extends TaintTracking::Configuration {
-  ToGlobalVarTaintTrackingCfg() { this = "GlobalVarTaintTrackingCfg" }
-
-  override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink.asVariable() instanceof GlobalOrNamespaceVariable
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
-    writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
-    or
-    readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
-
-  override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
-}
-
-private class FromGlobalVarTaintTrackingCfg extends TaintTracking2::Configuration {
-  FromGlobalVarTaintTrackingCfg() { this = "FromGlobalVarTaintTrackingCfg" }
-
-  override predicate isSource(DataFlow::Node source) {
-    // This set of sources should be reasonably small, which is good for
-    // performance since the set of sinks is very large.
-    exists(ToGlobalVarTaintTrackingCfg otherCfg | otherCfg.hasFlowTo(source))
-  }
-
-  override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
-    // Additional step for flow out of variables. There is no flow _into_
-    // variables in this configuration, so this step only serves to take flow
-    // out of a variable that's a source.
-    readsVariable(n2.asInstruction(), n1.asVariable())
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
-
-  override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
-}
-
-private predicate readsVariable(LoadInstruction load, Variable var) {
-  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
-}
-
-private predicate writesVariable(StoreInstruction store, Variable var) {
-  store.getDestinationAddress().(VariableAddressInstruction).getAstVariable() = var
-}
-
-/**
- * A variable that has any kind of upper-bound check anywhere in the program.  This is
- * biased towards being inclusive because there are a lot of valid ways of doing an
- * upper bounds checks if we don't consider where it occurs, for example:
- * ```
- *   if (x < 10) { sink(x); }
- *
- *   if (10 > y) { sink(y); }
- *
- *   if (z > 10) { z = 10; }
- *   sink(z);
- * ```
- */
-// TODO: This coarse overapproximation, ported from the old taint tracking
-// library, could be replaced with an actual semantic check that a particular
-// variable _access_ is guarded by an upper-bound check. We probably don't want
-// to do this right away since it could expose a lot of FPs that were
-// previously suppressed by this predicate by coincidence.
-private predicate hasUpperBoundsCheck(Variable var) {
-  exists(RelationalOperation oper, VariableAccess access |
-    oper.getAnOperand() = access and
-    access.getTarget() = var and
-    // Comparing to 0 is not an upper bound check
-    not oper.getAnOperand().getValue() = "0"
-  )
-}
-
-private predicate nodeIsBarrierEqualityCandidate(
-  DataFlow::Node node, Operand access, Variable checkedVar
-) {
-  readsVariable(node.asInstruction(), checkedVar) and
-  any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
-}
-
-cached
-private module Cached {
-  cached
-  predicate nodeIsBarrier(DataFlow::Node node) {
-    exists(Variable checkedVar |
-      readsVariable(node.asInstruction(), checkedVar) and
-      hasUpperBoundsCheck(checkedVar)
-    )
-    or
-    exists(Variable checkedVar, Operand access |
-      /*
-       * This node is guarded by a condition that forces the accessed variable
-       * to equal something else.  For example:
-       * ```
-       * x = taintsource()
-       * if (x == 10) {
-       *   taintsink(x); // not considered tainted
-       * }
-       * ```
-       */
-
-      nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
-      readsVariable(access.getDef(), checkedVar)
-    )
-  }
-
-  cached
-  predicate nodeIsBarrierIn(DataFlow::Node node) {
-    // don't use dataflow into taint sources, as this leads to duplicate results.
-    exists(Expr source | isUserInput(source, _) |
-      node = DataFlow::exprNode(source)
-      or
-      // This case goes together with the similar (but not identical) rule in
-      // `getNodeForSource`.
-      node = DataFlow::definitionByReferenceNodeFromArgument(source)
-    )
-    or
-    // don't use dataflow into binary instructions if both operands are unpredictable
-    exists(BinaryInstruction iTo |
-      iTo = node.asInstruction() and
-      not predictableInstruction(iTo.getLeft()) and
-      not predictableInstruction(iTo.getRight()) and
-      // propagate taint from either the pointer or the offset, regardless of predictability
-      not iTo instanceof PointerArithmeticInstruction
-    )
-    or
-    // don't use dataflow through calls to pure functions if two or more operands
-    // are unpredictable
-    exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
-      iTo = node.asInstruction() and
-      isPureFunction(iTo.getStaticCallTarget().getName()) and
-      iFrom1 = iTo.getAnArgument() and
-      iFrom2 = iTo.getAnArgument() and
-      not predictableInstruction(iFrom1) and
-      not predictableInstruction(iFrom2) and
-      iFrom1 != iFrom2
-    )
-  }
-
-  cached
-  Element adjustedSink(DataFlow::Node sink) {
-    // TODO: is it more appropriate to use asConvertedExpr here and avoid
-    // `getConversion*`? Or will that cause us to miss some cases where there's
-    // flow to a conversion (like a `ReferenceDereferenceExpr`) and we want to
-    // pretend there was flow to the converted `Expr` for the sake of
-    // compatibility.
-    sink.asExpr().getConversion*() = result
-    or
-    // For compatibility, send flow from arguments to parameters, even for
-    // functions with no body.
-    exists(FunctionCall call, int i |
-      sink.asExpr() = call.getArgument(pragma[only_bind_into](i)) and
-      result = resolveCall(call).getParameter(pragma[only_bind_into](i))
-    )
-    or
-    // For compatibility, send flow into a `Variable` if there is flow to any
-    // Load or Store of that variable.
-    exists(CopyInstruction copy |
-      copy.getSourceValue() = sink.asInstruction() and
-      (
-        readsVariable(copy, result) or
-        writesVariable(copy, result)
-      ) and
-      not hasUpperBoundsCheck(result)
-    )
-    or
-    // For compatibility, send flow into a `NotExpr` even if it's part of a
-    // short-circuiting condition and thus might get skipped.
-    result.(NotExpr).getOperand() = sink.asExpr()
-    or
-    // Taint postfix and prefix crement operations when their operand is tainted.
-    result.(CrementOperation).getAnOperand() = sink.asExpr()
-    or
-    // Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
-    result.(AssignOperation).getAnOperand() = sink.asExpr()
-    or
-    result =
-      sink.asOperand()
-          .(SideEffectOperand)
-          .getUse()
-          .(ReadSideEffectInstruction)
-          .getArgumentDef()
-          .getUnconvertedResultExpression()
-  }
-
-  /**
-   * Step to return value of a modeled function when an input taints the
-   * dereference of the return value.
-   */
-  cached
-  predicate additionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
-    exists(CallInstruction call, Function func, FunctionInput modelIn, FunctionOutput modelOut |
-      n1.asOperand() = callInput(call, modelIn) and
-      (
-        func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
-        or
-        func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
-      ) and
-      call.getStaticCallTarget() = func and
-      modelOut.isReturnValueDeref() and
-      call = n2.asInstruction()
-    )
-  }
-}
-
-private import Cached
-
-/**
- * Holds if `tainted` may contain taint from `source`.
- *
- * A tainted expression is either directly user input, or is
- * computed from user input in a way that users can probably
- * control the exact output of the computation.
- *
- * This doesn't include data flow through global variables.
- * If you need that you must call `taintedIncludingGlobalVars`.
- */
-cached
-predicate tainted(Expr source, Element tainted) {
-  exists(DefaultTaintTrackingCfg cfg, DataFlow::Node sink |
-    cfg.hasFlow(getNodeForSource(source), sink) and
-    tainted = adjustedSink(sink)
-  )
-}
-
-/**
- * Holds if `tainted` may contain taint from `source`, where the taint passed
- * through a global variable named `globalVar`.
- *
- * A tainted expression is either directly user input, or is
- * computed from user input in a way that users can probably
- * control the exact output of the computation.
- *
- * This version gives the same results as tainted but also includes
- * data flow through global variables.
- *
- * The parameter `globalVar` is the qualified name of the last global variable
- * used to move the value from source to tainted. If the taint did not pass
- * through a global variable, then `globalVar = ""`.
- */
-cached
-predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar) {
-  tainted(source, tainted) and
-  globalVar = ""
-  or
-  exists(
-    ToGlobalVarTaintTrackingCfg toCfg, FromGlobalVarTaintTrackingCfg fromCfg,
-    DataFlow::VariableNode variableNode, GlobalOrNamespaceVariable global, DataFlow::Node sink
-  |
-    global = variableNode.getVariable() and
-    toCfg.hasFlow(getNodeForSource(source), variableNode) and
-    fromCfg.hasFlow(variableNode, sink) and
-    tainted = adjustedSink(sink) and
-    global = globalVarFromId(globalVar)
-  )
-}
-
-/**
- * Gets the global variable whose qualified name is `id`. Use this predicate
- * together with `taintedIncludingGlobalVars`. Example:
- *
- * ```
- * exists(string varName |
- *   taintedIncludingGlobalVars(source, tainted, varName) and
- *   var = globalVarFromId(varName)
- * )
- * ```
- */
-GlobalOrNamespaceVariable globalVarFromId(string id) { id = result.getQualifiedName() }
-
-/**
- * Provides definitions for augmenting source/sink pairs with data-flow paths
- * between them. From a `@kind path-problem` query, import this module in the
- * global scope, extend `TaintTrackingConfiguration`, and use `taintedWithPath`
- * in place of `tainted`.
- *
- * Importing this module will also import the query predicates that contain the
- * taint paths.
- */
-module TaintedWithPath {
-  private newtype TSingleton = MkSingleton()
-
-  /**
-   * A taint-tracking configuration that matches sources and sinks in the same
-   * way as the `tainted` predicate.
-   *
-   * Override `isSink` and `taintThroughGlobals` as needed, but do not provide
-   * a characteristic predicate.
-   */
-  class TaintTrackingConfiguration extends TSingleton {
-    /** Override this to specify which elements are sources in this configuration. */
-    predicate isSource(Expr source) { exists(getNodeForSource(source)) }
-
-    /** Override this to specify which elements are sinks in this configuration. */
-    abstract predicate isSink(Element e);
-
-    /** Override this to specify which expressions are barriers in this configuration. */
-    predicate isBarrier(Expr e) { nodeIsBarrier(getNodeForExpr(e)) }
-
-    /**
-     * Override this predicate to `any()` to allow taint to flow through global
-     * variables.
-     */
-    predicate taintThroughGlobals() { none() }
-
-    /** Gets a textual representation of this element. */
-    string toString() { result = "TaintTrackingConfiguration" }
-  }
-
-  private class AdjustedConfiguration extends TaintTracking3::Configuration {
-    AdjustedConfiguration() { this = "AdjustedConfiguration" }
-
-    override predicate isSource(DataFlow::Node source) {
-      exists(TaintTrackingConfiguration cfg, Expr e |
-        cfg.isSource(e) and source = getNodeForExpr(e)
-      )
-    }
-
-    override predicate isSink(DataFlow::Node sink) {
-      exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink)))
-    }
-
-    override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
-      // Steps into and out of global variables
-      exists(TaintTrackingConfiguration cfg | cfg.taintThroughGlobals() |
-        writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
-        or
-        readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
-      )
-      or
-      additionalTaintStep(n1, n2)
-    }
-
-    override predicate isSanitizer(DataFlow::Node node) {
-      exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e))
-    }
-
-    override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
-  }
-
-  /*
-   * A sink `Element` may map to multiple `DataFlowX::PathNode`s via (the
-   * inverse of) `adjustedSink`. For example, an `Expr` maps to all its
-   * conversions, and a `Variable` maps to all loads and stores from it. Because
-   * the path node is part of the tuple that constitutes the alert, this leads
-   * to duplicate alerts.
-   *
-   * To avoid showing duplicates, we edit the graph to replace the final node
-   * coming from the data-flow library with a node that matches exactly the
-   * `Element` sink that's requested.
-   *
-   * The same is done for sources.
-   */
-
-  private newtype TPathNode =
-    TWrapPathNode(DataFlow3::PathNode n) or
-    // There's a single newtype constructor for both sources and sinks since
-    // that makes it easiest to deal with the case where source = sink.
-    TEndpointPathNode(Element e) {
-      exists(AdjustedConfiguration cfg, DataFlow3::Node sourceNode, DataFlow3::Node sinkNode |
-        cfg.hasFlow(sourceNode, sinkNode)
-      |
-        sourceNode = getNodeForExpr(e) and
-        exists(TaintTrackingConfiguration ttCfg | ttCfg.isSource(e))
-        or
-        e = adjustedSink(sinkNode) and
-        exists(TaintTrackingConfiguration ttCfg | ttCfg.isSink(e))
-      )
-    }
-
-  /** An opaque type used for the nodes of a data-flow path. */
-  class PathNode extends TPathNode {
-    /** Gets a textual representation of this element. */
-    string toString() { none() }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      none()
-    }
-  }
-
-  /**
-   * INTERNAL: Do not use.
-   */
-  module Private {
-    /** Gets a predecessor `PathNode` of `pathNode`, if any. */
-    PathNode getAPredecessor(PathNode pathNode) { edges(result, pathNode) }
-
-    /** Gets the element that `pathNode` wraps, if any. */
-    Element getElementFromPathNode(PathNode pathNode) {
-      exists(DataFlow::Node node | node = pathNode.(WrapPathNode).inner().getNode() |
-        result = node.asInstruction().getAst()
-        or
-        result = node.asOperand().getDef().getAst()
-      )
-      or
-      result = pathNode.(EndpointPathNode).inner()
-    }
-  }
-
-  private class WrapPathNode extends PathNode, TWrapPathNode {
-    DataFlow3::PathNode inner() { this = TWrapPathNode(result) }
-
-    override string toString() { result = this.inner().toString() }
-
-    override predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      this.inner().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-  }
-
-  private class EndpointPathNode extends PathNode, TEndpointPathNode {
-    Expr inner() { this = TEndpointPathNode(result) }
-
-    override string toString() { result = this.inner().toString() }
-
-    override predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      this.inner()
-          .getLocation()
-          .hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-  }
-
-  /** A PathNode whose `Element` is a source. It may also be a sink. */
-  private class InitialPathNode extends EndpointPathNode {
-    InitialPathNode() { exists(TaintTrackingConfiguration cfg | cfg.isSource(this.inner())) }
-  }
-
-  /** A PathNode whose `Element` is a sink. It may also be a source. */
-  private class FinalPathNode extends EndpointPathNode {
-    FinalPathNode() { exists(TaintTrackingConfiguration cfg | cfg.isSink(this.inner())) }
-  }
-
-  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) {
-    DataFlow3::PathGraph::edges(a.(WrapPathNode).inner(), b.(WrapPathNode).inner())
-    or
-    // To avoid showing trivial-looking steps, we _replace_ the last node instead
-    // of adding an edge out of it.
-    exists(WrapPathNode sinkNode |
-      DataFlow3::PathGraph::edges(a.(WrapPathNode).inner(), sinkNode.inner()) and
-      b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
-    )
-    or
-    // Same for the first node
-    exists(WrapPathNode sourceNode |
-      DataFlow3::PathGraph::edges(sourceNode.inner(), b.(WrapPathNode).inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner())
-    )
-    or
-    // Finally, handle the case where the path goes directly from a source to a
-    // sink, meaning that they both need to be translated.
-    exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
-      DataFlow3::PathGraph::edges(sourceNode.inner(), sinkNode.inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner()) and
-      b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
-    )
-  }
-
-  /**
-   * Holds if there is flow from `arg` to `out` across a call that can by summarized by the flow
-   * from `par` to `ret` within it, in the graph of data flow path explanations.
-   */
-  query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    DataFlow3::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
-      ret.(WrapPathNode).inner(), out.(WrapPathNode).inner())
-    or
-    // To avoid showing trivial-looking steps, we _replace_ the last node instead
-    // of adding an edge out of it.
-    exists(WrapPathNode sinkNode |
-      DataFlow3::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
-        ret.(WrapPathNode).inner(), sinkNode.inner()) and
-      out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
-    )
-    or
-    // Same for the first node
-    exists(WrapPathNode sourceNode |
-      DataFlow3::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
-        ret.(WrapPathNode).inner(), out.(WrapPathNode).inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner())
-    )
-    or
-    // Finally, handle the case where the path goes directly from a source to a
-    // sink, meaning that they both need to be translated.
-    exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
-      DataFlow3::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
-        ret.(WrapPathNode).inner(), sinkNode.inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner()) and
-      out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
-    )
-  }
-
-  /** Holds if `n` is a node in the graph of data flow path explanations. */
-  query predicate nodes(PathNode n, string key, string val) {
-    key = "semmle.label" and val = n.toString()
-  }
-
-  /**
-   * Holds if `tainted` may contain taint from `source`, where `sourceNode` and
-   * `sinkNode` are the corresponding `PathNode`s that can be used in a query
-   * to provide path explanations. Extend `TaintTrackingConfiguration` to use
-   * this predicate.
-   *
-   * A tainted expression is either directly user input, or is computed from
-   * user input in a way that users can probably control the exact output of
-   * the computation.
-   */
-  predicate taintedWithPath(Expr source, Element tainted, PathNode sourceNode, PathNode sinkNode) {
-    exists(AdjustedConfiguration cfg, DataFlow3::Node flowSource, DataFlow3::Node flowSink |
-      source = sourceNode.(InitialPathNode).inner() and
-      flowSource = getNodeForExpr(source) and
-      cfg.hasFlow(flowSource, flowSink) and
-      tainted = adjustedSink(flowSink) and
-      tainted = sinkNode.(FinalPathNode).inner()
-    )
-  }
-
-  private predicate isGlobalVariablePathNode(WrapPathNode n) {
-    n.inner().getNode().asVariable() instanceof GlobalOrNamespaceVariable
-  }
-
-  private predicate edgesWithoutGlobals(PathNode a, PathNode b) {
-    edges(a, b) and
-    not isGlobalVariablePathNode(a) and
-    not isGlobalVariablePathNode(b)
-  }
-
-  /**
-   * Holds if `tainted` can be reached from a taint source without passing
-   * through a global variable.
-   */
-  predicate taintedWithoutGlobals(Element tainted) {
-    exists(AdjustedConfiguration cfg, PathNode sourceNode, FinalPathNode sinkNode |
-      cfg.isSource(sourceNode.(WrapPathNode).inner().getNode()) and
-      edgesWithoutGlobals+(sourceNode, sinkNode) and
-      tainted = sinkNode.inner()
-    )
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -72,19 +72,7 @@ newtype TInstructionTag =
   AsmInputTag(int elementIndex) { exists(AsmStmt asm | exists(asm.getChild(elementIndex))) } or
   ThisAddressTag() or
   ThisLoadTag() or
-  StructuredBindingAccessTag() or
-  // The next three cases handle generation of the constants -1, 0 and 1 for __except handling.
-  TryExceptGenerateNegativeOne() or
-  TryExceptGenerateZero() or
-  TryExceptGenerateOne() or
-  // The next three cases handle generation of comparisons for __except handling.
-  TryExceptCompareNegativeOne() or
-  TryExceptCompareZero() or
-  TryExceptCompareOne() or
-  // The next three cases handle generation of branching for __except handling.
-  TryExceptCompareNegativeOneBranch() or
-  TryExceptCompareZeroBranch() or
-  TryExceptCompareOneBranch()
+  StructuredBindingAccessTag()
 
 class InstructionTag extends TInstructionTag {
   final string toString() { result = "Tag" }
@@ -236,22 +224,4 @@ string getInstructionTagId(TInstructionTag tag) {
   tag = ThisLoadTag() and result = "ThisLoad"
   or
   tag = StructuredBindingAccessTag() and result = "StructuredBindingAccess"
-  or
-  tag = TryExceptCompareNegativeOne() and result = "TryExceptCompareNegativeOne"
-  or
-  tag = TryExceptCompareZero() and result = "TryExceptCompareZero"
-  or
-  tag = TryExceptCompareOne() and result = "TryExceptCompareOne"
-  or
-  tag = TryExceptGenerateNegativeOne() and result = "TryExceptGenerateNegativeOne"
-  or
-  tag = TryExceptGenerateZero() and result = "TryExceptGenerateNegativeOne"
-  or
-  tag = TryExceptGenerateOne() and result = "TryExceptGenerateOne"
-  or
-  tag = TryExceptCompareNegativeOneBranch() and result = "TryExceptCompareNegativeOneBranch"
-  or
-  tag = TryExceptCompareZeroBranch() and result = "TryExceptCompareZeroBranch"
-  or
-  tag = TryExceptCompareOneBranch() and result = "TryExceptCompareOneBranch"
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -675,7 +675,6 @@ newtype TTranslatedElement =
   } or
   // A statement
   TTranslatedStmt(Stmt stmt) { translateStmt(stmt) } or
-  TTranslatedMicrosoftTryExceptHandler(MicrosoftTryExceptStmt stmt) or
   // A function
   TTranslatedFunction(Function func) { translateFunction(func) } or
   // A constructor init list

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -13,222 +13,6 @@ private import TranslatedInitialization
 
 TranslatedStmt getTranslatedStmt(Stmt stmt) { result.getAst() = stmt }
 
-TranslatedMicrosoftTryExceptHandler getTranslatedMicrosoftTryExceptHandler(
-  MicrosoftTryExceptStmt tryExcept
-) {
-  result.getAst() = tryExcept.getExcept()
-}
-
-class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
-  TTranslatedMicrosoftTryExceptHandler {
-  MicrosoftTryExceptStmt tryExcept;
-
-  TranslatedMicrosoftTryExceptHandler() { this = TTranslatedMicrosoftTryExceptHandler(tryExcept) }
-
-  final override string toString() { result = tryExcept.toString() }
-
-  final override Locatable getAst() { result = tryExcept.getExcept() }
-
-  override Instruction getFirstInstruction() { result = this.getChild(0).getFirstInstruction() }
-
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
-    // t1 = -1
-    tag = TryExceptGenerateNegativeOne() and
-    opcode instanceof Opcode::Constant and
-    resultType = getIntType()
-    or
-    // t2 = cmp t1, condition
-    tag = TryExceptCompareNegativeOne() and
-    opcode instanceof Opcode::CompareEQ and
-    resultType = getBoolType()
-    or
-    // if t2 goto ... else goto ...
-    tag = TryExceptCompareNegativeOneBranch() and
-    opcode instanceof Opcode::ConditionalBranch and
-    resultType = getVoidType()
-    or
-    // t1 = 0
-    tag = TryExceptGenerateZero() and
-    opcode instanceof Opcode::Constant and
-    resultType = getIntType()
-    or
-    // t2 = cmp t1, condition
-    tag = TryExceptCompareZero() and
-    opcode instanceof Opcode::CompareEQ and
-    resultType = getBoolType()
-    or
-    // if t2 goto ... else goto ...
-    tag = TryExceptCompareZeroBranch() and
-    opcode instanceof Opcode::ConditionalBranch and
-    resultType = getVoidType()
-    or
-    // t1 = 1
-    tag = TryExceptGenerateOne() and
-    opcode instanceof Opcode::Constant and
-    resultType = getIntType()
-    or
-    // t2 = cmp t1, condition
-    tag = TryExceptCompareOne() and
-    opcode instanceof Opcode::CompareEQ and
-    resultType = getBoolType()
-    or
-    // if t2 goto ... else goto ...
-    tag = TryExceptCompareOneBranch() and
-    opcode instanceof Opcode::ConditionalBranch and
-    resultType = getVoidType()
-    or
-    // unwind stack
-    tag = UnwindTag() and
-    opcode instanceof Opcode::Unwind and
-    resultType = getVoidType()
-  }
-
-  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag = TryExceptCompareNegativeOne() and
-    (
-      operandTag instanceof LeftOperandTag and
-      result = this.getTranslatedCondition().getResult()
-      or
-      operandTag instanceof RightOperandTag and
-      result = this.getInstruction(TryExceptGenerateNegativeOne())
-    )
-    or
-    tag = TryExceptCompareNegativeOneBranch() and
-    operandTag instanceof ConditionOperandTag and
-    result = this.getInstruction(TryExceptCompareNegativeOne())
-    or
-    tag = TryExceptCompareZero() and
-    (
-      operandTag instanceof LeftOperandTag and
-      result = this.getTranslatedCondition().getResult()
-      or
-      operandTag instanceof RightOperandTag and
-      result = this.getInstruction(TryExceptGenerateZero())
-    )
-    or
-    tag = TryExceptCompareZeroBranch() and
-    operandTag instanceof ConditionOperandTag and
-    result = this.getInstruction(TryExceptCompareZero())
-    or
-    tag = TryExceptCompareOne() and
-    (
-      operandTag instanceof LeftOperandTag and
-      result = this.getTranslatedCondition().getResult()
-      or
-      operandTag instanceof RightOperandTag and
-      result = this.getInstruction(TryExceptGenerateOne())
-    )
-    or
-    tag = TryExceptCompareOneBranch() and
-    operandTag instanceof ConditionOperandTag and
-    result = this.getInstruction(TryExceptCompareOne())
-  }
-
-  override string getInstructionConstantValue(InstructionTag tag) {
-    tag = TryExceptGenerateNegativeOne() and
-    result = "-1"
-    or
-    tag = TryExceptGenerateZero() and
-    result = "0"
-    or
-    tag = TryExceptGenerateOne() and
-    result = "1"
-  }
-
-  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
-    // Generate -1 -> Compare condition
-    tag = TryExceptGenerateNegativeOne() and
-    kind instanceof GotoEdge and
-    result = this.getInstruction(TryExceptCompareNegativeOne())
-    or
-    // Compare condition -> Branch
-    tag = TryExceptCompareNegativeOne() and
-    kind instanceof GotoEdge and
-    result = this.getInstruction(TryExceptCompareNegativeOneBranch())
-    or
-    // Branch -> Unwind or Generate 0
-    tag = TryExceptCompareNegativeOneBranch() and
-    (
-      kind instanceof TrueEdge and
-      // TODO: This is not really correct. The semantics of `EXCEPTION_CONTINUE_EXECUTION` is that
-      // we should continue execution at the point where the exception occurred. But we don't have
-      // any instruction to model this behavior.
-      result = this.getInstruction(UnwindTag())
-      or
-      kind instanceof FalseEdge and
-      result = this.getInstruction(TryExceptGenerateZero())
-    )
-    or
-    // Generate 0 -> Compare condition
-    tag = TryExceptGenerateZero() and
-    kind instanceof GotoEdge and
-    result = this.getInstruction(TryExceptCompareZero())
-    or
-    // Compare condition -> Branch
-    tag = TryExceptCompareZero() and
-    kind instanceof GotoEdge and
-    result = this.getInstruction(TryExceptCompareZeroBranch())
-    or
-    // Branch -> Unwind or Generate 1
-    tag = TryExceptCompareZeroBranch() and
-    (
-      kind instanceof TrueEdge and
-      result = this.getInstruction(UnwindTag())
-      or
-      kind instanceof FalseEdge and
-      result = this.getInstruction(TryExceptGenerateOne())
-    )
-    or
-    // Generate 1 -> Compare condition
-    tag = TryExceptGenerateOne() and
-    kind instanceof GotoEdge and
-    result = this.getInstruction(TryExceptCompareOne())
-    or
-    // Compare condition -> Branch
-    tag = TryExceptCompareOne() and
-    kind instanceof GotoEdge and
-    result = this.getInstruction(TryExceptCompareOneBranch())
-    or
-    // Branch -> Handler (the condition value is always 0, -1 or 1, and we've checked for 0 or -1 already.)
-    tag = TryExceptCompareOneBranch() and
-    (
-      kind instanceof TrueEdge and
-      result = this.getTranslatedHandler().getFirstInstruction()
-    )
-    or
-    // Unwind -> Parent
-    tag = UnwindTag() and
-    kind instanceof GotoEdge and
-    result = this.getParent().getChildSuccessor(this)
-  }
-
-  override Instruction getChildSuccessor(TranslatedElement child) {
-    child = this.getTranslatedCondition() and
-    result = this.getInstruction(TryExceptGenerateNegativeOne())
-    or
-    child = this.getTranslatedHandler() and
-    result = this.getParent().getChildSuccessor(this)
-  }
-
-  private TranslatedExpr getTranslatedCondition() {
-    result = getTranslatedExpr(tryExcept.getCondition())
-  }
-
-  private TranslatedStmt getTranslatedHandler() {
-    result = getTranslatedStmt(tryExcept.getExcept())
-  }
-
-  override TranslatedElement getChild(int id) {
-    id = 0 and
-    result = this.getTranslatedCondition()
-    or
-    id = 1 and
-    result = this.getTranslatedHandler()
-  }
-
-  final override Function getFunction() { result = tryExcept.getEnclosingFunction() }
-}
-
 abstract class TranslatedStmt extends TranslatedElement, TTranslatedStmt {
   Stmt stmt;
 
@@ -465,57 +249,15 @@ class TranslatedUnreachableReturnStmt extends TranslatedReturnStmt {
 }
 
 /**
- * A C/C++ `try` statement, or a `__try __except` or `__try __finally` statement.
- */
-private class TryOrMicrosoftTryStmt extends Stmt {
-  TryOrMicrosoftTryStmt() {
-    this instanceof TryStmt or
-    this instanceof MicrosoftTryStmt
-  }
-
-  /** Gets the number of `catch block`s of this statement. */
-  int getNumberOfCatchClauses() {
-    result = this.(TryStmt).getNumberOfCatchClauses()
-    or
-    this instanceof MicrosoftTryExceptStmt and
-    result = 1
-    or
-    this instanceof MicrosoftTryFinallyStmt and
-    result = 0
-  }
-
-  /** Gets the `body` statement of this statement. */
-  Stmt getStmt() {
-    result = this.(TryStmt).getStmt()
-    or
-    result = this.(MicrosoftTryStmt).getStmt()
-  }
-
-  /** Gets the `i`th translated handler of this statement. */
-  TranslatedElement getTranslatedHandler(int index) {
-    result = getTranslatedStmt(this.(TryStmt).getChild(index + 1))
-    or
-    index = 0 and
-    result = getTranslatedMicrosoftTryExceptHandler(this)
-  }
-
-  /** Gets the `finally` statement (usually a BlockStmt), if any. */
-  Stmt getFinally() { result = this.(MicrosoftTryFinallyStmt).getFinally() }
-}
-
-/**
- * The IR translation of a C++ `try` (or a `__try __except` or `__try __finally`) statement.
+ * The IR translation of a C++ `try` statement.
  */
 class TranslatedTryStmt extends TranslatedStmt {
-  override TryOrMicrosoftTryStmt stmt;
+  override TryStmt stmt;
 
   override TranslatedElement getChild(int id) {
     id = 0 and result = getBody()
     or
     result = getHandler(id - 1)
-    or
-    id = stmt.getNumberOfCatchClauses() + 1 and
-    result = this.getFinally()
   }
 
   override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
@@ -527,20 +269,8 @@ class TranslatedTryStmt extends TranslatedStmt {
   override Instruction getFirstInstruction() { result = getBody().getFirstInstruction() }
 
   override Instruction getChildSuccessor(TranslatedElement child) {
-    // All non-finally children go to the successor of the `try` if
-    // there is no finally block, but if there is a finally block
-    // then we go to that one.
-    child = [this.getBody(), this.getHandler(_)] and
-    (
-      not exists(this.getFinally()) and
-      result = this.getParent().getChildSuccessor(this)
-      or
-      result = this.getFinally().getFirstInstruction()
-    )
-    or
-    // And after the finally block we go to the successor of the `try`.
-    child = this.getFinally() and
-    result = this.getParent().getChildSuccessor(this)
+    // All children go to the successor of the `try`.
+    child = getAChild() and result = getParent().getChildSuccessor(this)
   }
 
   final Instruction getNextHandler(TranslatedHandler handler) {
@@ -560,9 +290,9 @@ class TranslatedTryStmt extends TranslatedStmt {
     result = getHandler(0).getFirstInstruction()
   }
 
-  private TranslatedElement getHandler(int index) { result = stmt.getTranslatedHandler(index) }
-
-  private TranslatedStmt getFinally() { result = getTranslatedStmt(stmt.getFinally()) }
+  private TranslatedHandler getHandler(int index) {
+    result = getTranslatedStmt(stmt.getChild(index + 1))
+  }
 
   private TranslatedStmt getBody() { result = getTranslatedStmt(stmt.getStmt()) }
 }

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -27,7 +27,7 @@ private import implementations.StdString
 private import implementations.Swap
 private import implementations.GetDelim
 private import implementations.SmartPointer
-private import implementations.Scanf
+private import implementations.Sscanf
 private import implementations.Send
 private import implementations.Recv
 private import implementations.Accept

cpp/ql/lib/semmle/code/cpp/models/implementations/Fread.qll

@@ -15,6 +15,6 @@ private class Fread extends AliasFunction, RemoteFlowSourceFunction {
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
     output.isParameterDeref(0) and
-    description = "string read by " + this.getName()
+    description = "String read by " + this.getName()
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/GetDelim.qll

@@ -36,6 +36,6 @@ private class GetDelimFunction extends TaintFunction, AliasFunction, SideEffectF
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
     output.isParameterDeref(0) and
-    description = "string read by " + this.getName()
+    description = "String read by " + this.getName()
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Getenv.qll

@@ -1,19 +1,15 @@
 /**
- * Provides an implementation class modeling the POSIX function `getenv` and
- * various similar functions.
+ * Provides an implementation class modeling the POSIX function `getenv`.
  */
 
 import cpp
 import semmle.code.cpp.models.interfaces.FlowSource
 
 /**
- * The POSIX function `getenv`, the GNU function `secure_getenv`, and the
- * Windows function `_wgetenv`.
+ * The POSIX function `getenv`.
  */
 class Getenv extends LocalFlowSourceFunction {
-  Getenv() {
-    this.hasGlobalOrStdOrBslName("getenv") or this.hasGlobalName(["secure_getenv", "_wgetenv"])
-  }
+  Getenv() { this.hasGlobalOrStdOrBslName("getenv") }
 
   override predicate hasLocalFlowSource(FunctionOutput output, string description) {
     (

cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll

@@ -49,10 +49,10 @@ private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFuncti
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
     output.isParameterDeref(0) and
-    description = "string read by " + this.getName()
+    description = "String read by " + this.getName()
     or
     output.isReturnValue() and
-    description = "string read by " + this.getName()
+    description = "String read by " + this.getName()
   }
 
   override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
@@ -98,10 +98,10 @@ private class GetsFunction extends DataFlowFunction, ArrayFunction, AliasFunctio
 
   override predicate hasLocalFlowSource(FunctionOutput output, string description) {
     output.isParameterDeref(0) and
-    description = "string read by " + this.getName()
+    description = "String read by " + this.getName()
     or
     output.isReturnValue() and
-    description = "string read by " + this.getName()
+    description = "String read by " + this.getName()
   }
 
   override predicate hasArrayWithUnknownSize(int bufParam) { bufParam = 0 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Inet.qll

@@ -1,10 +1,9 @@
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.ArrayFunction
-import semmle.code.cpp.models.interfaces.FlowSource
 
 private class InetNtoa extends TaintFunction {
-  InetNtoa() { this.hasGlobalName("inet_ntoa") }
+  InetNtoa() { hasGlobalName("inet_ntoa") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and
@@ -13,7 +12,7 @@ private class InetNtoa extends TaintFunction {
 }
 
 private class InetAton extends TaintFunction, ArrayFunction {
-  InetAton() { this.hasGlobalName("inet_aton") }
+  InetAton() { hasGlobalName("inet_aton") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(0) and
@@ -33,7 +32,7 @@ private class InetAton extends TaintFunction, ArrayFunction {
 }
 
 private class InetAddr extends TaintFunction, ArrayFunction, AliasFunction {
-  InetAddr() { this.hasGlobalName("inet_addr") }
+  InetAddr() { hasGlobalName("inet_addr") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(0) and
@@ -52,7 +51,7 @@ private class InetAddr extends TaintFunction, ArrayFunction, AliasFunction {
 }
 
 private class InetNetwork extends TaintFunction, ArrayFunction {
-  InetNetwork() { this.hasGlobalName("inet_network") }
+  InetNetwork() { hasGlobalName("inet_network") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(0) and
@@ -65,7 +64,7 @@ private class InetNetwork extends TaintFunction, ArrayFunction {
 }
 
 private class InetMakeaddr extends TaintFunction {
-  InetMakeaddr() { this.hasGlobalName("inet_makeaddr") }
+  InetMakeaddr() { hasGlobalName("inet_makeaddr") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     (
@@ -77,7 +76,7 @@ private class InetMakeaddr extends TaintFunction {
 }
 
 private class InetLnaof extends TaintFunction {
-  InetLnaof() { this.hasGlobalName("inet_lnaof") }
+  InetLnaof() { hasGlobalName("inet_lnaof") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and
@@ -86,7 +85,7 @@ private class InetLnaof extends TaintFunction {
 }
 
 private class InetNetof extends TaintFunction {
-  InetNetof() { this.hasGlobalName("inet_netof") }
+  InetNetof() { hasGlobalName("inet_netof") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and
@@ -95,7 +94,7 @@ private class InetNetof extends TaintFunction {
 }
 
 private class InetPton extends TaintFunction, ArrayFunction {
-  InetPton() { this.hasGlobalName("inet_pton") }
+  InetPton() { hasGlobalName("inet_pton") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     (
@@ -115,7 +114,7 @@ private class InetPton extends TaintFunction, ArrayFunction {
 }
 
 private class Gethostbyname extends TaintFunction, ArrayFunction {
-  Gethostbyname() { this.hasGlobalName("gethostbyname") }
+  Gethostbyname() { hasGlobalName("gethostbyname") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(0) and
@@ -128,7 +127,7 @@ private class Gethostbyname extends TaintFunction, ArrayFunction {
 }
 
 private class Gethostbyaddr extends TaintFunction, ArrayFunction {
-  Gethostbyaddr() { this.hasGlobalName("gethostbyaddr") }
+  Gethostbyaddr() { hasGlobalName("gethostbyaddr") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     (
@@ -143,21 +142,3 @@ private class Gethostbyaddr extends TaintFunction, ArrayFunction {
 
   override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
 }
-
-private class Getaddrinfo extends TaintFunction, ArrayFunction, RemoteFlowSourceFunction {
-  Getaddrinfo() { this.hasGlobalName("getaddrinfo") }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref([0 .. 2]) and
-    output.isParameterDeref(3)
-  }
-
-  override predicate hasArrayInput(int bufParam) { bufParam in [0, 1] }
-
-  override predicate hasArrayWithNullTerminator(int bufParam) { bufParam in [0, 1] }
-
-  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(3) and
-    description = "address returned by " + this.getName()
-  }
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll

@@ -31,17 +31,7 @@ private class IteratorTraits extends Class {
  * `std::iterator_traits` instantiation for it.
  */
 private class IteratorByTraits extends Iterator {
-  IteratorTraits trait;
-
-  IteratorByTraits() { trait.getIteratorType() = this }
-
-  override Type getValueType() {
-    exists(TypedefType t |
-      trait.getAMember() = t and
-      t.getName() = "value_type" and
-      result = t.getUnderlyingType()
-    )
-  }
+  IteratorByTraits() { exists(IteratorTraits it | it.getIteratorType() = this) }
 }
 
 /**
@@ -52,27 +42,20 @@ private class IteratorByTraits extends Iterator {
  */
 private class IteratorByPointer extends Iterator instanceof PointerType {
   IteratorByPointer() { not this instanceof IteratorByTraits }
-
-  override Type getValueType() { result = super.getBaseType() }
 }
 
 /**
  * A type which has the typedefs expected for an iterator.
  */
 private class IteratorByTypedefs extends Iterator, Class {
-  TypedefType valueType;
-
   IteratorByTypedefs() {
     this.getAMember().(TypedefType).hasName("difference_type") and
-    valueType = this.getAMember() and
-    valueType.hasName("value_type") and
+    this.getAMember().(TypedefType).hasName("value_type") and
     this.getAMember().(TypedefType).hasName("pointer") and
     this.getAMember().(TypedefType).hasName("reference") and
     this.getAMember().(TypedefType).hasName("iterator_category") and
     not this.hasQualifiedName(["std", "bsl"], "iterator_traits")
   }
-
-  override Type getValueType() { result = valueType.getUnderlyingType() }
 }
 
 /**
@@ -80,8 +63,6 @@ private class IteratorByTypedefs extends Iterator, Class {
  */
 private class StdIterator extends Iterator, Class {
   StdIterator() { this.hasQualifiedName(["std", "bsl"], "iterator") }
-
-  override Type getValueType() { result = this.getTemplateArgument(1).(Type).getUnderlyingType() }
 }
 
 /**
@@ -185,15 +166,12 @@ private class IteratorSubOperator extends Operator, TaintFunction {
 /**
  * A non-member `operator+=` or `operator-=` function for an iterator type.
  */
-class IteratorAssignArithmeticOperator extends Operator {
+private class IteratorAssignArithmeticOperator extends Operator, DataFlowFunction, TaintFunction {
   IteratorAssignArithmeticOperator() {
     this.hasName(["operator+=", "operator-="]) and
     exists(getIteratorArgumentInput(this, 0))
   }
-}
 
-private class IteratorAssignArithmeticOperatorModel extends IteratorAssignArithmeticOperator,
-  DataFlowFunction, TaintFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and
     output.isReturnValue()
@@ -232,14 +210,11 @@ class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunc
 /**
  * An `operator++` or `operator--` member function for an iterator type.
  */
-class IteratorCrementMemberOperator extends MemberFunction {
+private class IteratorCrementMemberOperator extends MemberFunction, DataFlowFunction, TaintFunction {
   IteratorCrementMemberOperator() {
     this.getClassAndName(["operator++", "operator--"]) instanceof Iterator
   }
-}
 
-private class IteratorCrementMemberOperatorModel extends IteratorCrementMemberOperator,
-  DataFlowFunction, TaintFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierAddress() and
     output.isReturnValue()

cpp/ql/lib/semmle/code/cpp/models/implementations/Recv.qll

@@ -83,7 +83,7 @@ private class Recv extends AliasFunction, ArrayFunction, SideEffectFunction,
       or
       this.hasGlobalName("recvfrom") and output.isParameterDeref([4, 5])
     ) and
-    description = "buffer read by " + this.getName()
+    description = "Buffer read by " + this.getName()
   }
 
   override predicate hasSocketInput(FunctionInput input) { input.isParameter(0) }

cpp/ql/lib/semmle/code/cpp/models/implementations/Send.qll

@@ -58,7 +58,7 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
   override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
 
   override predicate hasRemoteFlowSink(FunctionInput input, string description) {
-    input.isParameterDeref(1) and description = "buffer sent by " + this.getName()
+    input.isParameterDeref(1) and description = "Buffer sent by " + this.getName()
   }
 
   override predicate hasSocketInput(FunctionInput input) { input.isParameter(0) }

cpp/ql/lib/semmle/code/cpp/models/implementations/Sscanf.qll

@@ -1,6 +1,6 @@
 /**
- * Provides implementation classes modeling the `scanf` family of functions.
- * See `semmle.code.cpp.models.Models` for usage information.
+ * Provides implementation classes modeling `sscanf`, `fscanf` and various similar
+ * functions. See `semmle.code.cpp.models.Models` for usage information.
  */
 
 import semmle.code.cpp.Function
@@ -9,15 +9,18 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
-import semmle.code.cpp.models.interfaces.FlowSource
 
 /**
- * The `scanf` family of functions.
+ * The standard function `sscanf`, `fscanf` and its assorted variants
  */
-abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction, AliasFunction,
-  SideEffectFunction {
+private class SscanfModel extends ArrayFunction, TaintFunction, AliasFunction, SideEffectFunction {
+  SscanfModel() { this instanceof Sscanf or this instanceof Fscanf or this instanceof Snscanf }
+
   override predicate hasArrayWithNullTerminator(int bufParam) {
     bufParam = this.(ScanfFunction).getFormatParameterIndex()
+    or
+    not this instanceof Fscanf and
+    bufParam = this.(ScanfFunction).getInputParameterIndex()
   }
 
   override predicate hasArrayInput(int bufParam) { this.hasArrayWithNullTerminator(bufParam) }
@@ -33,7 +36,7 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
     )
   }
 
-  int getArgsStartPosition() { result = this.getNumberOfParameters() }
+  private int getArgsStartPosition() { result = this.getNumberOfParameters() }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(this.(ScanfFunction).getInputParameterIndex()) and
@@ -67,36 +70,3 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
       ]
   }
 }
-
-/**
- * The standard function `scanf` and its assorted variants
- */
-private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction instanceof Scanf {
-  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
-    description = "value read by " + this.getName()
-  }
-}
-
-/**
- * The standard function `fscanf` and its assorted variants
- */
-private class FscanfModel extends ScanfFunctionModel, RemoteFlowSourceFunction instanceof Fscanf {
-  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
-    description = "value read by " + this.getName()
-  }
-}
-
-/**
- * The standard function `sscanf` and its assorted variants
- */
-private class SscanfModel extends ScanfFunctionModel {
-  SscanfModel() { this instanceof Sscanf or this instanceof Snscanf }
-
-  override predicate hasArrayWithNullTerminator(int bufParam) {
-    super.hasArrayWithNullTerminator(bufParam)
-    or
-    bufParam = this.(ScanfFunction).getInputParameterIndex()
-  }
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll

@@ -5,53 +5,38 @@
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Iterator
 
-/**
- * A sequence container template class (for example, `std::vector`) from the
- * standard library.
- */
-abstract class StdSequenceContainer extends Class {
-  Type getElementType() { result = this.getTemplateArgument(0) }
-}
-
 /**
  * The `std::array` template class.
  */
-private class Array extends StdSequenceContainer {
+private class Array extends Class {
   Array() { this.hasQualifiedName(["std", "bsl"], "array") }
 }
 
-/**
- * The `std::string` template class.
- */
-private class String extends StdSequenceContainer {
-  String() { this.hasQualifiedName(["std", "bsl"], "basic_string") }
-}
-
 /**
  * The `std::deque` template class.
  */
-private class Deque extends StdSequenceContainer {
+private class Deque extends Class {
   Deque() { this.hasQualifiedName(["std", "bsl"], "deque") }
 }
 
 /**
  * The `std::forward_list` template class.
  */
-private class ForwardList extends StdSequenceContainer {
+private class ForwardList extends Class {
   ForwardList() { this.hasQualifiedName(["std", "bsl"], "forward_list") }
 }
 
 /**
  * The `std::list` template class.
  */
-private class List extends StdSequenceContainer {
+private class List extends Class {
   List() { this.hasQualifiedName(["std", "bsl"], "list") }
 }
 
 /**
  * The `std::vector` template class.
  */
-private class Vector extends StdSequenceContainer {
+private class Vector extends Class {
   Vector() { this.hasQualifiedName(["std", "bsl"], "vector") }
 }
 

cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll

@@ -17,15 +17,6 @@ private class StdBasicString extends ClassTemplateInstantiation {
 
 /**
  * The `std::basic_string::iterator` declaration.
- *
- * Intuitively, this class shouldn't be necessary as it's already captured
- * by the `StdIterator` class. However, this class ensures that the typedef inside the
- * body of the `std::string` class is also seen as an iterator.
- *
- * Eventually, we should be consistent about which of the following should be recognized as iterators:
- * 1. The typedef type.
- * 2. The template class of the resolved type.
- * 3. Any instantiation of the resolved type.
  */
 private class StdBasicStringIterator extends Iterator, Type {
   StdBasicStringIterator() {

cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll

@@ -11,6 +11,38 @@
 import semmle.code.cpp.Function
 import semmle.code.cpp.models.Models
 
+/**
+ * An allocation function such as `malloc`.
+ */
+abstract class AllocationFunction extends Function {
+  /**
+   * Gets the index of the argument for the allocation size, if any. The actual
+   * allocation size is the value of this argument multiplied by the result of
+   * `getSizeMult()`, in bytes.
+   */
+  int getSizeArg() { none() }
+
+  /**
+   * Gets the index of an argument that multiplies the allocation size given by
+   * `getSizeArg`, if any.
+   */
+  int getSizeMult() { none() }
+
+  /**
+   * Gets the index of the input pointer argument to be reallocated, if this
+   * is a `realloc` function.
+   */
+  int getReallocPtrArg() { none() }
+
+  /**
+   * Whether or not this allocation requires a corresponding deallocation of
+   * some sort (most do, but `alloca` for example does not).  If it is unclear,
+   * we default to no (for example a placement `new` allocation may or may not
+   * require a corresponding `delete`).
+   */
+  predicate requiresDealloc() { any() }
+}
+
 /**
  * An allocation expression such as call to `malloc` or a `new` expression.
  */
@@ -54,41 +86,6 @@ abstract class AllocationExpr extends Expr {
   predicate requiresDealloc() { any() }
 }
 
-/**
- * An allocation function such as `malloc`.
- *
- * Note: `AllocationExpr` includes calls to allocation functions, so prefer
- * to use that class unless you specifically need to reason about functions.
- */
-abstract class AllocationFunction extends Function {
-  /**
-   * Gets the index of the argument for the allocation size, if any. The actual
-   * allocation size is the value of this argument multiplied by the result of
-   * `getSizeMult()`, in bytes.
-   */
-  int getSizeArg() { none() }
-
-  /**
-   * Gets the index of an argument that multiplies the allocation size given by
-   * `getSizeArg`, if any.
-   */
-  int getSizeMult() { none() }
-
-  /**
-   * Gets the index of the input pointer argument to be reallocated, if this
-   * is a `realloc` function.
-   */
-  int getReallocPtrArg() { none() }
-
-  /**
-   * Whether or not this allocation requires a corresponding deallocation of
-   * some sort (most do, but `alloca` for example does not).  If it is unclear,
-   * we default to no (for example a placement `new` allocation may or may not
-   * require a corresponding `delete`).
-   */
-  predicate requiresDealloc() { any() }
-}
-
 /**
  * An `operator new` or `operator new[]` function that may be associated with
  * `new` or `new[]` expressions.  Note that `new` and `new[]` are not function

cpp/ql/lib/semmle/code/cpp/models/interfaces/Deallocation.qll

@@ -11,6 +11,16 @@
 import semmle.code.cpp.Function
 import semmle.code.cpp.models.Models
 
+/**
+ * A deallocation function such as `free`.
+ */
+abstract class DeallocationFunction extends Function {
+  /**
+   * Gets the index of the argument that is freed by this function.
+   */
+  int getFreedArg() { none() }
+}
+
 /**
  * An deallocation expression such as call to `free` or a `delete` expression.
  */
@@ -21,19 +31,6 @@ abstract class DeallocationExpr extends Expr {
   Expr getFreedExpr() { none() }
 }
 
-/**
- * A deallocation function such as `free`.
- *
- * Note: `DeallocationExpr` includes calls to deallocation functions, so prefer
- * to use that class unless you specifically need to reason about functions.
- */
-abstract class DeallocationFunction extends Function {
-  /**
-   * Gets the index of the argument that is freed by this function.
-   */
-  int getFreedArg() { none() }
-}
-
 /**
  * An `operator delete` or `operator delete[]` function that may be associated
  * with `delete` or `delete[]` expressions.  Note that `delete` and `delete[]`

cpp/ql/lib/semmle/code/cpp/models/interfaces/Iterator.qll

@@ -29,17 +29,5 @@ abstract class GetIteratorFunction extends Function {
 
 /**
  * A type which can be used as an iterator.
- *
- * Note: Do _not_ `extend` when inheriting from this class in queries. Always use `instanceof`:
- * ```
- * class MyIterator instanceof Iterator { ... }
- * ```
  */
-abstract class Iterator extends Type {
-  /**
-   * Gets the value type of this iterator, if any.
-   *
-   * For example, the value type of a `std::vector<int>::iterator` is `int`.
-   */
-  Type getValueType() { none() }
-}
+abstract class Iterator extends Type { }

cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll

@@ -89,10 +89,10 @@ private class LocalParameterSource extends LocalFlowSource {
 
 private class ArgvSource extends LocalFlowSource {
   ArgvSource() {
-    exists(Function main, Parameter argv |
-      main.hasGlobalName("main") and
-      main.getParameter(1) = argv and
-      this.asParameter() = argv
+    exists(Parameter argv |
+      argv.hasName("argv") and
+      argv.getFunction().hasGlobalName("main") and
+      this.asExpr() = argv.getAnAccess()
     )
   }
 

cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll

@@ -121,9 +121,7 @@ private predicate moveToDependingOnSide(Expr src, Expr dest) {
  *   (this is done to avoid false positives). Because of this we need to track if the tainted element came from an argument
  *   or not, and for that we use destFromArg
  */
-deprecated private predicate betweenFunctionsValueMoveTo(
-  Element src, Element dest, boolean destFromArg
-) {
+private predicate betweenFunctionsValueMoveTo(Element src, Element dest, boolean destFromArg) {
   not unreachable(src) and
   not unreachable(dest) and
   (
@@ -164,13 +162,13 @@ deprecated private predicate betweenFunctionsValueMoveTo(
 // predicate folding for proper join-order
 // bad magic: pushes down predicate that ruins join-order
 pragma[nomagic]
-deprecated private predicate resolveCallWithParam(Call call, Function called, int i, Parameter p) {
+private predicate resolveCallWithParam(Call call, Function called, int i, Parameter p) {
   called = resolveCall(call) and
   p = called.getParameter(i)
 }
 
 /** A variable for which flow through is allowed. */
-deprecated library class FlowVariable extends Variable {
+library class FlowVariable extends Variable {
   FlowVariable() {
     (
       this instanceof LocalScopeVariable or
@@ -181,11 +179,11 @@ deprecated library class FlowVariable extends Variable {
 }
 
 /** A local scope variable for which flow through is allowed. */
-deprecated library class FlowLocalScopeVariable extends Variable {
+library class FlowLocalScopeVariable extends Variable {
   FlowLocalScopeVariable() { this instanceof LocalScopeVariable }
 }
 
-deprecated private predicate insideFunctionValueMoveTo(Element src, Element dest) {
+private predicate insideFunctionValueMoveTo(Element src, Element dest) {
   not unreachable(src) and
   not unreachable(dest) and
   (
@@ -326,7 +324,7 @@ private predicate unionAccess(Variable v, Field f, FieldAccess a) {
   a.getQualifier() = v.getAnAccess()
 }
 
-deprecated GlobalOrNamespaceVariable globalVarFromId(string id) {
+GlobalOrNamespaceVariable globalVarFromId(string id) {
   if result instanceof NamespaceVariable
   then id = result.getNamespace() + "::" + result.getName()
   else id = result.getName()
@@ -355,7 +353,7 @@ private predicate hasUpperBoundsCheck(Variable var) {
 }
 
 cached
-deprecated private predicate taintedWithArgsAndGlobalVars(
+private predicate taintedWithArgsAndGlobalVars(
   Element src, Element dest, boolean destFromArg, string globalVar
 ) {
   isUserInput(src, _) and
@@ -397,7 +395,7 @@ deprecated private predicate taintedWithArgsAndGlobalVars(
  * This doesn't include data flow through global variables.
  * If you need that you must call taintedIncludingGlobalVars.
  */
-deprecated predicate tainted(Expr source, Element tainted) {
+predicate tainted(Expr source, Element tainted) {
   taintedWithArgsAndGlobalVars(source, tainted, _, "")
 }
 
@@ -412,7 +410,7 @@ deprecated predicate tainted(Expr source, Element tainted) {
  * The parameter `globalVar` is the name of the last global variable used to move the
  * value from source to tainted.
  */
-deprecated predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar) {
+predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar) {
   taintedWithArgsAndGlobalVars(source, tainted, _, globalVar)
 }
 
@@ -543,14 +541,14 @@ private predicate returnArgument(Function f, int sourceArg) {
  * targets a virtual method, simple data flow analysis is performed
  * in order to identify target(s).
  */
-deprecated Function resolveCall(Call call) {
+Function resolveCall(Call call) {
   result = call.getTarget()
   or
   result = call.(DataSensitiveCallExpr).resolve()
 }
 
 /** A data sensitive call expression. */
-abstract deprecated library class DataSensitiveCallExpr extends Expr {
+abstract library class DataSensitiveCallExpr extends Expr {
   DataSensitiveCallExpr() { not unreachable(this) }
 
   abstract Expr getSrc();
@@ -581,7 +579,7 @@ abstract deprecated library class DataSensitiveCallExpr extends Expr {
 }
 
 /** Call through a function pointer. */
-deprecated library class DataSensitiveExprCall extends DataSensitiveCallExpr, ExprCall {
+library class DataSensitiveExprCall extends DataSensitiveCallExpr, ExprCall {
   override Expr getSrc() { result = getExpr() }
 
   override Function resolve() {
@@ -590,8 +588,7 @@ deprecated library class DataSensitiveExprCall extends DataSensitiveCallExpr, Ex
 }
 
 /** Call to a virtual function. */
-deprecated library class DataSensitiveOverriddenFunctionCall extends DataSensitiveCallExpr,
-  FunctionCall {
+library class DataSensitiveOverriddenFunctionCall extends DataSensitiveCallExpr, FunctionCall {
   DataSensitiveOverriddenFunctionCall() {
     exists(getTarget().(VirtualFunction).getAnOverridingFunction())
   }

cpp/ql/lib/semmle/code/cpp/valuenumbering/GlobalValueNumberingImpl.qll

@@ -183,7 +183,7 @@ private newtype GvnBase =
   // global variable will only get the same value number if they are
   // guaranteed to have the same value.
   GVN_OtherVariable(Variable x, ControlFlowNode dominator) { mk_OtherVariable(x, dominator, _) } or
-  deprecated GVN_FieldAccess(GVN s, Field f) {
+  GVN_FieldAccess(GVN s, Field f) {
     mk_DotFieldAccess(s, f, _) or
     mk_PointerFieldAccess_with_deref(s, f, _) or
     mk_ImplicitThisFieldAccess_with_deref(s, f, _)
@@ -192,7 +192,7 @@ private newtype GvnBase =
   // time the pointer was dereferenced, so we need to include a definition
   // location. As a crude (but safe) approximation, we use
   // `mostRecentSideEffect` to compute a definition location.
-  deprecated GVN_Deref(GVN p, ControlFlowNode dominator) {
+  GVN_Deref(GVN p, ControlFlowNode dominator) {
     mk_Deref(p, dominator, _) or
     mk_PointerFieldAccess(p, _, dominator, _) or
     mk_ImplicitThisFieldAccess_with_qualifier(p, _, dominator, _)
@@ -201,12 +201,10 @@ private newtype GvnBase =
     mk_ThisExpr(fcn, _) or
     mk_ImplicitThisFieldAccess(fcn, _, _, _)
   } or
-  deprecated GVN_Conversion(Type t, GVN child) { mk_Conversion(t, child, _) } or
-  deprecated GVN_BinaryOp(GVN lhs, GVN rhs, string opname) { mk_BinaryOp(lhs, rhs, opname, _) } or
-  deprecated GVN_UnaryOp(GVN child, string opname) { mk_UnaryOp(child, opname, _) } or
-  deprecated GVN_ArrayAccess(GVN x, GVN i, ControlFlowNode dominator) {
-    mk_ArrayAccess(x, i, dominator, _)
-  } or
+  GVN_Conversion(Type t, GVN child) { mk_Conversion(t, child, _) } or
+  GVN_BinaryOp(GVN lhs, GVN rhs, string opname) { mk_BinaryOp(lhs, rhs, opname, _) } or
+  GVN_UnaryOp(GVN child, string opname) { mk_UnaryOp(child, opname, _) } or
+  GVN_ArrayAccess(GVN x, GVN i, ControlFlowNode dominator) { mk_ArrayAccess(x, i, dominator, _) } or
   // Any expression that is not handled by the cases above is
   // given a unique number based on the expression itself.
   GVN_Unanalyzable(Expr e) { not analyzableExpr(e) }
@@ -342,7 +340,7 @@ private predicate analyzableDotFieldAccess(DotFieldAccess access) {
   not analyzableConst(access)
 }
 
-deprecated private predicate mk_DotFieldAccess(GVN qualifier, Field target, DotFieldAccess access) {
+private predicate mk_DotFieldAccess(GVN qualifier, Field target, DotFieldAccess access) {
   analyzableDotFieldAccess(access) and
   target = access.getTarget() and
   qualifier = globalValueNumber(access.getQualifier().getFullyConverted())
@@ -355,7 +353,7 @@ private predicate analyzablePointerFieldAccess(PointerFieldAccess access) {
   not analyzableConst(access)
 }
 
-deprecated private predicate mk_PointerFieldAccess(
+private predicate mk_PointerFieldAccess(
   GVN qualifier, Field target, ControlFlowNode dominator, PointerFieldAccess access
 ) {
   analyzablePointerFieldAccess(access) and
@@ -368,7 +366,7 @@ deprecated private predicate mk_PointerFieldAccess(
  * `obj->field` is equivalent to `(*obj).field`, so we need to wrap an
  * extra `GVN_Deref` around the qualifier.
  */
-deprecated private predicate mk_PointerFieldAccess_with_deref(
+private predicate mk_PointerFieldAccess_with_deref(
   GVN new_qualifier, Field target, PointerFieldAccess access
 ) {
   exists(GVN qualifier, ControlFlowNode dominator |
@@ -393,7 +391,7 @@ private predicate mk_ImplicitThisFieldAccess(
   fcn = access.getEnclosingFunction()
 }
 
-deprecated private predicate mk_ImplicitThisFieldAccess_with_qualifier(
+private predicate mk_ImplicitThisFieldAccess_with_qualifier(
   GVN qualifier, Field target, ControlFlowNode dominator, ImplicitThisFieldAccess access
 ) {
   exists(Function fcn |
@@ -402,7 +400,7 @@ deprecated private predicate mk_ImplicitThisFieldAccess_with_qualifier(
   )
 }
 
-deprecated private predicate mk_ImplicitThisFieldAccess_with_deref(
+private predicate mk_ImplicitThisFieldAccess_with_deref(
   GVN new_qualifier, Field target, ImplicitThisFieldAccess access
 ) {
   exists(GVN qualifier, ControlFlowNode dominator |
@@ -436,7 +434,7 @@ private predicate analyzableConversion(Conversion conv) {
   not analyzableConst(conv)
 }
 
-deprecated private predicate mk_Conversion(Type t, GVN child, Conversion conv) {
+private predicate mk_Conversion(Type t, GVN child, Conversion conv) {
   analyzableConversion(conv) and
   t = conv.getUnspecifiedType() and
   child = globalValueNumber(conv.getExpr())
@@ -450,7 +448,7 @@ private predicate analyzableBinaryOp(BinaryOperation op) {
   not analyzableConst(op)
 }
 
-deprecated private predicate mk_BinaryOp(GVN lhs, GVN rhs, string opname, BinaryOperation op) {
+private predicate mk_BinaryOp(GVN lhs, GVN rhs, string opname, BinaryOperation op) {
   analyzableBinaryOp(op) and
   lhs = globalValueNumber(op.getLeftOperand().getFullyConverted()) and
   rhs = globalValueNumber(op.getRightOperand().getFullyConverted()) and
@@ -465,7 +463,7 @@ private predicate analyzableUnaryOp(UnaryOperation op) {
   not analyzableConst(op)
 }
 
-deprecated private predicate mk_UnaryOp(GVN child, string opname, UnaryOperation op) {
+private predicate mk_UnaryOp(GVN child, string opname, UnaryOperation op) {
   analyzableUnaryOp(op) and
   child = globalValueNumber(op.getOperand().getFullyConverted()) and
   opname = op.getOperator()
@@ -488,9 +486,7 @@ private predicate analyzableArrayAccess(ArrayExpr ae) {
   not analyzableConst(ae)
 }
 
-deprecated private predicate mk_ArrayAccess(
-  GVN base, GVN offset, ControlFlowNode dominator, ArrayExpr ae
-) {
+private predicate mk_ArrayAccess(GVN base, GVN offset, ControlFlowNode dominator, ArrayExpr ae) {
   analyzableArrayAccess(ae) and
   base = globalValueNumber(ae.getArrayBase().getFullyConverted()) and
   offset = globalValueNumber(ae.getArrayOffset().getFullyConverted()) and
@@ -503,7 +499,7 @@ private predicate analyzablePointerDereferenceExpr(PointerDereferenceExpr deref)
   not analyzableConst(deref)
 }
 
-deprecated private predicate mk_Deref(GVN p, ControlFlowNode dominator, PointerDereferenceExpr deref) {
+private predicate mk_Deref(GVN p, ControlFlowNode dominator, PointerDereferenceExpr deref) {
   analyzablePointerDereferenceExpr(deref) and
   p = globalValueNumber(deref.getOperand().getFullyConverted()) and
   dominator = mostRecentSideEffect(deref)

cpp/ql/lib/tutorial.qll

@@ -4,11 +4,6 @@
  * Note: Data is usually stored in a separate database and the QL libraries only contain predicates,
  * but for this tutorial both the data and the predicates are stored in the library.
  */
-
-/**
- * A person known to the QL detective tutorials, represented by a string
- * (their first name).
- */
 class Person extends string {
   Person() {
     this =

cpp/ql/src/AlertSuppression.ql

@@ -5,37 +5,78 @@
  * @id cpp/alert-suppression
  */
 
-private import codeql.util.suppression.AlertSuppression as AS
-private import semmle.code.cpp.Element
+import cpp
 
-class AstNode extends Locatable {
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-}
+/**
+ * An alert suppression comment.
+ */
+class SuppressionComment extends Comment {
+  string annotation;
+  string text;
 
-class SingleLineComment extends Comment, AstNode {
-  private string text;
-
-  SingleLineComment() {
-    this instanceof CppStyleComment and
-    // strip the beginning slashes
-    text = this.getContents().suffix(2)
-    or
-    this instanceof CStyleComment and
-    // strip both the beginning /* and the end */ the comment
-    exists(string text0 |
-      text0 = this.getContents().suffix(2) and
-      text = text0.prefix(text0.length() - 2)
+  SuppressionComment() {
+    (
+      this instanceof CppStyleComment and
+      // strip the beginning slashes
+      text = this.getContents().suffix(2)
+      or
+      this instanceof CStyleComment and
+      // strip both the beginning /* and the end */ the comment
+      exists(string text0 |
+        text0 = this.getContents().suffix(2) and
+        text = text0.prefix(text0.length() - 2)
+      ) and
+      // The /* */ comment must be a single-line comment
+      not text.matches("%\n%")
     ) and
-    // The /* */ comment must be a single-line comment
-    not text.matches("%\n%")
+    (
+      // match `lgtm[...]` anywhere in the comment
+      annotation = text.regexpFind("(?i)\\blgtm\\s*\\[[^\\]]*\\]", _, _)
+      or
+      // match `lgtm` at the start of the comment and after semicolon
+      annotation = text.regexpFind("(?i)(?<=^|;)\\s*lgtm(?!\\B|\\s*\\[)", _, _).trim()
+    )
   }
 
   /** Gets the text in this comment, excluding the leading //. */
   string getText() { result = text }
+
+  /** Gets the suppression annotation in this comment. */
+  string getAnnotation() { result = annotation }
+
+  /**
+   * Holds if this comment applies to the range from column `startcolumn` of line `startline`
+   * to column `endcolumn` of line `endline` in file `filepath`.
+   */
+  predicate covers(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
+    this.getLocation().hasLocationInfo(filepath, startline, _, endline, endcolumn) and
+    startcolumn = 1
+  }
+
+  /** Gets the scope of this suppression. */
+  SuppressionScope getScope() { result = this }
 }
 
-import AS::Make<AstNode, SingleLineComment>
+/**
+ * The scope of an alert suppression comment.
+ */
+class SuppressionScope extends ElementBase instanceof SuppressionComment {
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.covers(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}
+
+from SuppressionComment c
+select c, // suppression comment
+  c.getText(), // text of suppression comment (excluding delimiters)
+  c.getAnnotation(), // text of suppression annotation
+  c.getScope() // scope of suppression

cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql

@@ -15,7 +15,6 @@
 
 import cpp
 
-pragma[nomagic]
 predicate beforeArrayAccess(Variable v, ArrayExpr access, Expr before) {
   exists(LogicalAndExpr andexpr |
     access.getArrayOffset() = v.getAnAccess() and
@@ -24,7 +23,6 @@ predicate beforeArrayAccess(Variable v, ArrayExpr access, Expr before) {
   )
 }
 
-pragma[nomagic]
 predicate afterArrayAccess(Variable v, ArrayExpr access, Expr after) {
   exists(LogicalAndExpr andexpr |
     access.getArrayOffset() = v.getAnAccess() and

cpp/ql/src/CHANGELOG.md

@@ -1,18 +1,3 @@
-## 0.5.0
-
-### Minor Analysis Improvements
-
-* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be placed on the line before an alert.
-* The `cpp/missing-check-scanf` query no longer reports the free'ing of `scanf` output variables as potential reads.
-
-## 0.4.6
-
-No user-facing changes.
-
-## 0.4.5
-
-No user-facing changes.
-
 ## 0.4.4
 
 No user-facing changes.

cpp/ql/src/Critical/MissingCheckScanf.ql

@@ -115,8 +115,7 @@ BasicBlock blockGuardedBy(int value, string op, ScanfFunctionCall call) {
 from ScanfOutput output, ScanfFunctionCall call, Access access
 where
   output.getCall() = call and
-  output.hasGuardedAccess(access, false) and
-  not exists(DeallocationExpr dealloc | dealloc.getFreedExpr() = access)
+  output.hasGuardedAccess(access, false)
 select access,
   "This variable is read, but may not have been written. " +
     "It should be guarded by a check that the $@ returns at least " +

cpp/ql/src/JPL_C/LOC-4/Rule 23/MismatchedIfdefs.ql

@@ -66,7 +66,9 @@ class ElseDirective extends Directive {
   override predicate mismatched() { depth() < 1 }
 }
 
-class EndifDirective extends Directive instanceof PreprocessorEndif {
+class EndifDirective extends Directive {
+  EndifDirective() { this instanceof PreprocessorEndif }
+
   override int depthChange() { result = -1 }
 
   override predicate mismatched() { depth() < 0 }

cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql

@@ -12,8 +12,8 @@
  */
 
 /*
- * Note: this query is not assigned a precision yet because we don't want it
- * to be included in query suites until its performance is well understood.
+ * Note: this query is not assigned a precision yet because we don't want it on
+ * LGTM until its performance is well understood.
  */
 
 import cpp

cpp/ql/src/Metrics/Dependencies/ExternalDependencies.qll

@@ -52,7 +52,7 @@ class Library extends LibraryT {
     // The versions reported for C/C++ dependencies are just the versions that
     // happen to be installed on the system where the build takes place.
     // Reporting those versions is likely to cause misunderstandings, both for
-    // people reading them and for vulnerability checkers.
+    // people reading them and for the vulnerability checker of lgtm.
     result = "unknown"
   }
 

cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -16,10 +16,9 @@
 
 import cpp
 import semmle.code.cpp.security.FunctionWithWrappers
-import semmle.code.cpp.security.FlowSources
-import semmle.code.cpp.ir.IR
-import semmle.code.cpp.ir.dataflow.TaintTracking
-import DataFlow::PathGraph
+import semmle.code.cpp.security.Security
+import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
 /**
  * A function for opening a file.
@@ -47,69 +46,19 @@ class FileFunction extends FunctionWithWrappers {
   override predicate interestingArg(int arg) { arg = 0 }
 }
 
-Expr asSinkExpr(DataFlow::Node node) {
-  result =
-    node.asOperand()
-        .(SideEffectOperand)
-        .getUse()
-        .(ReadSideEffectInstruction)
-        .getArgumentDef()
-        .getUnconvertedResultExpression()
-}
-
-/**
- * Holds for a variable that has any kind of upper-bound check anywhere in the program.
- * This is biased towards being inclusive and being a coarse overapproximation because
- * there are a lot of valid ways of doing an upper bounds checks if we don't consider
- * where it occurs, for example:
- * ```cpp
- *   if (x < 10) { sink(x); }
- *
- *   if (10 > y) { sink(y); }
- *
- *   if (z > 10) { z = 10; }
- *   sink(z);
- * ```
- */
-predicate hasUpperBoundsCheck(Variable var) {
-  exists(RelationalOperation oper, VariableAccess access |
-    oper.getAnOperand() = access and
-    access.getTarget() = var and
-    // Comparing to 0 is not an upper bound check
-    not oper.getAnOperand().getValue() = "0"
-  )
-}
-
-class TaintedPathConfiguration extends TaintTracking::Configuration {
-  TaintedPathConfiguration() { this = "TaintedPathConfiguration" }
-
-  override predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
-
-  override predicate isSink(DataFlow::Node node) {
-    exists(FileFunction fileFunction |
-      fileFunction.outermostWrapperFunctionCall(asSinkExpr(node), _)
-    )
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node.asExpr().(Call).getTarget().getUnspecifiedType() instanceof ArithmeticType
-    or
-    exists(LoadInstruction load, Variable checkedVar |
-      load = node.asInstruction() and
-      checkedVar = load.getSourceAddress().(VariableAddressInstruction).getAstVariable() and
-      hasUpperBoundsCheck(checkedVar)
-    )
+class TaintedPathConfiguration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) {
+    exists(FileFunction fileFunction | fileFunction.outermostWrapperFunctionCall(tainted, _))
   }
 }
 
 from
-  FileFunction fileFunction, Expr taintedArg, FlowSource taintSource, TaintedPathConfiguration cfg,
-  DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode, string callChain
+  FileFunction fileFunction, Expr taintedArg, Expr taintSource, PathNode sourceNode,
+  PathNode sinkNode, string taintCause, string callChain
 where
-  taintedArg = asSinkExpr(sinkNode.getNode()) and
   fileFunction.outermostWrapperFunctionCall(taintedArg, callChain) and
-  cfg.hasFlowPath(sourceNode, sinkNode) and
-  taintSource = sourceNode.getNode()
+  taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
+  isUserInput(taintSource, taintCause)
 select taintedArg, sourceNode, sinkNode,
   "This argument to a file access function is derived from $@ and then passed to " + callChain + ".",
-  taintSource, "user input (" + taintSource.getSourceType() + ")"
+  taintSource, "user input (" + taintCause + ")"

cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql

@@ -13,7 +13,7 @@
 
 import cpp
 import semmle.code.cpp.commons.Environment
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import semmle.code.cpp.security.TaintTracking
 import TaintedWithPath
 
 /** A call that prints its arguments to `stdout`. */

cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -15,7 +15,7 @@
 import cpp
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.FunctionWithWrappers
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import semmle.code.cpp.security.TaintTracking
 import TaintedWithPath
 
 class SqlLikeFunction extends FunctionWithWrappers {

cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql

@@ -14,7 +14,7 @@
 
 import cpp
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import semmle.code.cpp.security.TaintTracking
 import TaintedWithPath
 
 predicate isProcessOperationExplanation(Expr arg, string processOperation) {

cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql

@@ -16,7 +16,7 @@
 
 import semmle.code.cpp.security.BufferWrite
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import semmle.code.cpp.security.TaintTracking
 import TaintedWithPath
 
 /*

cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql

@@ -116,6 +116,10 @@ class ImproperArrayIndexValidationConfig extends TaintTracking::Configuration {
   }
 }
 
+/** Gets `str` where the first letter has been lowercased. */
+bindingset[str]
+string lowerFirst(string str) { result = str.prefix(1).toLowerCase() + str.suffix(1) }
+
 from
   ImproperArrayIndexValidationConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink,
   string sourceType
@@ -124,4 +128,4 @@ where
   isFlowSource(source.getNode(), sourceType)
 select sink.getNode(), source, sink,
   "An array indexing expression depends on $@ that might be outside the bounds of the array.",
-  source.getNode(), sourceType
+  source.getNode(), lowerFirst(sourceType)

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql

@@ -16,7 +16,7 @@
 import cpp
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.FunctionWithWrappers
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import semmle.code.cpp.security.TaintTracking
 import TaintedWithPath
 
 class Configuration extends TaintTrackingConfiguration {

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql

@@ -16,7 +16,7 @@
 import cpp
 import semmle.code.cpp.security.FunctionWithWrappers
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import semmle.code.cpp.security.TaintTracking
 import TaintedWithPath
 
 class Configuration extends TaintTrackingConfiguration {

cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql

@@ -12,7 +12,7 @@
 
 import cpp
 import semmle.code.cpp.commons.NullTermination
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import semmle.code.cpp.security.TaintTracking
 
 /** A user-controlled expression that may not be null terminated. */
 class TaintSource extends VariableAccess {

cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql

@@ -15,7 +15,7 @@
 import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import semmle.code.cpp.security.TaintTracking
 import TaintedWithPath
 import Bounded
 

cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql

@@ -17,7 +17,7 @@
 import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import semmle.code.cpp.security.TaintTracking
 
 predicate isMaxValue(Expr mie) {
   exists(MacroInvocation mi |