Merge pull request #13684 from github/release-prep/2.14.0

Release preparation for version 2.14.0
Update swift/ql/lib/change-notes/released/0.2.0.md
2026-05-17 20:57:07 +02:00 · 2023-07-07 12:30:09 +01:00 · 2023-07-07 11:06:07 +02:00 · 2023-07-07 09:25:03 +01:00 · 2023-07-07 09:24:56 +01:00 · 2023-07-07 09:24:50 +01:00
3877 changed files with 216853 additions and 117250 deletions
--- a/.bazelrc
+++ b/.bazelrc
@@ -1,3 +1,9 @@
-build --repo_env=CC=clang --repo_env=CXX=clang++ --cxxopt="-std=c++17"
+common --enable_platform_specific_config
+
+build --repo_env=CC=clang --repo_env=CXX=clang++
+
+build:linux --cxxopt=-std=c++20
+build:macos --cxxopt=-std=c++20 --cpu=darwin_x86_64
+build:windows --cxxopt=/std:c++20 --cxxopt=/Zc:preprocessor

 try-import %workspace%/local.bazelrc
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,6 +1,6 @@
 {
  "extensions": [
-    "rust-lang.rust",
+    "rust-lang.rust-analyzer",
    "bungcip.better-toml",
    "github.vscode-codeql",
    "hbenl.vscode-test-explorer",
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -11,7 +11,7 @@ Go:
  - change-notes/**/*go.*

 Java:
-  - any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/kotlin-explorer/**/*', '!java/ql/test/kotlin/**/*' ]
+  - any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/ql/test/kotlin/**/*' ]
  - change-notes/**/*java.*

 JS:
@@ -20,7 +20,6 @@ JS:

 Kotlin:
  - java/kotlin-extractor/**/*
-  - java/kotlin-explorer/**/*
  - java/ql/test/kotlin/**/*

 Python:
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -11,7 +11,6 @@ on:
      - "*/ql/lib/**/*.yml"
      - "!**/experimental/**"
      - "!ql/**"
-      - "!swift/**"
      - ".github/workflows/check-change-note.yml"

 jobs:
@@ -27,9 +26,9 @@ jobs:
        run: |
          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
          grep true -c
-      - name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md' or 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text.
+      - name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md', 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text, or released/x.y.z.md for released change-notes
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$"))' |
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$"))' |
          grep true -c
--- a/.github/workflows/check-implicit-this.yml
+++ b/.github/workflows/check-implicit-this.yml
@@ -0,0 +1,29 @@
+name: "Check implicit this warnings"
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - "**qlpack.yml"
+    branches:
+      - main
+      - "rc/*"
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check that implicit this warnings is enabled for all packs
+        shell: bash
+        run: |
+          EXIT_CODE=0
+          packs="$(find . -iname 'qlpack.yml')"
+          for pack_file in ${packs}; do
+            option="$(yq '.warnOnImplicitThis' ${pack_file})"
+            if [ "${option}" != "true" ]; then
+              echo "::error file=${pack_file}::warnOnImplicitThis property must be set to 'true' for pack ${pack_file}"
+              EXIT_CODE=1
+            fi
+          done
+          exit "${EXIT_CODE}"
--- a/.github/workflows/csv-coverage-pr-artifacts.yml
+++ b/.github/workflows/csv-coverage-pr-artifacts.yml
@@ -10,6 +10,7 @@ on:
      - "*/ql/src/**/*.qll"
      - "*/ql/lib/**/*.ql"
      - "*/ql/lib/**/*.qll"
+      - "*/ql/lib/ext/**/*.yml"
      - "misc/scripts/library-coverage/*.py"
      # input data files
      - "*/documentation/library-coverage/cwe-sink.csv"
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -32,7 +32,7 @@ jobs:
          path: |
            ql/extractor-pack/
            ql/target/release/buramu
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ql/**/*.rs') }}
      - name: Cache cargo
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        uses: actions/cache@v3
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -61,7 +61,7 @@ jobs:
            ruby/extractor/target/release/codeql-extractor-ruby
            ruby/extractor/target/release/codeql-extractor-ruby.exe
            ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}--${{ hashFiles('ruby/extractor/**/*.rs') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
      - uses: actions/cache@v3
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        with:
--- a/.github/workflows/swift.yml
+++ b/.github/workflows/swift.yml
@@ -16,6 +16,7 @@ on:
    branches:
      - main
      - rc/*
+      - codeql-cli-*
  push:
    paths:
      - "swift/**"
@@ -30,6 +31,7 @@ on:
    branches:
      - main
      - rc/*
+      - codeql-cli-*

 jobs:
  # not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
--- a/.github/workflows/sync-files.yml
+++ b/.github/workflows/sync-files.yml
@@ -17,4 +17,6 @@ jobs:
      - uses: actions/checkout@v3
      - name: Check synchronized files
        run: python config/sync-files.py
+      - name: Check dbscheme fragments
+        run: python config/sync-dbscheme-fragments.py

--- a/.github/workflows/tree-sitter-extractor-test.yml
+++ b/.github/workflows/tree-sitter-extractor-test.yml
@@ -0,0 +1,46 @@
+name: Test tree-sitter-extractor
+
+on:
+  push:
+    paths:
+      - "shared/tree-sitter-extractor/**"
+      - .github/workflows/tree-sitter-extractor-test.yml
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "shared/tree-sitter-extractor/**"
+      - .github/workflows/tree-sitter-extractor-test.yml
+    branches:
+      - main
+      - "rc/*"
+
+env:
+  CARGO_TERM_COLOR: always
+
+defaults:
+  run:
+    working-directory: shared/tree-sitter-extractor
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check formatting
+        run: cargo fmt --all -- --check
+      - name: Run tests
+        run: cargo test --verbose
+  fmt:
+    runs-on: ubuntu-latest  
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check formatting
+        run: cargo fmt --check
+  clippy:
+    runs-on: ubuntu-latest  
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run clippy
+        run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -5,9 +5,9 @@ repos:
    rev: v3.2.0
    hooks:
      - id: trailing-whitespace
-        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)
+        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
      - id: end-of-file-fixer
-        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)
+        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch

  - repo: https://github.com/pre-commit/mirrors-clang-format
    rev: v13.0.1
@@ -21,6 +21,11 @@ repos:
      - id: autopep8
        files: ^misc/codegen/.*\.py

+  - repo: https://github.com/warchant/pre-commit-buildifier
+    rev: 0.0.2
+    hooks:
+      - id: buildifier
+
  - repo: local
    hooks:
      - id: codeql-format
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -22,6 +22,22 @@
                "command": "${config:python.pythonPath}",
            },
            "problemMatcher": []
+        },
+        {
+            "label": "Accept .expected changes from CI",
+            "type": "process",
+            // Non-Windows OS will usually have Python 3 already installed at /usr/bin/python3.
+            "command": "python3",
+            "args": [
+                "misc/scripts/accept-expected-changes-from-ci.py"
+            ],
+            "group": "build",
+            "windows": {
+                // On Windows, use whatever Python interpreter is configured for this workspace. The default is
+                // just `python`, so if Python is already on the path, this will find it.
+                "command": "${config:python.pythonPath}",
+            },
+            "problemMatcher": []
        }
    ]
-}
+}
--- a/4
+++ b/4
@@ -8,7 +8,6 @@
 /swift/ @github/codeql-swift
 /misc/codegen/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin
-/java/kotlin-explorer/ @github/codeql-kotlin

 # ML-powered queries
 /javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
@@ -40,3 +39,6 @@ WORKSPACE.bazel @github/codeql-ci-reviewers
 /.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
 /.github/workflows/ruby-* @github/codeql-ruby
 /.github/workflows/swift.yml @github/codeql-swift
+
+# Misc
+/misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
--- a/config/dbscheme-fragments.json
+++ b/config/dbscheme-fragments.json
@@ -0,0 +1,33 @@
+{
+  "files": [
+    "javascript/ql/lib/semmlecode.javascript.dbscheme",
+    "python/ql/lib/semmlecode.python.dbscheme",
+    "ruby/ql/lib/ruby.dbscheme",
+    "ql/ql/src/ql.dbscheme"
+  ],
+  "fragments": [
+    "/*- External data -*/",
+    "/*- Files and folders -*/",
+    "/*- Diagnostic messages -*/",
+    "/*- Diagnostic messages: severity -*/",
+    "/*- Source location prefix -*/",
+    "/*- Lines of code -*/",
+    "/*- Configuration files with key value pairs -*/",
+    "/*- YAML -*/",
+    "/*- XML Files -*/",
+    "/*- XML: sourceline -*/",
+    "/*- DEPRECATED: External defects and metrics -*/",
+    "/*- DEPRECATED: Snapshot date -*/",
+    "/*- DEPRECATED: Duplicate code -*/",
+    "/*- DEPRECATED: Version control data -*/",
+    "/*- JavaScript-specific part -*/",
+    "/*- Ruby dbscheme -*/",
+    "/*- Erb dbscheme -*/",
+    "/*- QL dbscheme -*/",
+    "/*- Dbscheme dbscheme -*/",
+    "/*- Yaml dbscheme -*/",
+    "/*- Blame dbscheme -*/",
+    "/*- JSON dbscheme -*/",
+    "/*- Python dbscheme -*/"
+  ]
+}
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -40,7 +40,6 @@
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll",
    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll",
    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll",
    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImplForStringsNewReplacer.qll",
@@ -48,7 +47,6 @@
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplForRegExp.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForHttpClientLibraries.qll",
@@ -513,7 +511,8 @@
  "SensitiveDataHeuristics Python/JS": [
    "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
    "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll",
-    "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll"
+    "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
+    "swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
  ],
  "CFG": [
    "csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll",
@@ -524,6 +523,10 @@
    "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
    "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
  ],
+  "SummaryTypeTracker": [
+    "python/ql/lib/semmle/python/dataflow/new/internal/SummaryTypeTracker.qll",
+    "ruby/ql/lib/codeql/ruby/typetracking/internal/SummaryTypeTracker.qll"
+  ],
  "AccessPathSyntax": [
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
    "go/ql/lib/semmle/go/dataflow/internal/AccessPathSyntax.qll",
@@ -600,4 +603,4 @@
    "python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll",
    "java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll"
  ]
-}
+}
--- a/config/sync-dbscheme-fragments.py
+++ b/config/sync-dbscheme-fragments.py
@@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+
+import argparse
+import json
+import os
+import pathlib
+import re
+
+
+def make_groups(blocks):
+    groups = {}
+    for block in blocks:
+        groups.setdefault("".join(block["lines"]), []).append(block)
+    return list(groups.values())
+
+
+def validate_fragments(fragments):
+    ok = True
+    for header, blocks in fragments.items():
+        groups = make_groups(blocks)
+        if len(groups) > 1:
+            ok = False
+            print("Warning: dbscheme fragments with header '{}' are different for {}".format(header, ["{}:{}:{}".format(
+                group[0]["file"], group[0]["start"], group[0]["end"]) for group in groups]))
+    return ok
+
+
+def main():
+    script_path = os.path.realpath(__file__)
+    script_dir = os.path.dirname(script_path)
+    parser = argparse.ArgumentParser(
+        prog=os.path.basename(script_path),
+        description='Sync dbscheme fragments across files.'
+    )
+    parser.add_argument('files', metavar='dbscheme_file', type=pathlib.Path, nargs='*', default=[],
+                        help='dbscheme files to check')
+    args = parser.parse_args()
+
+    with open(os.path.join(script_dir, "dbscheme-fragments.json"), "r") as f:
+        config = json.load(f)
+
+    fragment_headers = set(config["fragments"])
+    fragments = {}
+    ok = True
+    for file in args.files + config["files"]:
+        with open(os.path.join(os.path.dirname(script_dir), file), "r") as dbscheme:
+            header = None
+            line_number = 1
+            block = {"file": file, "start": line_number,
+                     "end": None, "lines": []}
+
+            def end_block():
+                block["end"] = line_number - 1
+                if len(block["lines"]) > 0:
+                    if header is None:
+                        if re.match(r'(?m)\A(\s|//.*$|/\*(\**[^\*])*\*+/)*\Z', "".join(block["lines"])):
+                            # Ignore comments at the beginning of the file
+                            pass
+                        else:
+                            ok = False
+                            print("Warning: dbscheme fragment without header: {}:{}:{}".format(
+                                block["file"], block["start"], block["end"]))
+                    else:
+                        fragments.setdefault(header, []).append(block)
+            for line in dbscheme:
+                m = re.match(r"^\/\*-.*-\*\/$", line)
+                if m:
+                    end_block()
+                    header = line.strip()
+                    if header not in fragment_headers:
+                        ok = False
+                        print("Warning: unknown header for dbscheme fragment: '{}': {}:{}".format(
+                            header, file, line_number))
+                    block = {"file": file, "start": line_number,
+                             "end": None, "lines": []}
+                block["lines"].append(line)
+                line_number += 1
+            block["lines"].append('\n')
+            line_number += 1
+            end_block()
+    if not ok or not validate_fragments(fragments):
+        exit(1)
+
+
+if __name__ == "__main__":
+    main()
--- a/cpp/downgrades/qlpack.yml
+++ b/cpp/downgrades/qlpack.yml
@@ -2,3 +2,4 @@ name: codeql/cpp-downgrades
 groups: cpp
 downgrades: .
 library: true
+warnOnImplicitThis: true
--- a/cpp/ql/examples/qlpack.yml
+++ b/cpp/ql/examples/qlpack.yml
@@ -4,3 +4,4 @@ groups:
  - examples
 dependencies:
  codeql/cpp-all: ${workspace}
+warnOnImplicitThis: true
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,41 @@
+## 0.8.0
+
+### New Features
+
+* The `ProductFlow::StateConfigSig` signature now includes default predicates for `isBarrier1`, `isBarrier2`, `isAdditionalFlowStep1`, and `isAdditionalFlowStep1`. Hence, it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `getURL` predicate from the `Container`, `Folder`, and `File` classes. Use the `getLocation` predicate instead.
+
+## 0.7.4
+
+No user-facing changes.
+
+## 0.7.3
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `hasCopyConstructor` predicate from the `Class` class in `Class.qll`.
+* Deleted many deprecated predicates and classes with uppercase `AST`, `SSA`, `CFG`, `API`, etc. in their names. Use the PascalCased versions instead.
+* Deleted the deprecated `CodeDuplication.qll` file.
+
+## 0.7.2
+
+### New Features
+
+* Added an AST-based interface (`semmle.code.cpp.rangeanalysis.new.RangeAnalysis`) for the relative range analysis library.
+* A new predicate `BarrierGuard::getAnIndirectBarrierNode` has been added to the new dataflow library (`semmle.code.cpp.dataflow.new.DataFlow`) to mark indirect expressions as barrier nodes using the `BarrierGuard` API.
+
+### Major Analysis Improvements
+
+* In the intermediate representation, handling of control flow after non-returning calls has been improved. This should remove false positives in queries that use the intermedite representation or libraries based on it, including the new data flow library.
+
+### Minor Analysis Improvements
+
+* The `StdNamespace` class now also includes all inline namespaces that are children of `std` namespace.
+* The new dataflow (`semmle.code.cpp.dataflow.new.DataFlow`) and taint-tracking libraries (`semmle.code.cpp.dataflow.new.TaintTracking`) now support tracking flow through static local variables.
+
 ## 0.7.1

 No user-facing changes.
--- a/cpp/ql/lib/change-notes/released/0.7.2.md
+++ b/cpp/ql/lib/change-notes/released/0.7.2.md
@@ -0,0 +1,15 @@
+## 0.7.2
+
+### New Features
+
+* Added an AST-based interface (`semmle.code.cpp.rangeanalysis.new.RangeAnalysis`) for the relative range analysis library.
+* A new predicate `BarrierGuard::getAnIndirectBarrierNode` has been added to the new dataflow library (`semmle.code.cpp.dataflow.new.DataFlow`) to mark indirect expressions as barrier nodes using the `BarrierGuard` API.
+
+### Major Analysis Improvements
+
+* In the intermediate representation, handling of control flow after non-returning calls has been improved. This should remove false positives in queries that use the intermedite representation or libraries based on it, including the new data flow library.
+
+### Minor Analysis Improvements
+
+* The `StdNamespace` class now also includes all inline namespaces that are children of `std` namespace.
+* The new dataflow (`semmle.code.cpp.dataflow.new.DataFlow`) and taint-tracking libraries (`semmle.code.cpp.dataflow.new.TaintTracking`) now support tracking flow through static local variables.
--- a/cpp/ql/lib/change-notes/released/0.7.3.md
+++ b/cpp/ql/lib/change-notes/released/0.7.3.md
@@ -0,0 +1,7 @@
+## 0.7.3
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `hasCopyConstructor` predicate from the `Class` class in `Class.qll`.
+* Deleted many deprecated predicates and classes with uppercase `AST`, `SSA`, `CFG`, `API`, etc. in their names. Use the PascalCased versions instead.
+* Deleted the deprecated `CodeDuplication.qll` file.
--- a/cpp/ql/lib/change-notes/released/0.7.4.md
+++ b/cpp/ql/lib/change-notes/released/0.7.4.md
@@ -0,0 +1,3 @@
+## 0.7.4
+
+No user-facing changes.
--- a/cpp/ql/lib/change-notes/released/0.8.0.md
+++ b/cpp/ql/lib/change-notes/released/0.8.0.md
@@ -0,0 +1,9 @@
+## 0.8.0
+
+### New Features
+
+* The `ProductFlow::StateConfigSig` signature now includes default predicates for `isBarrier1`, `isBarrier2`, `isAdditionalFlowStep1`, and `isAdditionalFlowStep1`. Hence, it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `getURL` predicate from the `Container`, `Folder`, and `File` classes. Use the `getLocation` predicate instead.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.1
+lastReleaseVersion: 0.8.0
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
@@ -238,7 +238,7 @@ class NoReason extends Reason, TNoReason {
 class CondReason extends Reason, TCondReason {
  IRGuardCondition getCond() { this = TCondReason(result) }

-  override string toString() { result = getCond().toString() }
+  override string toString() { result = this.getCond().toString() }
 }

 /**
@@ -260,14 +260,14 @@ private predicate typeBound(IRIntegerType typ, int lowerbound, int upperbound) {
 private class NarrowingCastInstruction extends ConvertInstruction {
  NarrowingCastInstruction() {
    not this instanceof SafeCastInstruction and
-    typeBound(getResultIRType(), _, _)
+    typeBound(this.getResultIRType(), _, _)
  }

  /** Gets the lower bound of the resulting type. */
-  int getLowerBound() { typeBound(getResultIRType(), result, _) }
+  int getLowerBound() { typeBound(this.getResultIRType(), result, _) }

  /** Gets the upper bound of the resulting type. */
-  int getUpperBound() { typeBound(getResultIRType(), _, result) }
+  int getUpperBound() { typeBound(this.getResultIRType(), _, result) }
 }

 /**
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeUtils.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeUtils.qll
@@ -109,8 +109,8 @@ private predicate safeCast(IRIntegerType fromtyp, IRIntegerType totyp) {
 */
 class PtrToPtrCastInstruction extends ConvertInstruction {
  PtrToPtrCastInstruction() {
-    getResultIRType() instanceof IRAddressType and
-    getUnary().getResultIRType() instanceof IRAddressType
+    this.getResultIRType() instanceof IRAddressType and
+    this.getUnary().getResultIRType() instanceof IRAddressType
  }
 }

@@ -119,7 +119,7 @@ class PtrToPtrCastInstruction extends ConvertInstruction {
 * that cannot overflow or underflow.
 */
 class SafeIntCastInstruction extends ConvertInstruction {
-  SafeIntCastInstruction() { safeCast(getUnary().getResultIRType(), getResultIRType()) }
+  SafeIntCastInstruction() { safeCast(this.getUnary().getResultIRType(), this.getResultIRType()) }
 }

 /**
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantBitwiseAndExprRange.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantBitwiseAndExprRange.qll
@@ -50,8 +50,8 @@ private class ConstantBitwiseAndExprRange extends SimpleRangeAnalysisExpr {
    // If an operand can have negative values, the lower bound is unconstrained.
    // Otherwise, the lower bound is zero.
    exists(float lLower, float rLower |
-      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
-      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
+      lLower = getFullyConvertedLowerBounds(this.getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(this.getRightOperand()) and
      (
        (lLower < 0 or rLower < 0) and
        result = exprMinVal(this)
@@ -68,10 +68,10 @@ private class ConstantBitwiseAndExprRange extends SimpleRangeAnalysisExpr {
    // If an operand can have negative values, the upper bound is unconstrained.
    // Otherwise, the upper bound is the minimum of the upper bounds of the operands
    exists(float lLower, float lUpper, float rLower, float rUpper |
-      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
-      lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and
-      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
-      rUpper = getFullyConvertedUpperBounds(getRightOperand()) and
+      lLower = getFullyConvertedLowerBounds(this.getLeftOperand()) and
+      lUpper = getFullyConvertedUpperBounds(this.getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(this.getRightOperand()) and
+      rUpper = getFullyConvertedUpperBounds(this.getRightOperand()) and
      (
        (lLower < 0 or rLower < 0) and
        result = exprMaxVal(this)
@@ -85,6 +85,6 @@ private class ConstantBitwiseAndExprRange extends SimpleRangeAnalysisExpr {
  }

  override predicate dependsOnChild(Expr child) {
-    child = getLeftOperand() or child = getRightOperand()
+    child = this.getLeftOperand() or child = this.getRightOperand()
  }
 }
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantShiftExprRange.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantShiftExprRange.qll
@@ -50,7 +50,7 @@ class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr {
   * We don't handle the case where `a` and `b` are both non-constant values.
   */
  ConstantRShiftExprRange() {
-    getUnspecifiedType() instanceof IntegralType and
+    this.getUnspecifiedType() instanceof IntegralType and
    exists(Expr l, Expr r |
      l = this.(RShiftExpr).getLeftOperand() and
      r = this.(RShiftExpr).getRightOperand()
@@ -84,10 +84,10 @@ class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr {

  override float getLowerBounds() {
    exists(int lLower, int lUpper, int rLower, int rUpper |
-      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
-      lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and
-      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
-      rUpper = getFullyConvertedUpperBounds(getRightOperand()) and
+      lLower = getFullyConvertedLowerBounds(this.getLeftOperand()) and
+      lUpper = getFullyConvertedUpperBounds(this.getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(this.getRightOperand()) and
+      rUpper = getFullyConvertedUpperBounds(this.getRightOperand()) and
      lLower <= lUpper and
      rLower <= rUpper
    |
@@ -95,8 +95,8 @@ class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr {
        lLower < 0
        or
        not (
-          isValidShiftExprShift(rLower, getLeftOperand()) and
-          isValidShiftExprShift(rUpper, getLeftOperand())
+          isValidShiftExprShift(rLower, this.getLeftOperand()) and
+          isValidShiftExprShift(rUpper, this.getLeftOperand())
        )
      then
        // We don't want to deal with shifting negative numbers at the moment,
@@ -111,10 +111,10 @@ class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr {

  override float getUpperBounds() {
    exists(int lLower, int lUpper, int rLower, int rUpper |
-      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
-      lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and
-      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
-      rUpper = getFullyConvertedUpperBounds(getRightOperand()) and
+      lLower = getFullyConvertedLowerBounds(this.getLeftOperand()) and
+      lUpper = getFullyConvertedUpperBounds(this.getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(this.getRightOperand()) and
+      rUpper = getFullyConvertedUpperBounds(this.getRightOperand()) and
      lLower <= lUpper and
      rLower <= rUpper
    |
@@ -122,8 +122,8 @@ class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr {
        lLower < 0
        or
        not (
-          isValidShiftExprShift(rLower, getLeftOperand()) and
-          isValidShiftExprShift(rUpper, getLeftOperand())
+          isValidShiftExprShift(rLower, this.getLeftOperand()) and
+          isValidShiftExprShift(rUpper, this.getLeftOperand())
        )
      then
        // We don't want to deal with shifting negative numbers at the moment,
@@ -137,7 +137,7 @@ class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr {
  }

  override predicate dependsOnChild(Expr child) {
-    child = getLeftOperand() or child = getRightOperand()
+    child = this.getLeftOperand() or child = this.getRightOperand()
  }
 }

@@ -163,7 +163,7 @@ class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr {
   * We don't handle the case where `a` and `b` are both non-constant values.
   */
  ConstantLShiftExprRange() {
-    getUnspecifiedType() instanceof IntegralType and
+    this.getUnspecifiedType() instanceof IntegralType and
    exists(Expr l, Expr r |
      l = this.(LShiftExpr).getLeftOperand() and
      r = this.(LShiftExpr).getRightOperand()
@@ -197,10 +197,10 @@ class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr {

  override float getLowerBounds() {
    exists(int lLower, int lUpper, int rLower, int rUpper |
-      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
-      lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and
-      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
-      rUpper = getFullyConvertedUpperBounds(getRightOperand()) and
+      lLower = getFullyConvertedLowerBounds(this.getLeftOperand()) and
+      lUpper = getFullyConvertedUpperBounds(this.getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(this.getRightOperand()) and
+      rUpper = getFullyConvertedUpperBounds(this.getRightOperand()) and
      lLower <= lUpper and
      rLower <= rUpper
    |
@@ -208,8 +208,8 @@ class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr {
        lLower < 0
        or
        not (
-          isValidShiftExprShift(rLower, getLeftOperand()) and
-          isValidShiftExprShift(rUpper, getLeftOperand())
+          isValidShiftExprShift(rLower, this.getLeftOperand()) and
+          isValidShiftExprShift(rUpper, this.getLeftOperand())
        )
      then
        // We don't want to deal with shifting negative numbers at the moment,
@@ -228,10 +228,10 @@ class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr {

  override float getUpperBounds() {
    exists(int lLower, int lUpper, int rLower, int rUpper |
-      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
-      lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and
-      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
-      rUpper = getFullyConvertedUpperBounds(getRightOperand()) and
+      lLower = getFullyConvertedLowerBounds(this.getLeftOperand()) and
+      lUpper = getFullyConvertedUpperBounds(this.getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(this.getRightOperand()) and
+      rUpper = getFullyConvertedUpperBounds(this.getRightOperand()) and
      lLower <= lUpper and
      rLower <= rUpper
    |
@@ -239,8 +239,8 @@ class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr {
        lLower < 0
        or
        not (
-          isValidShiftExprShift(rLower, getLeftOperand()) and
-          isValidShiftExprShift(rUpper, getLeftOperand())
+          isValidShiftExprShift(rLower, this.getLeftOperand()) and
+          isValidShiftExprShift(rUpper, this.getLeftOperand())
        )
      then
        // We don't want to deal with shifting negative numbers at the moment,
@@ -258,6 +258,6 @@ class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr {
  }

  override predicate dependsOnChild(Expr child) {
-    child = getLeftOperand() or child = getRightOperand()
+    child = this.getLeftOperand() or child = this.getRightOperand()
  }
 }
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/RangeNode.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/RangeNode.qll
@@ -83,20 +83,23 @@ private class ExprRangeNode extends DataFlow::ExprNode {
  private string getCallBounds(Call e) {
    result =
      getExprBoundAsString(e) + "(" +
-        concat(Expr arg, int i | arg = e.getArgument(i) | getIntegralBounds(arg) order by i, ",") +
-        ")"
+        concat(Expr arg, int i |
+          arg = e.getArgument(i)
+        |
+          this.getIntegralBounds(arg), "," order by i
+        ) + ")"
  }

  override string toString() {
-    exists(Expr e | e = getExpr() |
+    exists(Expr e | e = this.getExpr() |
      if hasIntegralOrReferenceIntegralType(e)
      then
-        result = super.toString() + ": " + getOperationBounds(e)
+        result = super.toString() + ": " + this.getOperationBounds(e)
        or
-        result = super.toString() + ": " + getCallBounds(e)
+        result = super.toString() + ": " + this.getCallBounds(e)
        or
-        not exists(getOperationBounds(e)) and
-        not exists(getCallBounds(e)) and
+        not exists(this.getOperationBounds(e)) and
+        not exists(this.getCallBounds(e)) and
        result = super.toString() + ": " + getExprBoundAsString(e)
      else result = super.toString()
    )
@@ -108,8 +111,8 @@ private class ExprRangeNode extends DataFlow::ExprNode {
 */
 private class ReferenceArgumentRangeNode extends DataFlow::DefinitionByReferenceNode {
  override string toString() {
-    if hasIntegralOrReferenceIntegralType(asDefiningArgument())
-    then result = super.toString() + ": " + getExprBoundAsString(getArgument())
+    if hasIntegralOrReferenceIntegralType(this.asDefiningArgument())
+    then result = super.toString() + ": " + getExprBoundAsString(this.getArgument())
    else result = super.toString()
  }
 }
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/StrlenLiteralRangeExpr.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/StrlenLiteralRangeExpr.qll
@@ -7,12 +7,12 @@ private import experimental.semmle.code.cpp.models.interfaces.SimpleRangeAnalysi
 */
 class StrlenLiteralRangeExpr extends SimpleRangeAnalysisExpr, FunctionCall {
  StrlenLiteralRangeExpr() {
-    getTarget().hasGlobalOrStdName("strlen") and getArgument(0).isConstant()
+    this.getTarget().hasGlobalOrStdName("strlen") and this.getArgument(0).isConstant()
  }

-  override int getLowerBounds() { result = getArgument(0).getValue().length() }
+  override int getLowerBounds() { result = this.getArgument(0).getValue().length() }

-  override int getUpperBounds() { result = getArgument(0).getValue().length() }
+  override int getUpperBounds() { result = this.getArgument(0).getValue().length() }

  override predicate dependsOnChild(Expr e) { none() }
 }
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/SubtractSelf.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/SubtractSelf.qll
@@ -3,8 +3,8 @@ import experimental.semmle.code.cpp.models.interfaces.SimpleRangeAnalysisExpr
 private class SelfSub extends SimpleRangeAnalysisExpr, SubExpr {
  SelfSub() {
    // Match `x - x` but not `myInt - (unsigned char)myInt`.
-    getLeftOperand().getExplicitlyConverted().(VariableAccess).getTarget() =
-      getRightOperand().getExplicitlyConverted().(VariableAccess).getTarget()
+    this.getLeftOperand().getExplicitlyConverted().(VariableAccess).getTarget() =
+      this.getRightOperand().getExplicitlyConverted().(VariableAccess).getTarget()
  }

  override float getLowerBounds() { result = 0 }
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.7.1
+version: 0.8.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -9,3 +9,4 @@ dependencies:
  codeql/ssa: ${workspace}
  codeql/tutorial: ${workspace}
  codeql/util: ${workspace}
+warnOnImplicitThis: true
--- a/cpp/ql/lib/semmle/code/cpp/Class.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Class.qll
@@ -176,20 +176,6 @@ class Class extends UserType {
  /** Holds if this class, struct or union has a constructor. */
  predicate hasConstructor() { exists(this.getAConstructor()) }

-  /**
-   * Holds if this class has a copy constructor that is either explicitly
-   * declared (though possibly `= delete`) or is auto-generated, non-trivial
-   * and called from somewhere.
-   *
-   * DEPRECATED: There is more than one reasonable definition of what it means
-   * to have a copy constructor, and we do not want to promote one particular
-   * definition by naming it with this predicate. Having a copy constructor
-   * could mean that such a member is declared or defined in the source or that
-   * it is callable by a particular caller. For C++11, there's also a question
-   * of whether to include members that are defaulted or deleted.
-   */
-  deprecated predicate hasCopyConstructor() { this.getAMemberFunction() instanceof CopyConstructor }
-
  /**
   * Like accessOfBaseMember but returns multiple results if there are multiple
   * paths to `base` through the inheritance graph.
--- a/cpp/ql/lib/semmle/code/cpp/Compilation.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Compilation.qll
@@ -42,7 +42,7 @@ class Compilation extends @compilation {
  }

  /** Gets a file compiled during this invocation. */
-  File getAFileCompiled() { result = getFileCompiled(_) }
+  File getAFileCompiled() { result = this.getFileCompiled(_) }

  /** Gets the `i`th file compiled during this invocation */
  File getFileCompiled(int i) { compilation_compiling_files(this, i, unresolveElement(result)) }
@@ -74,7 +74,7 @@ class Compilation extends @compilation {
  /**
   * Gets an argument passed to the extractor on this invocation.
   */
-  string getAnArgument() { result = getArgument(_) }
+  string getAnArgument() { result = this.getArgument(_) }

  /**
   * Gets the `i`th argument passed to the extractor on this invocation.
--- a/cpp/ql/lib/semmle/code/cpp/Field.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Field.qll
@@ -39,7 +39,8 @@ class Field extends MemberVariable {
   * complete most-derived object.
   */
  int getAByteOffsetIn(Class mostDerivedClass) {
-    result = mostDerivedClass.getABaseClassByteOffset(getDeclaringType()) + getByteOffset()
+    result =
+      mostDerivedClass.getABaseClassByteOffset(this.getDeclaringType()) + this.getByteOffset()
  }

  /**
@@ -116,10 +117,10 @@ class BitField extends Field {
  int getBitOffset() { fieldoffsets(underlyingElement(this), _, result) }

  /** Holds if this bitfield is anonymous. */
-  predicate isAnonymous() { hasName("(unnamed bitfield)") }
+  predicate isAnonymous() { this.hasName("(unnamed bitfield)") }

  override predicate isInitializable() {
    // Anonymous bitfields are not initializable.
-    not isAnonymous()
+    not this.isAnonymous()
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/File.qll
+++ b/cpp/ql/lib/semmle/code/cpp/File.qll
@@ -34,14 +34,6 @@ class Container extends Locatable, @container {
   */
  string getAbsolutePath() { none() } // overridden by subclasses

-  /**
-   * DEPRECATED: Use `getLocation` instead.
-   * Gets a URL representing the location of this container.
-   *
-   * For more information see [Providing URLs](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/#providing-urls).
-   */
-  deprecated string getURL() { none() } // overridden by subclasses
-
  /**
   * Gets the relative path of this file or folder from the root folder of the
   * analyzed source location. The relative path of the root folder itself is
@@ -183,12 +175,6 @@ class Folder extends Container, @folder {
  }

  override string getAPrimaryQlClass() { result = "Folder" }
-
-  /**
-   * DEPRECATED: Use `getLocation` instead.
-   * Gets the URL of this folder.
-   */
-  deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
 }

 /**
@@ -213,12 +199,6 @@ class File extends Container, @file {
    result.hasLocationInfo(_, 0, 0, 0, 0)
  }

-  /**
-   * DEPRECATED: Use `getLocation` instead.
-   * Gets the URL of this file.
-   */
-  deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
-
  /** Holds if this file was compiled as C (at any point). */
  predicate compiledAsC() { fileannotations(underlyingElement(this), 1, "compiled as c", "1") }

--- a/cpp/ql/lib/semmle/code/cpp/Linkage.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Linkage.qll
@@ -24,10 +24,10 @@ class LinkTarget extends @link_target {
   * captured as part of the snapshot, then everything is grouped together
   * into a single dummy link target.
   */
-  predicate isDummy() { getBinary().getAbsolutePath() = "" }
+  predicate isDummy() { this.getBinary().getAbsolutePath() = "" }

  /** Gets a textual representation of this element. */
-  string toString() { result = getBinary().getAbsolutePath() }
+  string toString() { result = this.getBinary().getAbsolutePath() }

  /**
   * Gets a function which was compiled into this link target, or had its
--- a/cpp/ql/lib/semmle/code/cpp/Macro.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Macro.qll
@@ -34,7 +34,7 @@ class Macro extends PreprocessorDirective, @ppd_define {
   * Gets the name of the macro.  For example, `MAX` in
   * `#define MAX(x,y) (((x)>(y))?(x):(y))`.
   */
-  string getName() { result = this.getHead().splitAt("(", 0) }
+  string getName() { result = this.getHead().regexpCapture("([^(]*+).*", 1) }

  /** Holds if the macro has name `name`. */
  predicate hasName(string name) { this.getName() = name }
--- a/cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll
+++ b/cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll
@@ -24,7 +24,7 @@ class NameQualifier extends NameQualifiableElement, @namequalifier {
   * Gets the expression ultimately qualified by the chain of name
   * qualifiers. For example, `f()` in `N1::N2::f()`.
   */
-  Expr getExpr() { result = getQualifiedElement+() }
+  Expr getExpr() { result = this.getQualifiedElement+() }

  /** Gets a location for this name qualifier. */
  override Location getLocation() { namequalifiers(underlyingElement(this), _, _, result) }
@@ -56,12 +56,12 @@ class NameQualifier extends NameQualifiableElement, @namequalifier {
      if nqe instanceof SpecialNameQualifyingElement
      then
        exists(Access a |
-          a = getQualifiedElement() and
+          a = this.getQualifiedElement() and
          result = a.getTarget().getDeclaringType()
        )
        or
        exists(FunctionCall c |
-          c = getQualifiedElement() and
+          c = this.getQualifiedElement() and
          result = c.getTarget().getDeclaringType()
        )
      else result = nqe
@@ -109,7 +109,7 @@ class NameQualifiableElement extends Element, @namequalifiableelement {
   * namespace.
   */
  predicate hasGlobalQualifiedName() {
-    getNameQualifier*().getQualifyingElement() instanceof GlobalNamespace
+    this.getNameQualifier*().getQualifyingElement() instanceof GlobalNamespace
  }

  /**
@@ -119,7 +119,7 @@ class NameQualifiableElement extends Element, @namequalifiableelement {
   */
  predicate hasSuperQualifiedName() {
    exists(NameQualifier nq, SpecialNameQualifyingElement snqe |
-      nq = getNameQualifier*() and
+      nq = this.getNameQualifier*() and
      namequalifiers(unresolveElement(nq), _, unresolveElement(snqe), _) and
      snqe.getName() = "__super"
    )
@@ -164,5 +164,5 @@ library class SpecialNameQualifyingElement extends NameQualifyingElement,
  /** Gets the name of this special qualifying element. */
  override string getName() { specialnamequalifyingelements(underlyingElement(this), result) }

-  override string toString() { result = getName() }
+  override string toString() { result = this.getName() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/Namespace.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Namespace.qll
@@ -230,8 +230,12 @@ class GlobalNamespace extends Namespace {
 }

 /**
- * The C++ `std::` namespace.
+ * The C++ `std::` namespace and its inline namespaces.
 */
 class StdNamespace extends Namespace {
-  StdNamespace() { this.hasName("std") and this.getParentNamespace() instanceof GlobalNamespace }
+  StdNamespace() {
+    this.hasName("std") and this.getParentNamespace() instanceof GlobalNamespace
+    or
+    this.isInline() and this.getParentNamespace() instanceof StdNamespace
+  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/NestedFields.qll
+++ b/cpp/ql/lib/semmle/code/cpp/NestedFields.qll
@@ -37,7 +37,7 @@ class NestedFieldAccess extends FieldAccess {

  NestedFieldAccess() {
    ultimateQualifier = getUltimateQualifier(this) and
-    getTarget() = getANestedField(ultimateQualifier.getType().stripType())
+    this.getTarget() = getANestedField(ultimateQualifier.getType().stripType())
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
+++ b/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
@@ -27,9 +27,6 @@ class PrintAstConfiguration extends TPrintAstConfiguration {
  predicate shouldPrintFunction(Function func) { any() }
 }

-/** DEPRECATED: Alias for PrintAstConfiguration */
-deprecated class PrintASTConfiguration = PrintAstConfiguration;
-
 private predicate shouldPrintFunction(Function func) {
  exists(PrintAstConfiguration config | config.shouldPrintFunction(func))
 }
@@ -130,7 +127,7 @@ class PrintAstNode extends TPrintAstNode {
    // The exact value of `childIndex` doesn't matter, as long as we preserve the correct order.
    result =
      rank[childIndex](PrintAstNode child, int nonConvertedIndex, boolean isConverted |
-        childAndAccessorPredicate(child, _, nonConvertedIndex, isConverted)
+        this.childAndAccessorPredicate(child, _, nonConvertedIndex, isConverted)
      |
        // Unconverted children come first, then sort by original child index within each group.
        child order by isConverted, nonConvertedIndex
@@ -143,7 +140,7 @@ class PrintAstNode extends TPrintAstNode {
   */
  private PrintAstNode getConvertedChild(int childIndex) {
    exists(Expr expr |
-      expr = getChildInternal(childIndex).(AstNode).getAst() and
+      expr = this.getChildInternal(childIndex).(AstNode).getAst() and
      expr.getFullyConverted() instanceof Conversion and
      result.(AstNode).getAst() = expr.getFullyConverted() and
      not expr instanceof Conversion
@@ -155,8 +152,8 @@ class PrintAstNode extends TPrintAstNode {
   * at index `childIndex`, if that node has any conversions.
   */
  private string getConvertedChildAccessorPredicate(int childIndex) {
-    exists(getConvertedChild(childIndex)) and
-    result = getChildAccessorPredicateInternal(childIndex) + ".getFullyConverted()"
+    exists(this.getConvertedChild(childIndex)) and
+    result = this.getChildAccessorPredicateInternal(childIndex) + ".getFullyConverted()"
  }

  /**
@@ -164,12 +161,12 @@ class PrintAstNode extends TPrintAstNode {
   * within a function are printed, but the query can override
   * `PrintASTConfiguration.shouldPrintFunction` to filter the output.
   */
-  final predicate shouldPrint() { shouldPrintFunction(getEnclosingFunction()) }
+  final predicate shouldPrint() { shouldPrintFunction(this.getEnclosingFunction()) }

  /**
   * Gets the children of this node.
   */
-  final PrintAstNode getAChild() { result = getChild(_) }
+  final PrintAstNode getAChild() { result = this.getChild(_) }

  /**
   * Gets the parent of this node, if any.
@@ -187,7 +184,7 @@ class PrintAstNode extends TPrintAstNode {
   */
  string getProperty(string key) {
    key = "semmle.label" and
-    result = toString()
+    result = this.toString()
  }

  /**
@@ -201,12 +198,12 @@ class PrintAstNode extends TPrintAstNode {
  private predicate childAndAccessorPredicate(
    PrintAstNode child, string childPredicate, int nonConvertedIndex, boolean isConverted
  ) {
-    child = getChildInternal(nonConvertedIndex) and
-    childPredicate = getChildAccessorPredicateInternal(nonConvertedIndex) and
+    child = this.getChildInternal(nonConvertedIndex) and
+    childPredicate = this.getChildAccessorPredicateInternal(nonConvertedIndex) and
    isConverted = false
    or
-    child = getConvertedChild(nonConvertedIndex) and
-    childPredicate = getConvertedChildAccessorPredicate(nonConvertedIndex) and
+    child = this.getConvertedChild(nonConvertedIndex) and
+    childPredicate = this.getConvertedChildAccessorPredicate(nonConvertedIndex) and
    isConverted = true
  }

@@ -218,7 +215,7 @@ class PrintAstNode extends TPrintAstNode {
    // The exact value of `childIndex` doesn't matter, as long as we preserve the correct order.
    result =
      rank[childIndex](string childPredicate, int nonConvertedIndex, boolean isConverted |
-        childAndAccessorPredicate(_, childPredicate, nonConvertedIndex, isConverted)
+        this.childAndAccessorPredicate(_, childPredicate, nonConvertedIndex, isConverted)
      |
        // Unconverted children come first, then sort by original child index within each group.
        childPredicate order by isConverted, nonConvertedIndex
@@ -234,12 +231,11 @@ class PrintAstNode extends TPrintAstNode {
  /**
   * Gets the `Function` that contains this node.
   */
-  private Function getEnclosingFunction() { result = getParent*().(FunctionNode).getFunction() }
+  private Function getEnclosingFunction() {
+    result = this.getParent*().(FunctionNode).getFunction()
+  }
 }

-/** DEPRECATED: Alias for PrintAstNode */
-deprecated class PrintASTNode = PrintAstNode;
-
 /**
 * Class that restricts the elements that we compute `qlClass` for.
 */
@@ -253,7 +249,7 @@ private class PrintableElement extends Element {
  }

  pragma[noinline]
-  string getAPrimaryQlClass0() { result = getAPrimaryQlClass() }
+  string getAPrimaryQlClass0() { result = this.getAPrimaryQlClass() }
 }

 /**
@@ -281,12 +277,9 @@ abstract class BaseAstNode extends PrintAstNode {
  final Locatable getAst() { result = ast }

  /** DEPRECATED: Alias for getAst */
-  deprecated Locatable getAST() { result = getAst() }
+  deprecated Locatable getAST() { result = this.getAst() }
 }

-/** DEPRECATED: Alias for BaseAstNode */
-deprecated class BaseASTNode = BaseAstNode;
-
 /**
 * A node representing an AST node other than a `DeclarationEntry`.
 */
@@ -294,9 +287,6 @@ abstract class AstNode extends BaseAstNode, TAstNode {
  AstNode() { this = TAstNode(ast) }
 }

-/** DEPRECATED: Alias for AstNode */
-deprecated class ASTNode = AstNode;
-
 /**
 * A node representing an `Expr`.
 */
@@ -311,7 +301,7 @@ class ExprNode extends AstNode {
    result = super.getProperty(key)
    or
    key = "Value" and
-    result = qlClass(expr) + getValue()
+    result = qlClass(expr) + this.getValue()
    or
    key = "Type" and
    result = qlClass(expr.getType()) + expr.getType().toString()
@@ -321,7 +311,7 @@ class ExprNode extends AstNode {
  }

  override string getChildAccessorPredicateInternal(int childIndex) {
-    result = getChildAccessorWithoutConversions(ast, getChildInternal(childIndex).getAst())
+    result = getChildAccessorWithoutConversions(ast, this.getChildInternal(childIndex).getAst())
  }

  /**
@@ -441,7 +431,7 @@ class StmtNode extends AstNode {
  }

  override string getChildAccessorPredicateInternal(int childIndex) {
-    result = getChildAccessorWithoutConversions(ast, getChildInternal(childIndex).getAst())
+    result = getChildAccessorWithoutConversions(ast, this.getChildInternal(childIndex).getAst())
  }
 }

@@ -517,7 +507,7 @@ class ParametersNode extends PrintAstNode, TParametersNode {
  }

  override string getChildAccessorPredicateInternal(int childIndex) {
-    exists(getChildInternal(childIndex)) and
+    exists(this.getChildInternal(childIndex)) and
    result = "getParameter(" + childIndex.toString() + ")"
  }

@@ -544,7 +534,7 @@ class ConstructorInitializersNode extends PrintAstNode, TConstructorInitializers
  }

  final override string getChildAccessorPredicateInternal(int childIndex) {
-    exists(getChildInternal(childIndex)) and
+    exists(this.getChildInternal(childIndex)) and
    result = "getInitializer(" + childIndex.toString() + ")"
  }

@@ -571,7 +561,7 @@ class DestructorDestructionsNode extends PrintAstNode, TDestructorDestructionsNo
  }

  final override string getChildAccessorPredicateInternal(int childIndex) {
-    exists(getChildInternal(childIndex)) and
+    exists(this.getChildInternal(childIndex)) and
    result = "getDestruction(" + childIndex.toString() + ")"
  }

@@ -628,7 +618,7 @@ class FunctionNode extends AstNode {
  override string getProperty(string key) {
    result = super.getProperty(key)
    or
-    key = "semmle.order" and result = getOrder().toString()
+    key = "semmle.order" and result = this.getOrder().toString()
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -1699,7 +1699,28 @@ class AutoType extends TemplateParameter {

 private predicate suppressUnusedThis(Type t) { any() }

-/** A source code location referring to a type */
+/**
+ * A source code location referring to a user-defined type.
+ *
+ * Note that only _user-defined_ types have `TypeMention`s. In particular,
+ * built-in types, and derived types with built-in types as their base don't
+ * have any `TypeMention`s. For example, given
+ * ```cpp
+ * struct S { ... };
+ * void f(S s1, int i1) {
+ *   S s2;
+ *   S* s3;
+ *   S& s4 = s2;
+ *   decltype(s2) s5;
+ *
+ *   int i2;
+ *   int* i3;
+ *   int i4[10];
+ * }
+ * ```
+ * there will be a `TypeMention` for the mention of `S` at `S s1`, `S s2`, and `S& s4 = s2`,
+ * but not at `decltype(s2) s5`. Additionally, there will be no `TypeMention`s for `int`.
+ */
 class TypeMention extends Locatable, @type_mention {
  override string toString() { result = "type mention" }

--- a/cpp/ql/lib/semmle/code/cpp/commons/Strcat.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Strcat.qll
@@ -8,7 +8,7 @@ import cpp
 */
 deprecated class StrcatFunction extends Function {
  StrcatFunction() {
-    getName() =
+    this.getName() =
      [
        "strcat", // strcat(dst, src)
        "strncat", // strncat(dst, src, max_amount)
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/DefinitionsAndUses.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/DefinitionsAndUses.qll
@@ -98,7 +98,7 @@ library class DefOrUse extends ControlFlowNodeBase {

  pragma[noinline]
  private predicate reaches_helper(boolean isDef, SemanticStackVariable v, BasicBlock bb, int i) {
-    getVariable(isDef) = v and
+    this.getVariable(isDef) = v and
    bb.getNode(i) = this
  }

@@ -118,21 +118,21 @@ library class DefOrUse extends ControlFlowNodeBase {
     * predicates are duplicated for now.
     */

-    exists(BasicBlock bb, int i | reaches_helper(isDef, v, bb, i) |
+    exists(BasicBlock bb, int i | this.reaches_helper(isDef, v, bb, i) |
      exists(int j |
        j > i and
        (bbDefAt(bb, j, v, defOrUse) or bbUseAt(bb, j, v, defOrUse)) and
-        not exists(int k | firstBarrierAfterThis(isDef, k, v) and k < j)
+        not exists(int k | this.firstBarrierAfterThis(isDef, k, v) and k < j)
      )
      or
-      not firstBarrierAfterThis(isDef, _, v) and
+      not this.firstBarrierAfterThis(isDef, _, v) and
      bbSuccessorEntryReachesDefOrUse(bb, v, defOrUse, _)
    )
  }

  private predicate firstBarrierAfterThis(boolean isDef, int j, SemanticStackVariable v) {
    exists(BasicBlock bb, int i |
-      getVariable(isDef) = v and
+      this.getVariable(isDef) = v and
      bb.getNode(i) = this and
      j = min(int k | bbBarrierAt(bb, k, v, _) and k > i)
    )
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/SSA.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/SSA.qll
@@ -14,9 +14,6 @@ library class StandardSsa extends SsaHelper {
  StandardSsa() { this = 0 }
 }

-/** DEPRECATED: Alias for StandardSsa */
-deprecated class StandardSSA = StandardSsa;
-
 /**
 * A definition of one or more SSA variables, including phi node definitions.
 * An _SSA variable_, as defined in the literature, is effectively the pair of
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll
@@ -130,7 +130,7 @@ library class SsaHelper extends int {
   * Remove any custom phi nodes that are invalid.
   */
  private predicate sanitized_custom_phi_node(StackVariable v, BasicBlock b) {
-    custom_phi_node(v, b) and
+    this.custom_phi_node(v, b) and
    not addressTakenVariable(v) and
    not isReferenceVar(v) and
    b.isReachable()
@@ -142,7 +142,7 @@ library class SsaHelper extends int {
   */
  cached
  predicate phi_node(StackVariable v, BasicBlock b) {
-    frontier_phi_node(v, b) or sanitized_custom_phi_node(v, b)
+    this.frontier_phi_node(v, b) or this.sanitized_custom_phi_node(v, b)
  }

  /**
@@ -154,14 +154,15 @@ library class SsaHelper extends int {
   */
  private predicate frontier_phi_node(StackVariable v, BasicBlock b) {
    exists(BasicBlock x |
-      dominanceFrontier(x, b) and ssa_defn_rec(pragma[only_bind_into](v), pragma[only_bind_into](x))
+      dominanceFrontier(x, b) and
+      this.ssa_defn_rec(pragma[only_bind_into](v), pragma[only_bind_into](x))
    ) and
    /* We can also eliminate those nodes where the variable is not live on any incoming edge */
    live_at_start_of_bb(pragma[only_bind_into](v), b)
  }

  private predicate ssa_defn_rec(StackVariable v, BasicBlock b) {
-    phi_node(v, b)
+    this.phi_node(v, b)
    or
    variableUpdate(v, _, b, _)
  }
@@ -172,7 +173,7 @@ library class SsaHelper extends int {
   */
  cached
  predicate ssa_defn(StackVariable v, ControlFlowNode node, BasicBlock b, int index) {
-    phi_node(v, b) and b.getStart() = node and index = -1
+    this.phi_node(v, b) and b.getStart() = node and index = -1
    or
    variableUpdate(v, node, b, index)
  }
@@ -196,7 +197,7 @@ library class SsaHelper extends int {
   * basic blocks.
   */
  private predicate defUseRank(StackVariable v, BasicBlock b, int rankix, int i) {
-    i = rank[rankix](int j | ssa_defn(v, _, b, j) or ssa_use(v, _, b, j))
+    i = rank[rankix](int j | this.ssa_defn(v, _, b, j) or ssa_use(v, _, b, j))
  }

  /**
@@ -206,7 +207,7 @@ library class SsaHelper extends int {
   * the block.
   */
  private int lastRank(StackVariable v, BasicBlock b) {
-    result = max(int rankix | defUseRank(v, b, rankix, _)) + 1
+    result = max(int rankix | this.defUseRank(v, b, rankix, _)) + 1
  }

  /**
@@ -215,8 +216,8 @@ library class SsaHelper extends int {
   */
  private predicate ssaDefRank(StackVariable v, ControlFlowNode def, BasicBlock b, int rankix) {
    exists(int i |
-      ssa_defn(v, def, b, i) and
-      defUseRank(v, b, rankix, i)
+      this.ssa_defn(v, def, b, i) and
+      this.defUseRank(v, b, rankix, i)
    )
  }

@@ -232,21 +233,21 @@ library class SsaHelper extends int {
    // use is understood to happen _before_ the definition. Phi nodes are
    // at rankidx -1 and will therefore always reach the first node in the
    // basic block.
-    ssaDefRank(v, def, b, rankix - 1)
+    this.ssaDefRank(v, def, b, rankix - 1)
    or
-    ssaDefReachesRank(v, def, b, rankix - 1) and
-    rankix <= lastRank(v, b) and // Without this, the predicate would be infinite.
-    not ssaDefRank(v, _, b, rankix - 1) // Range is inclusive of but not past next def.
+    this.ssaDefReachesRank(v, def, b, rankix - 1) and
+    rankix <= this.lastRank(v, b) and // Without this, the predicate would be infinite.
+    not this.ssaDefRank(v, _, b, rankix - 1) // Range is inclusive of but not past next def.
  }

  /** Holds if SSA variable `(v, def)` reaches the end of block `b`. */
  cached
  predicate ssaDefinitionReachesEndOfBB(StackVariable v, ControlFlowNode def, BasicBlock b) {
-    live_at_exit_of_bb(v, b) and ssaDefReachesRank(v, def, b, lastRank(v, b))
+    live_at_exit_of_bb(v, b) and this.ssaDefReachesRank(v, def, b, this.lastRank(v, b))
    or
    exists(BasicBlock idom |
-      ssaDefinitionReachesEndOfBB(v, def, idom) and
-      noDefinitionsSinceIDominator(v, idom, b)
+      this.ssaDefinitionReachesEndOfBB(v, def, idom) and
+      this.noDefinitionsSinceIDominator(v, idom, b)
    )
  }

@@ -260,7 +261,7 @@ library class SsaHelper extends int {
  private predicate noDefinitionsSinceIDominator(StackVariable v, BasicBlock idom, BasicBlock b) {
    bbIDominates(idom, b) and // It is sufficient to traverse the dominator graph, cf. discussion above.
    live_at_exit_of_bb(v, b) and
-    not ssa_defn(v, _, b, _)
+    not this.ssa_defn(v, _, b, _)
  }

  /**
@@ -269,8 +270,8 @@ library class SsaHelper extends int {
   */
  private predicate ssaDefinitionReachesUseWithinBB(StackVariable v, ControlFlowNode def, Expr use) {
    exists(BasicBlock b, int rankix, int i |
-      ssaDefReachesRank(v, def, b, rankix) and
-      defUseRank(v, b, rankix, i) and
+      this.ssaDefReachesRank(v, def, b, rankix) and
+      this.defUseRank(v, b, rankix, i) and
      ssa_use(v, use, b, i)
    )
  }
@@ -279,12 +280,12 @@ library class SsaHelper extends int {
   * Holds if SSA variable `(v, def)` reaches the control-flow node `use`.
   */
  private predicate ssaDefinitionReaches(StackVariable v, ControlFlowNode def, Expr use) {
-    ssaDefinitionReachesUseWithinBB(v, def, use)
+    this.ssaDefinitionReachesUseWithinBB(v, def, use)
    or
    exists(BasicBlock b |
      ssa_use(v, use, b, _) and
-      ssaDefinitionReachesEndOfBB(v, def, b.getAPredecessor()) and
-      not ssaDefinitionReachesUseWithinBB(v, _, use)
+      this.ssaDefinitionReachesEndOfBB(v, def, b.getAPredecessor()) and
+      not this.ssaDefinitionReachesUseWithinBB(v, _, use)
    )
  }

@@ -294,10 +295,10 @@ library class SsaHelper extends int {
   */
  cached
  string toString(ControlFlowNode node, StackVariable v) {
-    if phi_node(v, node)
+    if this.phi_node(v, node)
    then result = "SSA phi(" + v.getName() + ")"
    else (
-      ssa_defn(v, node, _, _) and result = "SSA def(" + v.getName() + ")"
+      this.ssa_defn(v, node, _, _) and result = "SSA def(" + v.getName() + ")"
    )
  }

@@ -307,10 +308,7 @@ library class SsaHelper extends int {
   */
  cached
  VariableAccess getAUse(ControlFlowNode def, StackVariable v) {
-    ssaDefinitionReaches(v, def, result) and
+    this.ssaDefinitionReaches(v, def, result) and
    ssa_use(v, result, _, _)
  }
 }
-
-/** DEPRECATED: Alias for SsaHelper */
-deprecated class SSAHelper = SsaHelper;
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/StackVariableReachability.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/StackVariableReachability.qll
@@ -25,7 +25,7 @@ import cpp
 */
 abstract class StackVariableReachability extends string {
  bindingset[this]
-  StackVariableReachability() { length() >= 0 }
+  StackVariableReachability() { this.length() >= 0 }

  /** Holds if `node` is a source for the reachability analysis using variable `v`. */
  abstract predicate isSource(ControlFlowNode node, StackVariable v);
@@ -227,7 +227,7 @@ predicate bbSuccessorEntryReachesLoopInvariant(
 */
 abstract class StackVariableReachabilityWithReassignment extends StackVariableReachability {
  bindingset[this]
-  StackVariableReachabilityWithReassignment() { length() >= 0 }
+  StackVariableReachabilityWithReassignment() { this.length() >= 0 }

  /** Override this predicate rather than `isSource` (`isSource` is used internally). */
  abstract predicate isSourceActual(ControlFlowNode node, StackVariable v);
@@ -330,7 +330,7 @@ abstract class StackVariableReachabilityWithReassignment extends StackVariableRe
 */
 abstract class StackVariableReachabilityExt extends string {
  bindingset[this]
-  StackVariableReachabilityExt() { length() >= 0 }
+  StackVariableReachabilityExt() { this.length() >= 0 }

  /** `node` is a source for the reachability analysis using variable `v`. */
  abstract predicate isSource(ControlFlowNode node, StackVariable v);
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll
@@ -1385,9 +1385,6 @@ private module Cached {
    conditionalSuccessor(n1, _, n2)
  }

-  /** DEPRECATED: Alias for qlCfgSuccessor */
-  deprecated predicate qlCFGSuccessor = qlCfgSuccessor/2;
-
  /**
   * Holds if `n2` is a control-flow node such that the control-flow
   * edge `(n1, n2)` may be taken when `n1` is an expression that is true.
@@ -1398,9 +1395,6 @@ private module Cached {
    not conditionalSuccessor(n1, false, n2)
  }

-  /** DEPRECATED: Alias for qlCfgTrueSuccessor */
-  deprecated predicate qlCFGTrueSuccessor = qlCfgTrueSuccessor/2;
-
  /**
   * Holds if `n2` is a control-flow node such that the control-flow
   * edge `(n1, n2)` may be taken when `n1` is an expression that is false.
@@ -1410,7 +1404,4 @@ private module Cached {
    conditionalSuccessor(n1, false, n2) and
    not conditionalSuccessor(n1, true, n2)
  }
-
-  /** DEPRECATED: Alias for qlCfgFalseSuccessor */
-  deprecated predicate qlCFGFalseSuccessor = qlCfgFalseSuccessor/2;
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -187,7 +187,6 @@ private module LambdaFlow {
    else any()
  }

-  pragma[assume_small_delta]
  pragma[nomagic]
  predicate revLambdaFlow0(
    DataFlowCall lambdaCall, LambdaCallKind kind, Node node, DataFlowType t, boolean toReturn,
@@ -274,7 +273,6 @@ private module LambdaFlow {
    )
  }

-  pragma[assume_small_delta]
  pragma[nomagic]
  predicate revLambdaFlowOut(
    DataFlowCall lambdaCall, LambdaCallKind kind, TReturnPositionSimple pos, DataFlowType t,
@@ -815,24 +813,20 @@ private module Cached {
    )
  }

-  private predicate store(
-    Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
-  ) {
-    exists(ContentSet cs |
-      c = cs.getAStoreContent() and storeSet(node1, cs, node2, contentType, containerType)
-    )
-  }
-
  /**
   * Holds if data can flow from `node1` to `node2` via a direct assignment to
-   * `f`.
+   * `c`.
   *
   * This includes reverse steps through reads when the result of the read has
   * been stored into, in order to handle cases like `x.f1.f2 = y`.
   */
  cached
-  predicate store(Node node1, TypedContent tc, Node node2, DataFlowType contentType) {
-    store(node1, tc.getContent(), node2, contentType, tc.getContainerType())
+  predicate store(
+    Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
+  ) {
+    exists(ContentSet cs |
+      c = cs.getAStoreContent() and storeSet(node1, cs, node2, contentType, containerType)
+    )
  }

  /**
@@ -932,36 +926,15 @@ private module Cached {
    TReturnCtxNoFlowThrough() or
    TReturnCtxMaybeFlowThrough(ReturnPosition pos)

-  cached
-  newtype TTypedContentApprox =
-    MkTypedContentApprox(ContentApprox c, DataFlowType t) {
-      exists(Content cont |
-        c = getContentApprox(cont) and
-        store(_, cont, _, _, t)
-      )
-    }
-
-  cached
-  newtype TTypedContent = MkTypedContent(Content c, DataFlowType t) { store(_, c, _, _, t) }
-
-  cached
-  TypedContent getATypedContent(TypedContentApprox c) {
-    exists(ContentApprox cls, DataFlowType t, Content cont |
-      c = MkTypedContentApprox(cls, pragma[only_bind_into](t)) and
-      result = MkTypedContent(cont, pragma[only_bind_into](t)) and
-      cls = getContentApprox(cont)
-    )
-  }
-
  cached
  newtype TAccessPathFront =
-    TFrontNil(DataFlowType t) or
-    TFrontHead(TypedContent tc)
+    TFrontNil() or
+    TFrontHead(Content c)

  cached
  newtype TApproxAccessPathFront =
-    TApproxFrontNil(DataFlowType t) or
-    TApproxFrontHead(TypedContentApprox tc)
+    TApproxFrontNil() or
+    TApproxFrontHead(ContentApprox c)

  cached
  newtype TAccessPathFrontOption =
@@ -986,8 +959,16 @@ predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
 /**
 * A `Node` at which a cast can occur such that the type should be checked.
 */
-class CastingNode extends Node {
+class CastingNode instanceof Node {
  CastingNode() { castingNode(this) }
+
+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
 }

 private predicate readStepWithTypes(
@@ -1135,9 +1116,17 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
 * The value of a parameter at function entry, viewed as a node in a data
 * flow graph.
 */
-class ParamNode extends Node {
+class ParamNode instanceof Node {
  ParamNode() { parameterNode(this, _, _) }

+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
  /**
   * Holds if this node is the parameter of callable `c` at the specified
   * position.
@@ -1146,9 +1135,17 @@ class ParamNode extends Node {
 }

 /** A data-flow node that represents a call argument. */
-class ArgNode extends Node {
+class ArgNode instanceof Node {
  ArgNode() { argumentNode(this, _, _) }

+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
  /** Holds if this argument occurs at the given position in the given call. */
  final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
    argumentNode(this, call, pos)
@@ -1159,9 +1156,17 @@ class ArgNode extends Node {
 * A node from which flow can return to the caller. This is either a regular
 * `ReturnNode` or a `PostUpdateNode` corresponding to the value of a parameter.
 */
-class ReturnNodeExt extends Node {
+class ReturnNodeExt instanceof Node {
  ReturnNodeExt() { returnNodeExt(this, _) }

+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
  /** Gets the kind of this returned value. */
  ReturnKindExt getKind() { returnNodeExt(this, result) }
 }
@@ -1170,8 +1175,16 @@ class ReturnNodeExt extends Node {
 * A node to which data can flow from a call. Either an ordinary out node
 * or a post-update node associated with a call argument.
 */
-class OutNodeExt extends Node {
+class OutNodeExt instanceof Node {
  OutNodeExt() { outNodeExt(this) }
+
+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
 }

 /**
@@ -1387,67 +1400,37 @@ class ReturnCtx extends TReturnCtx {
  }
 }

-/** An approximated `Content` tagged with the type of a containing object. */
-class TypedContentApprox extends MkTypedContentApprox {
-  private ContentApprox c;
-  private DataFlowType t;
-
-  TypedContentApprox() { this = MkTypedContentApprox(c, t) }
-
-  /** Gets a typed content approximated by this value. */
-  TypedContent getATypedContent() { result = getATypedContent(this) }
-
-  /** Gets the content. */
-  ContentApprox getContent() { result = c }
-
-  /** Gets the container type. */
-  DataFlowType getContainerType() { result = t }
-
-  /** Gets a textual representation of this approximated content. */
-  string toString() { result = c.toString() }
-}
-
 /**
 * The front of an approximated access path. This is either a head or a nil.
 */
 abstract class ApproxAccessPathFront extends TApproxAccessPathFront {
  abstract string toString();

-  abstract DataFlowType getType();
-
  abstract boolean toBoolNonEmpty();

-  TypedContentApprox getHead() { this = TApproxFrontHead(result) }
+  ContentApprox getHead() { this = TApproxFrontHead(result) }

  pragma[nomagic]
-  TypedContent getAHead() {
-    exists(TypedContentApprox cont |
+  Content getAHead() {
+    exists(ContentApprox cont |
      this = TApproxFrontHead(cont) and
-      result = cont.getATypedContent()
+      cont = getContentApprox(result)
    )
  }
 }

 class ApproxAccessPathFrontNil extends ApproxAccessPathFront, TApproxFrontNil {
-  private DataFlowType t;
-
-  ApproxAccessPathFrontNil() { this = TApproxFrontNil(t) }
-
-  override string toString() { result = ppReprType(t) }
-
-  override DataFlowType getType() { result = t }
+  override string toString() { result = "nil" }

  override boolean toBoolNonEmpty() { result = false }
 }

 class ApproxAccessPathFrontHead extends ApproxAccessPathFront, TApproxFrontHead {
-  private TypedContentApprox tc;
+  private ContentApprox c;

-  ApproxAccessPathFrontHead() { this = TApproxFrontHead(tc) }
+  ApproxAccessPathFrontHead() { this = TApproxFrontHead(c) }

-  override string toString() { result = tc.toString() }
-
-  override DataFlowType getType() { result = tc.getContainerType() }
+  override string toString() { result = c.toString() }

  override boolean toBoolNonEmpty() { result = true }
 }
@@ -1461,65 +1444,31 @@ class ApproxAccessPathFrontOption extends TApproxAccessPathFrontOption {
  }
 }

-/** A `Content` tagged with the type of a containing object. */
-class TypedContent extends MkTypedContent {
-  private Content c;
-  private DataFlowType t;
-
-  TypedContent() { this = MkTypedContent(c, t) }
-
-  /** Gets the content. */
-  Content getContent() { result = c }
-
-  /** Gets the container type. */
-  DataFlowType getContainerType() { result = t }
-
-  /** Gets a textual representation of this content. */
-  string toString() { result = c.toString() }
-
-  /**
-   * Holds if access paths with this `TypedContent` at their head always should
-   * be tracked at high precision. This disables adaptive access path precision
-   * for such access paths.
-   */
-  predicate forceHighPrecision() { forceHighPrecision(c) }
-}
-
 /**
 * The front of an access path. This is either a head or a nil.
 */
 abstract class AccessPathFront extends TAccessPathFront {
  abstract string toString();

-  abstract DataFlowType getType();
-
  abstract ApproxAccessPathFront toApprox();

-  TypedContent getHead() { this = TFrontHead(result) }
+  Content getHead() { this = TFrontHead(result) }
 }

 class AccessPathFrontNil extends AccessPathFront, TFrontNil {
-  private DataFlowType t;
+  override string toString() { result = "nil" }

-  AccessPathFrontNil() { this = TFrontNil(t) }
-
-  override string toString() { result = ppReprType(t) }
-
-  override DataFlowType getType() { result = t }
-
-  override ApproxAccessPathFront toApprox() { result = TApproxFrontNil(t) }
+  override ApproxAccessPathFront toApprox() { result = TApproxFrontNil() }
 }

 class AccessPathFrontHead extends AccessPathFront, TFrontHead {
-  private TypedContent tc;
+  private Content c;

-  AccessPathFrontHead() { this = TFrontHead(tc) }
+  AccessPathFrontHead() { this = TFrontHead(c) }

-  override string toString() { result = tc.toString() }
+  override string toString() { result = c.toString() }

-  override DataFlowType getType() { result = tc.getContainerType() }
-
-  override ApproxAccessPathFront toApprox() { result.getAHead() = tc }
+  override ApproxAccessPathFront toApprox() { result.getAHead() = c }
 }

 /** An optional access path front. */
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
@@ -58,6 +58,9 @@ module Consistency {
    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
      none()
    }
+
+    /** Holds if `n` should be excluded from the consistency test `identityLocalStep`. */
+    predicate identityLocalStepExclude(Node n) { none() }
  }

  private class RelevantNode extends Node {
@@ -287,4 +290,10 @@ module Consistency {
    not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
    msg = "Non-unique content approximation."
  }
+
+  query predicate identityLocalStep(Node n, string msg) {
+    simpleLocalFlowStep(n, n) and
+    not any(ConsistencyConfiguration c).identityLocalStepExclude(n) and
+    msg = "Node steps to itself"
+  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
@@ -205,6 +205,8 @@ predicate clearsContent(Node n, Content c) {
 */
 predicate expectsContent(Node n, ContentSet c) { none() }

+predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() }
+
 /** Gets the type of `n` used for type pruning. */
 Type getNodeType(Node n) {
  suppressUnusedNode(n) and
@@ -233,6 +235,12 @@ class CastNode extends Node {
  CastNode() { none() } // stub implementation
 }

+/**
+ * Holds if `n` should never be skipped over in the `PathGraph` and in path
+ * explanations.
+ */
+predicate neverSkipInPathGraph(Node n) { none() }
+
 class DataFlowCallable = Function;

 class DataFlowExpr = Expr;
--- a/cpp/ql/lib/semmle/code/cpp/exprs/ComparisonOperation.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/ComparisonOperation.qll
@@ -76,9 +76,9 @@ class GTExpr extends RelationalOperation, @gtexpr {

  override string getOperator() { result = ">" }

-  override Expr getGreaterOperand() { result = getLeftOperand() }
+  override Expr getGreaterOperand() { result = this.getLeftOperand() }

-  override Expr getLesserOperand() { result = getRightOperand() }
+  override Expr getLesserOperand() { result = this.getRightOperand() }
 }

 /**
@@ -92,9 +92,9 @@ class LTExpr extends RelationalOperation, @ltexpr {

  override string getOperator() { result = "<" }

-  override Expr getGreaterOperand() { result = getRightOperand() }
+  override Expr getGreaterOperand() { result = this.getRightOperand() }

-  override Expr getLesserOperand() { result = getLeftOperand() }
+  override Expr getLesserOperand() { result = this.getLeftOperand() }
 }

 /**
@@ -108,9 +108,9 @@ class GEExpr extends RelationalOperation, @geexpr {

  override string getOperator() { result = ">=" }

-  override Expr getGreaterOperand() { result = getLeftOperand() }
+  override Expr getGreaterOperand() { result = this.getLeftOperand() }

-  override Expr getLesserOperand() { result = getRightOperand() }
+  override Expr getLesserOperand() { result = this.getRightOperand() }
 }

 /**
@@ -124,7 +124,7 @@ class LEExpr extends RelationalOperation, @leexpr {

  override string getOperator() { result = "<=" }

-  override Expr getGreaterOperand() { result = getRightOperand() }
+  override Expr getGreaterOperand() { result = this.getRightOperand() }

-  override Expr getLesserOperand() { result = getLeftOperand() }
+  override Expr getLesserOperand() { result = this.getLeftOperand() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -187,7 +187,6 @@ private module LambdaFlow {
    else any()
  }

-  pragma[assume_small_delta]
  pragma[nomagic]
  predicate revLambdaFlow0(
    DataFlowCall lambdaCall, LambdaCallKind kind, Node node, DataFlowType t, boolean toReturn,
@@ -274,7 +273,6 @@ private module LambdaFlow {
    )
  }

-  pragma[assume_small_delta]
  pragma[nomagic]
  predicate revLambdaFlowOut(
    DataFlowCall lambdaCall, LambdaCallKind kind, TReturnPositionSimple pos, DataFlowType t,
@@ -815,24 +813,20 @@ private module Cached {
    )
  }

-  private predicate store(
-    Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
-  ) {
-    exists(ContentSet cs |
-      c = cs.getAStoreContent() and storeSet(node1, cs, node2, contentType, containerType)
-    )
-  }
-
  /**
   * Holds if data can flow from `node1` to `node2` via a direct assignment to
-   * `f`.
+   * `c`.
   *
   * This includes reverse steps through reads when the result of the read has
   * been stored into, in order to handle cases like `x.f1.f2 = y`.
   */
  cached
-  predicate store(Node node1, TypedContent tc, Node node2, DataFlowType contentType) {
-    store(node1, tc.getContent(), node2, contentType, tc.getContainerType())
+  predicate store(
+    Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
+  ) {
+    exists(ContentSet cs |
+      c = cs.getAStoreContent() and storeSet(node1, cs, node2, contentType, containerType)
+    )
  }

  /**
@@ -932,36 +926,15 @@ private module Cached {
    TReturnCtxNoFlowThrough() or
    TReturnCtxMaybeFlowThrough(ReturnPosition pos)

-  cached
-  newtype TTypedContentApprox =
-    MkTypedContentApprox(ContentApprox c, DataFlowType t) {
-      exists(Content cont |
-        c = getContentApprox(cont) and
-        store(_, cont, _, _, t)
-      )
-    }
-
-  cached
-  newtype TTypedContent = MkTypedContent(Content c, DataFlowType t) { store(_, c, _, _, t) }
-
-  cached
-  TypedContent getATypedContent(TypedContentApprox c) {
-    exists(ContentApprox cls, DataFlowType t, Content cont |
-      c = MkTypedContentApprox(cls, pragma[only_bind_into](t)) and
-      result = MkTypedContent(cont, pragma[only_bind_into](t)) and
-      cls = getContentApprox(cont)
-    )
-  }
-
  cached
  newtype TAccessPathFront =
-    TFrontNil(DataFlowType t) or
-    TFrontHead(TypedContent tc)
+    TFrontNil() or
+    TFrontHead(Content c)

  cached
  newtype TApproxAccessPathFront =
-    TApproxFrontNil(DataFlowType t) or
-    TApproxFrontHead(TypedContentApprox tc)
+    TApproxFrontNil() or
+    TApproxFrontHead(ContentApprox c)

  cached
  newtype TAccessPathFrontOption =
@@ -986,8 +959,16 @@ predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
 /**
 * A `Node` at which a cast can occur such that the type should be checked.
 */
-class CastingNode extends Node {
+class CastingNode instanceof Node {
  CastingNode() { castingNode(this) }
+
+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
 }

 private predicate readStepWithTypes(
@@ -1135,9 +1116,17 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
 * The value of a parameter at function entry, viewed as a node in a data
 * flow graph.
 */
-class ParamNode extends Node {
+class ParamNode instanceof Node {
  ParamNode() { parameterNode(this, _, _) }

+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
  /**
   * Holds if this node is the parameter of callable `c` at the specified
   * position.
@@ -1146,9 +1135,17 @@ class ParamNode extends Node {
 }

 /** A data-flow node that represents a call argument. */
-class ArgNode extends Node {
+class ArgNode instanceof Node {
  ArgNode() { argumentNode(this, _, _) }

+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
  /** Holds if this argument occurs at the given position in the given call. */
  final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
    argumentNode(this, call, pos)
@@ -1159,9 +1156,17 @@ class ArgNode extends Node {
 * A node from which flow can return to the caller. This is either a regular
 * `ReturnNode` or a `PostUpdateNode` corresponding to the value of a parameter.
 */
-class ReturnNodeExt extends Node {
+class ReturnNodeExt instanceof Node {
  ReturnNodeExt() { returnNodeExt(this, _) }

+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
  /** Gets the kind of this returned value. */
  ReturnKindExt getKind() { returnNodeExt(this, result) }
 }
@@ -1170,8 +1175,16 @@ class ReturnNodeExt extends Node {
 * A node to which data can flow from a call. Either an ordinary out node
 * or a post-update node associated with a call argument.
 */
-class OutNodeExt extends Node {
+class OutNodeExt instanceof Node {
  OutNodeExt() { outNodeExt(this) }
+
+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
 }

 /**
@@ -1387,67 +1400,37 @@ class ReturnCtx extends TReturnCtx {
  }
 }

-/** An approximated `Content` tagged with the type of a containing object. */
-class TypedContentApprox extends MkTypedContentApprox {
-  private ContentApprox c;
-  private DataFlowType t;
-
-  TypedContentApprox() { this = MkTypedContentApprox(c, t) }
-
-  /** Gets a typed content approximated by this value. */
-  TypedContent getATypedContent() { result = getATypedContent(this) }
-
-  /** Gets the content. */
-  ContentApprox getContent() { result = c }
-
-  /** Gets the container type. */
-  DataFlowType getContainerType() { result = t }
-
-  /** Gets a textual representation of this approximated content. */
-  string toString() { result = c.toString() }
-}
-
 /**
 * The front of an approximated access path. This is either a head or a nil.
 */
 abstract class ApproxAccessPathFront extends TApproxAccessPathFront {
  abstract string toString();

-  abstract DataFlowType getType();
-
  abstract boolean toBoolNonEmpty();

-  TypedContentApprox getHead() { this = TApproxFrontHead(result) }
+  ContentApprox getHead() { this = TApproxFrontHead(result) }

  pragma[nomagic]
-  TypedContent getAHead() {
-    exists(TypedContentApprox cont |
+  Content getAHead() {
+    exists(ContentApprox cont |
      this = TApproxFrontHead(cont) and
-      result = cont.getATypedContent()
+      cont = getContentApprox(result)
    )
  }
 }

 class ApproxAccessPathFrontNil extends ApproxAccessPathFront, TApproxFrontNil {
-  private DataFlowType t;
-
-  ApproxAccessPathFrontNil() { this = TApproxFrontNil(t) }
-
-  override string toString() { result = ppReprType(t) }
-
-  override DataFlowType getType() { result = t }
+  override string toString() { result = "nil" }

  override boolean toBoolNonEmpty() { result = false }
 }

 class ApproxAccessPathFrontHead extends ApproxAccessPathFront, TApproxFrontHead {
-  private TypedContentApprox tc;
+  private ContentApprox c;

-  ApproxAccessPathFrontHead() { this = TApproxFrontHead(tc) }
+  ApproxAccessPathFrontHead() { this = TApproxFrontHead(c) }

-  override string toString() { result = tc.toString() }
-
-  override DataFlowType getType() { result = tc.getContainerType() }
+  override string toString() { result = c.toString() }

  override boolean toBoolNonEmpty() { result = true }
 }
@@ -1461,65 +1444,31 @@ class ApproxAccessPathFrontOption extends TApproxAccessPathFrontOption {
  }
 }

-/** A `Content` tagged with the type of a containing object. */
-class TypedContent extends MkTypedContent {
-  private Content c;
-  private DataFlowType t;
-
-  TypedContent() { this = MkTypedContent(c, t) }
-
-  /** Gets the content. */
-  Content getContent() { result = c }
-
-  /** Gets the container type. */
-  DataFlowType getContainerType() { result = t }
-
-  /** Gets a textual representation of this content. */
-  string toString() { result = c.toString() }
-
-  /**
-   * Holds if access paths with this `TypedContent` at their head always should
-   * be tracked at high precision. This disables adaptive access path precision
-   * for such access paths.
-   */
-  predicate forceHighPrecision() { forceHighPrecision(c) }
-}
-
 /**
 * The front of an access path. This is either a head or a nil.
 */
 abstract class AccessPathFront extends TAccessPathFront {
  abstract string toString();

-  abstract DataFlowType getType();
-
  abstract ApproxAccessPathFront toApprox();

-  TypedContent getHead() { this = TFrontHead(result) }
+  Content getHead() { this = TFrontHead(result) }
 }

 class AccessPathFrontNil extends AccessPathFront, TFrontNil {
-  private DataFlowType t;
+  override string toString() { result = "nil" }

-  AccessPathFrontNil() { this = TFrontNil(t) }
-
-  override string toString() { result = ppReprType(t) }
-
-  override DataFlowType getType() { result = t }
-
-  override ApproxAccessPathFront toApprox() { result = TApproxFrontNil(t) }
+  override ApproxAccessPathFront toApprox() { result = TApproxFrontNil() }
 }

 class AccessPathFrontHead extends AccessPathFront, TFrontHead {
-  private TypedContent tc;
+  private Content c;

-  AccessPathFrontHead() { this = TFrontHead(tc) }
+  AccessPathFrontHead() { this = TFrontHead(c) }

-  override string toString() { result = tc.toString() }
+  override string toString() { result = c.toString() }

-  override DataFlowType getType() { result = tc.getContainerType() }
-
-  override ApproxAccessPathFront toApprox() { result.getAHead() = tc }
+  override ApproxAccessPathFront toApprox() { result.getAHead() = c }
 }

 /** An optional access path front. */
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
@@ -58,6 +58,9 @@ module Consistency {
    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
      none()
    }
+
+    /** Holds if `n` should be excluded from the consistency test `identityLocalStep`. */
+    predicate identityLocalStepExclude(Node n) { none() }
  }

  private class RelevantNode extends Node {
@@ -287,4 +290,10 @@ module Consistency {
    not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
    msg = "Non-unique content approximation."
  }
+
+  query predicate identityLocalStep(Node n, string msg) {
+    simpleLocalFlowStep(n, n) and
+    not any(ConsistencyConfiguration c).identityLocalStepExclude(n) and
+    msg = "Node steps to itself"
+  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -193,86 +193,89 @@ private class SingleUseOperandNode0 extends OperandNode0, TSingleUseOperandNode0
  SingleUseOperandNode0() { this = TSingleUseOperandNode0(op) }
 }

-/**
- * INTERNAL: Do not use.
- *
- * A node that represents the indirect value of an operand in the IR
- * after `index` number of loads.
- *
- * Note: Unlike `RawIndirectOperand`, a value of type `IndirectOperand` may
- * be an `OperandNode`.
- */
-class IndirectOperand extends Node {
-  Operand operand;
-  int indirectionIndex;
-
-  IndirectOperand() {
-    this.(RawIndirectOperand).getOperand() = operand and
-    this.(RawIndirectOperand).getIndirectionIndex() = indirectionIndex
-    or
-    this.(OperandNode).getOperand() =
-      Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex)
+private module IndirectOperands {
+  /**
+   * INTERNAL: Do not use.
+   *
+   * A node that represents the indirect value of an operand in the IR
+   * after `index` number of loads.
+   *
+   * Note: Unlike `RawIndirectOperand`, a value of type `IndirectOperand` may
+   * be an `OperandNode`.
+   */
+  abstract class IndirectOperand extends Node {
+    /** Gets the underlying operand and the underlying indirection index. */
+    abstract predicate hasOperandAndIndirectionIndex(Operand operand, int indirectionIndex);
  }

-  /** Gets the underlying operand. */
-  Operand getOperand() { result = operand }
+  private class IndirectOperandFromRaw extends IndirectOperand instanceof RawIndirectOperand {
+    override predicate hasOperandAndIndirectionIndex(Operand operand, int indirectionIndex) {
+      operand = RawIndirectOperand.super.getOperand() and
+      indirectionIndex = RawIndirectOperand.super.getIndirectionIndex()
+    }
+  }

-  /** Gets the underlying indirection index. */
-  int getIndirectionIndex() { result = indirectionIndex }
+  private class IndirectOperandFromIRRepr extends IndirectOperand {
+    Operand operand;
+    int indirectionIndex;

-  /**
-   * Holds if this `IndirectOperand` is represented directly in the IR instead of
-   * a `RawIndirectionOperand` with operand `op` and indirection index `index`.
-   */
-  predicate isIRRepresentationOf(Operand op, int index) {
-    this instanceof OperandNode and
-    (
-      op = operand and
-      index = indirectionIndex
-    )
+    IndirectOperandFromIRRepr() {
+      exists(Operand repr |
+        repr = Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex) and
+        nodeHasOperand(this, repr, indirectionIndex - 1)
+      )
+    }
+
+    override predicate hasOperandAndIndirectionIndex(Operand op, int index) {
+      op = operand and index = indirectionIndex
+    }
  }
 }

-/**
- * INTERNAL: Do not use.
- *
- * A node that represents the indirect value of an instruction in the IR
- * after `index` number of loads.
- *
- * Note: Unlike `RawIndirectInstruction`, a value of type `IndirectInstruction` may
- * be an `InstructionNode`.
- */
-class IndirectInstruction extends Node {
-  Instruction instr;
-  int indirectionIndex;
+import IndirectOperands

-  IndirectInstruction() {
-    this.(RawIndirectInstruction).getInstruction() = instr and
-    this.(RawIndirectInstruction).getIndirectionIndex() = indirectionIndex
-    or
-    this.(InstructionNode).getInstruction() =
-      Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex)
+private module IndirectInstructions {
+  /**
+   * INTERNAL: Do not use.
+   *
+   * A node that represents the indirect value of an instruction in the IR
+   * after `index` number of loads.
+   *
+   * Note: Unlike `RawIndirectInstruction`, a value of type `IndirectInstruction` may
+   * be an `InstructionNode`.
+   */
+  abstract class IndirectInstruction extends Node {
+    /** Gets the underlying operand and the underlying indirection index. */
+    abstract predicate hasInstructionAndIndirectionIndex(Instruction instr, int index);
  }

-  /** Gets the underlying instruction. */
-  Instruction getInstruction() { result = instr }
+  private class IndirectInstructionFromRaw extends IndirectInstruction instanceof RawIndirectInstruction
+  {
+    override predicate hasInstructionAndIndirectionIndex(Instruction instr, int index) {
+      instr = RawIndirectInstruction.super.getInstruction() and
+      index = RawIndirectInstruction.super.getIndirectionIndex()
+    }
+  }

-  /** Gets the underlying indirection index. */
-  int getIndirectionIndex() { result = indirectionIndex }
+  private class IndirectInstructionFromIRRepr extends IndirectInstruction {
+    Instruction instr;
+    int indirectionIndex;

-  /**
-   * Holds if this `IndirectInstruction` is represented directly in the IR instead of
-   * a `RawIndirectionInstruction` with instruction `i` and indirection index `index`.
-   */
-  predicate isIRRepresentationOf(Instruction i, int index) {
-    this instanceof InstructionNode and
-    (
-      i = instr and
-      index = indirectionIndex
-    )
+    IndirectInstructionFromIRRepr() {
+      exists(Instruction repr |
+        repr = Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex) and
+        nodeHasInstruction(this, repr, indirectionIndex - 1)
+      )
+    }
+
+    override predicate hasInstructionAndIndirectionIndex(Instruction i, int index) {
+      i = instr and index = indirectionIndex
+    }
  }
 }

+import IndirectInstructions
+
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }

@@ -318,9 +321,11 @@ private class PrimaryArgumentNode extends ArgumentNode, OperandNode {

 private class SideEffectArgumentNode extends ArgumentNode, SideEffectOperandNode {
  override predicate argumentOf(DataFlowCall dfCall, ArgumentPosition pos) {
-    this.getCallInstruction() = dfCall and
-    pos.(IndirectionPosition).getArgumentIndex() = this.getArgumentIndex() and
-    pos.(IndirectionPosition).getIndirectionIndex() = super.getIndirectionIndex()
+    exists(int indirectionIndex |
+      pos = TIndirectionPosition(argumentIndex, pragma[only_bind_into](indirectionIndex)) and
+      this.getCallInstruction() = dfCall and
+      super.hasAddressOperandAndIndirectionIndex(_, pragma[only_bind_into](indirectionIndex))
+    )
  }
 }

@@ -607,13 +612,21 @@ OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) {
  result.getReturnKind() = kind
 }

+/** A variable that behaves like a global variable. */
+class GlobalLikeVariable extends Variable {
+  GlobalLikeVariable() {
+    this instanceof Cpp::GlobalOrNamespaceVariable or
+    this instanceof Cpp::StaticLocalVariable
+  }
+}
+
 /**
 * Holds if data can flow from `node1` to `node2` in a way that loses the
 * calling context. For example, this would happen with flow through a
 * global or static variable.
 */
 predicate jumpStep(Node n1, Node n2) {
-  exists(Cpp::GlobalOrNamespaceVariable v |
+  exists(GlobalLikeVariable v |
    exists(Ssa::GlobalUse globalUse |
      v = globalUse.getVariable() and
      n1.(FinalGlobalValue).getGlobalUse() = globalUse
@@ -640,13 +653,16 @@ predicate jumpStep(Node n1, Node n2) {
 * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
 * Thus, `node2` references an object with a field `f` that contains the
 * value of `node1`.
+ *
+ * The boolean `certain` is true if the destination address does not involve
+ * any pointer arithmetic, and false otherwise.
 */
-predicate storeStep(Node node1, Content c, PostFieldUpdateNode node2) {
+predicate storeStepImpl(Node node1, Content c, PostFieldUpdateNode node2, boolean certain) {
  exists(int indirectionIndex1, int numberOfLoads, StoreInstruction store |
    nodeHasInstruction(node1, store, pragma[only_bind_into](indirectionIndex1)) and
    node2.getIndirectionIndex() = 1 and
    numberOfLoadsFromOperand(node2.getFieldAddress(), store.getDestinationAddressOperand(),
-      numberOfLoads)
+      numberOfLoads, certain)
  |
    exists(FieldContent fc | fc = c |
      fc.getField() = node2.getUpdatedField() and
@@ -660,21 +676,34 @@ predicate storeStep(Node node1, Content c, PostFieldUpdateNode node2) {
  )
 }

+/**
+ * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
+ * Thus, `node2` references an object with a field `f` that contains the
+ * value of `node1`.
+ */
+predicate storeStep(Node node1, Content c, PostFieldUpdateNode node2) {
+  storeStepImpl(node1, c, node2, _)
+}
+
 /**
 * Holds if `operandFrom` flows to `operandTo` using a sequence of conversion-like
 * operations and exactly `n` `LoadInstruction` operations.
 */
-private predicate numberOfLoadsFromOperandRec(Operand operandFrom, Operand operandTo, int ind) {
+private predicate numberOfLoadsFromOperandRec(
+  Operand operandFrom, Operand operandTo, int ind, boolean certain
+) {
  exists(Instruction load | Ssa::isDereference(load, operandFrom) |
-    operandTo = operandFrom and ind = 0
+    operandTo = operandFrom and ind = 0 and certain = true
    or
-    numberOfLoadsFromOperand(load.getAUse(), operandTo, ind - 1)
+    numberOfLoadsFromOperand(load.getAUse(), operandTo, ind - 1, certain)
  )
  or
-  exists(Operand op, Instruction instr |
+  exists(Operand op, Instruction instr, boolean isPointerArith, boolean certain0 |
    instr = op.getDef() and
-    conversionFlow(operandFrom, instr, _, _) and
-    numberOfLoadsFromOperand(op, operandTo, ind)
+    conversionFlow(operandFrom, instr, isPointerArith, _) and
+    numberOfLoadsFromOperand(op, operandTo, ind, certain0)
+  |
+    if isPointerArith = true then certain = false else certain = certain0
  )
 }

@@ -682,13 +711,16 @@ private predicate numberOfLoadsFromOperandRec(Operand operandFrom, Operand opera
 * Holds if `operandFrom` flows to `operandTo` using a sequence of conversion-like
 * operations and exactly `n` `LoadInstruction` operations.
 */
-private predicate numberOfLoadsFromOperand(Operand operandFrom, Operand operandTo, int n) {
-  numberOfLoadsFromOperandRec(operandFrom, operandTo, n)
+private predicate numberOfLoadsFromOperand(
+  Operand operandFrom, Operand operandTo, int n, boolean certain
+) {
+  numberOfLoadsFromOperandRec(operandFrom, operandTo, n, certain)
  or
  not Ssa::isDereference(_, operandFrom) and
  not conversionFlow(operandFrom, _, _, _) and
  operandFrom = operandTo and
-  n = 0
+  n = 0 and
+  certain = true
 }

 // Needed to join on both an operand and an index at the same time.
@@ -718,7 +750,7 @@ predicate readStep(Node node1, Content c, Node node2) {
    // The `1` here matches the `node2.getIndirectionIndex() = 1` conjunct
    // in `storeStep`.
    nodeHasOperand(node1, fa1.getObjectAddressOperand(), 1) and
-    numberOfLoadsFromOperand(fa1, operand, numberOfLoads)
+    numberOfLoadsFromOperand(fa1, operand, numberOfLoads, _)
  |
    exists(FieldContent fc | fc = c |
      fc.getField() = fa1.getField() and
@@ -736,7 +768,33 @@ predicate readStep(Node node1, Content c, Node node2) {
 * Holds if values stored inside content `c` are cleared at node `n`.
 */
 predicate clearsContent(Node n, Content c) {
-  none() // stub implementation
+  n =
+    any(PostUpdateNode pun, Content d | d.impliesClearOf(c) and storeStepImpl(_, d, pun, true) | pun)
+        .getPreUpdateNode() and
+  (
+    // The crement operations and pointer addition and subtraction self-assign. We do not
+    // want to clear the contents if it is indirectly pointed at by any of these operations,
+    // as part of the contents might still be accessible afterwards. If there is no such
+    // indirection clearing the contents is safe.
+    not exists(Operand op, Cpp::Operation p |
+      n.(IndirectOperand).hasOperandAndIndirectionIndex(op, _) and
+      (
+        p instanceof Cpp::AssignPointerAddExpr or
+        p instanceof Cpp::AssignPointerSubExpr or
+        p instanceof Cpp::CrementOperation
+      )
+    |
+      p.getAnOperand() = op.getUse().getAst()
+    )
+    or
+    forex(PostUpdateNode pun, Content d |
+      pragma[only_bind_into](d).impliesClearOf(pragma[only_bind_into](c)) and
+      storeStepImpl(_, d, pun, true) and
+      pun.getPreUpdateNode() = n
+    |
+      c.getIndirectionIndex() = d.getIndirectionIndex()
+    )
+  )
 }

 /**
@@ -745,6 +803,8 @@ predicate clearsContent(Node n, Content c) {
 */
 predicate expectsContent(Node n, ContentSet c) { none() }

+predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() }
+
 /** Gets the type of `n` used for type pruning. */
 DataFlowType getNodeType(Node n) {
  suppressUnusedNode(n) and
@@ -773,6 +833,12 @@ class CastNode extends Node {
  CastNode() { none() } // stub implementation
 }

+/**
+ * Holds if `n` should never be skipped over in the `PathGraph` and in path
+ * explanations.
+ */
+predicate neverSkipInPathGraph(Node n) { none() }
+
 /**
 * A function that may contain code or a variable that may contain itself. When
 * flow crosses from one _enclosing callable_ to another, the interprocedural
@@ -790,7 +856,73 @@ class DataFlowCall extends CallInstruction {
  Function getEnclosingCallable() { result = this.getEnclosingFunction() }
 }

-predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } // stub implementation
+module IsUnreachableInCall {
+  private import semmle.code.cpp.ir.ValueNumbering
+  private import semmle.code.cpp.controlflow.IRGuards as G
+
+  private class ConstantIntegralTypeArgumentNode extends PrimaryArgumentNode {
+    int value;
+
+    ConstantIntegralTypeArgumentNode() {
+      value = op.getDef().(IntegerConstantInstruction).getValue().toInt()
+    }
+
+    int getValue() { result = value }
+  }
+
+  pragma[nomagic]
+  private predicate ensuresEq(Operand left, Operand right, int k, IRBlock block, boolean areEqual) {
+    any(G::IRGuardCondition guard).ensuresEq(left, right, k, block, areEqual)
+  }
+
+  pragma[nomagic]
+  private predicate ensuresLt(Operand left, Operand right, int k, IRBlock block, boolean areEqual) {
+    any(G::IRGuardCondition guard).ensuresLt(left, right, k, block, areEqual)
+  }
+
+  predicate isUnreachableInCall(Node n, DataFlowCall call) {
+    exists(
+      DirectParameterNode paramNode, ConstantIntegralTypeArgumentNode arg,
+      IntegerConstantInstruction constant, int k, Operand left, Operand right, IRBlock block
+    |
+      // arg flows into `paramNode`
+      DataFlowImplCommon::viableParamArg(call, paramNode, arg) and
+      left = constant.getAUse() and
+      right = valueNumber(paramNode.getInstruction()).getAUse() and
+      block = n.getBasicBlock()
+    |
+      // and there's a guard condition which ensures that the result of `left == right + k` is `areEqual`
+      exists(boolean areEqual |
+        ensuresEq(pragma[only_bind_into](left), pragma[only_bind_into](right),
+          pragma[only_bind_into](k), pragma[only_bind_into](block), areEqual)
+      |
+        // this block ensures that left = right + k, but it holds that `left != right + k`
+        areEqual = true and
+        constant.getValue().toInt() != arg.getValue() + k
+        or
+        // this block ensures that or `left != right + k`, but it holds that `left = right + k`
+        areEqual = false and
+        constant.getValue().toInt() = arg.getValue() + k
+      )
+      or
+      // or there's a guard condition which ensures that the result of `left < right + k` is `isLessThan`
+      exists(boolean isLessThan |
+        ensuresLt(pragma[only_bind_into](left), pragma[only_bind_into](right),
+          pragma[only_bind_into](k), pragma[only_bind_into](block), isLessThan)
+      |
+        isLessThan = true and
+        // this block ensures that `left < right + k`, but it holds that `left >= right + k`
+        constant.getValue().toInt() >= arg.getValue() + k
+        or
+        // this block ensures that `left >= right + k`, but it holds that `left < right + k`
+        isLessThan = false and
+        constant.getValue().toInt() < arg.getValue() + k
+      )
+    )
+  }
+}
+
+import IsUnreachableInCall

 int accessPathLimit() { result = 5 }

@@ -829,7 +961,7 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
 * One example would be to allow flow like `p.foo = p.bar;`, which is disallowed
 * by default as a heuristic.
 */
-predicate allowParameterReturnInSelf(ParameterNode p) { none() }
+predicate allowParameterReturnInSelf(ParameterNode p) { p instanceof IndirectParameterNode }

 private predicate fieldHasApproxName(Field f, string s) {
  s = f.getName().charAt(0) and
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -274,7 +274,7 @@ class Node extends TIRDataFlowNode {
   * represents the value of `**x` going into `f`.
   */
  Expr asIndirectArgument(int index) {
-    this.(SideEffectOperandNode).getIndirectionIndex() = index and
+    this.(SideEffectOperandNode).hasAddressOperandAndIndirectionIndex(_, index) and
    result = this.(SideEffectOperandNode).getArgument()
  }

@@ -317,7 +317,7 @@ class Node extends TIRDataFlowNode {
    index = 0 and
    result = this.(ExplicitParameterNode).getParameter()
    or
-    this.(IndirectParameterNode).getIndirectionIndex() = index and
+    this.(IndirectParameterNode).hasInstructionAndIndirectionIndex(_, index) and
    result = this.(IndirectParameterNode).getParameter()
  }

@@ -562,6 +562,14 @@ class SsaPhiNode extends Node, TSsaPhiNode {

  /** Gets the source variable underlying this phi node. */
  Ssa::SourceVariable getSourceVariable() { result = phi.getSourceVariable() }
+
+  /**
+   * Holds if this phi node is a phi-read node.
+   *
+   * Phi-read nodes are like normal phi nodes, but they are inserted based
+   * on reads instead of writes.
+   */
+  predicate isPhiRead() { phi.isPhiRead() }
 }

 /**
@@ -569,15 +577,20 @@ class SsaPhiNode extends Node, TSsaPhiNode {
 *
 * A node representing a value after leaving a function.
 */
-class SideEffectOperandNode extends Node, IndirectOperand {
+class SideEffectOperandNode extends Node instanceof IndirectOperand {
  CallInstruction call;
  int argumentIndex;

-  SideEffectOperandNode() { operand = call.getArgumentOperand(argumentIndex) }
+  SideEffectOperandNode() {
+    IndirectOperand.super.hasOperandAndIndirectionIndex(call.getArgumentOperand(argumentIndex), _)
+  }

  CallInstruction getCallInstruction() { result = call }

-  Operand getAddressOperand() { result = operand }
+  /** Gets the underlying operand and the underlying indirection index. */
+  predicate hasAddressOperandAndIndirectionIndex(Operand operand, int indirectionIndex) {
+    IndirectOperand.super.hasOperandAndIndirectionIndex(operand, indirectionIndex)
+  }

  int getArgumentIndex() { result = argumentIndex }

@@ -657,10 +670,10 @@ class InitialGlobalValue extends Node, TInitialGlobalValue {
 *
 * A node representing an indirection of a parameter.
 */
-class IndirectParameterNode extends Node, IndirectInstruction {
+class IndirectParameterNode extends Node instanceof IndirectInstruction {
  InitializeParameterInstruction init;

-  IndirectParameterNode() { this.getInstruction() = init }
+  IndirectParameterNode() { IndirectInstruction.super.hasInstructionAndIndirectionIndex(init, _) }

  int getArgumentIndex() { init.hasIndex(result) }

@@ -669,7 +682,12 @@ class IndirectParameterNode extends Node, IndirectInstruction {

  override Declaration getEnclosingCallable() { result = this.getFunction() }

-  override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
+  override Declaration getFunction() { result = init.getEnclosingFunction() }
+
+  /** Gets the underlying operand and the underlying indirection index. */
+  predicate hasInstructionAndIndirectionIndex(Instruction instr, int index) {
+    IndirectInstruction.super.hasInstructionAndIndirectionIndex(instr, index)
+  }

  override Location getLocationImpl() { result = this.getParameter().getLocation() }

@@ -691,7 +709,8 @@ class IndirectReturnNode extends Node {
  IndirectReturnNode() {
    this instanceof FinalParameterNode
    or
-    this.(IndirectOperand).getOperand() = any(ReturnValueInstruction ret).getReturnAddressOperand()
+    this.(IndirectOperand)
+        .hasOperandAndIndirectionIndex(any(ReturnValueInstruction ret).getReturnAddressOperand(), _)
  }

  override Declaration getEnclosingCallable() { result = this.getFunction() }
@@ -714,7 +733,7 @@ class IndirectReturnNode extends Node {
  int getIndirectionIndex() {
    result = this.(FinalParameterNode).getIndirectionIndex()
    or
-    result = this.(IndirectOperand).getIndirectionIndex()
+    this.(IndirectOperand).hasOperandAndIndirectionIndex(_, result)
  }
 }

@@ -1098,7 +1117,8 @@ predicate exprNodeShouldBeInstruction(Node node, Expr e) {
 /** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
 predicate indirectExprNodeShouldBeIndirectInstruction(IndirectInstruction node, Expr e) {
  exists(Instruction instr |
-    instr = node.getInstruction() and not indirectExprNodeShouldBeIndirectOperand(_, e)
+    node.hasInstructionAndIndirectionIndex(instr, _) and
+    not indirectExprNodeShouldBeIndirectOperand(_, e)
  |
    e = instr.(VariableAddressInstruction).getAst().(Expr).getFullyConverted()
    or
@@ -1299,8 +1319,8 @@ pragma[noinline]
 private predicate indirectParameterNodeHasArgumentIndexAndIndex(
  IndirectParameterNode node, int argumentIndex, int indirectionIndex
 ) {
-  node.getArgumentIndex() = argumentIndex and
-  node.getIndirectionIndex() = indirectionIndex
+  node.hasInstructionAndIndirectionIndex(_, indirectionIndex) and
+  node.getArgumentIndex() = argumentIndex
 }

 /** A synthetic parameter to model the pointed-to object of a pointer parameter. */
@@ -1471,18 +1491,14 @@ VariableNode variableNode(Variable v) {
 */
 Node uninitializedNode(LocalVariable v) { none() }

-pragma[noinline]
 predicate hasOperandAndIndex(IndirectOperand indirectOperand, Operand operand, int indirectionIndex) {
-  indirectOperand.getOperand() = operand and
-  indirectOperand.getIndirectionIndex() = indirectionIndex
+  indirectOperand.hasOperandAndIndirectionIndex(operand, indirectionIndex)
 }

-pragma[noinline]
 predicate hasInstructionAndIndex(
  IndirectInstruction indirectInstr, Instruction instr, int indirectionIndex
 ) {
-  indirectInstr.getInstruction() = instr and
-  indirectInstr.getIndirectionIndex() = indirectionIndex
+  indirectInstr.hasInstructionAndIndirectionIndex(instr, indirectionIndex)
 }

 cached
@@ -1540,7 +1556,7 @@ private module Cached {
  cached
  predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
    // Post update node -> Node flow
-    Ssa::ssaFlow(nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo)
+    Ssa::postUpdateFlow(nodeFrom, nodeTo)
    or
    // Def-use/Use-use flow
    Ssa::ssaFlow(nodeFrom, nodeTo)
@@ -1632,8 +1648,15 @@ predicate localInstructionFlow(Instruction e1, Instruction e2) {
  localFlow(instructionNode(e1), instructionNode(e2))
 }

+/**
+ * INTERNAL: Do not use.
+ *
+ * Ideally this module would be private, but the `asExprInternal` predicate is
+ * needed in `DefaultTaintTrackingImpl`. Once `DefaultTaintTrackingImpl` is gone
+ * we can make this module private.
+ */
 cached
-private module ExprFlowCached {
+module ExprFlowCached {
  /**
   * Holds if `n` is an indirect operand of a `PointerArithmeticInstruction`, and
   * `e` is the result of loading from the `PointerArithmeticInstruction`.
@@ -1641,8 +1664,7 @@ private module ExprFlowCached {
  private predicate isIndirectBaseOfArrayAccess(IndirectOperand n, Expr e) {
    exists(LoadInstruction load, PointerArithmeticInstruction pai |
      pai = load.getSourceAddress() and
-      pai.getLeftOperand() = n.getOperand() and
-      n.getIndirectionIndex() = 1 and
+      n.hasOperandAndIndirectionIndex(pai.getLeftOperand(), 1) and
      e = load.getConvertedResultExpression()
    )
  }
@@ -1684,7 +1706,8 @@ private module ExprFlowCached {
   * `x[i]` steps to the expression `x[i - 1]` without traversing the
   * entire chain.
   */
-  private Expr asExpr(Node n) {
+  cached
+  Expr asExprInternal(Node n) {
    isIndirectBaseOfArrayAccess(n, result)
    or
    not isIndirectBaseOfArrayAccess(n, _) and
@@ -1696,7 +1719,7 @@ private module ExprFlowCached {
   * dataflow step.
   */
  private predicate localStepFromNonExpr(Node n1, Node n2) {
-    not exists(asExpr(n1)) and
+    not exists(asExprInternal(n1)) and
    localFlowStep(n1, n2)
  }

@@ -1707,7 +1730,7 @@ private module ExprFlowCached {
  pragma[nomagic]
  private predicate localStepsToExpr(Node n1, Node n2, Expr e2) {
    localStepFromNonExpr*(n1, n2) and
-    e2 = asExpr(n2)
+    e2 = asExprInternal(n2)
  }

  /**
@@ -1718,7 +1741,7 @@ private module ExprFlowCached {
    exists(Node mid |
      localFlowStep(n1, mid) and
      localStepsToExpr(mid, n2, e2) and
-      e1 = asExpr(n1)
+      e1 = asExprInternal(n1)
    )
  }

@@ -1809,6 +1832,20 @@ class Content extends TContent {
  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
    path = "" and sl = 0 and sc = 0 and el = 0 and ec = 0
  }
+
+  /** Gets the indirection index of this `Content`. */
+  abstract int getIndirectionIndex();
+
+  /**
+   * INTERNAL: Do not use.
+   *
+   * Holds if a write to this `Content` implies that `c` is
+   * also cleared.
+   *
+   * For example, a write to a field `f` implies that any content of
+   * the form `*f` is also cleared.
+   */
+  abstract predicate impliesClearOf(Content c);
 }

 /** A reference through a non-union instance field. */
@@ -1826,10 +1863,21 @@ class FieldContent extends Content, TFieldContent {

  Field getField() { result = f }

+  /** Gets the indirection index of this `FieldContent`. */
  pragma[inline]
-  int getIndirectionIndex() {
+  override int getIndirectionIndex() {
    pragma[only_bind_into](result) = pragma[only_bind_out](indirectionIndex)
  }
+
+  override predicate impliesClearOf(Content c) {
+    exists(FieldContent fc |
+      fc = c and
+      fc.getField() = f and
+      // If `this` is `f` then `c` is cleared if it's of the
+      // form `*f`, `**f`, etc.
+      fc.getIndirectionIndex() >= indirectionIndex
+    )
+  }
 }

 /** A reference through an instance field of a union. */
@@ -1854,9 +1902,21 @@ class UnionContent extends Content, TUnionContent {

  /** Gets the indirection index of this `UnionContent`. */
  pragma[inline]
-  int getIndirectionIndex() {
+  override int getIndirectionIndex() {
    pragma[only_bind_into](result) = pragma[only_bind_out](indirectionIndex)
  }
+
+  override predicate impliesClearOf(Content c) {
+    exists(UnionContent uc |
+      uc = c and
+      uc.getUnion() = u and
+      // If `this` is `u` then `c` is cleared if it's of the
+      // form `*u`, `**u`, etc. (and we ignore `bytes` because
+      // we know the entire union is overwritten because it's a
+      // union).
+      uc.getIndirectionIndex() >= indirectionIndex
+    )
+  }
 }

 /**
@@ -1903,7 +1963,38 @@ signature predicate guardChecksSig(IRGuardCondition g, Expr e, boolean branch);
 * in data flow and taint tracking.
 */
 module BarrierGuard<guardChecksSig/3 guardChecks> {
-  /** Gets a node that is safely guarded by the given guard check. */
+  /**
+   * Gets an expression node that is safely guarded by the given guard check.
+   *
+   * For example, given the following code:
+   * ```cpp
+   * int x = source();
+   * // ...
+   * if(is_safe_int(x)) {
+   *   sink(x);
+   * }
+   * ```
+   * and the following barrier guard predicate:
+   * ```ql
+   * predicate myGuardChecks(IRGuardCondition g, Expr e, boolean branch) {
+   *   exists(Call call |
+   *     g.getUnconvertedResultExpression() = call and
+   *     call.getTarget().hasName("is_safe_int") and
+   *     e = call.getAnArgument() and
+   *     branch = true
+   *   )
+   * }
+   * ```
+   * implementing `isBarrier` as:
+   * ```ql
+   * predicate isBarrier(DataFlow::Node barrier) {
+   *   barrier = DataFlow::BarrierGuard<myGuardChecks/3>::getABarrierNode()
+   * }
+   * ```
+   * will block flow from `x = source()` to `sink(x)`.
+   *
+   * NOTE: If an indirect expression is tracked, use `getAnIndirectBarrierNode` instead.
+   */
  ExprNode getABarrierNode() {
    exists(IRGuardCondition g, Expr e, ValueNumber value, boolean edge |
      e = value.getAnInstruction().getConvertedResultExpression() and
@@ -1912,6 +2003,84 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
      g.controls(result.getBasicBlock(), edge)
    )
  }
+
+  /**
+   * Gets an indirect expression node that is safely guarded by the given guard check.
+   *
+   * For example, given the following code:
+   * ```cpp
+   * int* p;
+   * // ...
+   * *p = source();
+   * if(is_safe_pointer(p)) {
+   *   sink(*p);
+   * }
+   * ```
+   * and the following barrier guard check:
+   * ```ql
+   * predicate myGuardChecks(IRGuardCondition g, Expr e, boolean branch) {
+   *   exists(Call call |
+   *     g.getUnconvertedResultExpression() = call and
+   *     call.getTarget().hasName("is_safe_pointer") and
+   *     e = call.getAnArgument() and
+   *     branch = true
+   *   )
+   * }
+   * ```
+   * implementing `isBarrier` as:
+   * ```ql
+   * predicate isBarrier(DataFlow::Node barrier) {
+   *   barrier = DataFlow::BarrierGuard<myGuardChecks/3>::getAnIndirectBarrierNode()
+   * }
+   * ```
+   * will block flow from `x = source()` to `sink(x)`.
+   *
+   * NOTE: If a non-indirect expression is tracked, use `getABarrierNode` instead.
+   */
+  IndirectExprNode getAnIndirectBarrierNode() { result = getAnIndirectBarrierNode(_) }
+
+  /**
+   * Gets an indirect expression node with indirection index `indirectionIndex` that is
+   * safely guarded by the given guard check.
+   *
+   * For example, given the following code:
+   * ```cpp
+   * int* p;
+   * // ...
+   * *p = source();
+   * if(is_safe_pointer(p)) {
+   *   sink(*p);
+   * }
+   * ```
+   * and the following barrier guard check:
+   * ```ql
+   * predicate myGuardChecks(IRGuardCondition g, Expr e, boolean branch) {
+   *   exists(Call call |
+   *     g.getUnconvertedResultExpression() = call and
+   *     call.getTarget().hasName("is_safe_pointer") and
+   *     e = call.getAnArgument() and
+   *     branch = true
+   *   )
+   * }
+   * ```
+   * implementing `isBarrier` as:
+   * ```ql
+   * predicate isBarrier(DataFlow::Node barrier) {
+   *   barrier = DataFlow::BarrierGuard<myGuardChecks/3>::getAnIndirectBarrierNode(1)
+   * }
+   * ```
+   * will block flow from `x = source()` to `sink(x)`.
+   *
+   * NOTE: If a non-indirect expression is tracked, use `getABarrierNode` instead.
+   */
+  IndirectExprNode getAnIndirectBarrierNode(int indirectionIndex) {
+    exists(IRGuardCondition g, Expr e, ValueNumber value, boolean edge |
+      e = value.getAnInstruction().getConvertedResultExpression() and
+      result.getConvertedExpr(indirectionIndex) = e and
+      guardChecks(g, value.getAnInstruction().getConvertedResultExpression(), edge) and
+      g.controls(result.getBasicBlock(), edge)
+    )
+  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll
@@ -60,7 +60,7 @@ private DataFlow::Node getNodeForSource(Expr source) {
 }

 private DataFlow::Node getNodeForExpr(Expr node) {
-  result = DataFlow::exprNode(node)
+  node = DataFlow::ExprFlowCached::asExprInternal(result)
  or
  // Some of the sources in `isUserInput` are intended to match the value of
  // an expression, while others (those modeled below) are intended to match
@@ -221,7 +221,7 @@ private module Cached {
  predicate nodeIsBarrierIn(DataFlow::Node node) {
    // don't use dataflow into taint sources, as this leads to duplicate results.
    exists(Expr source | isUserInput(source, _) |
-      node = DataFlow::exprNode(source)
+      source = DataFlow::ExprFlowCached::asExprInternal(node)
      or
      // This case goes together with the similar (but not identical) rule in
      // `getNodeForSource`.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRFieldFlowSteps.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRFieldFlowSteps.qll
@@ -0,0 +1,38 @@
+/**
+ * Print the dataflow local store steps in IR dumps.
+ */
+
+private import cpp
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import PrintIRUtilities
+
+/** A property provider for local IR dataflow store steps. */
+class FieldFlowPropertyProvider extends IRPropertyProvider {
+  override string getOperandProperty(Operand operand, string key) {
+    exists(PostFieldUpdateNode pfun, Content content |
+      key = "store " + content.toString() and
+      pfun.getPreUpdateNode().(IndirectOperand).hasOperandAndIndirectionIndex(operand, _) and
+      result =
+        strictconcat(string element, Node node |
+          storeStep(node, content, pfun) and
+          element = nodeId(node, _, _)
+        |
+          element, ", "
+        )
+    )
+    or
+    exists(Node node2, Content content |
+      key = "read " + content.toString() and
+      node2.(IndirectOperand).hasOperandAndIndirectionIndex(operand, _) and
+      result =
+        strictconcat(string element, Node node1 |
+          readStep(node1, content, node2) and
+          element = nodeId(node1, _, _)
+        |
+          element, ", "
+        )
+    )
+  }
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll
@@ -1,119 +1,44 @@
 private import cpp
-// The `ValueNumbering` library has to be imported right after `cpp` to ensure
-// that the cached IR gets the same checksum here as it does in queries that use
-// `ValueNumbering` without `DataFlow`.
-private import semmle.code.cpp.ir.ValueNumbering
 private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.DataFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import SsaInternals as Ssa
 private import PrintIRUtilities

 /**
 * Gets the local dataflow from other nodes in the same function to this node.
 */
-private string getFromFlow(DataFlow::Node useNode, int order1, int order2) {
-  exists(DataFlow::Node defNode, string prefix |
-    (
-      simpleLocalFlowStep(defNode, useNode) and prefix = ""
-      or
-      any(DataFlow::Configuration cfg).isAdditionalFlowStep(defNode, useNode) and
-      defNode.getEnclosingCallable() = useNode.getEnclosingCallable() and
-      prefix = "+"
-    ) and
-    if defNode.asInstruction() = useNode.asOperand().getAnyDef()
-    then
-      // Shorthand for flow from the def of this operand.
-      result = prefix + "def" and
-      order1 = -1 and
-      order2 = 0
-    else
-      if defNode.asOperand().getUse() = useNode.asInstruction()
-      then
-        // Shorthand for flow from an operand of this instruction
-        result = prefix + defNode.asOperand().getDumpId() and
-        order1 = -1 and
-        order2 = defNode.asOperand().getDumpSortOrder()
-      else result = prefix + nodeId(defNode, order1, order2)
+private string getFromFlow(Node node2, int order1, int order2) {
+  exists(Node node1 |
+    simpleLocalFlowStep(node1, node2) and
+    result = nodeId(node1, order1, order2)
  )
 }

 /**
 * Gets the local dataflow from this node to other nodes in the same function.
 */
-private string getToFlow(DataFlow::Node defNode, int order1, int order2) {
-  exists(DataFlow::Node useNode, string prefix |
-    (
-      simpleLocalFlowStep(defNode, useNode) and prefix = ""
-      or
-      any(DataFlow::Configuration cfg).isAdditionalFlowStep(defNode, useNode) and
-      defNode.getEnclosingCallable() = useNode.getEnclosingCallable() and
-      prefix = "+"
-    ) and
-    if useNode.asInstruction() = defNode.asOperand().getUse()
-    then
-      // Shorthand for flow to this operand's instruction.
-      result = prefix + "result" and
-      order1 = -1 and
-      order2 = 0
-    else result = prefix + nodeId(useNode, order1, order2)
+private string getToFlow(Node node1, int order1, int order2) {
+  exists(Node node2 |
+    simpleLocalFlowStep(node1, node2) and
+    result = nodeId(node2, order1, order2)
  )
 }

 /**
 * Gets the properties of the dataflow node `node`.
 */
-private string getNodeProperty(DataFlow::Node node, string key) {
+private string getNodeProperty(Node node, string key) {
  // List dataflow into and out of this node. Flow into this node is printed as `src->@`, and flow
  // out of this node is printed as `@->dest`.
  key = "flow" and
  result =
    strictconcat(string flow, boolean to, int order1, int order2 |
-      flow = getFromFlow(node, order1, order2) + "->@" and to = false
+      flow = getFromFlow(node, order1, order2) + "->" + starsForNode(node) + "@" and to = false
      or
-      flow = "@->" + getToFlow(node, order1, order2) and to = true
+      flow = starsForNode(node) + "@->" + getToFlow(node, order1, order2) and to = true
    |
      flow, ", " order by to, order1, order2, flow
    )
-  or
-  // Is this node a dataflow sink?
-  key = "sink" and
-  any(DataFlow::Configuration cfg).isSink(node) and
-  result = "true"
-  or
-  // Is this node a dataflow source?
-  key = "source" and
-  any(DataFlow::Configuration cfg).isSource(node) and
-  result = "true"
-  or
-  // Is this node a dataflow barrier, and if so, what kind?
-  key = "barrier" and
-  result =
-    strictconcat(string kind |
-      any(DataFlow::Configuration cfg).isBarrier(node) and kind = "full"
-      or
-      any(DataFlow::Configuration cfg).isBarrierIn(node) and kind = "in"
-      or
-      any(DataFlow::Configuration cfg).isBarrierOut(node) and kind = "out"
-    |
-      kind, ", "
-    )
-  // or
-  // // Is there partial flow from a source to this node?
-  // // This property will only be emitted if partial flow is enabled by overriding
-  // // `DataFlow::Configuration::explorationLimit()`.
-  // key = "pflow" and
-  // result =
-  //   strictconcat(DataFlow::PartialPathNode sourceNode, DataFlow::PartialPathNode destNode, int dist,
-  //     int order1, int order2 |
-  //     any(DataFlow::Configuration cfg).hasPartialFlow(sourceNode, destNode, dist) and
-  //     destNode.getNode() = node and
-  //     // Only print flow from a source in the same function.
-  //     sourceNode.getNode().getEnclosingCallable() = node.getEnclosingCallable()
-  //   |
-  //     nodeId(sourceNode.getNode(), order1, order2) + "+" + dist.toString(), ", "
-  //     order by
-  //       order1, order2, dist desc
-  //   )
 }

 /**
@@ -121,16 +46,21 @@ private string getNodeProperty(DataFlow::Node node, string key) {
 */
 class LocalFlowPropertyProvider extends IRPropertyProvider {
  override string getOperandProperty(Operand operand, string key) {
-    exists(DataFlow::Node node |
-      operand = node.asOperand() and
+    exists(Node node |
+      operand = [node.asOperand(), node.(RawIndirectOperand).getOperand()] and
      result = getNodeProperty(node, key)
    )
  }

  override string getInstructionProperty(Instruction instruction, string key) {
-    exists(DataFlow::Node node |
-      instruction = node.asInstruction() and
+    exists(Node node |
+      instruction = [node.asInstruction(), node.(RawIndirectInstruction).getInstruction()]
+    |
      result = getNodeProperty(node, key)
    )
  }
+
+  override predicate shouldPrintOperand(Operand operand) { not Ssa::ignoreOperand(operand) }
+
+  override predicate shouldPrintInstruction(Instruction instr) { not Ssa::ignoreInstruction(instr) }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRStoreSteps.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRStoreSteps.qll
@@ -1,33 +0,0 @@
-/**
- * Print the dataflow local store steps in IR dumps.
- */
-
-private import cpp
-// The `ValueNumbering` library has to be imported right after `cpp` to ensure
-// that the cached IR gets the same checksum here as it does in queries that use
-// `ValueNumbering` without `DataFlow`.
-private import semmle.code.cpp.ir.ValueNumbering
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.DataFlow
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import PrintIRUtilities
-
-/**
- * Property provider for local IR dataflow store steps.
- */
-class LocalFlowPropertyProvider extends IRPropertyProvider {
-  override string getInstructionProperty(Instruction instruction, string key) {
-    exists(DataFlow::Node objectNode, Content content |
-      key = "content[" + content.toString() + "]" and
-      instruction = objectNode.asInstruction() and
-      result =
-        strictconcat(string element, DataFlow::Node fieldNode |
-          storeStep(fieldNode, content, objectNode) and
-          element = nodeId(fieldNode, _, _)
-        |
-          element, ", "
-        )
-    )
-  }
-}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll
@@ -3,37 +3,62 @@
 */

 private import cpp
-// The `ValueNumbering` library has to be imported right after `cpp` to ensure
-// that the cached IR gets the same checksum here as it does in queries that use
-// `ValueNumbering` without `DataFlow`.
-private import semmle.code.cpp.ir.ValueNumbering
 private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.DataFlow
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+
+private string stars(int k) {
+  k =
+    [0 .. max([
+            any(RawIndirectInstruction n).getIndirectionIndex(),
+            any(RawIndirectOperand n).getIndirectionIndex()
+          ]
+      )] and
+  (if k = 0 then result = "" else result = "*" + stars(k - 1))
+}
+
+string starsForNode(Node node) {
+  exists(int indirectionIndex |
+    node.(IndirectInstruction).hasInstructionAndIndirectionIndex(_, indirectionIndex) or
+    node.(IndirectOperand).hasOperandAndIndirectionIndex(_, indirectionIndex)
+  |
+    result = stars(indirectionIndex)
+  )
+  or
+  not node instanceof IndirectInstruction and
+  not node instanceof IndirectOperand and
+  result = ""
+}
+
+private Instruction getInstruction(Node n, string stars) {
+  result = [n.asInstruction(), n.(RawIndirectInstruction).getInstruction()] and
+  stars = starsForNode(n)
+}
+
+private Operand getOperand(Node n, string stars) {
+  result = [n.asOperand(), n.(RawIndirectOperand).getOperand()] and
+  stars = starsForNode(n)
+}

 /**
 * Gets a short ID for an IR dataflow node.
 * - For `Instruction`s, this is just the result ID of the instruction (e.g. `m128`).
 * - For `Operand`s, this is the label of the operand, prefixed with the result ID of the
 *   instruction and a dot (e.g. `m128.left`).
- * - For `Variable`s, this is the qualified name of the variable.
 */
-string nodeId(DataFlow::Node node, int order1, int order2) {
-  exists(Instruction instruction | instruction = node.asInstruction() |
-    result = instruction.getResultId() and
+string nodeId(Node node, int order1, int order2) {
+  exists(Instruction instruction, string stars | instruction = getInstruction(node, stars) |
+    result = stars + instruction.getResultId() and
    order1 = instruction.getBlock().getDisplayIndex() and
    order2 = instruction.getDisplayIndexInBlock()
  )
  or
-  exists(Operand operand, Instruction instruction |
-    operand = node.asOperand() and
+  exists(Operand operand, Instruction instruction, string stars |
+    operand = getOperand(node, stars) and
    instruction = operand.getUse()
  |
-    result = instruction.getResultId() + "." + operand.getDumpId() and
+    result = stars + instruction.getResultId() + "." + operand.getDumpId() and
    order1 = instruction.getBlock().getDisplayIndex() and
    order2 = instruction.getDisplayIndexInBlock()
  )
-  or
-  result = "var(" + node.asVariable().getQualifiedName() + ")" and
-  order1 = 1000000 and
-  order2 = 0
 }
--- a/cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll
@@ -1,7 +1,29 @@
-import semmle.code.cpp.ir.dataflow.DataFlow
+/**
+ * Provides a library for global (inter-procedural) data flow analysis of two
+ * values "simultaneously". This can be used, for example, if you want to track
+ * a memory allocation as well as the size of the allocation.
+ *
+ * Intuitively, you can think of this as regular dataflow, but where each node
+ * in the dataflow graph has been replaced by a pair of nodes `(node1, node2)`,
+ * and two node pairs `(n11, n12)`, `(n21, n22)` is then connected by a dataflow
+ * edge if there's a regular dataflow edge between `n11` and `n21`, and `n12`
+ * and `n22`.
+ *
+ * Note that the above intuition does not reflect the actual implementation.
+ */
+
+import semmle.code.cpp.dataflow.new.DataFlow
+private import DataFlowPrivate
+private import DataFlowUtil
+private import DataFlowImplCommon
 private import codeql.util.Unit

+/**
+ * Provides classes for performing global (inter-procedural) data flow analyses
+ * on a product dataflow graph.
+ */
 module ProductFlow {
+  /** An input configuration for product data-flow. */
  signature module ConfigSig {
    /**
     * Holds if `(source1, source2)` is a relevant data flow source.
@@ -67,6 +89,9 @@ module ProductFlow {
    default predicate isBarrierIn2(DataFlow::Node node) { none() }
  }

+  /**
+   * The output of a global data flow computation.
+   */
  module Global<ConfigSig Config> {
    private module StateConfig implements StateConfigSig {
      class FlowState1 = Unit;
@@ -135,6 +160,7 @@ module ProductFlow {
    import GlobalWithState<StateConfig>
  }

+  /** An input configuration for data flow using flow state. */
  signature module StateConfigSig {
    bindingset[this]
    class FlowState1;
@@ -166,13 +192,13 @@ module ProductFlow {
     * Holds if data flow through `node` is prohibited through the first projection of the product
     * dataflow graph when the flow state is `state`.
     */
-    predicate isBarrier1(DataFlow::Node node, FlowState1 state);
+    default predicate isBarrier1(DataFlow::Node node, FlowState1 state) { none() }

    /**
     * Holds if data flow through `node` is prohibited through the second projection of the product
     * dataflow graph when the flow state is `state`.
     */
-    predicate isBarrier2(DataFlow::Node node, FlowState2 state);
+    default predicate isBarrier2(DataFlow::Node node, FlowState2 state) { none() }

    /**
     * Holds if data flow through `node` is prohibited through the first projection of the product
@@ -211,9 +237,11 @@ module ProductFlow {
     *
     * This step is only applicable in `state1` and updates the flow state to `state2`.
     */
-    predicate isAdditionalFlowStep1(
+    default predicate isAdditionalFlowStep1(
      DataFlow::Node node1, FlowState1 state1, DataFlow::Node node2, FlowState1 state2
-    );
+    ) {
+      none()
+    }

    /**
     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
@@ -227,9 +255,11 @@ module ProductFlow {
     *
     * This step is only applicable in `state1` and updates the flow state to `state2`.
     */
-    predicate isAdditionalFlowStep2(
+    default predicate isAdditionalFlowStep2(
      DataFlow::Node node1, FlowState2 state1, DataFlow::Node node2, FlowState2 state2
-    );
+    ) {
+      none()
+    }

    /**
     * Holds if data flow into `node` is prohibited in the first projection of the product
@@ -244,6 +274,9 @@ module ProductFlow {
    default predicate isBarrierIn2(DataFlow::Node node) { none() }
  }

+  /**
+   * The output of a global data flow computation.
+   */
  module GlobalWithState<StateConfigSig Config> {
    class PathNode1 = Flow1::PathNode;

@@ -257,6 +290,7 @@ module ProductFlow {

    class FlowState2 = Config::FlowState2;

+    /** Holds if data can flow from `(source1, source2)` to `(sink1, sink2)`. */
    predicate flowPath(
      Flow1::PathNode source1, Flow2::PathNode source2, Flow1::PathNode sink1, Flow2::PathNode sink2
    ) {
@@ -287,9 +321,9 @@ module ProductFlow {
      predicate isBarrierIn(DataFlow::Node node) { Config::isBarrierIn1(node) }
    }

-    module Flow1 = DataFlow::GlobalWithState<Config1>;
+    private module Flow1 = DataFlow::GlobalWithState<Config1>;

-    module Config2 implements DataFlow::StateConfigSig {
+    private module Config2 implements DataFlow::StateConfigSig {
      class FlowState = FlowState2;

      predicate isSource(DataFlow::Node source, FlowState state) {
@@ -319,27 +353,87 @@ module ProductFlow {
      predicate isBarrierIn(DataFlow::Node node) { Config::isBarrierIn2(node) }
    }

-    module Flow2 = DataFlow::GlobalWithState<Config2>;
+    private module Flow2 = DataFlow::GlobalWithState<Config2>;
+
+    private predicate isSourcePair(Flow1::PathNode node1, Flow2::PathNode node2) {
+      Config::isSourcePair(node1.getNode(), node1.getState(), node2.getNode(), node2.getState())
+    }
+
+    private predicate isSinkPair(Flow1::PathNode node1, Flow2::PathNode node2) {
+      Config::isSinkPair(node1.getNode(), node1.getState(), node2.getNode(), node2.getState())
+    }

    pragma[nomagic]
-    private predicate reachableInterprocEntry(
-      Flow1::PathNode source1, Flow2::PathNode source2, Flow1::PathNode node1, Flow2::PathNode node2
-    ) {
-      Config::isSourcePair(node1.getNode(), node1.getState(), node2.getNode(), node2.getState()) and
-      node1 = source1 and
-      node2 = source2
+    private predicate fwdReachableInterprocEntry(Flow1::PathNode node1, Flow2::PathNode node2) {
+      isSourcePair(node1, node2)
      or
-      exists(
-        Flow1::PathNode midEntry1, Flow2::PathNode midEntry2, Flow1::PathNode midExit1,
-        Flow2::PathNode midExit2
-      |
-        reachableInterprocEntry(source1, source2, midEntry1, midEntry2) and
-        interprocEdgePair(midExit1, midExit2, node1, node2) and
-        localPathStep1*(midEntry1, midExit1) and
-        localPathStep2*(midEntry2, midExit2)
+      fwdIsSuccessor(_, _, node1, node2)
+    }
+
+    pragma[nomagic]
+    private predicate fwdIsSuccessorExit(
+      Flow1::PathNode mid1, Flow2::PathNode mid2, Flow1::PathNode succ1, Flow2::PathNode succ2
+    ) {
+      isSinkPair(mid1, mid2) and
+      succ1 = mid1 and
+      succ2 = mid2
+      or
+      interprocEdgePair(mid1, mid2, succ1, succ2)
+    }
+
+    private predicate fwdIsSuccessor1(
+      Flow1::PathNode pred1, Flow2::PathNode pred2, Flow1::PathNode mid1, Flow2::PathNode mid2,
+      Flow1::PathNode succ1, Flow2::PathNode succ2
+    ) {
+      fwdReachableInterprocEntry(pred1, pred2) and
+      localPathStep1*(pred1, mid1) and
+      fwdIsSuccessorExit(pragma[only_bind_into](mid1), pragma[only_bind_into](mid2), succ1, succ2)
+    }
+
+    private predicate fwdIsSuccessor2(
+      Flow1::PathNode pred1, Flow2::PathNode pred2, Flow1::PathNode mid1, Flow2::PathNode mid2,
+      Flow1::PathNode succ1, Flow2::PathNode succ2
+    ) {
+      fwdReachableInterprocEntry(pred1, pred2) and
+      localPathStep2*(pred2, mid2) and
+      fwdIsSuccessorExit(pragma[only_bind_into](mid1), pragma[only_bind_into](mid2), succ1, succ2)
+    }
+
+    private predicate fwdIsSuccessor(
+      Flow1::PathNode pred1, Flow2::PathNode pred2, Flow1::PathNode succ1, Flow2::PathNode succ2
+    ) {
+      exists(Flow1::PathNode mid1, Flow2::PathNode mid2 |
+        fwdIsSuccessor1(pred1, pred2, mid1, mid2, succ1, succ2) and
+        fwdIsSuccessor2(pred1, pred2, mid1, mid2, succ1, succ2)
      )
    }

+    pragma[nomagic]
+    private predicate revReachableInterprocEntry(Flow1::PathNode node1, Flow2::PathNode node2) {
+      fwdReachableInterprocEntry(node1, node2) and
+      isSinkPair(node1, node2)
+      or
+      exists(Flow1::PathNode succ1, Flow2::PathNode succ2 |
+        revReachableInterprocEntry(succ1, succ2) and
+        fwdIsSuccessor(node1, node2, succ1, succ2)
+      )
+    }
+
+    private newtype TNodePair =
+      TMkNodePair(Flow1::PathNode node1, Flow2::PathNode node2) {
+        revReachableInterprocEntry(node1, node2)
+      }
+
+    private predicate pathSucc(TNodePair n1, TNodePair n2) {
+      exists(Flow1::PathNode n11, Flow2::PathNode n12, Flow1::PathNode n21, Flow2::PathNode n22 |
+        n1 = TMkNodePair(n11, n12) and
+        n2 = TMkNodePair(n21, n22) and
+        fwdIsSuccessor(n11, n12, n21, n22)
+      )
+    }
+
+    private predicate pathSuccPlus(TNodePair n1, TNodePair n2) = fastTC(pathSucc/2)(n1, n2)
+
    private predicate localPathStep1(Flow1::PathNode pred, Flow1::PathNode succ) {
      Flow1::PathGraph::edges(pred, succ) and
      pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
@@ -352,43 +446,133 @@ module ProductFlow {
        pragma[only_bind_out](succ.getNode().getEnclosingCallable())
    }

+    private newtype TKind =
+      TInto(DataFlowCall call) {
+        intoImpl1(_, _, call) or
+        intoImpl2(_, _, call)
+      } or
+      TOutOf(DataFlowCall call) {
+        outImpl1(_, _, call) or
+        outImpl2(_, _, call)
+      } or
+      TJump()
+
+    private predicate intoImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
+      Flow1::PathGraph::edges(pred1, succ1) and
+      pred1.getNode().(ArgumentNode).getCall() = call and
+      succ1.getNode() instanceof ParameterNode
+    }
+
+    private predicate into1(Flow1::PathNode pred1, Flow1::PathNode succ1, TKind kind) {
+      exists(DataFlowCall call |
+        kind = TInto(call) and
+        intoImpl1(pred1, succ1, call)
+      )
+    }
+
+    private predicate outImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
+      Flow1::PathGraph::edges(pred1, succ1) and
+      exists(ReturnKindExt returnKind |
+        succ1.getNode() = returnKind.getAnOutNode(call) and
+        pred1.getNode().(ReturnNodeExt).getKind() = returnKind
+      )
+    }
+
+    private predicate out1(Flow1::PathNode pred1, Flow1::PathNode succ1, TKind kind) {
+      exists(DataFlowCall call |
+        outImpl1(pred1, succ1, call) and
+        kind = TOutOf(call)
+      )
+    }
+
+    private predicate intoImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
+      Flow2::PathGraph::edges(pred2, succ2) and
+      pred2.getNode().(ArgumentNode).getCall() = call and
+      succ2.getNode() instanceof ParameterNode
+    }
+
+    private predicate into2(Flow2::PathNode pred2, Flow2::PathNode succ2, TKind kind) {
+      exists(DataFlowCall call |
+        kind = TInto(call) and
+        intoImpl2(pred2, succ2, call)
+      )
+    }
+
+    private predicate outImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
+      Flow2::PathGraph::edges(pred2, succ2) and
+      exists(ReturnKindExt returnKind |
+        succ2.getNode() = returnKind.getAnOutNode(call) and
+        pred2.getNode().(ReturnNodeExt).getKind() = returnKind
+      )
+    }
+
+    private predicate out2(Flow2::PathNode pred2, Flow2::PathNode succ2, TKind kind) {
+      exists(DataFlowCall call |
+        kind = TOutOf(call) and
+        outImpl2(pred2, succ2, call)
+      )
+    }
+
    pragma[nomagic]
    private predicate interprocEdge1(
-      Declaration predDecl, Declaration succDecl, Flow1::PathNode pred1, Flow1::PathNode succ1
+      Declaration predDecl, Declaration succDecl, Flow1::PathNode pred1, Flow1::PathNode succ1,
+      TKind kind
    ) {
      Flow1::PathGraph::edges(pred1, succ1) and
      predDecl != succDecl and
      pred1.getNode().getEnclosingCallable() = predDecl and
-      succ1.getNode().getEnclosingCallable() = succDecl
+      succ1.getNode().getEnclosingCallable() = succDecl and
+      (
+        into1(pred1, succ1, kind)
+        or
+        out1(pred1, succ1, kind)
+        or
+        kind = TJump() and
+        not into1(pred1, succ1, _) and
+        not out1(pred1, succ1, _)
+      )
    }

    pragma[nomagic]
    private predicate interprocEdge2(
-      Declaration predDecl, Declaration succDecl, Flow2::PathNode pred2, Flow2::PathNode succ2
+      Declaration predDecl, Declaration succDecl, Flow2::PathNode pred2, Flow2::PathNode succ2,
+      TKind kind
    ) {
      Flow2::PathGraph::edges(pred2, succ2) and
      predDecl != succDecl and
      pred2.getNode().getEnclosingCallable() = predDecl and
-      succ2.getNode().getEnclosingCallable() = succDecl
+      succ2.getNode().getEnclosingCallable() = succDecl and
+      (
+        into2(pred2, succ2, kind)
+        or
+        out2(pred2, succ2, kind)
+        or
+        kind = TJump() and
+        not into2(pred2, succ2, _) and
+        not out2(pred2, succ2, _)
+      )
    }

    private predicate interprocEdgePair(
      Flow1::PathNode pred1, Flow2::PathNode pred2, Flow1::PathNode succ1, Flow2::PathNode succ2
    ) {
-      exists(Declaration predDecl, Declaration succDecl |
-        interprocEdge1(predDecl, succDecl, pred1, succ1) and
-        interprocEdge2(predDecl, succDecl, pred2, succ2)
+      exists(Declaration predDecl, Declaration succDecl, TKind kind |
+        interprocEdge1(predDecl, succDecl, pred1, succ1, kind) and
+        interprocEdge2(predDecl, succDecl, pred2, succ2, kind)
      )
    }

    private predicate reachable(
      Flow1::PathNode source1, Flow2::PathNode source2, Flow1::PathNode sink1, Flow2::PathNode sink2
    ) {
-      exists(Flow1::PathNode mid1, Flow2::PathNode mid2 |
-        reachableInterprocEntry(source1, source2, mid1, mid2) and
-        Config::isSinkPair(sink1.getNode(), sink1.getState(), sink2.getNode(), sink2.getState()) and
-        localPathStep1*(mid1, sink1) and
-        localPathStep2*(mid2, sink2)
+      isSourcePair(source1, source2) and
+      isSinkPair(sink1, sink2) and
+      exists(TNodePair n1, TNodePair n2 |
+        n1 = TMkNodePair(source1, source2) and
+        n2 = TMkNodePair(sink1, sink2)
+      |
+        pathSuccPlus(n1, n2) or
+        n1 = n2
      )
    }
  }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -145,14 +145,14 @@ private newtype TDefOrUseImpl =
      or
      // Since the pruning stage doesn't know about global variables we can't use the above check to
      // rule out dead assignments to globals.
-      base.(VariableAddressInstruction).getAstVariable() instanceof Cpp::GlobalOrNamespaceVariable
+      base.(VariableAddressInstruction).getAstVariable() instanceof GlobalLikeVariable
    )
  } or
  TUseImpl(Operand operand, int indirectionIndex) {
    isUse(_, operand, _, _, indirectionIndex) and
    not isDef(_, _, operand, _, _, _)
  } or
-  TGlobalUse(Cpp::GlobalOrNamespaceVariable v, IRFunction f, int indirectionIndex) {
+  TGlobalUse(GlobalLikeVariable v, IRFunction f, int indirectionIndex) {
    // Represents a final "use" of a global variable to ensure that
    // the assignment to a global variable isn't ruled out as dead.
    exists(VariableAddressInstruction vai, int defIndex |
@@ -162,7 +162,7 @@ private newtype TDefOrUseImpl =
      indirectionIndex = [0 .. defIndex] + 1
    )
  } or
-  TGlobalDefImpl(Cpp::GlobalOrNamespaceVariable v, IRFunction f, int indirectionIndex) {
+  TGlobalDefImpl(GlobalLikeVariable v, IRFunction f, int indirectionIndex) {
    // Represents the initial "definition" of a global variable when entering
    // a function body.
    exists(VariableAddressInstruction vai |
@@ -364,7 +364,25 @@ abstract private class OperandBasedUse extends UseImpl {
  OperandBasedUse() { any() }

  final override predicate hasIndexInBlock(IRBlock block, int index) {
-    operand.getUse() = block.getInstruction(index)
+    // See the comment in `ssa0`'s `OperandBasedUse` for an explanation of this
+    // predicate's implementation.
+    exists(BaseSourceVariableInstruction base | base = this.getBase() |
+      if base.getAst() = any(Cpp::PostfixCrementOperation c).getOperand()
+      then
+        exists(Operand op, int indirectionIndex, int indirection |
+          indirectionIndex = this.getIndirectionIndex() and
+          indirection = this.getIndirection() and
+          op =
+            min(Operand cand, int i |
+              isUse(_, cand, base, indirection, indirectionIndex) and
+              block.getInstruction(i) = cand.getUse()
+            |
+              cand order by i
+            ) and
+          block.getInstruction(index) = op.getUse()
+        )
+      else operand.getUse() = block.getInstruction(index)
+    )
  }

  final Operand getOperand() { result = operand }
@@ -458,7 +476,7 @@ class FinalParameterUse extends UseImpl, TFinalParameterUse {
 }

 class GlobalUse extends UseImpl, TGlobalUse {
-  Cpp::GlobalOrNamespaceVariable global;
+  GlobalLikeVariable global;
  IRFunction f;

  GlobalUse() { this = TGlobalUse(global, f, ind) }
@@ -468,7 +486,7 @@ class GlobalUse extends UseImpl, TGlobalUse {
  override int getIndirection() { result = ind + 1 }

  /** Gets the global variable associated with this use. */
-  Cpp::GlobalOrNamespaceVariable getVariable() { result = global }
+  GlobalLikeVariable getVariable() { result = global }

  /** Gets the `IRFunction` whose body is exited from after this use. */
  IRFunction getIRFunction() { result = f }
@@ -496,14 +514,14 @@ class GlobalUse extends UseImpl, TGlobalUse {
 }

 class GlobalDefImpl extends DefOrUseImpl, TGlobalDefImpl {
-  Cpp::GlobalOrNamespaceVariable global;
+  GlobalLikeVariable global;
  IRFunction f;
  int indirectionIndex;

  GlobalDefImpl() { this = TGlobalDefImpl(global, f, indirectionIndex) }

  /** Gets the global variable associated with this definition. */
-  Cpp::GlobalOrNamespaceVariable getVariable() { result = global }
+  GlobalLikeVariable getVariable() { result = global }

  /** Gets the `IRFunction` whose body is evaluated after this definition. */
  IRFunction getIRFunction() { result = f }
@@ -657,27 +675,20 @@ private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {
 * So this predicate recurses back along conversions and `PointerArithmeticInstruction`s to find the
 * first use that has provides use-use flow, and uses that target as the target of the `nodeFrom`.
 */
-private predicate adjustForPointerArith(
-  DefOrUse defOrUse, Node nodeFrom, UseOrPhi use, boolean uncertain
-) {
-  nodeFrom = any(PostUpdateNode pun).getPreUpdateNode() and
-  exists(Node adjusted |
-    indirectConversionFlowStep*(adjusted, nodeFrom) and
-    nodeToDefOrUse(adjusted, defOrUse, uncertain) and
+private predicate adjustForPointerArith(PostUpdateNode pun, UseOrPhi use) {
+  exists(DefOrUse defOrUse, Node adjusted |
+    indirectConversionFlowStep*(adjusted, pun.getPreUpdateNode()) and
+    nodeToDefOrUse(adjusted, defOrUse, _) and
    adjacentDefRead(defOrUse, use)
  )
 }

 private predicate ssaFlowImpl(SsaDefOrUse defOrUse, Node nodeFrom, Node nodeTo, boolean uncertain) {
-  // `nodeFrom = any(PostUpdateNode pun).getPreUpdateNode()` is implied by adjustedForPointerArith.
  exists(UseOrPhi use |
-    adjustForPointerArith(defOrUse, nodeFrom, use, uncertain) and
-    useToNode(use, nodeTo)
-    or
-    not nodeFrom = any(PostUpdateNode pun).getPreUpdateNode() and
    nodeToDefOrUse(nodeFrom, defOrUse, uncertain) and
    adjacentDefRead(defOrUse, use) and
-    useToNode(use, nodeTo)
+    useToNode(use, nodeTo) and
+    nodeFrom != nodeTo
    or
    // Initial global variable value to a first use
    nodeFrom.(InitialGlobalValue).getGlobalDef() = defOrUse and
@@ -712,11 +723,28 @@ private Node getAPriorDefinition(SsaDefOrUse defOrUse) {
 /** Holds if there is def-use or use-use flow from `nodeFrom` to `nodeTo`. */
 predicate ssaFlow(Node nodeFrom, Node nodeTo) {
  exists(Node nFrom, boolean uncertain, SsaDefOrUse defOrUse |
-    ssaFlowImpl(defOrUse, nFrom, nodeTo, uncertain) and
+    ssaFlowImpl(defOrUse, nFrom, nodeTo, uncertain) and nodeFrom != nodeTo
+  |
    if uncertain = true then nodeFrom = [nFrom, getAPriorDefinition(defOrUse)] else nodeFrom = nFrom
  )
 }

+private predicate isArgumentOfCallable(DataFlowCall call, ArgumentNode arg) {
+  arg.argumentOf(call, _)
+}
+
+/** Holds if there is def-use or use-use flow from `pun` to `nodeTo`. */
+predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
+  exists(UseOrPhi use, Node preUpdate |
+    adjustForPointerArith(pun, use) and
+    useToNode(use, nodeTo) and
+    preUpdate = pun.getPreUpdateNode() and
+    not exists(DataFlowCall call |
+      isArgumentOfCallable(call, preUpdate) and isArgumentOfCallable(call, nodeTo)
+    )
+  )
+}
+
 /**
 * Holds if `use` is a use of `sv` and is a next adjacent use of `phi` in
 * index `i1` in basic block `bb1`.
@@ -742,6 +770,7 @@ predicate fromPhiNode(SsaPhiNode nodeFrom, Node nodeTo) {
    fromPhiNodeToUse(phi, sv, bb1, i1, use)
    or
    exists(PhiNode phiTo |
+      phi != phiTo and
      lastRefRedefExt(phi, _, _, phiTo) and
      nodeTo.(SsaPhiNode).getPhiNode() = phiTo
    )
@@ -760,13 +789,14 @@ private predicate variableWriteCand(IRBlock bb, int i, SourceVariable v) {
 }

 private predicate sourceVariableIsGlobal(
-  SourceVariable sv, Cpp::GlobalOrNamespaceVariable global, IRFunction func, int indirectionIndex
+  SourceVariable sv, GlobalLikeVariable global, IRFunction func, int indirectionIndex
 ) {
  exists(IRVariable irVar, BaseIRVariable base |
    sourceVariableHasBaseAndIndex(sv, base, indirectionIndex) and
    irVar = base.getIRVariable() and
    irVar.getEnclosingIRFunction() = func and
-    global = irVar.getAst()
+    global = irVar.getAst() and
+    not irVar instanceof IRDynamicInitializationFlag
  )
 }

@@ -919,7 +949,7 @@ class GlobalDef extends TGlobalDef, SsaDefOrUse {
  IRFunction getIRFunction() { result = global.getIRFunction() }

  /** Gets the global variable associated with this definition. */
-  Cpp::GlobalOrNamespaceVariable getVariable() { result = global.getVariable() }
+  GlobalLikeVariable getVariable() { result = global.getVariable() }
 }

 class Phi extends TPhi, SsaDefOrUse {
@@ -997,6 +1027,14 @@ class PhiNode extends SsaImpl::DefinitionExt {
    this instanceof SsaImpl::PhiNode or
    this instanceof SsaImpl::PhiReadNode
  }
+
+  /**
+   * Holds if this phi node is a phi-read node.
+   *
+   * Phi-read nodes are like normal phi nodes, but they are inserted based
+   * on reads instead of writes.
+   */
+  predicate isPhiRead() { this instanceof SsaImpl::PhiReadNode }
 }

 class DefinitionExt = SsaImpl::DefinitionExt;
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -117,6 +117,16 @@ private int countIndirections(Type t) {
  else (
    result = any(Indirection ind | ind.getType() = t).getNumberOfIndirections()
    or
+    // If there is an indirection for the type, but we cannot count the number of indirections
+    // it means we couldn't reach a non-indirection type by stripping off indirections. This
+    // can occur if an iterator specifies itself as the value type. In this case we default to
+    // 1 indirection fore the type.
+    exists(Indirection ind |
+      ind.getType() = t and
+      not exists(ind.getNumberOfIndirections()) and
+      result = 1
+    )
+    or
    not exists(Indirection ind | ind.getType() = t) and
    result = 0
  )
@@ -144,6 +154,20 @@ class AllocationInstruction extends CallInstruction {
  AllocationInstruction() { this.getStaticCallTarget() instanceof Cpp::AllocationFunction }
 }

+private predicate isIndirectionType(Type t) { t instanceof Indirection }
+
+private predicate hasUnspecifiedBaseType(Indirection t, Type base) {
+  base = t.getBaseType().getUnspecifiedType()
+}
+
+/**
+ * Holds if `t2` is the same type as `t1`, but after stripping away `result` number
+ * of indirections.
+ * Furthermore, specifies in `t2` been deeply stripped and typedefs has been resolved.
+ */
+private int getNumberOfIndirectionsImpl(Type t1, Type t2) =
+  shortestDistances(isIndirectionType/1, hasUnspecifiedBaseType/2)(t1, t2, result)
+
 /**
 * An abstract class for handling indirections.
 *
@@ -162,7 +186,10 @@ abstract class Indirection extends Type {
   * For example, the number of indirections of a variable `p` of type
   * `int**` is `3` (i.e., `p`, `*p` and `**p`).
   */
-  abstract int getNumberOfIndirections();
+  final int getNumberOfIndirections() {
+    result =
+      getNumberOfIndirectionsImpl(this.getType(), any(Type end | not end instanceof Indirection))
+  }

  /**
   * Holds if `deref` is an instruction that behaves as a `LoadInstruction`
@@ -200,19 +227,11 @@ private class PointerOrArrayOrReferenceTypeIndirection extends Indirection insta
  PointerOrArrayOrReferenceTypeIndirection() {
    baseType = PointerOrArrayOrReferenceType.super.getBaseType()
  }
-
-  override int getNumberOfIndirections() {
-    result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
-  }
 }

 private class PointerWrapperTypeIndirection extends Indirection instanceof PointerWrapper {
  PointerWrapperTypeIndirection() { baseType = PointerWrapper.super.getBaseType() }

-  override int getNumberOfIndirections() {
-    result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
-  }
-
  override predicate isAdditionalDereference(Instruction deref, Operand address) {
    exists(CallInstruction call |
      operandForFullyConvertedCall(getAUse(deref), call) and
@@ -233,10 +252,6 @@ private module IteratorIndirections {
      baseType = super.getValueType()
    }

-    override int getNumberOfIndirections() {
-      result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
-    }
-
    override predicate isAdditionalDereference(Instruction deref, Operand address) {
      exists(CallInstruction call |
        operandForFullyConvertedCall(getAUse(deref), call) and
@@ -258,7 +273,7 @@ private module IteratorIndirections {
        // Taint through `operator+=` and `operator-=` on iterators.
        call.getStaticCallTarget() instanceof Iterator::IteratorAssignArithmeticOperator and
        node2.(IndirectArgumentOutNode).getPreUpdateNode() = node1 and
-        node1.(IndirectOperand).getOperand() = call.getArgumentOperand(0) and
+        node1.(IndirectOperand).hasOperandAndIndirectionIndex(call.getArgumentOperand(0), _) and
        node1.getType().getUnspecifiedType() = this
      )
    }
@@ -573,7 +588,6 @@ private module Cached {
    )
  }

-  pragma[assume_small_delta]
  private predicate convertsIntoArgumentRev(Instruction instr) {
    convertsIntoArgumentFwd(instr) and
    (
@@ -791,7 +805,7 @@ private module Cached {
      address.getDef() = instr and
      isDereference(load, address) and
      isUseImpl(address, _, indirectionIndex - 1) and
-      result = instr
+      result = load
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -160,7 +160,7 @@ predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut) {
    FunctionInput modelIn, FunctionOutput modelOut
  |
    indirectArgument = callInput(call, modelIn) and
-    indirectArgument.getAddressOperand() = nodeIn.asOperand() and
+    indirectArgument.hasAddressOperandAndIndirectionIndex(nodeIn.asOperand(), _) and
    call.getStaticCallTarget() = func and
    (
      func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll
@@ -122,7 +122,46 @@ abstract private class OperandBasedUse extends UseImpl {
  override string toString() { result = operand.toString() }

  final override predicate hasIndexInBlock(IRBlock block, int index) {
-    operand.getUse() = block.getInstruction(index)
+    // Ideally, this would just be implemented as:
+    // ```
+    // operand.getUse() = block.getInstruction(index)
+    // ```
+    // but because the IR generated for a snippet such as
+    // ```
+    // int x = *p++;
+    // ```
+    // looks like
+    // ```
+    // r1(glval<int>)   = VariableAddress[x]  :
+    // r2(glval<int *>) = VariableAddress[p]  :
+    // r3(int *)        = Load[p]             : &:r2, m1
+    // r4(int)          = Constant[1]         :
+    // r5(int *)        = PointerAdd[4]       : r3, r4
+    // m3(int *)        = Store[p]            : &:r2, r5
+    // r6(int *)        = CopyValue           : r3
+    // r7(int)          = Load[?]             : &:r6, ~m2
+    // m2(int)          = Store[x]            : &:r1, r7
+    // ```
+    // we need to ensure that the `r3` operand of the `CopyValue` instruction isn't seen as a fresh use
+    // of `p` that happens after the increment. So if the base instruction of this use comes from a
+    // post-fix crement operation we set the index of the SSA use that wraps the `r3` operand at the
+    // `CopyValue` instruction to be the same index as the `r3` operand at the `PointerAdd` instruction.
+    // This ensures that the SSA library doesn't create flow from the `PointerAdd` to `r6`.
+    exists(BaseSourceVariableInstruction base | base = this.getBase() |
+      if base.getAst() = any(Cpp::PostfixCrementOperation c).getOperand()
+      then
+        exists(Operand op |
+          op =
+            min(Operand cand, int i |
+              isUse(_, cand, base, _, _) and
+              block.getInstruction(i) = cand.getUse()
+            |
+              cand order by i
+            ) and
+          block.getInstruction(index) = op.getUse()
+        )
+      else operand.getUse() = block.getInstruction(index)
+    )
  }

  final override Cpp::Location getLocation() { result = operand.getLocation() }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/IRType.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/IRType.qll
@@ -39,7 +39,7 @@ class IRType extends TIRType {
   * Gets a string that uniquely identifies this `IRType`. This string is often the same as the
   * result of `IRType.toString()`, but for some types it may be more verbose to ensure uniqueness.
   */
-  string getIdentityString() { result = toString() }
+  string getIdentityString() { result = this.toString() }

  /**
   * Gets the size of the type, in bytes, if known.
@@ -206,7 +206,7 @@ class IRFloatingPointType extends IRNumericType, TIRFloatingPointType {
  IRFloatingPointType() { this = TIRFloatingPointType(_, base, domain) }

  final override string toString() {
-    result = getDomainPrefix() + getBaseString() + byteSize.toString()
+    result = this.getDomainPrefix() + this.getBaseString() + byteSize.toString()
  }

  final override Language::LanguageType getCanonicalLanguageType() {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll
@@ -135,11 +135,11 @@ class Opcode extends TOpcode {
   * Holds if the instruction must have an operand with the specified `OperandTag`.
   */
  final predicate hasOperand(OperandTag tag) {
-    hasOperandInternal(tag)
+    this.hasOperandInternal(tag)
    or
-    hasAddressOperand() and tag instanceof AddressOperandTag
+    this.hasAddressOperand() and tag instanceof AddressOperandTag
    or
-    hasBufferSizeOperand() and tag instanceof BufferSizeOperandTag
+    this.hasBufferSizeOperand() and tag instanceof BufferSizeOperandTag
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll
@@ -77,4 +77,16 @@ class IRPropertyProvider extends TIRPropertyProvider {
   * Gets the value of the property named `key` for the specified operand.
   */
  string getOperandProperty(Operand operand, string key) { none() }
+
+  /**
+   * Holds if the instruction `instr` should be included when printing
+   * the IR instructions.
+   */
+  predicate shouldPrintInstruction(Instruction instr) { any() }
+
+  /**
+   * Holds if the operand `operand` should be included when printing the an
+   * instruction's operand list.
+   */
+  predicate shouldPrintOperand(Operand operand) { any() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll
@@ -45,7 +45,9 @@ class IRFunction extends IRFunctionBase {
   * Gets the block containing the entry point of this function.
   */
  pragma[noinline]
-  final IRBlock getEntryBlock() { result.getFirstInstruction() = getEnterFunctionInstruction() }
+  final IRBlock getEntryBlock() {
+    result.getFirstInstruction() = this.getEnterFunctionInstruction()
+  }

  /**
   * Gets all instructions in this function.
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll
@@ -39,12 +39,12 @@ class IRVariable extends TIRVariable {
  /**
   * Gets the type of the variable.
   */
-  final Language::Type getType() { getLanguageType().hasType(result, false) }
+  final Language::Type getType() { this.getLanguageType().hasType(result, false) }

  /**
   * Gets the language-neutral type of the variable.
   */
-  final IRType getIRType() { result = getLanguageType().getIRType() }
+  final IRType getIRType() { result = this.getLanguageType().getIRType() }

  /**
   * Gets the type of the variable.
@@ -58,7 +58,7 @@ class IRVariable extends TIRVariable {
  Language::AST getAst() { none() }

  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = getAst() }
+  deprecated Language::AST getAST() { result = this.getAst() }

  /**
   * Gets an identifier string for the variable. This identifier is unique
@@ -69,7 +69,7 @@ class IRVariable extends TIRVariable {
  /**
   * Gets the source location of this variable.
   */
-  final Language::Location getLocation() { result = getAst().getLocation() }
+  final Language::Location getLocation() { result = this.getAst().getLocation() }

  /**
   * Gets the IR for the function that references this variable.
@@ -91,15 +91,15 @@ class IRUserVariable extends IRVariable, TIRUserVariable {

  IRUserVariable() { this = TIRUserVariable(var, type, func) }

-  final override string toString() { result = getVariable().toString() }
+  final override string toString() { result = this.getVariable().toString() }

  final override Language::AST getAst() { result = var }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = getAst() }
+  deprecated override Language::AST getAST() { result = this.getAst() }

  final override string getUniqueId() {
-    result = getVariable().toString() + " " + getVariable().getLocation().toString()
+    result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
  }

  final override Language::LanguageType getLanguageType() { result = type }
@@ -166,9 +166,9 @@ class IRGeneratedVariable extends IRVariable {
  final override Language::AST getAst() { result = ast }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = getAst() }
+  deprecated override Language::AST getAST() { result = this.getAst() }

-  override string toString() { result = getBaseString() + getLocationString() }
+  override string toString() { result = this.getBaseString() + this.getLocationString() }

  override string getUniqueId() { none() }

@@ -272,7 +272,7 @@ class IRStringLiteral extends IRGeneratedVariable, TIRStringLiteral {
  final override predicate isReadOnly() { any() }

  final override string getUniqueId() {
-    result = "String: " + getLocationString() + "=" + Language::getStringLiteralText(literal)
+    result = "String: " + this.getLocationString() + "=" + Language::getStringLiteralText(literal)
  }

  final override string getBaseString() { result = "#string" }
@@ -303,7 +303,8 @@ class IRDynamicInitializationFlag extends IRGeneratedVariable, TIRDynamicInitial
  final Language::Variable getVariable() { result = var }

  final override string getUniqueId() {
-    result = "Init: " + getVariable().toString() + " " + getVariable().getLocation().toString()
+    result =
+      "Init: " + this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
  }

  final override string getBaseString() { result = "#init:" + var.toString() + ":" }
@@ -332,5 +333,5 @@ class IRParameter extends IRAutomaticVariable {
 * An IR variable representing a positional parameter.
 */
 class IRPositionalParameter extends IRParameter, IRAutomaticUserVariable {
-  final override int getIndex() { result = getVariable().(Language::Parameter).getIndex() }
+  final override int getIndex() { result = this.getVariable().(Language::Parameter).getIndex() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction {
   */
  final Language::AST getAst() { result = Construction::getInstructionAst(this) }

-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
  /**
   * Gets the location of the source code for this instruction.
   */
@@ -463,9 +460,6 @@ class VariableInstruction extends Instruction {
   * Gets the AST variable that this instruction's IR variable refers to, if one exists.
   */
  final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() }
-
-  /** DEPRECATED: Alias for getAstVariable */
-  deprecated Language::Variable getASTVariable() { result = this.getAstVariable() }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll
@@ -42,6 +42,14 @@ private predicate shouldPrintFunction(Language::Declaration decl) {
  exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
 }

+private predicate shouldPrintInstruction(Instruction i) {
+  exists(IRPropertyProvider provider | provider.shouldPrintInstruction(i))
+}
+
+private predicate shouldPrintOperand(Operand operand) {
+  exists(IRPropertyProvider provider | provider.shouldPrintOperand(operand))
+}
+
 private string getAdditionalInstructionProperty(Instruction instr, string key) {
  exists(IRPropertyProvider provider | result = provider.getInstructionProperty(instr, key))
 }
@@ -84,7 +92,9 @@ private string getOperandPropertyString(Operand operand) {
 private newtype TPrintableIRNode =
  TPrintableIRFunction(IRFunction irFunc) { shouldPrintFunction(irFunc.getFunction()) } or
  TPrintableIRBlock(IRBlock block) { shouldPrintFunction(block.getEnclosingFunction()) } or
-  TPrintableInstruction(Instruction instr) { shouldPrintFunction(instr.getEnclosingFunction()) }
+  TPrintableInstruction(Instruction instr) {
+    shouldPrintInstruction(instr) and shouldPrintFunction(instr.getEnclosingFunction())
+  }

 /**
 * A node to be emitted in the IR graph.
@@ -127,13 +137,13 @@ abstract private class PrintableIRNode extends TPrintableIRNode {
   * Gets the value of the node property with the specified key.
   */
  string getProperty(string key) {
-    key = "semmle.label" and result = getLabel()
+    key = "semmle.label" and result = this.getLabel()
    or
-    key = "semmle.order" and result = getOrder().toString()
+    key = "semmle.order" and result = this.getOrder().toString()
    or
-    key = "semmle.graphKind" and result = getGraphKind()
+    key = "semmle.graphKind" and result = this.getGraphKind()
    or
-    key = "semmle.forceText" and forceText() and result = "true"
+    key = "semmle.forceText" and this.forceText() and result = "true"
  }
 }

@@ -178,7 +188,7 @@ private class PrintableIRBlock extends PrintableIRNode, TPrintableIRBlock {

  PrintableIRBlock() { this = TPrintableIRBlock(block) }

-  override string toString() { result = getLabel() }
+  override string toString() { result = this.getLabel() }

  override Language::Location getLocation() { result = block.getLocation() }

@@ -223,7 +233,7 @@ private class PrintableInstruction extends PrintableIRNode, TPrintableInstructio
      |
        resultString = instr.getResultString() and
        operationString = instr.getOperationString() and
-        operandsString = getOperandsString() and
+        operandsString = this.getOperandsString() and
        columnWidths(block, resultWidth, operationWidth) and
        result =
          resultString + getPaddingString(resultWidth - resultString.length()) + " = " +
@@ -252,7 +262,8 @@ private class PrintableInstruction extends PrintableIRNode, TPrintableInstructio
  private string getOperandsString() {
    result =
      concat(Operand operand |
-        operand = instr.getAnOperand()
+        operand = instr.getAnOperand() and
+        shouldPrintOperand(operand)
      |
        operand.getDumpString() + getOperandPropertyString(operand), ", "
        order by
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll
@@ -7,17 +7,19 @@ private import internal.ValueNumberingImports
 class ValueNumber extends TValueNumber {
  final string toString() { result = "GVN" }

-  final string getDebugString() { result = strictconcat(getAnInstruction().getResultId(), ", ") }
+  final string getDebugString() {
+    result = strictconcat(this.getAnInstruction().getResultId(), ", ")
+  }

  final Language::Location getLocation() {
    if
      exists(Instruction i |
-        i = getAnInstruction() and not i.getLocation() instanceof Language::UnknownLocation
+        i = this.getAnInstruction() and not i.getLocation() instanceof Language::UnknownLocation
      )
    then
      result =
        min(Language::Location l |
-          l = getAnInstruction().getLocation() and not l instanceof Language::UnknownLocation
+          l = this.getAnInstruction().getLocation() and not l instanceof Language::UnknownLocation
        |
          l
          order by
@@ -40,7 +42,7 @@ class ValueNumber extends TValueNumber {
  final Instruction getExampleInstruction() {
    result =
      min(Instruction instr |
-        instr = getAnInstruction()
+        instr = this.getAnInstruction()
      |
        instr order by instr.getBlock().getDisplayIndex(), instr.getDisplayIndexInBlock()
      )
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll
@@ -176,7 +176,6 @@ private predicate binaryValueNumber0(
  )
 }

-pragma[assume_small_delta]
 private predicate binaryValueNumber(
  BinaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber leftOperand,
  TValueNumber rightOperand
@@ -202,7 +201,6 @@ private predicate pointerArithmeticValueNumber0(
  )
 }

-pragma[assume_small_delta]
 private predicate pointerArithmeticValueNumber(
  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
  TValueNumber leftOperand, TValueNumber rightOperand
@@ -249,7 +247,6 @@ private predicate loadTotalOverlapValueNumber0(
  )
 }

-pragma[assume_small_delta]
 private predicate loadTotalOverlapValueNumber(
  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber memOperand,
  TValueNumber operand
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
@@ -22,7 +22,7 @@ private newtype TAllocation =
 abstract class Allocation extends TAllocation {
  abstract string toString();

-  final string getAllocationString() { result = toString() }
+  final string getAllocationString() { result = this.toString() }

  abstract Instruction getABaseInstruction();

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
@@ -95,7 +95,9 @@ private newtype TMemoryLocation =
 */
 abstract class MemoryLocation extends TMemoryLocation {
  final string toString() {
-    if isMayAccess() then result = "?" + toStringInternal() else result = toStringInternal()
+    if this.isMayAccess()
+    then result = "?" + this.toStringInternal()
+    else result = this.toStringInternal()
  }

  abstract string toStringInternal();
@@ -110,7 +112,7 @@ abstract class MemoryLocation extends TMemoryLocation {

  abstract Location getLocation();

-  final IRType getIRType() { result = getType().getIRType() }
+  final IRType getIRType() { result = this.getType().getIRType() }

  abstract predicate isMayAccess();

@@ -136,7 +138,7 @@ abstract class MemoryLocation extends TMemoryLocation {
  final predicate canReuseSsa() { none() }

  /** DEPRECATED: Alias for canReuseSsa */
-  deprecated predicate canReuseSSA() { canReuseSsa() }
+  deprecated predicate canReuseSSA() { this.canReuseSsa() }
 }

 /**
@@ -191,19 +193,19 @@ class VariableMemoryLocation extends TVariableMemoryLocation, AllocationMemoryLo
  }

  private string getIntervalString() {
-    if coversEntireVariable()
+    if this.coversEntireVariable()
    then result = ""
    else result = Interval::getIntervalString(startBitOffset, endBitOffset)
  }

  private string getTypeString() {
-    if coversEntireVariable() and type = var.getIRType()
+    if this.coversEntireVariable() and type = var.getIRType()
    then result = ""
    else result = "<" + languageType.toString() + ">"
  }

  final override string toStringInternal() {
-    result = var.toString() + getIntervalString() + getTypeString()
+    result = var.toString() + this.getIntervalString() + this.getTypeString()
  }

  final override Language::LanguageType getType() {
@@ -236,7 +238,7 @@ class VariableMemoryLocation extends TVariableMemoryLocation, AllocationMemoryLo
  /**
   * Holds if this memory location covers the entire variable.
   */
-  final predicate coversEntireVariable() { varIRTypeHasBitRange(startBitOffset, endBitOffset) }
+  final predicate coversEntireVariable() { this.varIRTypeHasBitRange(startBitOffset, endBitOffset) }

  pragma[noinline]
  private predicate varIRTypeHasBitRange(int start, int end) {
@@ -262,7 +264,7 @@ class EntireAllocationMemoryLocation extends TEntireAllocationMemoryLocation,
 class EntireAllocationVirtualVariable extends EntireAllocationMemoryLocation, VirtualVariable {
  EntireAllocationVirtualVariable() {
    not allocationEscapes(var) and
-    not isMayAccess()
+    not this.isMayAccess()
  }
 }

@@ -275,8 +277,8 @@ class VariableVirtualVariable extends VariableMemoryLocation, VirtualVariable {
  VariableVirtualVariable() {
    not allocationEscapes(var) and
    type = var.getIRType() and
-    coversEntireVariable() and
-    not isMayAccess()
+    this.coversEntireVariable() and
+    not this.isMayAccess()
  }
 }

@@ -337,7 +339,7 @@ class AllNonLocalMemory extends TAllNonLocalMemory, MemoryLocation {
    // instruction, which provides the initial definition for all memory outside of the current
    // function's stack frame. This memory includes string literals and other read-only globals, so
    // we allow such an access to be the definition for a use of a read-only location.
-    not isMayAccess()
+    not this.isMayAccess()
  }
 }

@@ -360,7 +362,7 @@ class AllAliasedMemory extends TAllAliasedMemory, MemoryLocation {

  final override Location getLocation() { result = irFunc.getLocation() }

-  final override string getUniqueId() { result = " " + toString() }
+  final override string getUniqueId() { result = " " + this.toString() }

  final override VirtualVariable getVirtualVariable() { result = TAllAliasedMemory(irFunc, false) }

@@ -369,7 +371,7 @@ class AllAliasedMemory extends TAllAliasedMemory, MemoryLocation {

 /** A virtual variable that groups all escaped memory within a function. */
 class AliasedVirtualVariable extends AllAliasedMemory, VirtualVariable {
-  AliasedVirtualVariable() { not isMayAccess() }
+  AliasedVirtualVariable() { not this.isMayAccess() }
 }

 /**
@@ -575,9 +577,6 @@ private Overlap getVariableMemoryLocationOverlap(
 */
 predicate canReuseSsaForOldResult(Instruction instr) { OldSsa::canReuseSsaForMemoryResult(instr) }

-/** DEPRECATED: Alias for canReuseSsaForOldResult */
-deprecated predicate canReuseSSAForOldResult = canReuseSsaForOldResult/1;
-
 bindingset[result, b]
 private boolean unbindBool(boolean b) { result != b.booleanNot() }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -34,9 +34,13 @@ private module Cached {

  cached
  predicate hasUnreachedInstructionCached(IRFunction irFunc) {
-    exists(OldInstruction oldInstruction |
+    exists(OldIR::Instruction oldInstruction |
      irFunc = oldInstruction.getEnclosingIRFunction() and
-      Reachability::isInfeasibleInstructionSuccessor(oldInstruction, _)
+      (
+        Reachability::isInfeasibleInstructionSuccessor(oldInstruction, _)
+        or
+        oldInstruction.getOpcode() instanceof Opcode::Unreached
+      )
    )
  }

@@ -366,21 +370,19 @@ private module Cached {
    then
      result = getChi(getOldInstruction(instruction)) and
      kind instanceof GotoEdge
-    else (
+    else
      exists(OldInstruction oldInstruction |
-        oldInstruction = getOldInstruction(instruction) and
+        (
+          oldInstruction = getOldInstruction(instruction)
+          or
+          instruction = getChi(oldInstruction)
+        ) and
        (
          if Reachability::isInfeasibleInstructionSuccessor(oldInstruction, kind)
          then result = unreachedInstruction(instruction.getEnclosingIRFunction())
          else result = getNewInstruction(oldInstruction.getSuccessor(kind))
        )
      )
-      or
-      exists(OldInstruction oldInstruction |
-        instruction = getChi(oldInstruction) and
-        result = getNewInstruction(oldInstruction.getSuccessor(kind))
-      )
-    )
  }

  cached
@@ -420,12 +422,6 @@ private module Cached {
    )
  }

-  /** DEPRECATED: Alias for getInstructionAst */
-  cached
-  deprecated Language::AST getInstructionAST(Instruction instr) {
-    result = getInstructionAst(instr)
-  }
-
  cached
  Language::LanguageType getInstructionResultType(Instruction instr) {
    result = instr.(RawIR::Instruction).getResultLanguageType()
@@ -991,9 +987,6 @@ predicate canReuseSsaForMemoryResult(Instruction instruction) {
  // We don't support reusing SSA for any location that could create a `Chi` instruction.
 }

-/** DEPRECATED: Alias for canReuseSsaForMemoryResult */
-deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;
-
 /**
 * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
 * `DebugSsa` module, which is then imported by PrintSSA.
@@ -1003,9 +996,6 @@ module DebugSsa {
  import DefUse
 }

-/** DEPRECATED: Alias for DebugSsa */
-deprecated module DebugSSA = DebugSsa;
-
 import CachedForDebugging

 cached
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/OperandTag.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/OperandTag.qll
@@ -40,7 +40,9 @@ abstract class OperandTag extends TOperandTag {
  /**
   * Gets a label that will appear before the operand when the IR is printed.
   */
-  final string getLabel() { if alwaysPrintLabel() then result = getId() + ":" else result = "" }
+  final string getLabel() {
+    if this.alwaysPrintLabel() then result = this.getId() + ":" else result = ""
+  }

  /**
   * Gets an identifier that uniquely identifies this operand within its instruction.
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll
@@ -19,6 +19,9 @@ newtype TInstruction =
  ) {
    IRConstruction::Raw::hasInstruction(tag1, tag2)
  } or
+  TRawUnreachedInstruction(IRFunctionBase irFunc) {
+    IRConstruction::hasUnreachedInstruction(irFunc)
+  } or
  TUnaliasedSsaPhiInstruction(
    TRawInstruction blockStartInstr, UnaliasedSsa::Ssa::MemoryLocation memoryLocation
  ) {
@@ -70,9 +73,6 @@ module UnaliasedSsaInstructions {
  }
 }

-/** DEPRECATED: Alias for UnaliasedSsaInstructions */
-deprecated module UnaliasedSSAInstructions = UnaliasedSsaInstructions;
-
 /**
 * Provides wrappers for the constructors of each branch of `TInstruction` that is used by the
 * aliased SSA stage.
@@ -104,6 +104,3 @@ module AliasedSsaInstructions {
    result = TAliasedSsaUnreachedInstruction(irFunc)
  }
 }
-
-/** DEPRECATED: Alias for AliasedSsaInstructions */
-deprecated module AliasedSSAInstructions = AliasedSsaInstructions;
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll
@@ -74,20 +74,12 @@ private module Shared {

  class TNonSsaMemoryOperand = Internal::TNonSsaMemoryOperand;

-  /** DEPRECATED: Alias for TNonSsaMemoryOperand */
-  deprecated class TNonSSAMemoryOperand = TNonSsaMemoryOperand;
-
  /**
   * Returns the non-Phi memory operand with the specified parameters.
   */
  TNonSsaMemoryOperand nonSsaMemoryOperand(TRawInstruction useInstr, MemoryOperandTag tag) {
    result = Internal::TNonSsaMemoryOperand(useInstr, tag)
  }
-
-  /** DEPRECATED: Alias for nonSsaMemoryOperand */
-  deprecated TNonSSAMemoryOperand nonSSAMemoryOperand(TRawInstruction useInstr, MemoryOperandTag tag) {
-    result = nonSsaMemoryOperand(useInstr, tag)
-  }
 }

 /**
@@ -167,9 +159,6 @@ module UnaliasedSsaOperands {
  TChiOperand chiOperand(Unaliased::Instruction useInstr, ChiOperandTag tag) { none() }
 }

-/** DEPRECATED: Alias for UnaliasedSsaOperands */
-deprecated module UnaliasedSSAOperands = UnaliasedSsaOperands;
-
 /**
 * Provides wrappers for the constructors of each branch of `TOperand` that is used by the
 * aliased SSA stage.
@@ -217,6 +206,3 @@ module AliasedSsaOperands {
    result = Internal::TAliasedChiOperand(useInstr, tag)
  }
 }
-
-/** DEPRECATED: Alias for AliasedSsaOperands */
-deprecated module AliasedSSAOperands = AliasedSsaOperands;
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IR.qll
@@ -77,4 +77,16 @@ class IRPropertyProvider extends TIRPropertyProvider {
   * Gets the value of the property named `key` for the specified operand.
   */
  string getOperandProperty(Operand operand, string key) { none() }
+
+  /**
+   * Holds if the instruction `instr` should be included when printing
+   * the IR instructions.
+   */
+  predicate shouldPrintInstruction(Instruction instr) { any() }
+
+  /**
+   * Holds if the operand `operand` should be included when printing the an
+   * instruction's operand list.
+   */
+  predicate shouldPrintOperand(Operand operand) { any() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRFunction.qll
@@ -45,7 +45,9 @@ class IRFunction extends IRFunctionBase {
   * Gets the block containing the entry point of this function.
   */
  pragma[noinline]
-  final IRBlock getEntryBlock() { result.getFirstInstruction() = getEnterFunctionInstruction() }
+  final IRBlock getEntryBlock() {
+    result.getFirstInstruction() = this.getEnterFunctionInstruction()
+  }

  /**
   * Gets all instructions in this function.
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll
@@ -39,12 +39,12 @@ class IRVariable extends TIRVariable {
  /**
   * Gets the type of the variable.
   */
-  final Language::Type getType() { getLanguageType().hasType(result, false) }
+  final Language::Type getType() { this.getLanguageType().hasType(result, false) }

  /**
   * Gets the language-neutral type of the variable.
   */
-  final IRType getIRType() { result = getLanguageType().getIRType() }
+  final IRType getIRType() { result = this.getLanguageType().getIRType() }

  /**
   * Gets the type of the variable.
@@ -58,7 +58,7 @@ class IRVariable extends TIRVariable {
  Language::AST getAst() { none() }

  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = getAst() }
+  deprecated Language::AST getAST() { result = this.getAst() }

  /**
   * Gets an identifier string for the variable. This identifier is unique
@@ -69,7 +69,7 @@ class IRVariable extends TIRVariable {
  /**
   * Gets the source location of this variable.
   */
-  final Language::Location getLocation() { result = getAst().getLocation() }
+  final Language::Location getLocation() { result = this.getAst().getLocation() }

  /**
   * Gets the IR for the function that references this variable.
@@ -91,15 +91,15 @@ class IRUserVariable extends IRVariable, TIRUserVariable {

  IRUserVariable() { this = TIRUserVariable(var, type, func) }

-  final override string toString() { result = getVariable().toString() }
+  final override string toString() { result = this.getVariable().toString() }

  final override Language::AST getAst() { result = var }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = getAst() }
+  deprecated override Language::AST getAST() { result = this.getAst() }

  final override string getUniqueId() {
-    result = getVariable().toString() + " " + getVariable().getLocation().toString()
+    result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
  }

  final override Language::LanguageType getLanguageType() { result = type }
@@ -166,9 +166,9 @@ class IRGeneratedVariable extends IRVariable {
  final override Language::AST getAst() { result = ast }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = getAst() }
+  deprecated override Language::AST getAST() { result = this.getAst() }

-  override string toString() { result = getBaseString() + getLocationString() }
+  override string toString() { result = this.getBaseString() + this.getLocationString() }

  override string getUniqueId() { none() }

@@ -272,7 +272,7 @@ class IRStringLiteral extends IRGeneratedVariable, TIRStringLiteral {
  final override predicate isReadOnly() { any() }

  final override string getUniqueId() {
-    result = "String: " + getLocationString() + "=" + Language::getStringLiteralText(literal)
+    result = "String: " + this.getLocationString() + "=" + Language::getStringLiteralText(literal)
  }

  final override string getBaseString() { result = "#string" }
@@ -303,7 +303,8 @@ class IRDynamicInitializationFlag extends IRGeneratedVariable, TIRDynamicInitial
  final Language::Variable getVariable() { result = var }

  final override string getUniqueId() {
-    result = "Init: " + getVariable().toString() + " " + getVariable().getLocation().toString()
+    result =
+      "Init: " + this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
  }

  final override string getBaseString() { result = "#init:" + var.toString() + ":" }
@@ -332,5 +333,5 @@ class IRParameter extends IRAutomaticVariable {
 * An IR variable representing a positional parameter.
 */
 class IRPositionalParameter extends IRParameter, IRAutomaticUserVariable {
-  final override int getIndex() { result = getVariable().(Language::Parameter).getIndex() }
+  final override int getIndex() { result = this.getVariable().(Language::Parameter).getIndex() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction {
   */
  final Language::AST getAst() { result = Construction::getInstructionAst(this) }

-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
  /**
   * Gets the location of the source code for this instruction.
   */
@@ -463,9 +460,6 @@ class VariableInstruction extends Instruction {
   * Gets the AST variable that this instruction's IR variable refers to, if one exists.
   */
  final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() }
-
-  /** DEPRECATED: Alias for getAstVariable */
-  deprecated Language::Variable getASTVariable() { result = this.getAstVariable() }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll
@@ -42,6 +42,14 @@ private predicate shouldPrintFunction(Language::Declaration decl) {
  exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
 }

+private predicate shouldPrintInstruction(Instruction i) {
+  exists(IRPropertyProvider provider | provider.shouldPrintInstruction(i))
+}
+
+private predicate shouldPrintOperand(Operand operand) {
+  exists(IRPropertyProvider provider | provider.shouldPrintOperand(operand))
+}
+
 private string getAdditionalInstructionProperty(Instruction instr, string key) {
  exists(IRPropertyProvider provider | result = provider.getInstructionProperty(instr, key))
 }
@@ -84,7 +92,9 @@ private string getOperandPropertyString(Operand operand) {
 private newtype TPrintableIRNode =
  TPrintableIRFunction(IRFunction irFunc) { shouldPrintFunction(irFunc.getFunction()) } or
  TPrintableIRBlock(IRBlock block) { shouldPrintFunction(block.getEnclosingFunction()) } or
-  TPrintableInstruction(Instruction instr) { shouldPrintFunction(instr.getEnclosingFunction()) }
+  TPrintableInstruction(Instruction instr) {
+    shouldPrintInstruction(instr) and shouldPrintFunction(instr.getEnclosingFunction())
+  }

 /**
 * A node to be emitted in the IR graph.
@@ -127,13 +137,13 @@ abstract private class PrintableIRNode extends TPrintableIRNode {
   * Gets the value of the node property with the specified key.
   */
  string getProperty(string key) {
-    key = "semmle.label" and result = getLabel()
+    key = "semmle.label" and result = this.getLabel()
    or
-    key = "semmle.order" and result = getOrder().toString()
+    key = "semmle.order" and result = this.getOrder().toString()
    or
-    key = "semmle.graphKind" and result = getGraphKind()
+    key = "semmle.graphKind" and result = this.getGraphKind()
    or
-    key = "semmle.forceText" and forceText() and result = "true"
+    key = "semmle.forceText" and this.forceText() and result = "true"
  }
 }

@@ -178,7 +188,7 @@ private class PrintableIRBlock extends PrintableIRNode, TPrintableIRBlock {

  PrintableIRBlock() { this = TPrintableIRBlock(block) }

-  override string toString() { result = getLabel() }
+  override string toString() { result = this.getLabel() }

  override Language::Location getLocation() { result = block.getLocation() }

@@ -223,7 +233,7 @@ private class PrintableInstruction extends PrintableIRNode, TPrintableInstructio
      |
        resultString = instr.getResultString() and
        operationString = instr.getOperationString() and
-        operandsString = getOperandsString() and
+        operandsString = this.getOperandsString() and
        columnWidths(block, resultWidth, operationWidth) and
        result =
          resultString + getPaddingString(resultWidth - resultString.length()) + " = " +
@@ -252,7 +262,8 @@ private class PrintableInstruction extends PrintableIRNode, TPrintableInstructio
  private string getOperandsString() {
    result =
      concat(Operand operand |
-        operand = instr.getAnOperand()
+        operand = instr.getAnOperand() and
+        shouldPrintOperand(operand)
      |
        operand.getDumpString() + getOperandPropertyString(operand), ", "
        order by
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll
@@ -7,17 +7,19 @@ private import internal.ValueNumberingImports
 class ValueNumber extends TValueNumber {
  final string toString() { result = "GVN" }

-  final string getDebugString() { result = strictconcat(getAnInstruction().getResultId(), ", ") }
+  final string getDebugString() {
+    result = strictconcat(this.getAnInstruction().getResultId(), ", ")
+  }

  final Language::Location getLocation() {
    if
      exists(Instruction i |
-        i = getAnInstruction() and not i.getLocation() instanceof Language::UnknownLocation
+        i = this.getAnInstruction() and not i.getLocation() instanceof Language::UnknownLocation
      )
    then
      result =
        min(Language::Location l |
-          l = getAnInstruction().getLocation() and not l instanceof Language::UnknownLocation
+          l = this.getAnInstruction().getLocation() and not l instanceof Language::UnknownLocation
        |
          l
          order by
@@ -40,7 +42,7 @@ class ValueNumber extends TValueNumber {
  final Instruction getExampleInstruction() {
    result =
      min(Instruction instr |
-        instr = getAnInstruction()
+        instr = this.getAnInstruction()
      |
        instr order by instr.getBlock().getDisplayIndex(), instr.getDisplayIndexInBlock()
      )
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll
@@ -176,7 +176,6 @@ private predicate binaryValueNumber0(
  )
 }

-pragma[assume_small_delta]
 private predicate binaryValueNumber(
  BinaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber leftOperand,
  TValueNumber rightOperand
@@ -202,7 +201,6 @@ private predicate pointerArithmeticValueNumber0(
  )
 }

-pragma[assume_small_delta]
 private predicate pointerArithmeticValueNumber(
  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
  TValueNumber leftOperand, TValueNumber rightOperand
@@ -249,7 +247,6 @@ private predicate loadTotalOverlapValueNumber0(
  )
 }

-pragma[assume_small_delta]
 private predicate loadTotalOverlapValueNumber(
  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber memOperand,
  TValueNumber operand
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
@@ -178,9 +178,9 @@ module Raw {
  }
 }

-class TStageInstruction = TRawInstruction;
+class TStageInstruction = TRawInstruction or TRawUnreachedInstruction;

-predicate hasInstruction(TRawInstruction instr) { any() }
+predicate hasInstruction(TStageInstruction instr) { any() }

 predicate hasModeledMemoryResult(Instruction instruction) { none() }

@@ -368,23 +368,31 @@ private predicate isStrictlyForwardGoto(GotoStmt goto) {

 Locatable getInstructionAst(TStageInstruction instr) {
  result = getInstructionTranslatedElement(instr).getAst()
-}
-
-/** DEPRECATED: Alias for getInstructionAst */
-deprecated Locatable getInstructionAST(TStageInstruction instr) {
-  result = getInstructionAst(instr)
+  or
+  exists(IRFunction irFunc |
+    instr = TRawUnreachedInstruction(irFunc) and
+    result = irFunc.getFunction()
+  )
 }

 CppType getInstructionResultType(TStageInstruction instr) {
  getInstructionTranslatedElement(instr).hasInstruction(_, getInstructionTag(instr), result)
+  or
+  instr instanceof TRawUnreachedInstruction and
+  result = getVoidType()
 }

 predicate getInstructionOpcode(Opcode opcode, TStageInstruction instr) {
  getInstructionTranslatedElement(instr).hasInstruction(opcode, getInstructionTag(instr), _)
+  or
+  instr instanceof TRawUnreachedInstruction and
+  opcode instanceof Opcode::Unreached
 }

 IRFunctionBase getInstructionEnclosingIRFunction(TStageInstruction instr) {
  result.getFunction() = getInstructionTranslatedElement(instr).getFunction()
+  or
+  instr = TRawUnreachedInstruction(result)
 }

 Instruction getPrimaryInstructionForSideEffect(SideEffectInstruction instruction) {
@@ -393,6 +401,16 @@ Instruction getPrimaryInstructionForSideEffect(SideEffectInstruction instruction
        .getPrimaryInstructionForSideEffect(getInstructionTag(instruction))
 }

+predicate hasUnreachedInstruction(IRFunction func) {
+  exists(Call c |
+    c.getEnclosingFunction() = func.getFunction() and
+    any(Options opt).exits(c.getTarget())
+  ) and
+  not exists(TranslatedUnreachableReturnStmt return |
+    return.getEnclosingFunction().getFunction() = func.getFunction()
+  )
+}
+
 import CachedForDebugging

 cached
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll
@@ -34,6 +34,7 @@ newtype TInstructionTag =
  CallTargetTag() or
  CallTag() or
  CallSideEffectTag() or
+  CallNoReturnTag() or
  AllocationSizeTag() or
  AllocationElementSizeTag() or
  AllocationExtentConvertTag() or
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
@@ -8,6 +8,7 @@ private import SideEffects
 private import TranslatedElement
 private import TranslatedExpr
 private import TranslatedFunction
+private import DefaultOptions as DefaultOptions

 /**
 * Gets the `CallInstruction` from the `TranslatedCallExpr` for the specified expression.
@@ -30,68 +31,74 @@ abstract class TranslatedCall extends TranslatedExpr {
    // The qualifier is evaluated before the call target, because the value of
    // the call target may depend on the value of the qualifier for virtual
    // calls.
-    id = -2 and result = getQualifier()
+    id = -2 and result = this.getQualifier()
    or
-    id = -1 and result = getCallTarget()
+    id = -1 and result = this.getCallTarget()
    or
-    result = getArgument(id)
+    result = this.getArgument(id)
    or
-    id = getNumberOfArguments() and result = getSideEffects()
+    id = this.getNumberOfArguments() and result = this.getSideEffects()
  }

  final override Instruction getFirstInstruction() {
-    if exists(getQualifier())
-    then result = getQualifier().getFirstInstruction()
-    else result = getFirstCallTargetInstruction()
+    if exists(this.getQualifier())
+    then result = this.getQualifier().getFirstInstruction()
+    else result = this.getFirstCallTargetInstruction()
  }

  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
    tag = CallTag() and
    opcode instanceof Opcode::Call and
-    resultType = getTypeForPRValue(getCallResultType())
+    resultType = getTypeForPRValue(this.getCallResultType())
  }

  override Instruction getChildSuccessor(TranslatedElement child) {
-    child = getQualifier() and
-    result = getFirstCallTargetInstruction()
+    child = this.getQualifier() and
+    result = this.getFirstCallTargetInstruction()
    or
-    child = getCallTarget() and
-    result = getFirstArgumentOrCallInstruction()
+    child = this.getCallTarget() and
+    result = this.getFirstArgumentOrCallInstruction()
    or
    exists(int argIndex |
-      child = getArgument(argIndex) and
-      if exists(getArgument(argIndex + 1))
-      then result = getArgument(argIndex + 1).getFirstInstruction()
-      else result = getInstruction(CallTag())
+      child = this.getArgument(argIndex) and
+      if exists(this.getArgument(argIndex + 1))
+      then result = this.getArgument(argIndex + 1).getFirstInstruction()
+      else result = this.getInstruction(CallTag())
    )
    or
-    child = getSideEffects() and
-    result = getParent().getChildSuccessor(this)
+    child = this.getSideEffects() and
+    if this.isNoReturn()
+    then
+      result =
+        any(UnreachedInstruction instr |
+          this.getEnclosingFunction().getFunction() = instr.getEnclosingFunction()
+        )
+    else result = this.getParent().getChildSuccessor(this)
  }

  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
    kind instanceof GotoEdge and
    tag = CallTag() and
-    result = getSideEffects().getFirstInstruction()
+    result = this.getSideEffects().getFirstInstruction()
  }

  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
    tag = CallTag() and
    (
      operandTag instanceof CallTargetOperandTag and
-      result = getCallTargetResult()
+      result = this.getCallTargetResult()
      or
      operandTag instanceof ThisArgumentOperandTag and
-      result = getQualifierResult()
+      result = this.getQualifierResult()
      or
      exists(PositionalArgumentOperandTag argTag |
        argTag = operandTag and
-        result = getArgument(argTag.getArgIndex()).getResult()
+        result = this.getArgument(argTag.getArgIndex()).getResult()
      )
    )
  }

-  final override Instruction getResult() { result = getInstruction(CallTag()) }
+  final override Instruction getResult() { result = this.getInstruction(CallTag()) }

  /**
   * Gets the result type of the call.
@@ -101,7 +108,7 @@ abstract class TranslatedCall extends TranslatedExpr {
  /**
   * Holds if the call has a `this` argument.
   */
-  predicate hasQualifier() { exists(getQualifier()) }
+  predicate hasQualifier() { exists(this.getQualifier()) }

  /**
   * Gets the `TranslatedExpr` for the indirect target of the call, if any.
@@ -114,7 +121,9 @@ abstract class TranslatedCall extends TranslatedExpr {
   * it can be overridden by a subclass for cases where there is a call target
   * that is not computed from an expression (e.g. a direct call).
   */
-  Instruction getFirstCallTargetInstruction() { result = getCallTarget().getFirstInstruction() }
+  Instruction getFirstCallTargetInstruction() {
+    result = this.getCallTarget().getFirstInstruction()
+  }

  /**
   * Gets the instruction whose result value is the target of the call. By
@@ -122,7 +131,7 @@ abstract class TranslatedCall extends TranslatedExpr {
   * overridden by a subclass for cases where there is a call target that is not
   * computed from an expression (e.g. a direct call).
   */
-  Instruction getCallTargetResult() { result = getCallTarget().getResult() }
+  Instruction getCallTargetResult() { result = this.getCallTarget().getResult() }

  /**
   * Gets the `TranslatedExpr` for the qualifier of the call (i.e. the value
@@ -136,7 +145,7 @@ abstract class TranslatedCall extends TranslatedExpr {
   * overridden by a subclass for cases where there is a `this` argument that is
   * not computed from a child expression (e.g. a constructor call).
   */
-  Instruction getQualifierResult() { result = getQualifier().getResult() }
+  Instruction getQualifierResult() { result = this.getQualifier().getResult() }

  /**
   * Gets the argument with the specified `index`. Does not include the `this`
@@ -151,9 +160,9 @@ abstract class TranslatedCall extends TranslatedExpr {
   * argument. Otherwise, returns the call instruction.
   */
  final Instruction getFirstArgumentOrCallInstruction() {
-    if hasArguments()
-    then result = getArgument(0).getFirstInstruction()
-    else result = getInstruction(CallTag())
+    if this.hasArguments()
+    then result = this.getArgument(0).getFirstInstruction()
+    else result = this.getInstruction(CallTag())
  }

  /**
@@ -161,6 +170,8 @@ abstract class TranslatedCall extends TranslatedExpr {
   */
  abstract predicate hasArguments();

+  predicate isNoReturn() { none() }
+
  final TranslatedSideEffects getSideEffects() { result.getExpr() = expr }
 }

@@ -175,17 +186,17 @@ abstract class TranslatedSideEffects extends TranslatedElement {
  /** Gets the expression whose side effects are being modeled. */
  abstract Expr getExpr();

-  final override Locatable getAst() { result = getExpr() }
+  final override Locatable getAst() { result = this.getExpr() }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

-  final override Declaration getFunction() { result = getEnclosingDeclaration(getExpr()) }
+  final override Declaration getFunction() { result = getEnclosingDeclaration(this.getExpr()) }

  final override TranslatedElement getChild(int i) {
    result =
      rank[i + 1](TranslatedSideEffect tse, int group, int indexInGroup |
-        tse.getPrimaryExpr() = getExpr() and
+        tse.getPrimaryExpr() = this.getExpr() and
        tse.sortOrder(group, indexInGroup)
      |
        tse order by group, indexInGroup
@@ -194,10 +205,10 @@ abstract class TranslatedSideEffects extends TranslatedElement {

  final override Instruction getChildSuccessor(TranslatedElement te) {
    exists(int i |
-      getChild(i) = te and
-      if exists(getChild(i + 1))
-      then result = getChild(i + 1).getFirstInstruction()
-      else result = getParent().getChildSuccessor(this)
+      this.getChild(i) = te and
+      if exists(this.getChild(i + 1))
+      then result = this.getChild(i + 1).getFirstInstruction()
+      else result = this.getParent().getChildSuccessor(this)
    )
  }

@@ -206,10 +217,10 @@ abstract class TranslatedSideEffects extends TranslatedElement {
  }

  final override Instruction getFirstInstruction() {
-    result = getChild(0).getFirstInstruction()
+    result = this.getChild(0).getFirstInstruction()
    or
    // Some functions, like `std::move()`, have no side effects whatsoever.
-    not exists(getChild(0)) and result = getParent().getChildSuccessor(this)
+    not exists(this.getChild(0)) and result = this.getParent().getChildSuccessor(this)
  }

  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
@@ -225,10 +236,10 @@ abstract class TranslatedSideEffects extends TranslatedElement {
 */
 abstract class TranslatedDirectCall extends TranslatedCall {
  final override Instruction getFirstCallTargetInstruction() {
-    result = getInstruction(CallTargetTag())
+    result = this.getInstruction(CallTargetTag())
  }

-  final override Instruction getCallTargetResult() { result = getInstruction(CallTargetTag()) }
+  final override Instruction getCallTargetResult() { result = this.getInstruction(CallTargetTag()) }

  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
    TranslatedCall.super.hasInstruction(opcode, tag, resultType)
@@ -243,7 +254,7 @@ abstract class TranslatedDirectCall extends TranslatedCall {
    or
    tag = CallTargetTag() and
    kind instanceof GotoEdge and
-    result = getFirstArgumentOrCallInstruction()
+    result = this.getFirstArgumentOrCallInstruction()
  }
 }

@@ -266,6 +277,8 @@ abstract class TranslatedCallExpr extends TranslatedNonConstantExpr, TranslatedC
  }

  final override int getNumberOfArguments() { result = expr.getNumberOfArguments() }
+
+  final override predicate isNoReturn() { any(Options opt).exits(expr.getTarget()) }
 }

 /**
@@ -290,12 +303,12 @@ class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall {
  }

  override Instruction getQualifierResult() {
-    hasQualifier() and
-    result = getQualifier().getResult()
+    this.hasQualifier() and
+    result = this.getQualifier().getResult()
  }

  override predicate hasQualifier() {
-    exists(getQualifier()) and
+    exists(this.getQualifier()) and
    not exists(MemberFunction func | expr.getTarget() = func and func.isStatic())
  }
 }
@@ -311,7 +324,7 @@ class TranslatedStructorCall extends TranslatedFunctionCall {

  override Instruction getQualifierResult() {
    exists(StructorCallContext context |
-      context = getParent() and
+      context = this.getParent() and
      result = context.getReceiver()
    )
  }
@@ -362,24 +375,26 @@ abstract class TranslatedSideEffect extends TranslatedElement {

  final override Instruction getChildSuccessor(TranslatedElement child) { none() }

-  final override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
+  final override Instruction getFirstInstruction() {
+    result = this.getInstruction(OnlyInstructionTag())
+  }

  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
    tag = OnlyInstructionTag() and
-    sideEffectInstruction(opcode, type)
+    this.sideEffectInstruction(opcode, type)
  }

  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
-    result = getParent().getChildSuccessor(this) and
+    result = this.getParent().getChildSuccessor(this) and
    tag = OnlyInstructionTag() and
    kind instanceof GotoEdge
  }

-  final override Declaration getFunction() { result = getParent().getFunction() }
+  final override Declaration getFunction() { result = this.getParent().getFunction() }

  final override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
    tag = OnlyInstructionTag() and
-    result = getParent().(TranslatedSideEffects).getPrimaryInstruction()
+    result = this.getParent().(TranslatedSideEffects).getPrimaryInstruction()
  }

  /**
@@ -417,18 +432,18 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
  TranslatedArgumentSideEffect() { any() }

  override string toString() {
-    isWrite() and
-    result = "(write side effect for " + getArgString() + ")"
+    this.isWrite() and
+    result = "(write side effect for " + this.getArgString() + ")"
    or
-    not isWrite() and
-    result = "(read side effect for " + getArgString() + ")"
+    not this.isWrite() and
+    result = "(read side effect for " + this.getArgString() + ")"
  }

  override Call getPrimaryExpr() { result = call }

  override predicate sortOrder(int group, int indexInGroup) {
    indexInGroup = index and
-    if isWrite() then group = argumentWriteGroup() else group = argumentReadGroup()
+    if this.isWrite() then group = argumentWriteGroup() else group = argumentReadGroup()
  }

  final override int getInstructionIndex(InstructionTag tag) {
@@ -439,20 +454,20 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
  final override predicate sideEffectInstruction(Opcode opcode, CppType type) {
    opcode = sideEffectOpcode and
    (
-      isWrite() and
+      this.isWrite() and
      (
        opcode instanceof BufferAccessOpcode and
        type = getUnknownType()
        or
        not opcode instanceof BufferAccessOpcode and
-        exists(Type indirectionType | indirectionType = getIndirectionType() |
+        exists(Type indirectionType | indirectionType = this.getIndirectionType() |
          if indirectionType instanceof VoidType
          then type = getUnknownType()
          else type = getTypeForPRValueOrUnknown(indirectionType)
        )
      )
      or
-      not isWrite() and
+      not this.isWrite() and
      type = getVoidType()
    )
  }
@@ -460,7 +475,7 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
  final override CppType getInstructionMemoryOperandType(
    InstructionTag tag, TypedOperandTag operandTag
  ) {
-    not isWrite() and
+    not this.isWrite() and
    if sideEffectOpcode instanceof BufferAccessOpcode
    then
      result = getUnknownType() and
@@ -469,7 +484,7 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
    else
      exists(Type operandType |
        tag instanceof OnlyInstructionTag and
-        operandType = getIndirectionType() and
+        operandType = this.getIndirectionType() and
        operandTag instanceof SideEffectOperandTag
      |
        // If the type we select is an incomplete type (e.g. a forward-declared `struct`), there will
@@ -481,7 +496,7 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
    tag instanceof OnlyInstructionTag and
    operandTag instanceof AddressOperandTag and
-    result = getArgInstruction()
+    result = this.getArgInstruction()
    or
    tag instanceof OnlyInstructionTag and
    operandTag instanceof BufferSizeOperandTag and
@@ -522,7 +537,7 @@ class TranslatedArgumentExprSideEffect extends TranslatedArgumentSideEffect,
  final override Locatable getAst() { result = arg }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  final override Type getIndirectionType() {
    result = arg.getUnspecifiedType().(DerivedType).getBaseType()
@@ -557,7 +572,7 @@ class TranslatedStructorQualifierSideEffect extends TranslatedArgumentSideEffect
  final override Locatable getAst() { result = call }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  final override Type getIndirectionType() { result = call.getTarget().getDeclaringType() }

@@ -581,7 +596,7 @@ class TranslatedCallSideEffect extends TranslatedSideEffect, TTranslatedCallSide
  override Locatable getAst() { result = expr }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  override Expr getPrimaryExpr() { result = expr }

@@ -622,7 +637,7 @@ class TranslatedAllocationSideEffect extends TranslatedSideEffect, TTranslatedAl
  override Locatable getAst() { result = expr }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  override Expr getPrimaryExpr() { result = expr }

@@ -635,7 +650,7 @@ class TranslatedAllocationSideEffect extends TranslatedSideEffect, TTranslatedAl
  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
    tag = OnlyInstructionTag() and
    operandTag = addressOperand() and
-    result = getPrimaryInstructionForSideEffect(OnlyInstructionTag())
+    result = this.getPrimaryInstructionForSideEffect(OnlyInstructionTag())
  }

  override predicate sideEffectInstruction(Opcode opcode, CppType type) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll
@@ -22,9 +22,9 @@ abstract class TranslatedCondition extends TranslatedElement {
  final override Locatable getAst() { result = expr }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

-  final ConditionContext getConditionContext() { result = getParent() }
+  final ConditionContext getConditionContext() { result = this.getParent() }

  final Expr getExpr() { result = expr }

@@ -42,9 +42,11 @@ abstract class TranslatedFlexibleCondition extends TranslatedCondition, Conditio
 {
  TranslatedFlexibleCondition() { this = TTranslatedFlexibleCondition(expr) }

-  final override TranslatedElement getChild(int id) { id = 0 and result = getOperand() }
+  final override TranslatedElement getChild(int id) { id = 0 and result = this.getOperand() }

-  final override Instruction getFirstInstruction() { result = getOperand().getFirstInstruction() }
+  final override Instruction getFirstInstruction() {
+    result = this.getOperand().getFirstInstruction()
+  }

  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
    none()
@@ -61,13 +63,13 @@ class TranslatedParenthesisCondition extends TranslatedFlexibleCondition {
  override ParenthesisExpr expr;

  final override Instruction getChildTrueSuccessor(TranslatedCondition child) {
-    child = getOperand() and
-    result = getConditionContext().getChildTrueSuccessor(this)
+    child = this.getOperand() and
+    result = this.getConditionContext().getChildTrueSuccessor(this)
  }

  final override Instruction getChildFalseSuccessor(TranslatedCondition child) {
-    child = getOperand() and
-    result = getConditionContext().getChildFalseSuccessor(this)
+    child = this.getOperand() and
+    result = this.getConditionContext().getChildFalseSuccessor(this)
  }

  final override TranslatedCondition getOperand() {
@@ -79,13 +81,13 @@ class TranslatedNotCondition extends TranslatedFlexibleCondition {
  override NotExpr expr;

  override Instruction getChildTrueSuccessor(TranslatedCondition child) {
-    child = getOperand() and
-    result = getConditionContext().getChildFalseSuccessor(this)
+    child = this.getOperand() and
+    result = this.getConditionContext().getChildFalseSuccessor(this)
  }

  override Instruction getChildFalseSuccessor(TranslatedCondition child) {
-    child = getOperand() and
-    result = getConditionContext().getChildTrueSuccessor(this)
+    child = this.getOperand() and
+    result = this.getConditionContext().getChildTrueSuccessor(this)
  }

  override TranslatedCondition getOperand() {
@@ -103,13 +105,13 @@ abstract class TranslatedBinaryLogicalOperation extends TranslatedNativeConditio
  override BinaryLogicalOperation expr;

  final override TranslatedElement getChild(int id) {
-    id = 0 and result = getLeftOperand()
+    id = 0 and result = this.getLeftOperand()
    or
-    id = 1 and result = getRightOperand()
+    id = 1 and result = this.getRightOperand()
  }

  final override Instruction getFirstInstruction() {
-    result = getLeftOperand().getFirstInstruction()
+    result = this.getLeftOperand().getFirstInstruction()
  }

  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
@@ -131,16 +133,16 @@ class TranslatedLogicalAndExpr extends TranslatedBinaryLogicalOperation {
  TranslatedLogicalAndExpr() { expr instanceof LogicalAndExpr }

  override Instruction getChildTrueSuccessor(TranslatedCondition child) {
-    child = getLeftOperand() and
-    result = getRightOperand().getFirstInstruction()
+    child = this.getLeftOperand() and
+    result = this.getRightOperand().getFirstInstruction()
    or
-    child = getRightOperand() and
-    result = getConditionContext().getChildTrueSuccessor(this)
+    child = this.getRightOperand() and
+    result = this.getConditionContext().getChildTrueSuccessor(this)
  }

  override Instruction getChildFalseSuccessor(TranslatedCondition child) {
-    (child = getLeftOperand() or child = getRightOperand()) and
-    result = getConditionContext().getChildFalseSuccessor(this)
+    (child = this.getLeftOperand() or child = this.getRightOperand()) and
+    result = this.getConditionContext().getChildFalseSuccessor(this)
  }
 }

@@ -148,25 +150,25 @@ class TranslatedLogicalOrExpr extends TranslatedBinaryLogicalOperation {
  override LogicalOrExpr expr;

  override Instruction getChildTrueSuccessor(TranslatedCondition child) {
-    (child = getLeftOperand() or child = getRightOperand()) and
-    result = getConditionContext().getChildTrueSuccessor(this)
+    (child = this.getLeftOperand() or child = this.getRightOperand()) and
+    result = this.getConditionContext().getChildTrueSuccessor(this)
  }

  override Instruction getChildFalseSuccessor(TranslatedCondition child) {
-    child = getLeftOperand() and
-    result = getRightOperand().getFirstInstruction()
+    child = this.getLeftOperand() and
+    result = this.getRightOperand().getFirstInstruction()
    or
-    child = getRightOperand() and
-    result = getConditionContext().getChildFalseSuccessor(this)
+    child = this.getRightOperand() and
+    result = this.getConditionContext().getChildFalseSuccessor(this)
  }
 }

 class TranslatedValueCondition extends TranslatedCondition, TTranslatedValueCondition {
  TranslatedValueCondition() { this = TTranslatedValueCondition(expr) }

-  override TranslatedElement getChild(int id) { id = 0 and result = getValueExpr() }
+  override TranslatedElement getChild(int id) { id = 0 and result = this.getValueExpr() }

-  override Instruction getFirstInstruction() { result = getValueExpr().getFirstInstruction() }
+  override Instruction getFirstInstruction() { result = this.getValueExpr().getFirstInstruction() }

  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
    tag = ValueConditionConditionalBranchTag() and
@@ -175,25 +177,25 @@ class TranslatedValueCondition extends TranslatedCondition, TTranslatedValueCond
  }

  override Instruction getChildSuccessor(TranslatedElement child) {
-    child = getValueExpr() and
-    result = getInstruction(ValueConditionConditionalBranchTag())
+    child = this.getValueExpr() and
+    result = this.getInstruction(ValueConditionConditionalBranchTag())
  }

  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
    tag = ValueConditionConditionalBranchTag() and
    (
      kind instanceof TrueEdge and
-      result = getConditionContext().getChildTrueSuccessor(this)
+      result = this.getConditionContext().getChildTrueSuccessor(this)
      or
      kind instanceof FalseEdge and
-      result = getConditionContext().getChildFalseSuccessor(this)
+      result = this.getConditionContext().getChildFalseSuccessor(this)
    )
  }

  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
    tag = ValueConditionConditionalBranchTag() and
    operandTag instanceof ConditionOperandTag and
-    result = getValueExpr().getResult()
+    result = this.getValueExpr().getResult()
  }

  private TranslatedExpr getValueExpr() { result = getTranslatedExpr(expr) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll
@@ -47,7 +47,7 @@ abstract class TranslatedDeclarationEntry extends TranslatedElement, TTranslated
  final override Locatable getAst() { result = entry.getAst() }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }
 }

 /**
@@ -60,19 +60,19 @@ abstract class TranslatedLocalVariableDeclaration extends TranslatedVariableInit
   */
  abstract LocalVariable getVariable();

-  final override Type getTargetType() { result = getVariableType(getVariable()) }
+  final override Type getTargetType() { result = getVariableType(this.getVariable()) }

  final override TranslatedInitialization getInitialization() {
    result =
-      getTranslatedInitialization(getVariable().getInitializer().getExpr().getFullyConverted())
+      getTranslatedInitialization(this.getVariable().getInitializer().getExpr().getFullyConverted())
  }

  final override Instruction getInitializationSuccessor() {
-    result = getParent().getChildSuccessor(this)
+    result = this.getParent().getChildSuccessor(this)
  }

  final override IRVariable getIRVariable() {
-    result = getIRUserVariable(getFunction(), getVariable())
+    result = getIRUserVariable(this.getFunction(), this.getVariable())
  }
 }

@@ -123,7 +123,7 @@ class TranslatedStaticLocalVariableDeclarationEntry extends TranslatedDeclaratio

  TranslatedStaticLocalVariableDeclarationEntry() { var = entry.getDeclaration() }

-  final override TranslatedElement getChild(int id) { id = 0 and result = getInitialization() }
+  final override TranslatedElement getChild(int id) { id = 0 and result = this.getInitialization() }

  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
    tag = DynamicInitializationFlagAddressTag() and
@@ -148,39 +148,39 @@ class TranslatedStaticLocalVariableDeclarationEntry extends TranslatedDeclaratio
  }

  final override Instruction getFirstInstruction() {
-    result = getInstruction(DynamicInitializationFlagAddressTag())
+    result = this.getInstruction(DynamicInitializationFlagAddressTag())
  }

  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
    tag = DynamicInitializationFlagAddressTag() and
    kind instanceof GotoEdge and
-    result = getInstruction(DynamicInitializationFlagLoadTag())
+    result = this.getInstruction(DynamicInitializationFlagLoadTag())
    or
    tag = DynamicInitializationFlagLoadTag() and
    kind instanceof GotoEdge and
-    result = getInstruction(DynamicInitializationConditionalBranchTag())
+    result = this.getInstruction(DynamicInitializationConditionalBranchTag())
    or
    tag = DynamicInitializationConditionalBranchTag() and
    (
      kind instanceof TrueEdge and
-      result = getParent().getChildSuccessor(this)
+      result = this.getParent().getChildSuccessor(this)
      or
      kind instanceof FalseEdge and
-      result = getInitialization().getFirstInstruction()
+      result = this.getInitialization().getFirstInstruction()
    )
    or
    tag = DynamicInitializationFlagConstantTag() and
    kind instanceof GotoEdge and
-    result = getInstruction(DynamicInitializationFlagStoreTag())
+    result = this.getInstruction(DynamicInitializationFlagStoreTag())
    or
    tag = DynamicInitializationFlagStoreTag() and
    kind instanceof GotoEdge and
-    result = getParent().getChildSuccessor(this)
+    result = this.getParent().getChildSuccessor(this)
  }

  final override Instruction getChildSuccessor(TranslatedElement child) {
-    child = getInitialization() and
-    result = getInstruction(DynamicInitializationFlagConstantTag())
+    child = this.getInitialization() and
+    result = this.getInstruction(DynamicInitializationFlagConstantTag())
  }

  final override IRDynamicInitializationFlag getInstructionVariable(InstructionTag tag) {
@@ -196,20 +196,20 @@ class TranslatedStaticLocalVariableDeclarationEntry extends TranslatedDeclaratio
    tag = DynamicInitializationFlagLoadTag() and
    (
      operandTag instanceof AddressOperandTag and
-      result = getInstruction(DynamicInitializationFlagAddressTag())
+      result = this.getInstruction(DynamicInitializationFlagAddressTag())
    )
    or
    tag = DynamicInitializationConditionalBranchTag() and
    operandTag instanceof ConditionOperandTag and
-    result = getInstruction(DynamicInitializationFlagLoadTag())
+    result = this.getInstruction(DynamicInitializationFlagLoadTag())
    or
    tag = DynamicInitializationFlagStoreTag() and
    (
      operandTag instanceof AddressOperandTag and
-      result = getInstruction(DynamicInitializationFlagAddressTag())
+      result = this.getInstruction(DynamicInitializationFlagAddressTag())
      or
      operandTag instanceof StoreValueOperandTag and
-      result = getInstruction(DynamicInitializationFlagConstantTag())
+      result = this.getInstruction(DynamicInitializationFlagConstantTag())
    )
  }

@@ -238,7 +238,7 @@ class TranslatedStaticLocalVariableInitialization extends TranslatedElement,
  final override Locatable getAst() { result = entry.getAst() }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  final override LocalVariable getVariable() { result = var }

@@ -267,7 +267,7 @@ class TranslatedConditionDecl extends TranslatedLocalVariableDeclaration, TTrans
  override Locatable getAst() { result = conditionDeclExpr }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  override Declaration getFunction() { result = getEnclosingFunction(conditionDeclExpr) }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -821,7 +821,7 @@ abstract class TranslatedElement extends TTranslatedElement {
  abstract Locatable getAst();

  /** DEPRECATED: Alias for getAst */
-  deprecated Locatable getAST() { result = getAst() }
+  deprecated Locatable getAST() { result = this.getAst() }

  /**
   * Get the first instruction to be executed in the evaluation of this element.
@@ -831,7 +831,7 @@ abstract class TranslatedElement extends TTranslatedElement {
  /**
   * Get the immediate child elements of this element.
   */
-  final TranslatedElement getAChild() { result = getChild(_) }
+  final TranslatedElement getAChild() { result = this.getChild(_) }

  /**
   * Gets the immediate child element of this element. The `id` is unique
@@ -844,25 +844,29 @@ abstract class TranslatedElement extends TTranslatedElement {
   * Gets the an identifier string for the element. This id is unique within
   * the scope of the element's function.
   */
-  final int getId() { result = getUniqueId() }
+  final int getId() { result = this.getUniqueId() }

  private TranslatedElement getChildByRank(int rankIndex) {
    result =
-      rank[rankIndex + 1](TranslatedElement child, int id | child = getChild(id) | child order by id)
+      rank[rankIndex + 1](TranslatedElement child, int id |
+        child = this.getChild(id)
+      |
+        child order by id
+      )
  }

  language[monotonicAggregates]
  private int getDescendantCount() {
    result =
-      1 + sum(TranslatedElement child | child = getChildByRank(_) | child.getDescendantCount())
+      1 + sum(TranslatedElement child | child = this.getChildByRank(_) | child.getDescendantCount())
  }

  private int getUniqueId() {
-    if not exists(getParent())
+    if not exists(this.getParent())
    then result = 0
    else
      exists(TranslatedElement parent |
-        parent = getParent() and
+        parent = this.getParent() and
        if this = parent.getChildByRank(0)
        then result = 1 + parent.getUniqueId()
        else
@@ -908,7 +912,7 @@ abstract class TranslatedElement extends TTranslatedElement {
   * there is no enclosing `try`.
   */
  Instruction getExceptionSuccessorInstruction() {
-    result = getParent().getExceptionSuccessorInstruction()
+    result = this.getParent().getExceptionSuccessorInstruction()
  }

  /**
@@ -1022,14 +1026,14 @@ abstract class TranslatedElement extends TTranslatedElement {
    exists(Locatable ast |
      result.getAst() = ast and
      result.getTag() = tag and
-      hasTempVariableAndAst(tag, ast)
+      this.hasTempVariableAndAst(tag, ast)
    )
  }

  pragma[noinline]
  private predicate hasTempVariableAndAst(TempVariableTag tag, Locatable ast) {
-    hasTempVariable(tag, _) and
-    ast = getAst()
+    this.hasTempVariable(tag, _) and
+    ast = this.getAst()
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -76,9 +76,6 @@ abstract class TranslatedExpr extends TranslatedElement {

  final override Locatable getAst() { result = expr }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final override Declaration getFunction() { result = getEnclosingDeclaration(expr) }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
@@ -68,7 +68,7 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
  final override Locatable getAst() { result = func }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  /**
   * Gets the function being translated.
@@ -76,15 +76,15 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
  final override Function getFunction() { result = func }

  final override TranslatedElement getChild(int id) {
-    id = -5 and result = getReadEffects()
+    id = -5 and result = this.getReadEffects()
    or
-    id = -4 and result = getConstructorInitList()
+    id = -4 and result = this.getConstructorInitList()
    or
-    id = -3 and result = getBody()
+    id = -3 and result = this.getBody()
    or
-    id = -2 and result = getDestructorDestructionList()
+    id = -2 and result = this.getDestructorDestructionList()
    or
-    id >= -1 and result = getParameter(id)
+    id >= -1 and result = this.getParameter(id)
  }

  final private TranslatedConstructorInitList getConstructorInitList() {
@@ -109,64 +109,66 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
    result = getTranslatedEllipsisParameter(func)
  }

-  final override Instruction getFirstInstruction() { result = getInstruction(EnterFunctionTag()) }
+  final override Instruction getFirstInstruction() {
+    result = this.getInstruction(EnterFunctionTag())
+  }

  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
    kind instanceof GotoEdge and
    (
      tag = EnterFunctionTag() and
-      result = getInstruction(AliasedDefinitionTag())
+      result = this.getInstruction(AliasedDefinitionTag())
      or
      tag = AliasedDefinitionTag() and
-      result = getInstruction(InitializeNonLocalTag())
+      result = this.getInstruction(InitializeNonLocalTag())
      or
      (
        tag = InitializeNonLocalTag() and
-        if exists(getThisType())
-        then result = getParameter(-1).getFirstInstruction()
+        if exists(this.getThisType())
+        then result = this.getParameter(-1).getFirstInstruction()
        else
-          if exists(getParameter(0))
-          then result = getParameter(0).getFirstInstruction()
-          else result = getBody().getFirstInstruction()
+          if exists(this.getParameter(0))
+          then result = this.getParameter(0).getFirstInstruction()
+          else result = this.getBody().getFirstInstruction()
      )
      or
      tag = ReturnValueAddressTag() and
-      result = getInstruction(ReturnTag())
+      result = this.getInstruction(ReturnTag())
      or
      tag = ReturnTag() and
-      result = getInstruction(AliasedUseTag())
+      result = this.getInstruction(AliasedUseTag())
      or
      tag = UnwindTag() and
-      result = getInstruction(AliasedUseTag())
+      result = this.getInstruction(AliasedUseTag())
      or
      tag = AliasedUseTag() and
-      result = getInstruction(ExitFunctionTag())
+      result = this.getInstruction(ExitFunctionTag())
    )
  }

  final override Instruction getChildSuccessor(TranslatedElement child) {
    exists(int paramIndex |
-      child = getParameter(paramIndex) and
+      child = this.getParameter(paramIndex) and
      if
        exists(func.getParameter(paramIndex + 1)) or
        getEllipsisParameterIndexForFunction(func) = paramIndex + 1
-      then result = getParameter(paramIndex + 1).getFirstInstruction()
-      else result = getConstructorInitList().getFirstInstruction()
+      then result = this.getParameter(paramIndex + 1).getFirstInstruction()
+      else result = this.getConstructorInitList().getFirstInstruction()
    )
    or
-    child = getConstructorInitList() and
-    result = getBody().getFirstInstruction()
+    child = this.getConstructorInitList() and
+    result = this.getBody().getFirstInstruction()
    or
-    child = getBody() and
-    result = getReturnSuccessorInstruction()
+    child = this.getBody() and
+    result = this.getReturnSuccessorInstruction()
    or
-    child = getDestructorDestructionList() and
-    result = getReadEffects().getFirstInstruction()
+    child = this.getDestructorDestructionList() and
+    result = this.getReadEffects().getFirstInstruction()
    or
-    child = getReadEffects() and
-    if hasReturnValue()
-    then result = getInstruction(ReturnValueAddressTag())
-    else result = getInstruction(ReturnTag())
+    child = this.getReadEffects() and
+    if this.hasReturnValue()
+    then result = this.getInstruction(ReturnValueAddressTag())
+    else result = this.getInstruction(ReturnTag())
  }

  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
@@ -185,13 +187,13 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
      or
      tag = ReturnValueAddressTag() and
      opcode instanceof Opcode::VariableAddress and
-      resultType = getTypeForGLValue(getReturnType()) and
-      hasReturnValue()
+      resultType = getTypeForGLValue(this.getReturnType()) and
+      this.hasReturnValue()
      or
      (
        tag = ReturnTag() and
        resultType = getVoidType() and
-        if hasReturnValue()
+        if this.hasReturnValue()
        then opcode instanceof Opcode::ReturnValue
        else opcode instanceof Opcode::ReturnVoid
      )
@@ -217,23 +219,23 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
  }

  final override Instruction getExceptionSuccessorInstruction() {
-    result = getInstruction(UnwindTag())
+    result = this.getInstruction(UnwindTag())
  }

  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
    tag = ReturnTag() and
-    hasReturnValue() and
+    this.hasReturnValue() and
    operandTag instanceof AddressOperandTag and
-    result = getInstruction(ReturnValueAddressTag())
+    result = this.getInstruction(ReturnValueAddressTag())
  }

  final override CppType getInstructionMemoryOperandType(
    InstructionTag tag, TypedOperandTag operandTag
  ) {
    tag = ReturnTag() and
-    hasReturnValue() and
+    this.hasReturnValue() and
    operandTag instanceof LoadOperandTag and
-    result = getTypeForPRValue(getReturnType())
+    result = getTypeForPRValue(this.getReturnType())
    or
    tag = AliasedUseTag() and
    operandTag instanceof SideEffectOperandTag and
@@ -242,7 +244,7 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {

  final override IRVariable getInstructionVariable(InstructionTag tag) {
    tag = ReturnValueAddressTag() and
-    result = getReturnVariable()
+    result = this.getReturnVariable()
  }

  final override predicate needsUnknownOpaqueType(int byteSize) {
@@ -251,15 +253,15 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {

  final override predicate hasTempVariable(TempVariableTag tag, CppType type) {
    tag = ReturnValueTempVar() and
-    hasReturnValue() and
-    type = getTypeForPRValue(getReturnType())
+    this.hasReturnValue() and
+    type = getTypeForPRValue(this.getReturnType())
    or
    tag = EllipsisTempVar() and
    func.isVarargs() and
    type = getEllipsisVariablePRValueType()
    or
    tag = ThisTempVar() and
-    type = getTypeForGLValue(getThisType())
+    type = getTypeForGLValue(this.getThisType())
  }

  /**
@@ -267,7 +269,7 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
   * statement.
   */
  final Instruction getReturnSuccessorInstruction() {
-    result = getDestructorDestructionList().getFirstInstruction()
+    result = this.getDestructorDestructionList().getFirstInstruction()
  }

  /**
@@ -368,25 +370,25 @@ abstract class TranslatedParameter extends TranslatedElement {
  final override TranslatedElement getChild(int id) { none() }

  final override Instruction getFirstInstruction() {
-    result = getInstruction(InitializerVariableAddressTag())
+    result = this.getInstruction(InitializerVariableAddressTag())
  }

  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
    kind instanceof GotoEdge and
    (
      tag = InitializerVariableAddressTag() and
-      result = getInstruction(InitializerStoreTag())
+      result = this.getInstruction(InitializerStoreTag())
      or
      tag = InitializerStoreTag() and
-      if hasIndirection()
-      then result = getInstruction(InitializerIndirectAddressTag())
-      else result = getParent().getChildSuccessor(this)
+      if this.hasIndirection()
+      then result = this.getInstruction(InitializerIndirectAddressTag())
+      else result = this.getParent().getChildSuccessor(this)
      or
      tag = InitializerIndirectAddressTag() and
-      result = getInstruction(InitializerIndirectStoreTag())
+      result = this.getInstruction(InitializerIndirectStoreTag())
      or
      tag = InitializerIndirectStoreTag() and
-      result = getParent().getChildSuccessor(this)
+      result = this.getParent().getChildSuccessor(this)
    )
  }

@@ -395,21 +397,21 @@ abstract class TranslatedParameter extends TranslatedElement {
  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
    tag = InitializerVariableAddressTag() and
    opcode instanceof Opcode::VariableAddress and
-    resultType = getGLValueType()
+    resultType = this.getGLValueType()
    or
    tag = InitializerStoreTag() and
    opcode instanceof Opcode::InitializeParameter and
-    resultType = getPRValueType()
+    resultType = this.getPRValueType()
    or
-    hasIndirection() and
+    this.hasIndirection() and
    tag = InitializerIndirectAddressTag() and
    opcode instanceof Opcode::Load and
-    resultType = getPRValueType()
+    resultType = this.getPRValueType()
    or
-    hasIndirection() and
+    this.hasIndirection() and
    tag = InitializerIndirectStoreTag() and
    opcode instanceof Opcode::InitializeIndirection and
-    resultType = getInitializationResultType()
+    resultType = this.getInitializationResultType()
  }

  final override IRVariable getInstructionVariable(InstructionTag tag) {
@@ -418,26 +420,26 @@ abstract class TranslatedParameter extends TranslatedElement {
      tag = InitializerVariableAddressTag() or
      tag = InitializerIndirectStoreTag()
    ) and
-    result = getIRVariable()
+    result = this.getIRVariable()
  }

  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
    tag = InitializerStoreTag() and
    (
      operandTag instanceof AddressOperandTag and
-      result = getInstruction(InitializerVariableAddressTag())
+      result = this.getInstruction(InitializerVariableAddressTag())
    )
    or
    // this feels a little strange, but I think it's the best we can do
    tag = InitializerIndirectAddressTag() and
    (
      operandTag instanceof AddressOperandTag and
-      result = getInstruction(InitializerVariableAddressTag())
+      result = this.getInstruction(InitializerVariableAddressTag())
    )
    or
    tag = InitializerIndirectStoreTag() and
    operandTag instanceof AddressOperandTag and
-    result = getInstruction(InitializerIndirectAddressTag())
+    result = this.getInstruction(InitializerIndirectAddressTag())
  }

  abstract predicate hasIndirection();
@@ -465,7 +467,7 @@ class TranslatedThisParameter extends TranslatedParameter, TTranslatedThisParame
  final override Locatable getAst() { result = func }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  final override Function getFunction() { result = func }

@@ -500,7 +502,7 @@ class TranslatedPositionalParameter extends TranslatedParameter, TTranslatedPara
  final override Locatable getAst() { result = param }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  final override Function getFunction() {
    result = param.getFunction() or
@@ -522,7 +524,7 @@ class TranslatedPositionalParameter extends TranslatedParameter, TTranslatedPara
  final override CppType getInitializationResultType() { result = getUnknownType() }

  final override IRAutomaticUserVariable getIRVariable() {
-    result = getIRUserVariable(getFunction(), param)
+    result = getIRUserVariable(this.getFunction(), param)
  }
 }

@@ -540,7 +542,7 @@ class TranslatedEllipsisParameter extends TranslatedParameter, TTranslatedEllips
  final override Locatable getAst() { result = func }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  final override Function getFunction() { result = func }

@@ -579,7 +581,7 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon
  override Locatable getAst() { result = func }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  override TranslatedElement getChild(int id) {
    exists(ConstructorFieldInit fieldInit |
@@ -599,9 +601,9 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon
  }

  override Instruction getFirstInstruction() {
-    if exists(getChild(0))
-    then result = getChild(0).getFirstInstruction()
-    else result = getParent().getChildSuccessor(this)
+    if exists(this.getChild(0))
+    then result = this.getChild(0).getFirstInstruction()
+    else result = this.getParent().getChildSuccessor(this)
  }

  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
@@ -614,10 +616,10 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon

  override Instruction getChildSuccessor(TranslatedElement child) {
    exists(int id |
-      child = getChild(id) and
-      if exists(getChild(id + 1))
-      then result = getChild(id + 1).getFirstInstruction()
-      else result = getParent().getChildSuccessor(this)
+      child = this.getChild(id) and
+      if exists(this.getChild(id + 1))
+      then result = this.getChild(id + 1).getFirstInstruction()
+      else result = this.getParent().getChildSuccessor(this)
    )
  }

@@ -651,7 +653,7 @@ class TranslatedDestructorDestructionList extends TranslatedElement,
  override Locatable getAst() { result = func }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  override TranslatedElement getChild(int id) {
    exists(DestructorFieldDestruction fieldDestruction |
@@ -666,9 +668,9 @@ class TranslatedDestructorDestructionList extends TranslatedElement,
  }

  override Instruction getFirstInstruction() {
-    if exists(getChild(0))
-    then result = getChild(0).getFirstInstruction()
-    else result = getParent().getChildSuccessor(this)
+    if exists(this.getChild(0))
+    then result = this.getChild(0).getFirstInstruction()
+    else result = this.getParent().getChildSuccessor(this)
  }

  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
@@ -681,10 +683,10 @@ class TranslatedDestructorDestructionList extends TranslatedElement,

  override Instruction getChildSuccessor(TranslatedElement child) {
    exists(int id |
-      child = getChild(id) and
-      if exists(getChild(id + 1))
-      then result = getChild(id + 1).getFirstInstruction()
-      else result = getParent().getChildSuccessor(this)
+      child = this.getChild(id) and
+      if exists(this.getChild(id + 1))
+      then result = this.getChild(id + 1).getFirstInstruction()
+      else result = this.getParent().getChildSuccessor(this)
    )
  }
 }
@@ -699,7 +701,7 @@ class TranslatedReadEffects extends TranslatedElement, TTranslatedReadEffects {
  override Locatable getAst() { result = func }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  override Function getFunction() { result = func }

@@ -713,25 +715,25 @@ class TranslatedReadEffects extends TranslatedElement, TTranslatedReadEffects {
  }

  override Instruction getFirstInstruction() {
-    if exists(getAChild())
+    if exists(this.getAChild())
    then
      result =
-        min(TranslatedElement child, int id | child = getChild(id) | child order by id)
+        min(TranslatedElement child, int id | child = this.getChild(id) | child order by id)
            .getFirstInstruction()
-    else result = getParent().getChildSuccessor(this)
+    else result = this.getParent().getChildSuccessor(this)
  }

  override Instruction getChildSuccessor(TranslatedElement child) {
-    exists(int id | child = getChild(id) |
-      if exists(TranslatedReadEffect child2, int id2 | id2 > id and child2 = getChild(id2))
+    exists(int id | child = this.getChild(id) |
+      if exists(TranslatedReadEffect child2, int id2 | id2 > id and child2 = this.getChild(id2))
      then
        result =
          min(TranslatedReadEffect child2, int id2 |
-            child2 = getChild(id2) and id2 > id
+            child2 = this.getChild(id2) and id2 > id
          |
            child2 order by id2
          ).getFirstInstruction()
-      else result = getParent().getChildSuccessor(this)
+      else result = this.getParent().getChildSuccessor(this)
    )
  }

@@ -758,10 +760,10 @@ abstract class TranslatedReadEffect extends TranslatedElement {
  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
    tag = OnlyInstructionTag() and
    kind = EdgeKind::gotoEdge() and
-    result = getParent().getChildSuccessor(this)
+    result = this.getParent().getChildSuccessor(this)
  }

-  override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
+  override Instruction getFirstInstruction() { result = this.getInstruction(OnlyInstructionTag()) }

  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
    opcode instanceof Opcode::ReturnIndirection and
@@ -786,7 +788,7 @@ class TranslatedThisReadEffect extends TranslatedReadEffect, TTranslatedThisRead
  override Locatable getAst() { result = func }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  override Function getFunction() { result = func }

@@ -812,7 +814,7 @@ class TranslatedParameterReadEffect extends TranslatedReadEffect, TTranslatedPar
  override Locatable getAst() { result = param }

  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = getAst() }
+  deprecated override Locatable getAST() { result = this.getAst() }

  override string toString() { result = "read effect: " + param.toString() }

@@ -826,6 +828,6 @@ class TranslatedParameterReadEffect extends TranslatedReadEffect, TTranslatedPar

  final override IRVariable getInstructionVariable(InstructionTag tag) {
    tag = OnlyInstructionTag() and
-    result = getIRUserVariable(getFunction(), param)
+    result = getIRUserVariable(this.getFunction(), param)
  }
 }
--- a/Show More
+++ b/Show More