Python: Further parser improvements

- Adds support for multiple named grammars in the same extension file.
- Adds a grammar for grammars (in order to better test future support for
   implicit whitespace).
- Changes prediction to be partially bottom-up using left corners. This
  Limits the number of superfluous predictions that are generated.
- Rewrites the handling of tokens in the parser to now treat them as if
  they are normal productions (with a "black box" right hand side). This
  removes the need for special handling of terminals (scanning etc.) and
  greatly simplifies the code.
- Renames various uses of "item" to "production" instead, as there was
  some overlap in nomenclature.

Co-authored-by: Rasmus Lerchedahl Petersen <yoff@github.com>

.bazelversion

@@ -1 +1 @@
-7.1.0
+7.0.2

.github/workflows/cpp-swift-analysis.yml

@@ -1,55 +0,0 @@
-name: "Code scanning - C++"
-
-on:
-  push:
-    branches:
-      - main
-      - 'rc/*'
-  pull_request:
-    branches:
-      - main
-      - 'rc/*'
-    paths:
-      - 'swift/**'
-      - '.github/codeql/**'
-      - '.github/workflows/cpp-swift-analysis.yml'
-  schedule:
-    - cron: '0 9 * * 1'
-
-jobs:
-  CodeQL-Build:
-
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: read
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@main
-      # Override language selection by uncommenting this and choosing your languages
-      with:
-        languages: cpp
-        config-file: ./.github/codeql/codeql-config.yml
-  
-    - name: "[Ubuntu] Remove GCC 13 from runner image"
-      shell: bash
-      run: |
-        sudo rm -f /etc/apt/sources.list.d/ubuntu-toolchain-r-ubuntu-test-jammy.list
-        sudo apt-get update
-        sudo apt-get install -y --allow-downgrades libc6=2.35-* libc6-dev=2.35-* libstdc++6=12.3.0-* libgcc-s1=12.3.0-*
-
-    - name: "Build Swift extractor using Bazel"
-      run: |
-        bazel clean --expunge
-        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local --features=-layering_check
-        bazel shutdown
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@main

CODEOWNERS

@@ -1,5 +1,4 @@
 /cpp/ @github/codeql-c-analysis
-/cpp/autobuilder/ @github/codeql-c-extractor
 /csharp/ @github/codeql-csharp
 /go/ @github/codeql-go
 /java/ @github/codeql-java

codeql-workspace.yml

@@ -6,7 +6,6 @@ provide:
   - "*/ql/consistency-queries/qlpack.yml"
   - "*/ql/automodel/src/qlpack.yml"
   - "*/ql/automodel/test/qlpack.yml"
-  - "python/extractor/qlpack.yml"
   - "shared/**/qlpack.yml"
   - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
   - "go/ql/config/legacy-support/qlpack.yml"
@@ -28,6 +27,7 @@ provide:
   - "misc/suite-helpers/qlpack.yml"
   - "ruby/extractor-pack/codeql-extractor.yml"
   - "swift/extractor-pack/codeql-extractor.yml"
+  - "swift/integration-tests/qlpack.yml"
   - "ql/extractor-pack/codeql-extractor.yml"
   - ".github/codeql/extensions/**/codeql-pack.yml"
 

config/identical-files.json

@@ -88,46 +88,123 @@
   "IR Instruction": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll"
   ],
   "IR IRBlock": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/IRBlock.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRBlock.qll"
   ],
   "IR IRVariable": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/IRVariable.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRVariable.qll"
   ],
   "IR IRFunction": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/IRFunction.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRFunction.qll"
   ],
   "IR Operand": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/Operand.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll"
+  ],
+  "IR IRType": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRType.qll",
+    "csharp/ql/src/experimental/ir/implementation/IRType.qll"
+  ],
+  "IR IRConfiguration": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
+    "csharp/ql/src/experimental/ir/implementation/IRConfiguration.qll"
+  ],
+  "IR UseSoundEscapeAnalysis": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
+    "csharp/ql/src/experimental/ir/implementation/UseSoundEscapeAnalysis.qll"
+  ],
+  "IR IRFunctionBase": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
+    "csharp/ql/src/experimental/ir/implementation/internal/IRFunctionBase.qll"
+  ],
+  "IR Operand Tag": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
+    "csharp/ql/src/experimental/ir/implementation/internal/OperandTag.qll"
+  ],
+  "IR TInstruction": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
+    "csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll"
+  ],
+  "IR TIRVariable": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
+    "csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll"
   ],
   "IR IR": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IR.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/IR.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IR.qll"
   ],
   "IR IRConsistency": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/IRConsistency.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRConsistency.qll"
   ],
   "IR PrintIR": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/PrintIR.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/PrintIR.qll"
+  ],
+  "IR IntegerConstant": [
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerConstant.qll",
+    "csharp/ql/src/experimental/ir/internal/IntegerConstant.qll"
+  ],
+  "IR IntegerInteval": [
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerInterval.qll",
+    "csharp/ql/src/experimental/ir/internal/IntegerInterval.qll"
+  ],
+  "IR IntegerPartial": [
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerPartial.qll",
+    "csharp/ql/src/experimental/ir/internal/IntegerPartial.qll"
+  ],
+  "IR Overlap": [
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/Overlap.qll",
+    "csharp/ql/src/experimental/ir/internal/Overlap.qll"
+  ],
+  "IR EdgeKind": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll",
+    "csharp/ql/src/experimental/ir/implementation/EdgeKind.qll"
+  ],
+  "IR MemoryAccessKind": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
+    "csharp/ql/src/experimental/ir/implementation/MemoryAccessKind.qll"
+  ],
+  "IR TempVariableTag": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
+    "csharp/ql/src/experimental/ir/implementation/TempVariableTag.qll"
+  ],
+  "IR Opcode": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll",
+    "csharp/ql/src/experimental/ir/implementation/Opcode.qll"
   ],
   "IR SSAConsistency": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll"
   ],
   "C++ IR InstructionImports": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
@@ -175,7 +252,8 @@
   ],
   "SSA AliasAnalysis": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
   ],
   "SSA PrintAliasAnalysis": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
@@ -190,28 +268,44 @@
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
+  "IR SSA SimpleSSA": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
+  ],
+  "IR AliasConfiguration (unaliased_ssa)": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll"
+  ],
   "IR SSA SSAConstruction": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
   ],
   "IR SSA PrintSSA": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
   ],
   "IR ValueNumberInternal": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll"
   ],
   "C++ IR ValueNumber": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/gvn/ValueNumbering.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
   ],
   "C++ IR PrintValueNumbering": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/gvn/PrintValueNumbering.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll"
   ],
   "C++ IR ConstantAnalysis": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
@@ -239,6 +333,38 @@
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
   ],
+  "C# IR InstructionImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/InstructionImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/InstructionImports.qll"
+  ],
+  "C# IR IRImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRImports.qll"
+  ],
+  "C# IR IRBlockImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRBlockImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll"
+  ],
+  "C# IR IRFunctionImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRFunctionImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll"
+  ],
+  "C# IR IRVariableImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRVariableImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll"
+  ],
+  "C# IR OperandImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/OperandImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/OperandImports.qll"
+  ],
+  "C# IR PrintIRImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/PrintIRImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll"
+  ],
+  "C# IR ValueNumberingImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
+  ],
   "C# ControlFlowReachability": [
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
@@ -255,6 +381,7 @@
     "cpp/ql/lib/semmle/code/cpp/XML.qll",
     "csharp/ql/lib/semmle/code/csharp/XML.qll",
     "java/ql/lib/semmle/code/xml/XML.qll",
+    "javascript/ql/lib/semmle/javascript/XML.qll",
     "python/ql/lib/semmle/python/xml/XML.qll"
   ],
   "DuplicationProblems.inc.qhelp": [

cpp/downgrades/aa7ff0ab32cd4674f6ab731d32fea64116997b05/exprs.ql

@@ -1,13 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location_expr {
-  string toString() { none() }
-}
-
-from Expr expr, int kind, int kind_new, Location loc
-where
-  exprs(expr, kind, loc) and
-  if kind = 363 then kind_new = 1 else kind_new = kind
-select expr, kind_new, loc

cpp/downgrades/aa7ff0ab32cd4674f6ab731d32fea64116997b05/upgrade.properties

@@ -1,4 +0,0 @@
-description: Introduce re-use expressions
-compatibility: partial
-expr_reuse.rel: delete
-exprs.rel: run exprs.qlo

cpp/downgrades/abfce5c170f93e281948f7689ece373464fdaf87/expr_reuse.ql

@@ -1,7 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-from Expr reuse, Expr original
-where expr_reuse(reuse, original, _)
-select reuse, original

cpp/downgrades/abfce5c170f93e281948f7689ece373464fdaf87/expr_types.ql

@@ -1,22 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Type extends @type {
-  string toString() { none() }
-}
-
-predicate existingType(Expr expr, Type type, int value_category) {
-  expr_types(expr, type, value_category)
-}
-
-predicate reuseType(Expr reuse, Type type, int value_category) {
-  exists(Expr original |
-    expr_reuse(reuse, original, value_category) and
-    expr_types(original, type, _)
-  )
-}
-
-from Expr expr, Type type, int value_category
-where existingType(expr, type, value_category) or reuseType(expr, type, value_category)
-select expr, type, value_category

cpp/downgrades/abfce5c170f93e281948f7689ece373464fdaf87/upgrade.properties

@@ -1,4 +0,0 @@
-description: Add value category to expr_reuse table
-compatibility: full
-expr_reuse.rel: run expr_reuse.qlo
-expr_types.rel: run expr_types.qlo

cpp/ql/lib/CHANGELOG.md

@@ -1,32 +1,3 @@
-## 0.12.10
-
-### New Features
-
-* Added a `TaintInheritingContent` class that can be extended to model taint flowing from a qualifier to a field.
-* Added a predicate `GuardCondition.comparesEq/4` to query whether an expression is compared to a constant. 
-* Added a predicate `GuardCondition.ensuresEq/4` to query whether a basic block is guarded by an expression being equal to a constant.
-* Added a predicate `GuardCondition.comparesLt/4` to query whether an expression is compared to a constant. 
-* Added a predicate `GuardCondition.ensuresLt/4` to query whether a basic block is guarded by an expression being less than a constant.
-* Added a predicate `GuardCondition.valueControls` to query whether a basic block is guarded by a particular `case` of a `switch` statement.
-
-### Minor Analysis Improvements
-
-* Added destructors for temporary objects with extended lifetimes to the intermediate representation.
-
-## 0.12.9
-
-No user-facing changes.
-
-## 0.12.8
-
-No user-facing changes.
-
-## 0.12.7
-
-### Minor Analysis Improvements
-
-* Added destructors for named objects to the intermediate representation.
-
 ## 0.12.6
 
 ### New Features

cpp/ql/lib/change-notes/2024-02-26-ir-named-destructors.md

@@ -1,5 +1,4 @@
-## 0.12.7
-
-### Minor Analysis Improvements
-
-* Added destructors for named objects to the intermediate representation.
+---
+category: minorAnalysis
+---
+* Added destructors for named objects to the intermediate representation.

cpp/ql/lib/change-notes/released/0.12.10.md

@@ -1,14 +0,0 @@
-## 0.12.10
-
-### New Features
-
-* Added a `TaintInheritingContent` class that can be extended to model taint flowing from a qualifier to a field.
-* Added a predicate `GuardCondition.comparesEq/4` to query whether an expression is compared to a constant. 
-* Added a predicate `GuardCondition.ensuresEq/4` to query whether a basic block is guarded by an expression being equal to a constant.
-* Added a predicate `GuardCondition.comparesLt/4` to query whether an expression is compared to a constant. 
-* Added a predicate `GuardCondition.ensuresLt/4` to query whether a basic block is guarded by an expression being less than a constant.
-* Added a predicate `GuardCondition.valueControls` to query whether a basic block is guarded by a particular `case` of a `switch` statement.
-
-### Minor Analysis Improvements
-
-* Added destructors for temporary objects with extended lifetimes to the intermediate representation.

cpp/ql/lib/change-notes/released/0.12.8.md

@@ -1,3 +0,0 @@
-## 0.12.8
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/0.12.9.md

@@ -1,3 +0,0 @@
-## 0.12.9
-
-No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.12.10
+lastReleaseVersion: 0.12.6

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.12.10
+version: 0.12.7-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -309,12 +309,9 @@ class ExprNode extends AstNode {
   override AstNode getChildInternal(int childIndex) {
     result.getAst() = expr.getChild(childIndex)
     or
-    childIndex = max(int index | exists(expr.getChild(index)) or index = 0) + 1 and
-    result.getAst() = expr.(ConditionDeclExpr).getInitializingExpr()
-    or
     exists(int destructorIndex |
       result.getAst() = expr.getImplicitDestructorCall(destructorIndex) and
-      childIndex = destructorIndex + max(int index | exists(expr.getChild(index)) or index = 0) + 2
+      childIndex = destructorIndex + max(int index | exists(expr.getChild(index)) or index = 0) + 1
     )
   }
 
@@ -689,8 +686,6 @@ private string getChildAccessorWithoutConversions(Locatable parent, Element chil
       not namedExprChildPredicates(expr, child, _) and
       exists(int n | expr.getChild(n) = child and result = "getChild(" + n + ")")
       or
-      expr.(ConditionDeclExpr).getInitializingExpr() = child and result = "getInitializingExpr()"
-      or
       exists(int n |
         expr.getImplicitDestructorCall(n) = child and
         result = "getImplicitDestructorCall(" + n + ")"

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -590,33 +590,6 @@ class TemplateVariable extends Variable {
   Variable getAnInstantiation() { result.isConstructedFrom(this) }
 }
 
-/**
- * A variable that is an instantiation of a template. For example
- * the instantiation `myTemplateVariable<int>` in the following code:
- * ```
- * template<class T>
- * T myTemplateVariable;
- *
- * void caller(int i) {
- *   myTemplateVariable<int> = i;
- * }
- * ```
- */
-class VariableTemplateInstantiation extends Variable {
-  TemplateVariable tv;
-
-  VariableTemplateInstantiation() { tv.getAnInstantiation() = this }
-
-  override string getAPrimaryQlClass() { result = "VariableTemplateInstantiation" }
-
-  /**
-   * Gets the variable template from which this instantiation was instantiated.
-   *
-   * Example: For `int x<int>`, returns `T x`.
-   */
-  TemplateVariable getTemplate() { result = tv }
-}
-
 /**
  * A non-static local variable or parameter that is not part of an
  * uninstantiated template. Uninstantiated templates are purely syntax, and

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -20,44 +20,6 @@ private predicate isUnreachedBlock(IRBlock block) {
   block.getFirstInstruction() instanceof UnreachedInstruction
 }
 
-private newtype TAbstractValue =
-  TBooleanValue(boolean b) { b = true or b = false } or
-  TMatchValue(CaseEdge c)
-
-/**
- * An abstract value. This is either a boolean value, or a `switch` case.
- */
-abstract class AbstractValue extends TAbstractValue {
-  /** Gets an abstract value that represents the dual of this value, if any. */
-  abstract AbstractValue getDualValue();
-
-  /** Gets a textual representation of this abstract value. */
-  abstract string toString();
-}
-
-/** A Boolean value. */
-class BooleanValue extends AbstractValue, TBooleanValue {
-  /** Gets the underlying Boolean value. */
-  boolean getValue() { this = TBooleanValue(result) }
-
-  override BooleanValue getDualValue() { result.getValue() = this.getValue().booleanNot() }
-
-  override string toString() { result = this.getValue().toString() }
-}
-
-/** A value that represents a match against a specific `switch` case. */
-class MatchValue extends AbstractValue, TMatchValue {
-  /** Gets the case. */
-  CaseEdge getCase() { this = TMatchValue(result) }
-
-  override MatchValue getDualValue() {
-    // A `MatchValue` has no dual.
-    none()
-  }
-
-  override string toString() { result = this.getCase().toString() }
-}
-
 /**
  * A Boolean condition in the AST that guards one or more basic blocks. This includes
  * operands of logical operators but not switch statements.
@@ -72,15 +34,6 @@ class GuardCondition extends Expr {
     this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
   }
 
-  /**
-   * Holds if this condition controls `controlled`, meaning that `controlled` is only
-   * entered if the value of this condition is `v`.
-   *
-   * For details on what "controls" mean, see the QLDoc for `controls`.
-   */
-  cached
-  predicate valueControls(BasicBlock controlled, AbstractValue v) { none() }
-
   /**
    * Holds if this condition controls `controlled`, meaning that `controlled` is only
    * entered if the value of this condition is `testIsTrue`.
@@ -108,9 +61,7 @@ class GuardCondition extends Expr {
    * true (for `&&`) or false (for `||`) branch.
    */
   cached
-  final predicate controls(BasicBlock controlled, boolean testIsTrue) {
-    this.valueControls(controlled, any(BooleanValue bv | bv.getValue() = testIsTrue))
-  }
+  predicate controls(BasicBlock controlled, boolean testIsTrue) { none() }
 
   /** Holds if (determined by this guard) `left < right + k` evaluates to `isLessThan` if this expression evaluates to `testIsTrue`. */
   cached
@@ -125,20 +76,6 @@ class GuardCondition extends Expr {
   cached
   predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) { none() }
 
-  /**
-   * Holds if (determined by this guard) `e < k` evaluates to `isLessThan` if
-   * this expression evaluates to `value`.
-   */
-  cached
-  predicate comparesLt(Expr e, int k, boolean isLessThan, AbstractValue value) { none() }
-
-  /**
-   * Holds if (determined by this guard) `e < k` must be `isLessThan` in `block`.
-   * If `isLessThan = false` then this implies `e >= k`.
-   */
-  cached
-  predicate ensuresLt(Expr e, int k, BasicBlock block, boolean isLessThan) { none() }
-
   /** Holds if (determined by this guard) `left == right + k` evaluates to `areEqual` if this expression evaluates to `testIsTrue`. */
   cached
   predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
@@ -151,17 +88,6 @@ class GuardCondition extends Expr {
    */
   cached
   predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) { none() }
-
-  /** Holds if (determined by this guard) `e == k` evaluates to `areEqual` if this expression evaluates to `value`. */
-  cached
-  predicate comparesEq(Expr e, int k, boolean areEqual, AbstractValue value) { none() }
-
-  /**
-   * Holds if (determined by this guard) `e == k` must be `areEqual` in `block`.
-   * If `areEqual = false` then this implies `e != k`.
-   */
-  cached
-  predicate ensuresEq(Expr e, int k, BasicBlock block, boolean areEqual) { none() }
 }
 
 /**
@@ -172,13 +98,13 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
     this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
   }
 
-  override predicate valueControls(BasicBlock controlled, AbstractValue v) {
+  override predicate controls(BasicBlock controlled, boolean testIsTrue) {
     exists(BinaryLogicalOperation binop, GuardCondition lhs, GuardCondition rhs |
       this = binop and
       lhs = binop.getLeftOperand() and
       rhs = binop.getRightOperand() and
-      lhs.valueControls(controlled, v) and
-      rhs.valueControls(controlled, v)
+      lhs.controls(controlled, testIsTrue) and
+      rhs.controls(controlled, testIsTrue)
     )
   }
 
@@ -190,27 +116,12 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
     )
   }
 
-  override predicate comparesLt(Expr e, int k, boolean isLessThan, AbstractValue value) {
-    exists(BooleanValue partValue, GuardCondition part |
-      this.(BinaryLogicalOperation)
-          .impliesValue(part, partValue.getValue(), value.(BooleanValue).getValue())
-    |
-      part.comparesLt(e, k, isLessThan, partValue)
-    )
-  }
-
   override predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
     exists(boolean testIsTrue |
       this.comparesLt(left, right, k, isLessThan, testIsTrue) and this.controls(block, testIsTrue)
     )
   }
 
-  override predicate ensuresLt(Expr e, int k, BasicBlock block, boolean isLessThan) {
-    exists(AbstractValue value |
-      this.comparesLt(e, k, isLessThan, value) and this.valueControls(block, value)
-    )
-  }
-
   override predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
     exists(boolean partIsTrue, GuardCondition part |
       this.(BinaryLogicalOperation).impliesValue(part, partIsTrue, testIsTrue)
@@ -224,21 +135,6 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
       this.comparesEq(left, right, k, areEqual, testIsTrue) and this.controls(block, testIsTrue)
     )
   }
-
-  override predicate comparesEq(Expr e, int k, boolean areEqual, AbstractValue value) {
-    exists(BooleanValue partValue, GuardCondition part |
-      this.(BinaryLogicalOperation)
-          .impliesValue(part, partValue.getValue(), value.(BooleanValue).getValue())
-    |
-      part.comparesEq(e, k, areEqual, partValue)
-    )
-  }
-
-  override predicate ensuresEq(Expr e, int k, BasicBlock block, boolean areEqual) {
-    exists(AbstractValue value |
-      this.comparesEq(e, k, areEqual, value) and this.valueControls(block, value)
-    )
-  }
 }
 
 /**
@@ -250,12 +146,13 @@ private class GuardConditionFromIR extends GuardCondition {
 
   GuardConditionFromIR() { this = ir.getUnconvertedResultExpression() }
 
-  override predicate valueControls(BasicBlock controlled, AbstractValue v) {
+  override predicate controls(BasicBlock controlled, boolean testIsTrue) {
     // This condition must determine the flow of control; that is, this
     // node must be a top-level condition.
-    this.controlsBlock(controlled, v)
+    this.controlsBlock(controlled, testIsTrue)
   }
 
+  /** Holds if (determined by this guard) `left < right + k` evaluates to `isLessThan` if this expression evaluates to `testIsTrue`. */
   override predicate comparesLt(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
     exists(Instruction li, Instruction ri |
       li.getUnconvertedResultExpression() = left and
@@ -264,13 +161,10 @@ private class GuardConditionFromIR extends GuardCondition {
     )
   }
 
-  override predicate comparesLt(Expr e, int k, boolean isLessThan, AbstractValue value) {
-    exists(Instruction i |
-      i.getUnconvertedResultExpression() = e and
-      ir.comparesLt(i.getAUse(), k, isLessThan, value)
-    )
-  }
-
+  /**
+   * Holds if (determined by this guard) `left < right + k` must be `isLessThan` in `block`.
+   * If `isLessThan = false` then this implies `left >= right + k`.
+   */
   override predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
     exists(Instruction li, Instruction ri, boolean testIsTrue |
       li.getUnconvertedResultExpression() = left and
@@ -280,14 +174,7 @@ private class GuardConditionFromIR extends GuardCondition {
     )
   }
 
-  override predicate ensuresLt(Expr e, int k, BasicBlock block, boolean isLessThan) {
-    exists(Instruction i, AbstractValue value |
-      i.getUnconvertedResultExpression() = e and
-      ir.comparesLt(i.getAUse(), k, isLessThan, value) and
-      this.valueControls(block, value)
-    )
-  }
-
+  /** Holds if (determined by this guard) `left == right + k` evaluates to `areEqual` if this expression evaluates to `testIsTrue`. */
   override predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
     exists(Instruction li, Instruction ri |
       li.getUnconvertedResultExpression() = left and
@@ -296,6 +183,10 @@ private class GuardConditionFromIR extends GuardCondition {
     )
   }
 
+  /**
+   * Holds if (determined by this guard) `left == right + k` must be `areEqual` in `block`.
+   * If `areEqual = false` then this implies `left != right + k`.
+   */
   override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) {
     exists(Instruction li, Instruction ri, boolean testIsTrue |
       li.getUnconvertedResultExpression() = left and
@@ -305,30 +196,15 @@ private class GuardConditionFromIR extends GuardCondition {
     )
   }
 
-  override predicate comparesEq(Expr e, int k, boolean areEqual, AbstractValue value) {
-    exists(Instruction i |
-      i.getUnconvertedResultExpression() = e and
-      ir.comparesEq(i.getAUse(), k, areEqual, value)
-    )
-  }
-
-  override predicate ensuresEq(Expr e, int k, BasicBlock block, boolean areEqual) {
-    exists(Instruction i, AbstractValue value |
-      i.getUnconvertedResultExpression() = e and
-      ir.comparesEq(i.getAUse(), k, areEqual, value) and
-      this.valueControls(block, value)
-    )
-  }
-
   /**
    * Holds if this condition controls `block`, meaning that `block` is only
-   * entered if the value of this condition is `v`. This helper
+   * entered if the value of this condition is `testIsTrue`. This helper
    * predicate does not necessarily hold for binary logical operations like
    * `&&` and `||`. See the detailed explanation on predicate `controls`.
    */
-  private predicate controlsBlock(BasicBlock controlled, AbstractValue v) {
+  private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
     exists(IRBlock irb |
-      ir.valueControls(irb, v) and
+      ir.controls(irb, testIsTrue) and
       nonExcludedIRAndBasicBlock(irb, controlled) and
       not isUnreachedBlock(irb)
     )
@@ -373,28 +249,10 @@ private predicate nonExcludedIRAndBasicBlock(IRBlock irb, BasicBlock controlled)
  */
 cached
 class IRGuardCondition extends Instruction {
-  Instruction branch;
+  ConditionalBranchInstruction branch;
 
   cached
-  IRGuardCondition() { branch = getBranchForCondition(this) }
-
-  /**
-   * Holds if this condition controls `controlled`, meaning that `controlled` is only
-   * entered if the value of this condition is `v`.
-   *
-   * For details on what "controls" mean, see the QLDoc for `controls`.
-   */
-  cached
-  predicate valueControls(IRBlock controlled, AbstractValue v) {
-    // This condition must determine the flow of control; that is, this
-    // node must be a top-level condition.
-    this.controlsBlock(controlled, v)
-    or
-    exists(IRGuardCondition ne |
-      this = ne.(LogicalNotInstruction).getUnary() and
-      ne.valueControls(controlled, v.getDualValue())
-    )
-  }
+  IRGuardCondition() { branch = get_branch_for_condition(this) }
 
   /**
    * Holds if this condition controls `controlled`, meaning that `controlled` is only
@@ -424,25 +282,13 @@ class IRGuardCondition extends Instruction {
    */
   cached
   predicate controls(IRBlock controlled, boolean testIsTrue) {
-    this.valueControls(controlled, any(BooleanValue bv | bv.getValue() = testIsTrue))
-  }
-
-  /**
-   * Holds if the control-flow edge `(pred, succ)` may be taken only if
-   * the value of this condition is `v`.
-   */
-  cached
-  predicate valueControlsEdge(IRBlock pred, IRBlock succ, AbstractValue v) {
-    pred.getASuccessor() = succ and
-    this.valueControls(pred, v)
+    // This condition must determine the flow of control; that is, this
+    // node must be a top-level condition.
+    this.controlsBlock(controlled, testIsTrue)
     or
-    succ = this.getBranchSuccessor(v) and
-    (
-      branch.(ConditionalBranchInstruction).getCondition() = this and
-      branch.getBlock() = pred
-      or
-      branch.(SwitchInstruction).getExpression() = this and
-      branch.getBlock() = pred
+    exists(IRGuardCondition ne |
+      this = ne.(LogicalNotInstruction).getUnary() and
+      ne.controls(controlled, testIsTrue.booleanNot())
     )
   }
 
@@ -451,12 +297,17 @@ class IRGuardCondition extends Instruction {
    * the value of this condition is `testIsTrue`.
    */
   cached
-  final predicate controlsEdge(IRBlock pred, IRBlock succ, boolean testIsTrue) {
-    this.valueControlsEdge(pred, succ, any(BooleanValue bv | bv.getValue() = testIsTrue))
+  predicate controlsEdge(IRBlock pred, IRBlock succ, boolean testIsTrue) {
+    pred.getASuccessor() = succ and
+    this.controls(pred, testIsTrue)
+    or
+    succ = this.getBranchSuccessor(testIsTrue) and
+    branch.getCondition() = this and
+    branch.getBlock() = pred
   }
 
   /**
-   * Gets the block to which `branch` jumps directly when the value of this condition is `v`.
+   * Gets the block to which `branch` jumps directly when this condition is `testIsTrue`.
    *
    * This predicate is intended to help with situations in which an inference can only be made
    * based on an edge between a block with multiple successors and a block with multiple
@@ -470,39 +321,21 @@ class IRGuardCondition extends Instruction {
    * return x;
    * ```
    */
-  private IRBlock getBranchSuccessor(AbstractValue v) {
-    branch.(ConditionalBranchInstruction).getCondition() = this and
-    exists(BooleanValue bv | bv = v |
-      bv.getValue() = true and
-      result.getFirstInstruction() = branch.(ConditionalBranchInstruction).getTrueSuccessor()
+  private IRBlock getBranchSuccessor(boolean testIsTrue) {
+    branch.getCondition() = this and
+    (
+      testIsTrue = true and
+      result.getFirstInstruction() = branch.getTrueSuccessor()
       or
-      bv.getValue() = false and
-      result.getFirstInstruction() = branch.(ConditionalBranchInstruction).getFalseSuccessor()
-    )
-    or
-    exists(SwitchInstruction switch, CaseEdge kind | switch = branch |
-      switch.getExpression() = this and
-      result.getFirstInstruction() = switch.getSuccessor(kind) and
-      kind = v.(MatchValue).getCase()
+      testIsTrue = false and
+      result.getFirstInstruction() = branch.getFalseSuccessor()
     )
   }
 
   /** Holds if (determined by this guard) `left < right + k` evaluates to `isLessThan` if this expression evaluates to `testIsTrue`. */
   cached
   predicate comparesLt(Operand left, Operand right, int k, boolean isLessThan, boolean testIsTrue) {
-    exists(BooleanValue value |
-      compares_lt(this, left, right, k, isLessThan, value) and
-      value.getValue() = testIsTrue
-    )
-  }
-
-  /**
-   * Holds if (determined by this guard) `op < k` evaluates to `isLessThan` if
-   * this expression evaluates to `value`.
-   */
-  cached
-  predicate comparesLt(Operand op, int k, boolean isLessThan, AbstractValue value) {
-    compares_lt(this, op, k, isLessThan, value)
+    compares_lt(this, left, right, k, isLessThan, testIsTrue)
   }
 
   /**
@@ -511,19 +344,8 @@ class IRGuardCondition extends Instruction {
    */
   cached
   predicate ensuresLt(Operand left, Operand right, int k, IRBlock block, boolean isLessThan) {
-    exists(AbstractValue value |
-      compares_lt(this, left, right, k, isLessThan, value) and this.valueControls(block, value)
-    )
-  }
-
-  /**
-   * Holds if (determined by this guard) `op < k` must be `isLessThan` in `block`.
-   * If `isLessThan = false` then this implies `op >= k`.
-   */
-  cached
-  predicate ensuresLt(Operand op, int k, IRBlock block, boolean isLessThan) {
-    exists(AbstractValue value |
-      compares_lt(this, op, k, isLessThan, value) and this.valueControls(block, value)
+    exists(boolean testIsTrue |
+      compares_lt(this, left, right, k, isLessThan, testIsTrue) and this.controls(block, testIsTrue)
     )
   }
 
@@ -535,37 +357,16 @@ class IRGuardCondition extends Instruction {
   predicate ensuresLtEdge(
     Operand left, Operand right, int k, IRBlock pred, IRBlock succ, boolean isLessThan
   ) {
-    exists(AbstractValue value |
-      compares_lt(this, left, right, k, isLessThan, value) and
-      this.valueControlsEdge(pred, succ, value)
-    )
-  }
-
-  /**
-   * Holds if (determined by this guard) `op < k` must be `isLessThan` on the edge from
-   * `pred` to `succ`. If `isLessThan = false` then this implies `op >= k`.
-   */
-  cached
-  predicate ensuresLtEdge(Operand left, int k, IRBlock pred, IRBlock succ, boolean isLessThan) {
-    exists(AbstractValue value |
-      compares_lt(this, left, k, isLessThan, value) and
-      this.valueControlsEdge(pred, succ, value)
+    exists(boolean testIsTrue |
+      compares_lt(this, left, right, k, isLessThan, testIsTrue) and
+      this.controlsEdge(pred, succ, testIsTrue)
     )
   }
 
   /** Holds if (determined by this guard) `left == right + k` evaluates to `areEqual` if this expression evaluates to `testIsTrue`. */
   cached
   predicate comparesEq(Operand left, Operand right, int k, boolean areEqual, boolean testIsTrue) {
-    exists(BooleanValue value |
-      compares_eq(this, left, right, k, areEqual, value) and
-      value.getValue() = testIsTrue
-    )
-  }
-
-  /** Holds if (determined by this guard) `op == k` evaluates to `areEqual` if this expression evaluates to `value`. */
-  cached
-  predicate comparesEq(Operand op, int k, boolean areEqual, AbstractValue value) {
-    compares_eq(this, op, k, areEqual, value)
+    compares_eq(this, left, right, k, areEqual, testIsTrue)
   }
 
   /**
@@ -574,19 +375,8 @@ class IRGuardCondition extends Instruction {
    */
   cached
   predicate ensuresEq(Operand left, Operand right, int k, IRBlock block, boolean areEqual) {
-    exists(AbstractValue value |
-      compares_eq(this, left, right, k, areEqual, value) and this.valueControls(block, value)
-    )
-  }
-
-  /**
-   * Holds if (determined by this guard) `op == k` must be `areEqual` in `block`.
-   * If `areEqual = false` then this implies `op != k`.
-   */
-  cached
-  predicate ensuresEq(Operand op, int k, IRBlock block, boolean areEqual) {
-    exists(AbstractValue value |
-      compares_eq(this, op, k, areEqual, value) and this.valueControls(block, value)
+    exists(boolean testIsTrue |
+      compares_eq(this, left, right, k, areEqual, testIsTrue) and this.controls(block, testIsTrue)
     )
   }
 
@@ -598,31 +388,19 @@ class IRGuardCondition extends Instruction {
   predicate ensuresEqEdge(
     Operand left, Operand right, int k, IRBlock pred, IRBlock succ, boolean areEqual
   ) {
-    exists(AbstractValue value |
-      compares_eq(this, left, right, k, areEqual, value) and
-      this.valueControlsEdge(pred, succ, value)
-    )
-  }
-
-  /**
-   * Holds if (determined by this guard) `op == k` must be `areEqual` on the edge from
-   * `pred` to `succ`. If `areEqual = false` then this implies `op != k`.
-   */
-  cached
-  predicate ensuresEqEdge(Operand op, int k, IRBlock pred, IRBlock succ, boolean areEqual) {
-    exists(AbstractValue value |
-      compares_eq(this, op, k, areEqual, value) and
-      this.valueControlsEdge(pred, succ, value)
+    exists(boolean testIsTrue |
+      compares_eq(this, left, right, k, areEqual, testIsTrue) and
+      this.controlsEdge(pred, succ, testIsTrue)
     )
   }
 
   /**
    * Holds if this condition controls `block`, meaning that `block` is only
-   * entered if the value of this condition is `v`. This helper
+   * entered if the value of this condition is `testIsTrue`. This helper
    * predicate does not necessarily hold for binary logical operations like
    * `&&` and `||`. See the detailed explanation on predicate `controls`.
    */
-  private predicate controlsBlock(IRBlock controlled, AbstractValue v) {
+  private predicate controlsBlock(IRBlock controlled, boolean testIsTrue) {
     not isUnreachedBlock(controlled) and
     //
     // For this block to control the block `controlled` with `testIsTrue` the
@@ -663,7 +441,7 @@ class IRGuardCondition extends Instruction {
     // that `this` strictly dominates `controlled` so that isn't necessary to check
     // directly.
     exists(IRBlock succ |
-      succ = this.getBranchSuccessor(v) and
+      succ = this.getBranchSuccessor(testIsTrue) and
       this.hasDominatingEdgeTo(succ) and
       succ.dominates(controlled)
     )
@@ -698,14 +476,12 @@ class IRGuardCondition extends Instruction {
   private IRBlock getBranchBlock() { result = branch.getBlock() }
 }
 
-private Instruction getBranchForCondition(Instruction guard) {
-  result.(ConditionalBranchInstruction).getCondition() = guard
+private ConditionalBranchInstruction get_branch_for_condition(Instruction guard) {
+  result.getCondition() = guard
   or
   exists(LogicalNotInstruction cond |
-    result = getBranchForCondition(cond) and cond.getUnary() = guard
+    result = get_branch_for_condition(cond) and cond.getUnary() = guard
   )
-  or
-  result.(SwitchInstruction).getExpression() = guard
 }
 
 /**
@@ -714,98 +490,52 @@ private Instruction getBranchForCondition(Instruction guard) {
  * Beware making mistaken logical implications here relating `areEqual` and `testIsTrue`.
  */
 private predicate compares_eq(
-  Instruction test, Operand left, Operand right, int k, boolean areEqual, AbstractValue value
+  Instruction test, Operand left, Operand right, int k, boolean areEqual, boolean testIsTrue
 ) {
   /* The simple case where the test *is* the comparison so areEqual = testIsTrue xor eq. */
-  exists(AbstractValue v | simple_comparison_eq(test, left, right, k, v) |
-    areEqual = true and value = v
+  exists(boolean eq | simple_comparison_eq(test, left, right, k, eq) |
+    areEqual = true and testIsTrue = eq
     or
-    areEqual = false and value = v.getDualValue()
+    areEqual = false and testIsTrue = eq.booleanNot()
   )
   or
   // I think this is handled by forwarding in controlsBlock.
   //or
   //logical_comparison_eq(test, left, right, k, areEqual, testIsTrue)
   /* a == b + k => b == a - k */
-  exists(int mk | k = -mk | compares_eq(test, right, left, mk, areEqual, value))
+  exists(int mk | k = -mk | compares_eq(test, right, left, mk, areEqual, testIsTrue))
   or
-  complex_eq(test, left, right, k, areEqual, value)
+  complex_eq(test, left, right, k, areEqual, testIsTrue)
   or
   /* (x is true => (left == right + k)) => (!x is false => (left == right + k)) */
-  exists(AbstractValue dual | value = dual.getDualValue() |
-    compares_eq(test.(LogicalNotInstruction).getUnary(), left, right, k, areEqual, dual)
-  )
-}
-
-/** Holds if `op == k` is `areEqual` given that `test` is equal to `value`. */
-private predicate compares_eq(
-  Instruction test, Operand op, int k, boolean areEqual, AbstractValue value
-) {
-  /* The simple case where the test *is* the comparison so areEqual = testIsTrue xor eq. */
-  exists(AbstractValue v | simple_comparison_eq(test, op, k, v) |
-    areEqual = true and value = v
-    or
-    areEqual = false and value = v.getDualValue()
-  )
-  or
-  complex_eq(test, op, k, areEqual, value)
-  or
-  /* (x is true => (op == k)) => (!x is false => (op == k)) */
-  exists(AbstractValue dual | value = dual.getDualValue() |
-    compares_eq(test.(LogicalNotInstruction).getUnary(), op, k, areEqual, dual)
-  )
-  or
-  // ((test is `areEqual` => op == const + k2) and const == `k1`) =>
-  // test is `areEqual` => op == k1 + k2
-  exists(int k1, int k2, ConstantInstruction const |
-    compares_eq(test, op, const.getAUse(), k2, areEqual, value) and
-    int_value(const) = k1 and
-    k = k1 + k2
+  exists(boolean isFalse | testIsTrue = isFalse.booleanNot() |
+    compares_eq(test.(LogicalNotInstruction).getUnary(), left, right, k, areEqual, isFalse)
   )
 }
 
 /** Rearrange various simple comparisons into `left == right + k` form. */
 private predicate simple_comparison_eq(
-  CompareInstruction cmp, Operand left, Operand right, int k, AbstractValue value
+  CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual
 ) {
   left = cmp.getLeftOperand() and
   cmp instanceof CompareEQInstruction and
   right = cmp.getRightOperand() and
   k = 0 and
-  value.(BooleanValue).getValue() = true
+  areEqual = true
   or
   left = cmp.getLeftOperand() and
   cmp instanceof CompareNEInstruction and
   right = cmp.getRightOperand() and
   k = 0 and
-  value.(BooleanValue).getValue() = false
-}
-
-/** Rearrange various simple comparisons into `op == k` form. */
-private predicate simple_comparison_eq(Instruction test, Operand op, int k, AbstractValue value) {
-  exists(SwitchInstruction switch, CaseEdge case |
-    test = switch.getExpression() and
-    op.getDef() = test and
-    case = value.(MatchValue).getCase() and
-    exists(switch.getSuccessor(case)) and
-    case.getValue().toInt() = k
-  )
+  areEqual = false
 }
 
 private predicate complex_eq(
-  CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, AbstractValue value
+  CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, boolean testIsTrue
 ) {
-  sub_eq(cmp, left, right, k, areEqual, value)
+  sub_eq(cmp, left, right, k, areEqual, testIsTrue)
   or
-  add_eq(cmp, left, right, k, areEqual, value)
-}
-
-private predicate complex_eq(
-  Instruction test, Operand op, int k, boolean areEqual, AbstractValue value
-) {
-  sub_eq(test, op, k, areEqual, value)
-  or
-  add_eq(test, op, k, areEqual, value)
+  add_eq(cmp, left, right, k, areEqual, testIsTrue)
 }
 
 /*
@@ -815,46 +545,31 @@ private predicate complex_eq(
 
 /** Holds if `left < right + k` evaluates to `isLt` given that test is `testIsTrue`. */
 private predicate compares_lt(
-  Instruction test, Operand left, Operand right, int k, boolean isLt, AbstractValue value
+  Instruction test, Operand left, Operand right, int k, boolean isLt, boolean testIsTrue
 ) {
   /* In the simple case, the test is the comparison, so isLt = testIsTrue */
-  simple_comparison_lt(test, left, right, k) and
-  value.(BooleanValue).getValue() = isLt
+  simple_comparison_lt(test, left, right, k) and isLt = true and testIsTrue = true
   or
-  complex_lt(test, left, right, k, isLt, value)
+  simple_comparison_lt(test, left, right, k) and isLt = false and testIsTrue = false
+  or
+  complex_lt(test, left, right, k, isLt, testIsTrue)
   or
   /* (not (left < right + k)) => (left >= right + k) */
-  exists(boolean isGe | isLt = isGe.booleanNot() | compares_ge(test, left, right, k, isGe, value))
+  exists(boolean isGe | isLt = isGe.booleanNot() |
+    compares_ge(test, left, right, k, isGe, testIsTrue)
+  )
   or
   /* (x is true => (left < right + k)) => (!x is false => (left < right + k)) */
-  exists(AbstractValue dual | value = dual.getDualValue() |
-    compares_lt(test.(LogicalNotInstruction).getUnary(), left, right, k, isLt, dual)
-  )
-}
-
-/** Holds if `op < k` evaluates to `isLt` given that `test` evaluates to `value`. */
-private predicate compares_lt(Instruction test, Operand op, int k, boolean isLt, AbstractValue value) {
-  simple_comparison_lt(test, op, k, isLt, value)
-  or
-  complex_lt(test, op, k, isLt, value)
-  or
-  /* (x is true => (op < k)) => (!x is false => (op < k)) */
-  exists(AbstractValue dual | value = dual.getDualValue() |
-    compares_lt(test.(LogicalNotInstruction).getUnary(), op, k, isLt, dual)
-  )
-  or
-  exists(int k1, int k2, ConstantInstruction const |
-    compares_lt(test, op, const.getAUse(), k2, isLt, value) and
-    int_value(const) = k1 and
-    k = k1 + k2
+  exists(boolean isFalse | testIsTrue = isFalse.booleanNot() |
+    compares_lt(test.(LogicalNotInstruction).getUnary(), left, right, k, isLt, isFalse)
   )
 }
 
 /** `(a < b + k) => (b > a - k) => (b >= a + (1-k))` */
 private predicate compares_ge(
-  Instruction test, Operand left, Operand right, int k, boolean isGe, AbstractValue value
+  Instruction test, Operand left, Operand right, int k, boolean isGe, boolean testIsTrue
 ) {
-  exists(int onemk | k = 1 - onemk | compares_lt(test, right, left, onemk, isGe, value))
+  exists(int onemk | k = 1 - onemk | compares_lt(test, right, left, onemk, isGe, testIsTrue))
 }
 
 /** Rearrange various simple comparisons into `left < right + k` form. */
@@ -880,99 +595,55 @@ private predicate simple_comparison_lt(CompareInstruction cmp, Operand left, Ope
   k = 1
 }
 
-/** Rearrange various simple comparisons into `op < k` form. */
-private predicate simple_comparison_lt(
-  Instruction test, Operand op, int k, boolean isLt, AbstractValue value
-) {
-  exists(SwitchInstruction switch, CaseEdge case |
-    test = switch.getExpression() and
-    op.getDef() = test and
-    case = value.(MatchValue).getCase() and
-    exists(switch.getSuccessor(case)) and
-    case.getMaxValue() > case.getMinValue()
-  |
-    // op <= k => op < k - 1
-    isLt = true and
-    case.getMaxValue().toInt() = k - 1
-    or
-    isLt = false and
-    case.getMinValue().toInt() = k
-  )
-}
-
 private predicate complex_lt(
-  CompareInstruction cmp, Operand left, Operand right, int k, boolean isLt, AbstractValue value
+  CompareInstruction cmp, Operand left, Operand right, int k, boolean isLt, boolean testIsTrue
 ) {
-  sub_lt(cmp, left, right, k, isLt, value)
+  sub_lt(cmp, left, right, k, isLt, testIsTrue)
   or
-  add_lt(cmp, left, right, k, isLt, value)
-}
-
-private predicate complex_lt(
-  Instruction test, Operand left, int k, boolean isLt, AbstractValue value
-) {
-  sub_lt(test, left, k, isLt, value)
-  or
-  add_lt(test, left, k, isLt, value)
+  add_lt(cmp, left, right, k, isLt, testIsTrue)
 }
 
 // left - x < right + c => left < right + (c+x)
 // left < (right - x) + c => left < right + (c-x)
 private predicate sub_lt(
-  CompareInstruction cmp, Operand left, Operand right, int k, boolean isLt, AbstractValue value
+  CompareInstruction cmp, Operand left, Operand right, int k, boolean isLt, boolean testIsTrue
 ) {
   exists(SubInstruction lhs, int c, int x |
-    compares_lt(cmp, lhs.getAUse(), right, c, isLt, value) and
+    compares_lt(cmp, lhs.getAUse(), right, c, isLt, testIsTrue) and
     left = lhs.getLeftOperand() and
     x = int_value(lhs.getRight()) and
     k = c + x
   )
   or
   exists(SubInstruction rhs, int c, int x |
-    compares_lt(cmp, left, rhs.getAUse(), c, isLt, value) and
+    compares_lt(cmp, left, rhs.getAUse(), c, isLt, testIsTrue) and
     right = rhs.getLeftOperand() and
     x = int_value(rhs.getRight()) and
     k = c - x
   )
   or
   exists(PointerSubInstruction lhs, int c, int x |
-    compares_lt(cmp, lhs.getAUse(), right, c, isLt, value) and
+    compares_lt(cmp, lhs.getAUse(), right, c, isLt, testIsTrue) and
     left = lhs.getLeftOperand() and
     x = int_value(lhs.getRight()) and
     k = c + x
   )
   or
   exists(PointerSubInstruction rhs, int c, int x |
-    compares_lt(cmp, left, rhs.getAUse(), c, isLt, value) and
+    compares_lt(cmp, left, rhs.getAUse(), c, isLt, testIsTrue) and
     right = rhs.getLeftOperand() and
     x = int_value(rhs.getRight()) and
     k = c - x
   )
 }
 
-private predicate sub_lt(Instruction test, Operand left, int k, boolean isLt, AbstractValue value) {
-  exists(SubInstruction lhs, int c, int x |
-    compares_lt(test, lhs.getAUse(), c, isLt, value) and
-    left = lhs.getLeftOperand() and
-    x = int_value(lhs.getRight()) and
-    k = c + x
-  )
-  or
-  exists(PointerSubInstruction lhs, int c, int x |
-    compares_lt(test, lhs.getAUse(), c, isLt, value) and
-    left = lhs.getLeftOperand() and
-    x = int_value(lhs.getRight()) and
-    k = c + x
-  )
-}
-
 // left + x < right + c => left < right + (c-x)
 // left < (right + x) + c => left < right + (c+x)
 private predicate add_lt(
-  CompareInstruction cmp, Operand left, Operand right, int k, boolean isLt, AbstractValue value
+  CompareInstruction cmp, Operand left, Operand right, int k, boolean isLt, boolean testIsTrue
 ) {
   exists(AddInstruction lhs, int c, int x |
-    compares_lt(cmp, lhs.getAUse(), right, c, isLt, value) and
+    compares_lt(cmp, lhs.getAUse(), right, c, isLt, testIsTrue) and
     (
       left = lhs.getLeftOperand() and x = int_value(lhs.getRight())
       or
@@ -982,7 +653,7 @@ private predicate add_lt(
   )
   or
   exists(AddInstruction rhs, int c, int x |
-    compares_lt(cmp, left, rhs.getAUse(), c, isLt, value) and
+    compares_lt(cmp, left, rhs.getAUse(), c, isLt, testIsTrue) and
     (
       right = rhs.getLeftOperand() and x = int_value(rhs.getRight())
       or
@@ -992,7 +663,7 @@ private predicate add_lt(
   )
   or
   exists(PointerAddInstruction lhs, int c, int x |
-    compares_lt(cmp, lhs.getAUse(), right, c, isLt, value) and
+    compares_lt(cmp, lhs.getAUse(), right, c, isLt, testIsTrue) and
     (
       left = lhs.getLeftOperand() and x = int_value(lhs.getRight())
       or
@@ -1002,7 +673,7 @@ private predicate add_lt(
   )
   or
   exists(PointerAddInstruction rhs, int c, int x |
-    compares_lt(cmp, left, rhs.getAUse(), c, isLt, value) and
+    compares_lt(cmp, left, rhs.getAUse(), c, isLt, testIsTrue) and
     (
       right = rhs.getLeftOperand() and x = int_value(rhs.getRight())
       or
@@ -1012,86 +683,47 @@ private predicate add_lt(
   )
 }
 
-private predicate add_lt(Instruction test, Operand left, int k, boolean isLt, AbstractValue value) {
-  exists(AddInstruction lhs, int c, int x |
-    compares_lt(test, lhs.getAUse(), c, isLt, value) and
-    (
-      left = lhs.getLeftOperand() and x = int_value(lhs.getRight())
-      or
-      left = lhs.getRightOperand() and x = int_value(lhs.getLeft())
-    ) and
-    k = c - x
-  )
-  or
-  exists(PointerAddInstruction lhs, int c, int x |
-    compares_lt(test, lhs.getAUse(), c, isLt, value) and
-    (
-      left = lhs.getLeftOperand() and x = int_value(lhs.getRight())
-      or
-      left = lhs.getRightOperand() and x = int_value(lhs.getLeft())
-    ) and
-    k = c - x
-  )
-}
-
 // left - x == right + c => left == right + (c+x)
 // left == (right - x) + c => left == right + (c-x)
 private predicate sub_eq(
-  CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, AbstractValue value
+  CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, boolean testIsTrue
 ) {
   exists(SubInstruction lhs, int c, int x |
-    compares_eq(cmp, lhs.getAUse(), right, c, areEqual, value) and
+    compares_eq(cmp, lhs.getAUse(), right, c, areEqual, testIsTrue) and
     left = lhs.getLeftOperand() and
     x = int_value(lhs.getRight()) and
     k = c + x
   )
   or
   exists(SubInstruction rhs, int c, int x |
-    compares_eq(cmp, left, rhs.getAUse(), c, areEqual, value) and
+    compares_eq(cmp, left, rhs.getAUse(), c, areEqual, testIsTrue) and
     right = rhs.getLeftOperand() and
     x = int_value(rhs.getRight()) and
     k = c - x
   )
   or
   exists(PointerSubInstruction lhs, int c, int x |
-    compares_eq(cmp, lhs.getAUse(), right, c, areEqual, value) and
+    compares_eq(cmp, lhs.getAUse(), right, c, areEqual, testIsTrue) and
     left = lhs.getLeftOperand() and
     x = int_value(lhs.getRight()) and
     k = c + x
   )
   or
   exists(PointerSubInstruction rhs, int c, int x |
-    compares_eq(cmp, left, rhs.getAUse(), c, areEqual, value) and
+    compares_eq(cmp, left, rhs.getAUse(), c, areEqual, testIsTrue) and
     right = rhs.getLeftOperand() and
     x = int_value(rhs.getRight()) and
     k = c - x
   )
 }
 
-// op - x == c => op == (c+x)
-private predicate sub_eq(Instruction test, Operand op, int k, boolean areEqual, AbstractValue value) {
-  exists(SubInstruction sub, int c, int x |
-    compares_eq(test, sub.getAUse(), c, areEqual, value) and
-    op = sub.getLeftOperand() and
-    x = int_value(sub.getRight()) and
-    k = c + x
-  )
-  or
-  exists(PointerSubInstruction sub, int c, int x |
-    compares_eq(test, sub.getAUse(), c, areEqual, value) and
-    op = sub.getLeftOperand() and
-    x = int_value(sub.getRight()) and
-    k = c + x
-  )
-}
-
 // left + x == right + c => left == right + (c-x)
 // left == (right + x) + c => left == right + (c+x)
 private predicate add_eq(
-  CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, AbstractValue value
+  CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, boolean testIsTrue
 ) {
   exists(AddInstruction lhs, int c, int x |
-    compares_eq(cmp, lhs.getAUse(), right, c, areEqual, value) and
+    compares_eq(cmp, lhs.getAUse(), right, c, areEqual, testIsTrue) and
     (
       left = lhs.getLeftOperand() and x = int_value(lhs.getRight())
       or
@@ -1101,7 +733,7 @@ private predicate add_eq(
   )
   or
   exists(AddInstruction rhs, int c, int x |
-    compares_eq(cmp, left, rhs.getAUse(), c, areEqual, value) and
+    compares_eq(cmp, left, rhs.getAUse(), c, areEqual, testIsTrue) and
     (
       right = rhs.getLeftOperand() and x = int_value(rhs.getRight())
       or
@@ -1111,7 +743,7 @@ private predicate add_eq(
   )
   or
   exists(PointerAddInstruction lhs, int c, int x |
-    compares_eq(cmp, lhs.getAUse(), right, c, areEqual, value) and
+    compares_eq(cmp, lhs.getAUse(), right, c, areEqual, testIsTrue) and
     (
       left = lhs.getLeftOperand() and x = int_value(lhs.getRight())
       or
@@ -1121,7 +753,7 @@ private predicate add_eq(
   )
   or
   exists(PointerAddInstruction rhs, int c, int x |
-    compares_eq(cmp, left, rhs.getAUse(), c, areEqual, value) and
+    compares_eq(cmp, left, rhs.getAUse(), c, areEqual, testIsTrue) and
     (
       right = rhs.getLeftOperand() and x = int_value(rhs.getRight())
       or
@@ -1131,30 +763,5 @@ private predicate add_eq(
   )
 }
 
-// left + x == right + c => left == right + (c-x)
-private predicate add_eq(
-  Instruction test, Operand left, int k, boolean areEqual, AbstractValue value
-) {
-  exists(AddInstruction lhs, int c, int x |
-    compares_eq(test, lhs.getAUse(), c, areEqual, value) and
-    (
-      left = lhs.getLeftOperand() and x = int_value(lhs.getRight())
-      or
-      left = lhs.getRightOperand() and x = int_value(lhs.getLeft())
-    ) and
-    k = c - x
-  )
-  or
-  exists(PointerAddInstruction lhs, int c, int x |
-    compares_eq(test, lhs.getAUse(), c, areEqual, value) and
-    (
-      left = lhs.getLeftOperand() and x = int_value(lhs.getRight())
-      or
-      left = lhs.getRightOperand() and x = int_value(lhs.getLeft())
-    ) and
-    k = c - x
-  )
-}
-
 /** The int value of integer constant expression. */
 private int int_value(Instruction i) { result = i.(IntegerConstantInstruction).getValue().toInt() }

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll

@@ -28,6 +28,6 @@ import cpp
 deprecated module DataFlow {
   private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific
   private import codeql.dataflow.DataFlow
-  import DataFlowMake<Location, CppOldDataFlow>
+  import DataFlowMake<CppOldDataFlow>
   import semmle.code.cpp.dataflow.internal.DataFlowImpl1
 }

cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll

@@ -29,6 +29,6 @@ deprecated module TaintTracking {
   private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific
   private import semmle.code.cpp.dataflow.internal.TaintTrackingImplSpecific
   private import codeql.dataflow.TaintTracking
-  import TaintFlowMake<Location, CppOldDataFlow, CppOldTaintTracking>
+  import TaintFlowMake<CppOldDataFlow, CppOldTaintTracking>
   import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingImpl
 }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -2,7 +2,6 @@
  * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
  */
 
-private import semmle.code.cpp.Location
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImpl
-import MakeImpl<Location, CppOldDataFlow>
+import MakeImpl<CppOldDataFlow>

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -285,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -285,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -285,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -285,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -2,7 +2,6 @@
  * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
  */
 
-private import semmle.code.cpp.Location
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImplCommon
-import MakeImplCommon<Location, CppOldDataFlow>
+import MakeImplCommon<CppOldDataFlow>

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific
 private import TaintTrackingImplSpecific
 private import codeql.dataflow.internal.DataFlowImplConsistency
 
-private module Input implements InputSig<Location, CppOldDataFlow> {
+private module Input implements InputSig<CppOldDataFlow> {
   predicate argHasPostUpdateExclude(Private::ArgumentNode n) {
     // Is the null pointer (or something that's not really a pointer)
     exists(n.asExpr().getValue())
@@ -26,4 +26,4 @@ private module Input implements InputSig<Location, CppOldDataFlow> {
   }
 }
 
-module Consistency = MakeConsistency<Location, CppOldDataFlow, CppOldTaintTracking, Input>;
+module Consistency = MakeConsistency<CppOldDataFlow, CppOldTaintTracking, Input>;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -285,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplSpecific.qll

@@ -4,7 +4,6 @@
  * Provides C++-specific definitions for use in the data flow library.
  */
 
-private import semmle.code.cpp.Location
 private import codeql.dataflow.DataFlow
 
 module Private {
@@ -16,7 +15,7 @@ module Public {
   import DataFlowUtil
 }
 
-module CppOldDataFlow implements InputSig<Location> {
+module CppOldDataFlow implements InputSig {
   import Private
   import Public
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -105,7 +105,7 @@ class Node extends TNode {
    * For more information, see
    * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */
-  deprecated predicate hasLocationInfo(
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)

cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingImplSpecific.qll

@@ -4,10 +4,9 @@
  * Provides C++-specific definitions for use in the taint tracking library.
  */
 
-private import semmle.code.cpp.Location
 private import codeql.dataflow.TaintTracking
 private import DataFlowImplSpecific
 
-module CppOldTaintTracking implements InputSig<Location, CppOldDataFlow> {
+module CppOldTaintTracking implements InputSig<CppOldDataFlow> {
   import TaintTrackingUtil
 }

cpp/ql/lib/semmle/code/cpp/dataflow/new/DataFlow.qll

@@ -28,6 +28,6 @@ import cpp
 module DataFlow {
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
   private import codeql.dataflow.DataFlow
-  import DataFlowMake<Location, CppDataFlow>
+  import DataFlowMake<CppDataFlow>
   import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl1
 }

cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking.qll

@@ -27,7 +27,6 @@ module TaintTracking {
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
   private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
   private import codeql.dataflow.TaintTracking
-  private import semmle.code.cpp.Location
-  import TaintFlowMake<Location, CppDataFlow, CppTaintTracking>
+  import TaintFlowMake<CppDataFlow, CppTaintTracking>
   import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingImpl
 }

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -1322,31 +1322,3 @@ class CoYieldExpr extends UnaryOperation, @co_yield {
 
   override int getPrecedence() { result = 2 }
 }
-
-/**
- * An expression representing the re-use of another expression.
- *
- * In some specific cases an expression may be referred to outside its
- * original context. A re-use expression wraps any such reference. A
- * re-use expression can for example occur as the qualifier of an implicit
- * destructor called on a temporary object, where the original use of the
- * expression is in the definition of the temporary.
- */
-class ReuseExpr extends Expr, @reuseexpr {
-  override string getAPrimaryQlClass() { result = "ReuseExpr" }
-
-  override string toString() { result = "reuse of " + this.getReusedExpr().toString() }
-
-  /**
-   * Gets the expression that is being re-used.
-   */
-  Expr getReusedExpr() { expr_reuse(underlyingElement(this), unresolveElement(result), _) }
-
-  override Type getType() { result = this.getReusedExpr().getType() }
-
-  override predicate isLValueCategory() { expr_reuse(underlyingElement(this), _, 3) }
-
-  override predicate isXValueCategory() { expr_reuse(underlyingElement(this), _, 2) }
-
-  override predicate isPRValueCategory() { expr_reuse(underlyingElement(this), _, 1) }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DataFlow.qll

@@ -24,6 +24,6 @@ import cpp
 module DataFlow {
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
   private import codeql.dataflow.DataFlow
-  import DataFlowMake<Location, CppDataFlow>
+  import DataFlowMake<CppDataFlow>
   import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl1
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/FlowSteps.qll

@@ -1,20 +0,0 @@
-/**
- * This file provides an abstract class that can be used to model additional
- * object-to-field taint-flow.
- */
-
-private import codeql.util.Unit
-private import semmle.code.cpp.dataflow.new.DataFlow
-
-/**
- * A `Content` that should be implicitly regarded as tainted whenever an object with such `Content`
- * is itself tainted.
- *
- * For example, if we had a type `struct Container { int field; }`, then by default a tainted
- * `Container` and a `Container` with a tainted `int` stored in its `field` are distinct.
- *
- * If `any(DataFlow::FieldContent fc | fc.getField().hasQualifiedName("Container", "field"))` was
- * included in this type however, then a tainted `Container` would imply that its `field` is also
- * tainted (but not vice versa).
- */
-abstract class TaintInheritingContent extends DataFlow::Content { }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/TaintTracking.qll

@@ -23,6 +23,6 @@ module TaintTracking {
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
   private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
   private import codeql.dataflow.TaintTracking
-  import TaintFlowMake<Location, CppDataFlow, CppTaintTracking>
+  import TaintFlowMake<CppDataFlow, CppTaintTracking>
   import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingImpl
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -1,4 +1,3 @@
-private import semmle.code.cpp.Location
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImpl
-import MakeImpl<Location, CppDataFlow>
+import MakeImpl<CppDataFlow>

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -285,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -285,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -285,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -285,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -1,4 +1,3 @@
-private import semmle.code.cpp.Location
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImplCommon
-import MakeImplCommon<Location, CppDataFlow>
+import MakeImplCommon<CppDataFlow>

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll

@@ -8,7 +8,7 @@ private import DataFlowImplSpecific
 private import TaintTrackingImplSpecific
 private import codeql.dataflow.internal.DataFlowImplConsistency
 
-private module Input implements InputSig<Location, CppDataFlow> {
+private module Input implements InputSig<CppDataFlow> {
   predicate argHasPostUpdateExclude(Private::ArgumentNode n) {
     // The rules for whether an IR argument gets a post-update node are too
     // complex to model here.
@@ -16,4 +16,4 @@ private module Input implements InputSig<Location, CppDataFlow> {
   }
 }
 
-module Consistency = MakeConsistency<Location, CppDataFlow, CppTaintTracking, Input>;
+module Consistency = MakeConsistency<CppDataFlow, CppTaintTracking, Input>;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll

@@ -3,7 +3,6 @@
  */
 
 private import codeql.dataflow.DataFlow
-private import semmle.code.cpp.Location
 
 module Private {
   import DataFlowPrivate
@@ -14,7 +13,7 @@ module Public {
   import DataFlowUtil
 }
 
-module CppDataFlow implements InputSig<Location> {
+module CppDataFlow implements InputSig {
   import Private
   import Public
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -448,7 +448,7 @@ class Node extends TIRDataFlowNode {
    * For more information, see
    * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */
-  deprecated predicate hasLocationInfo(
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -1331,7 +1331,6 @@ private import GetConvertedResultExpression
 
 /** Holds if `node` is an `OperandNode` that should map `node.asExpr()` to `e`. */
 predicate exprNodeShouldBeOperand(OperandNode node, Expr e, int n) {
-  not exprNodeShouldBeIndirectOperand(_, e, n) and
   exists(Instruction def |
     unique( | | getAUse(def)) = node.getOperand() and
     e = getConvertedResultExpression(def, n)
@@ -1348,22 +1347,6 @@ private predicate indirectExprNodeShouldBeIndirectOperand(
   )
 }
 
-/** Holds if `node` should be an `IndirectOperand` that maps `node.asExpr()` to `e`. */
-private predicate exprNodeShouldBeIndirectOperand(IndirectOperand node, Expr e, int n) {
-  exists(ArgumentOperand operand |
-    // When an argument (qualifier or positional) is a prvalue and the
-    // parameter (qualifier or positional) is a (const) reference, IR
-    // construction introduces a temporary `IRVariable`. The `VariableAddress`
-    // instruction has the argument as its `getConvertedResultExpression`
-    // result. However, the instruction actually represents the _address_ of
-    // the argument. So to fix this mismatch, we have the indirection of the
-    // `VariableAddressInstruction` map to the expression.
-    node.hasOperandAndIndirectionIndex(operand, 1) and
-    e = getConvertedResultExpression(operand.getDef(), n) and
-    operand.getDef().(VariableAddressInstruction).getIRVariable() instanceof IRTempVariable
-  )
-}
-
 private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e, int n) {
   exists(CallInstruction call |
     call.getStaticCallTarget() instanceof Constructor and
@@ -1376,7 +1359,6 @@ private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node,
 predicate exprNodeShouldBeInstruction(Node node, Expr e, int n) {
   not exprNodeShouldBeOperand(_, e, n) and
   not exprNodeShouldBeIndirectOutNode(_, e, n) and
-  not exprNodeShouldBeIndirectOperand(_, e, n) and
   e = getConvertedResultExpression(node.asInstruction(), n)
 }
 
@@ -1409,8 +1391,7 @@ abstract private class ExprNodeBase extends Node {
 private predicate exprNodeShouldBe(Expr e, int n) {
   exprNodeShouldBeInstruction(_, e, n) or
   exprNodeShouldBeOperand(_, e, n) or
-  exprNodeShouldBeIndirectOutNode(_, e, n) or
-  exprNodeShouldBeIndirectOperand(_, e, n)
+  exprNodeShouldBeIndirectOutNode(_, e, n)
 }
 
 private class InstructionExprNode extends ExprNodeBase, InstructionNode {
@@ -1552,12 +1533,6 @@ private class IndirectArgumentOutExprNode extends ExprNodeBase, IndirectArgument
   final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOutNode(this, result, n) }
 }
 
-private class IndirectOperandExprNode extends ExprNodeBase instanceof IndirectOperand {
-  IndirectOperandExprNode() { exprNodeShouldBeIndirectOperand(this, _, _) }
-
-  final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOperand(this, result, n) }
-}
-
 /**
  * An expression, viewed as a node in a data flow graph.
  */
@@ -2301,8 +2276,8 @@ private import ContentStars
 
 /** A reference through a non-union instance field. */
 class FieldContent extends Content, TFieldContent {
-  private Field f;
-  private int indirectionIndex;
+  Field f;
+  int indirectionIndex;
 
   FieldContent() { this = TFieldContent(f, indirectionIndex) }
 
@@ -2329,9 +2304,9 @@ class FieldContent extends Content, TFieldContent {
 
 /** A reference through an instance field of a union. */
 class UnionContent extends Content, TUnionContent {
-  private Union u;
-  private int indirectionIndex;
-  private int bytes;
+  Union u;
+  int indirectionIndex;
+  int bytes;
 
   UnionContent() { this = TUnionContent(u, bytes, indirectionIndex) }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -10,12 +10,13 @@ private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs as FIO
 private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
 private import DataFlowPrivate
+private import ssa0.SsaInternals as SsaInternals0
 import SsaInternalsCommon
 
 private module SourceVariables {
   cached
   private newtype TSourceVariable =
-    TMkSourceVariable(BaseSourceVariable base, int ind) {
+    TMkSourceVariable(SsaInternals0::SourceVariable base, int ind) {
       ind = [0 .. countIndirectionsForCppType(base.getLanguageType()) + 1]
     }
 
@@ -29,7 +30,7 @@ private module SourceVariables {
   }
 
   class SourceVariable extends TSourceVariable {
-    BaseSourceVariable base;
+    SsaInternals0::SourceVariable base;
     int ind;
 
     SourceVariable() { this = TMkSourceVariable(base, ind) }
@@ -41,7 +42,7 @@ private module SourceVariables {
      * Gets the base source variable (i.e., the variable without any
      * indirections) of this source variable.
      */
-    BaseSourceVariable getBaseVariable() { result = base }
+    SsaInternals0::SourceVariable getBaseVariable() { result = base }
 
     /** Gets a textual representation of this element. */
     string toString() { result = repeatStars(this.getIndirection()) + base.toString() }
@@ -103,9 +104,17 @@ predicate hasRawIndirectInstruction(Instruction instr, int indirectionIndex) {
 
 cached
 private newtype TDefOrUseImpl =
-  TDefAddressImpl(BaseIRVariable v) or
   TDefImpl(BaseSourceVariableInstruction base, Operand address, int indirectionIndex) {
-    isDef(_, _, address, base, _, indirectionIndex)
+    isDef(_, _, address, base, _, indirectionIndex) and
+    (
+      // We only include the definition if the SSA pruning stage
+      // concluded that the definition is live after the write.
+      any(SsaInternals0::Def def).getAddressOperand() = address
+      or
+      // Since the pruning stage doesn't know about global variables we can't use the above check to
+      // rule out dead assignments to globals.
+      base.(VariableAddressInstruction).getAstVariable() instanceof GlobalLikeVariable
+    )
   } or
   TUseImpl(BaseSourceVariableInstruction base, Operand operand, int indirectionIndex) {
     isUse(_, operand, base, _, indirectionIndex) and
@@ -124,7 +133,8 @@ private newtype TDefOrUseImpl =
   TIteratorDef(
     Operand iteratorDerefAddress, BaseSourceVariableInstruction container, int indirectionIndex
   ) {
-    isIteratorDef(container, iteratorDerefAddress, _, _, indirectionIndex)
+    isIteratorDef(container, iteratorDerefAddress, _, _, indirectionIndex) and
+    any(SsaInternals0::Def def | def.isIteratorDef()).getAddressOperand() = iteratorDerefAddress
   } or
   TIteratorUse(
     Operand iteratorAddress, BaseSourceVariableInstruction container, int indirectionIndex
@@ -257,64 +267,24 @@ private predicate sourceVariableHasBaseAndIndex(SourceVariable v, BaseSourceVari
 }
 
 abstract class DefImpl extends DefOrUseImpl {
+  Operand address;
   int ind;
 
   bindingset[ind]
   DefImpl() { any() }
 
-  override int getIndirectionIndex() { result = ind }
-
-  override string toString() { result = "Def of " + this.getSourceVariable() }
-
   abstract int getIndirection();
 
+  abstract Node0Impl getValue();
+
   abstract predicate isCertain();
 
-  abstract Node0Impl getValue();
-}
-
-/** An initial definition of an `IRVariable`'s address. */
-private class DefAddressImpl extends DefImpl, TDefAddressImpl {
-  BaseIRVariable v;
-
-  DefAddressImpl() {
-    this = TDefAddressImpl(v) and
-    ind = 0
-  }
-
-  final override int getIndirection() { result = 0 }
-
-  final override predicate isCertain() { any() }
-
-  final override Node0Impl getValue() { none() }
-
-  final override predicate hasIndexInBlock(IRBlock block, int index) {
-    block = v.getIRVariable().getEnclosingIRFunction().getEntryBlock() and
-    index = 0
-  }
-
-  override Cpp::Location getLocation() { result = v.getIRVariable().getLocation() }
-
-  final override SourceVariable getSourceVariable() {
-    result.getBaseVariable() = v and
-    result.getIndirection() = 0
-  }
-
-  final override BaseSourceVariableInstruction getBase() { none() }
-}
-
-/**
- * An SSA definition that has an associated `Operand` representing the address
- * that is being written to.
- */
-abstract private class OperandBasedDef extends DefImpl {
-  Operand address;
-
-  bindingset[ind]
-  OperandBasedDef() { any() }
-
   Operand getAddressOperand() { result = address }
 
+  override int getIndirectionIndex() { result = ind }
+
+  override string toString() { result = "Def of " + this.getSourceVariable() }
+
   override Cpp::Location getLocation() { result = this.getAddressOperand().getUse().getLocation() }
 
   final override predicate hasIndexInBlock(IRBlock block, int index) {
@@ -322,7 +292,7 @@ abstract private class OperandBasedDef extends DefImpl {
   }
 }
 
-private class DirectDef extends OperandBasedDef, TDefImpl {
+private class DirectDef extends DefImpl, TDefImpl {
   BaseSourceVariableInstruction base;
 
   DirectDef() { this = TDefImpl(base, address, ind) }
@@ -336,7 +306,7 @@ private class DirectDef extends OperandBasedDef, TDefImpl {
   override predicate isCertain() { isDef(true, _, address, base, _, ind) }
 }
 
-private class IteratorDef extends OperandBasedDef, TIteratorDef {
+private class IteratorDef extends DefImpl, TIteratorDef {
   BaseSourceVariableInstruction container;
 
   IteratorDef() { this = TIteratorDef(address, container, ind) }
@@ -1014,6 +984,17 @@ predicate fromPhiNode(SsaPhiNode nodeFrom, Node nodeTo) {
   )
 }
 
+/**
+ * Holds if there is a write at index `i` in basic block `bb` to variable `v` that's
+ * subsequently read (as determined by the SSA pruning stage).
+ */
+private predicate variableWriteCand(IRBlock bb, int i, SourceVariable v) {
+  exists(SsaInternals0::Def def, SsaInternals0::SourceVariable v0 |
+    def.asDefOrUse().hasIndexInBlock(bb, i, v0) and
+    v0 = v.getBaseVariable()
+  )
+}
+
 private predicate sourceVariableIsGlobal(
   SourceVariable sv, GlobalLikeVariable global, IRFunction func, int indirectionIndex
 ) {
@@ -1037,14 +1018,16 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
   predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
     DataFlowImplCommon::forceCachingInSameStage() and
     (
-      exists(DefImpl def | def.hasIndexInBlock(bb, i, v) |
-        if def.isCertain() then certain = true else certain = false
-      )
-      or
-      exists(GlobalDefImpl global |
-        global.hasIndexInBlock(bb, i, v) and
-        certain = true
-      )
+      variableWriteCand(bb, i, v) or
+      sourceVariableIsGlobal(v, _, _, _)
+    ) and
+    exists(DefImpl def | def.hasIndexInBlock(bb, i, v) |
+      if def.isCertain() then certain = true else certain = false
+    )
+    or
+    exists(GlobalDefImpl global |
+      global.hasIndexInBlock(bb, i, v) and
+      certain = true
     )
   }
 
@@ -1219,7 +1202,7 @@ class UseOrPhi extends SsaDefOrUse {
 class Def extends DefOrUse {
   override DefImpl defOrUse;
 
-  Operand getAddressOperand() { result = defOrUse.(OperandBasedDef).getAddressOperand() }
+  Operand getAddressOperand() { result = defOrUse.getAddressOperand() }
 
   Instruction getAddress() { result = this.getAddressOperand().getDef() }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingImplSpecific.qll

@@ -4,8 +4,7 @@
 
 private import codeql.dataflow.TaintTracking
 private import DataFlowImplSpecific
-private import semmle.code.cpp.Location
 
-module CppTaintTracking implements InputSig<Location, CppDataFlow> {
+module CppTaintTracking implements InputSig<CppDataFlow> {
   import TaintTrackingUtil
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -6,7 +6,6 @@ private import semmle.code.cpp.models.interfaces.SideEffect
 private import DataFlowUtil
 private import DataFlowPrivate
 private import SsaInternals as Ssa
-private import semmle.code.cpp.ir.dataflow.FlowSteps
 
 /**
  * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
@@ -38,12 +37,6 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
   )
   or
   any(Ssa::Indirection ind).isAdditionalTaintStep(nodeFrom, nodeTo)
-  or
-  // object->field conflation for content that is a `TaintInheritingContent`.
-  exists(DataFlow::ContentSet f |
-    readStep(nodeFrom, f, nodeTo) and
-    f.getAReadContent() instanceof TaintInheritingContent
-  )
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll

@@ -0,0 +1,347 @@
+/**
+ * This module defines an initial SSA pruning stage that doesn't take
+ * indirections into account.
+ */
+
+private import codeql.ssa.Ssa as SsaImplCommon
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
+private import semmle.code.cpp.models.interfaces.Allocation as Alloc
+private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
+private import semmle.code.cpp.ir.implementation.raw.internal.SideEffects as SideEffects
+private import semmle.code.cpp.ir.internal.IRCppLanguage
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.dataflow.internal.SsaInternalsCommon
+
+private module SourceVariables {
+  class SourceVariable extends BaseSourceVariable {
+    /**
+     * Gets the base source variable of this `SourceVariable`.
+     */
+    BaseSourceVariable getBaseVariable() { result = this }
+  }
+}
+
+import SourceVariables
+
+private newtype TDefOrUseImpl =
+  TDefImpl(Operand address) { isDef(_, _, address, _, _, _) } or
+  TUseImpl(Operand operand) {
+    isUse(_, operand, _, _, _) and
+    not isDef(true, _, operand, _, _, _)
+  } or
+  TIteratorDef(BaseSourceVariableInstruction container, Operand iteratorAddress) {
+    isIteratorDef(container, iteratorAddress, _, _, _)
+  } or
+  TIteratorUse(BaseSourceVariableInstruction container, Operand iteratorAddress) {
+    isIteratorUse(container, iteratorAddress, _, _)
+  } or
+  TFinalParameterUse(Parameter p) {
+    any(Indirection indirection).getType() = p.getUnspecifiedType()
+  }
+
+abstract private class DefOrUseImpl extends TDefOrUseImpl {
+  /** Gets a textual representation of this element. */
+  abstract string toString();
+
+  /** Gets the block of this definition or use. */
+  final IRBlock getBlock() { this.hasIndexInBlock(result, _) }
+
+  /** Holds if this definition or use has index `index` in block `block`. */
+  abstract predicate hasIndexInBlock(IRBlock block, int index);
+
+  final predicate hasIndexInBlock(IRBlock block, int index, SourceVariable sv) {
+    this.hasIndexInBlock(block, index) and
+    sv = this.getSourceVariable()
+  }
+
+  /** Gets the location of this element. */
+  abstract Cpp::Location getLocation();
+
+  abstract BaseSourceVariableInstruction getBase();
+
+  final BaseSourceVariable getBaseSourceVariable() {
+    result = this.getBase().getBaseSourceVariable()
+  }
+
+  /** Gets the variable that is defined or used. */
+  final SourceVariable getSourceVariable() {
+    result.getBaseVariable() = this.getBaseSourceVariable()
+  }
+
+  abstract predicate isCertain();
+}
+
+abstract class DefImpl extends DefOrUseImpl {
+  Operand address;
+
+  Operand getAddressOperand() { result = address }
+
+  abstract Node0Impl getValue();
+
+  override string toString() { result = address.toString() }
+
+  override Cpp::Location getLocation() { result = this.getAddressOperand().getLocation() }
+
+  final override predicate hasIndexInBlock(IRBlock block, int index) {
+    this.getAddressOperand().getUse() = block.getInstruction(index)
+  }
+}
+
+private class DirectDef extends DefImpl, TDefImpl {
+  DirectDef() { this = TDefImpl(address) }
+
+  override BaseSourceVariableInstruction getBase() { isDef(_, _, address, result, _, _) }
+
+  override Node0Impl getValue() { isDef(_, result, address, _, _, _) }
+
+  override predicate isCertain() { isDef(true, _, address, _, _, _) }
+}
+
+private class IteratorDef extends DefImpl, TIteratorDef {
+  BaseSourceVariableInstruction container;
+
+  IteratorDef() { this = TIteratorDef(container, address) }
+
+  override BaseSourceVariableInstruction getBase() { result = container }
+
+  override Node0Impl getValue() { isIteratorDef(_, address, result, _, _) }
+
+  override predicate isCertain() { none() }
+}
+
+abstract class UseImpl extends DefOrUseImpl { }
+
+abstract private class OperandBasedUse extends UseImpl {
+  Operand operand;
+
+  override string toString() { result = operand.toString() }
+
+  final override predicate hasIndexInBlock(IRBlock block, int index) {
+    // Ideally, this would just be implemented as:
+    // ```
+    // operand.getUse() = block.getInstruction(index)
+    // ```
+    // but because the IR generated for a snippet such as
+    // ```
+    // int x = *p++;
+    // ```
+    // looks like
+    // ```
+    // r1(glval<int>)   = VariableAddress[x]  :
+    // r2(glval<int *>) = VariableAddress[p]  :
+    // r3(int *)        = Load[p]             : &:r2, m1
+    // r4(int)          = Constant[1]         :
+    // r5(int *)        = PointerAdd[4]       : r3, r4
+    // m3(int *)        = Store[p]            : &:r2, r5
+    // r6(int *)        = CopyValue           : r3
+    // r7(int)          = Load[?]             : &:r6, ~m2
+    // m2(int)          = Store[x]            : &:r1, r7
+    // ```
+    // we need to ensure that the `r3` operand of the `CopyValue` instruction isn't seen as a fresh use
+    // of `p` that happens after the increment. So if the base instruction of this use comes from a
+    // post-fix crement operation we set the index of the SSA use that wraps the `r3` operand at the
+    // `CopyValue` instruction to be the same index as the `r3` operand at the `PointerAdd` instruction.
+    // This ensures that the SSA library doesn't create flow from the `PointerAdd` to `r6`.
+    exists(BaseSourceVariableInstruction base | base = this.getBase() |
+      if base.getAst() = any(Cpp::PostfixCrementOperation c).getOperand()
+      then
+        exists(Operand op |
+          op =
+            min(Operand cand, int i |
+              isUse(_, cand, base, _, _) and
+              block.getInstruction(i) = cand.getUse()
+            |
+              cand order by i
+            ) and
+          block.getInstruction(index) = op.getUse()
+        )
+      else operand.getUse() = block.getInstruction(index)
+    )
+  }
+
+  final override Cpp::Location getLocation() { result = operand.getLocation() }
+}
+
+private class DirectUse extends OperandBasedUse, TUseImpl {
+  DirectUse() { this = TUseImpl(operand) }
+
+  override BaseSourceVariableInstruction getBase() { isUse(_, operand, result, _, _) }
+
+  override predicate isCertain() { isUse(true, operand, _, _, _) }
+}
+
+private class IteratorUse extends OperandBasedUse, TIteratorUse {
+  BaseSourceVariableInstruction container;
+
+  IteratorUse() { this = TIteratorUse(container, operand) }
+
+  override BaseSourceVariableInstruction getBase() { result = container }
+
+  override predicate isCertain() { none() }
+}
+
+private class FinalParameterUse extends UseImpl, TFinalParameterUse {
+  Parameter p;
+
+  FinalParameterUse() { this = TFinalParameterUse(p) }
+
+  override string toString() { result = p.toString() }
+
+  final override predicate hasIndexInBlock(IRBlock block, int index) {
+    // Ideally, this should always be a `ReturnInstruction`, but if
+    // someone forgets to write a `return` statement in a function
+    // with a non-void return type we generate an `UnreachedInstruction`.
+    // In this case we still want to generate flow out of such functions
+    // if they write to a parameter. So we pick the index of the
+    // `UnreachedInstruction` as the index of this use.
+    // Note that a function may have both a `ReturnInstruction` and an
+    // `UnreachedInstruction`. If that's the case this predicate will
+    // return multiple results. I don't think this is detrimental to
+    // performance, however.
+    exists(Instruction return |
+      return instanceof ReturnInstruction or
+      return instanceof UnreachedInstruction
+    |
+      block.getInstruction(index) = return and
+      return.getEnclosingFunction() = p.getFunction()
+    )
+  }
+
+  final override Cpp::Location getLocation() {
+    // Parameters can have multiple locations. When there's a unique location we use
+    // that one, but if multiple locations exist we default to an unknown location.
+    result = unique( | | p.getLocation())
+    or
+    not exists(unique( | | p.getLocation())) and
+    result instanceof UnknownDefaultLocation
+  }
+
+  override BaseSourceVariableInstruction getBase() {
+    exists(InitializeParameterInstruction init |
+      init.getParameter() = p and
+      // This is always a `VariableAddressInstruction`
+      result = init.getAnOperand().getDef()
+    )
+  }
+
+  override predicate isCertain() { any() }
+}
+
+private module SsaInput implements SsaImplCommon::InputSig<Location> {
+  import InputSigCommon
+  import SourceVariables
+
+  /**
+   * Holds if the `i`'th write in block `bb` writes to the variable `v`.
+   * `certain` is `true` if the write is guaranteed to overwrite the entire variable.
+   */
+  predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
+    DataFlowImplCommon::forceCachingInSameStage() and
+    exists(DefImpl def | def.hasIndexInBlock(bb, i, v) |
+      if def.isCertain() then certain = true else certain = false
+    )
+  }
+
+  /**
+   * Holds if the `i`'th read in block `bb` reads to the variable `v`.
+   * `certain` is `true` if the read is guaranteed.
+   */
+  predicate variableRead(IRBlock bb, int i, SourceVariable v, boolean certain) {
+    exists(UseImpl use | use.hasIndexInBlock(bb, i, v) |
+      if use.isCertain() then certain = true else certain = false
+    )
+  }
+}
+
+private newtype TSsaDefOrUse =
+  TDefOrUse(DefOrUseImpl defOrUse) {
+    defOrUse instanceof UseImpl
+    or
+    // If `defOrUse` is a definition we only include it if the
+    // SSA library concludes that it's live after the write.
+    exists(DefinitionExt def, SourceVariable sv, IRBlock bb, int i |
+      def.definesAt(sv, bb, i, _) and
+      defOrUse.(DefImpl).hasIndexInBlock(bb, i, sv)
+    )
+  } or
+  TPhi(PhiNode phi)
+
+abstract private class SsaDefOrUse extends TSsaDefOrUse {
+  string toString() { result = "SsaDefOrUse" }
+
+  DefOrUseImpl asDefOrUse() { none() }
+
+  PhiNode asPhi() { none() }
+
+  abstract Location getLocation();
+}
+
+class DefOrUse extends TDefOrUse, SsaDefOrUse {
+  DefOrUseImpl defOrUse;
+
+  DefOrUse() { this = TDefOrUse(defOrUse) }
+
+  final override DefOrUseImpl asDefOrUse() { result = defOrUse }
+
+  final override Location getLocation() { result = defOrUse.getLocation() }
+
+  final SourceVariable getSourceVariable() { result = defOrUse.getSourceVariable() }
+}
+
+class Phi extends TPhi, SsaDefOrUse {
+  PhiNode phi;
+
+  Phi() { this = TPhi(phi) }
+
+  final override PhiNode asPhi() { result = phi }
+
+  final override Location getLocation() { result = phi.getBasicBlock().getLocation() }
+}
+
+class UseOrPhi extends SsaDefOrUse {
+  UseOrPhi() {
+    this.asDefOrUse() instanceof UseImpl
+    or
+    this instanceof Phi
+  }
+
+  final override Location getLocation() {
+    result = this.asDefOrUse().getLocation() or result = this.(Phi).getLocation()
+  }
+
+  override string toString() {
+    result = this.asDefOrUse().toString()
+    or
+    this instanceof Phi and
+    result = "Phi"
+  }
+}
+
+class Def extends DefOrUse {
+  override DefImpl defOrUse;
+
+  Operand getAddressOperand() { result = defOrUse.getAddressOperand() }
+
+  Instruction getAddress() { result = this.getAddressOperand().getDef() }
+
+  Node0Impl getValue() { result = defOrUse.getValue() }
+
+  override string toString() { result = this.asDefOrUse().toString() }
+
+  BaseSourceVariableInstruction getBase() { result = defOrUse.getBase() }
+
+  predicate isIteratorDef() { defOrUse instanceof IteratorDef }
+}
+
+private module SsaImpl = SsaImplCommon::Make<Location, SsaInput>;
+
+class PhiNode extends SsaImpl::DefinitionExt {
+  PhiNode() {
+    this instanceof SsaImpl::PhiNode or
+    this instanceof SsaImpl::PhiReadNode
+  }
+}
+
+class DefinitionExt = SsaImpl::DefinitionExt;

cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll

@@ -90,15 +90,6 @@ class CaseEdge extends EdgeKind, TCaseEdge {
    * Gets the largest value of the switch expression for which control will flow along this edge.
    */
   final string getMaxValue() { result = maxValue }
-
-  /**
-   * Gets the unique value of the switch expression for which control will
-   * flow along this edge, if any.
-   */
-  final string getValue() {
-    minValue = maxValue and
-    result = minValue
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll

@@ -38,12 +38,6 @@ private int getBinaryInstructionValue(BinaryInstruction instr) {
     or
     instr instanceof DivInstruction and result = div(left, right)
     or
-    instr instanceof BitOrInstruction and result = bitOr(left, right)
-    or
-    instr instanceof BitAndInstruction and result = bitAnd(left, right)
-    or
-    instr instanceof BitXorInstruction and result = bitXor(left, right)
-    or
     instr instanceof CompareEQInstruction and result = compareEQ(left, right)
     or
     instr instanceof CompareNEInstruction and result = compareNE(left, right)

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll

@@ -38,12 +38,6 @@ private int getBinaryInstructionValue(BinaryInstruction instr) {
     or
     instr instanceof DivInstruction and result = div(left, right)
     or
-    instr instanceof BitOrInstruction and result = bitOr(left, right)
-    or
-    instr instanceof BitAndInstruction and result = bitAnd(left, right)
-    or
-    instr instanceof BitXorInstruction and result = bitXor(left, right)
-    or
     instr instanceof CompareEQInstruction and result = compareEQ(left, right)
     or
     instr instanceof CompareNEInstruction and result = compareNE(left, right)

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -40,43 +40,12 @@ IRTempVariable getIRTempVariable(Locatable ast, TempVariableTag tag) {
   result.getTag() = tag
 }
 
-/** Gets an operand of `op`. */
-private Expr getAnOperand(Operation op) { result = op.getAnOperand() }
-
-/**
- * Gets the number of nested operands of `op`. For example,
- * `getNumberOfNestedBinaryOperands((1 + 2) + 3))` is `3`.
- */
-private int getNumberOfNestedBinaryOperands(Operation op) { result = count(getAnOperand*(op)) }
-
-/**
- * Holds if `op` should not be translated to a `ConstantInstruction` as part of
- * IR generation, even if the value of `op` is constant.
- */
-private predicate ignoreConstantValue(Operation op) {
-  op instanceof BitwiseAndExpr
-  or
-  op instanceof BitwiseOrExpr
-  or
-  op instanceof BitwiseXorExpr
-}
-
 /**
  * Holds if `expr` is a constant of a type that can be replaced directly with
  * its value in the IR. This does not include address constants as we have no
  * means to express those as QL values.
  */
-predicate isIRConstant(Expr expr) {
-  exists(expr.getValue()) and
-  // We avoid constant folding certain operations since it's often useful to
-  // mark one of those as a source in dataflow, and if the operation is
-  // constant folded it's not possible to mark its operands as a source (or
-  // sink).
-  // But to avoid creating an outrageous amount of IR from very large
-  // constant expressions we fall back to constant folding if the operation
-  // has more than 50 operands (i.e., 1 + 2 + 3 + 4 + ... + 50)
-  if ignoreConstantValue(expr) then getNumberOfNestedBinaryOperands(expr) > 50 else any()
-}
+predicate isIRConstant(Expr expr) { exists(expr.getValue()) }
 
 // Pulled out for performance. See
 // https://github.com/github/codeql-coreql-team/issues/1044.
@@ -127,9 +96,6 @@ private predicate ignoreExprAndDescendants(Expr expr) {
   exists(BuiltInVarArgsStart vaStartExpr |
     vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
   )
-  or
-  // suppress destructors of temporary variables until proper support is added for them.
-  exists(Expr parent | parent.getAnImplicitDestructorCall() = expr)
 }
 
 /**
@@ -778,13 +744,9 @@ newtype TTranslatedElement =
   // The declaration/initialization part of a `ConditionDeclExpr`
   TTranslatedConditionDecl(ConditionDeclExpr expr) { not ignoreExpr(expr) } or
   // The side effects of a `Call`
-  TTranslatedCallSideEffects(CallOrAllocationExpr expr) {
-    not ignoreExpr(expr) and
-    not ignoreSideEffects(expr)
-  } or
+  TTranslatedCallSideEffects(CallOrAllocationExpr expr) { not ignoreSideEffects(expr) } or
   // The non-argument-specific side effect of a `Call`
   TTranslatedCallSideEffect(Expr expr, SideEffectOpcode opcode) {
-    not ignoreExpr(expr) and
     not ignoreSideEffects(expr) and
     opcode = getCallSideEffectOpcode(expr)
   } or
@@ -802,7 +764,6 @@ newtype TTranslatedElement =
   // Constructor calls lack a qualifier (`this`) expression, so we need to handle the side effects
   // on `*this` without an `Expr`.
   TTranslatedStructorQualifierSideEffect(Call call, SideEffectOpcode opcode) {
-    not ignoreExpr(call) and
     not ignoreSideEffects(call) and
     call instanceof ConstructorCall and
     opcode = getASideEffectOpcode(call, -1)

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -97,6 +97,19 @@ abstract class TranslatedExpr extends TranslatedElement {
     )
   }
 
+  final override predicate hasAnImplicitDestructorCall() {
+    exists(expr.getAnImplicitDestructorCall())
+  }
+
+  final override int getFirstDestructorCallIndex() {
+    not this.handlesDestructorsExplicitly() and
+    (
+      result = max(int childId | exists(this.getChildInternal(childId))) + 1
+      or
+      not exists(this.getChildInternal(_)) and result = 0
+    )
+  }
+
   final override Locatable getAst() { result = expr }
 
   final override Declaration getFunction() { result = getEnclosingDeclaration(expr) }
@@ -2769,50 +2782,6 @@ class TranslatedTemporaryObjectExpr extends TranslatedNonConstantExpr,
   final override Instruction getResult() { result = this.getTargetAddress() }
 }
 
-/**
- * IR translation of a `ReuseExpr`.
- *
- * This translation produces a copy of the glvalue instruction holding the (unconverted) result
- * of the reused expression. In the case where the original expression was a prvalue, the
- * result will be a copy of the glvalue operand of a `TranslatedLoad`.
- */
-class TranslatedReuseExpr extends TranslatedNonConstantExpr {
-  override ReuseExpr expr;
-
-  override Instruction getFirstInstruction(EdgeKind kind) {
-    result = this.getInstruction(OnlyInstructionTag()) and
-    kind instanceof GotoEdge
-  }
-
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
-    opcode instanceof Opcode::CopyValue and
-    tag instanceof OnlyInstructionTag and
-    resultType = this.getResultType()
-  }
-
-  override Instruction getResult() { result = this.getInstruction(OnlyInstructionTag()) }
-
-  override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) {
-    tag = OnlyInstructionTag() and
-    kind instanceof GotoEdge and
-    result = this.getParent().getChildSuccessor(this, kind)
-  }
-
-  override TranslatedElement getChildInternal(int id) { none() }
-
-  override Instruction getALastInstructionInternal() {
-    result = this.getInstruction(OnlyInstructionTag())
-  }
-
-  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag = OnlyInstructionTag() and
-    operandTag instanceof UnaryOperandTag and
-    if getTranslatedExpr(expr.getReusedExpr()) instanceof TranslatedLoad
-    then result = getTranslatedExpr(expr.getReusedExpr()).(TranslatedLoad).getOperand().getResult()
-    else result = getTranslatedExpr(expr.getReusedExpr()).getResult()
-  }
-}
-
 /**
  * IR translation of a `throw` expression.
  */

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll

@@ -38,12 +38,6 @@ private int getBinaryInstructionValue(BinaryInstruction instr) {
     or
     instr instanceof DivInstruction and result = div(left, right)
     or
-    instr instanceof BitOrInstruction and result = bitOr(left, right)
-    or
-    instr instanceof BitAndInstruction and result = bitAnd(left, right)
-    or
-    instr instanceof BitXorInstruction and result = bitXor(left, right)
-    or
     instr instanceof CompareEQInstruction and result = compareEQ(left, right)
     or
     instr instanceof CompareNEInstruction and result = compareNE(left, right)

cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerPartial.qll

@@ -89,18 +89,6 @@ int compareLE(int a, int b) { if a <= b then result = 1 else result = 0 }
 bindingset[a, b]
 int compareGE(int a, int b) { if a >= b then result = 1 else result = 0 }
 
-/** Returns `a | b`. */
-bindingset[a, b]
-int bitOr(int a, int b) { result = a.bitOr(b) }
-
-/** Returns `a & b`. */
-bindingset[a, b]
-int bitAnd(int a, int b) { result = a.bitAnd(b) }
-
-/** Returns `a ^ b`. */
-bindingset[a, b]
-int bitXor(int a, int b) { result = a.bitXor(b) }
-
 /**
  * Returns `-a`. If the negation would overflow, there is no result.
  */

cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll

@@ -36,9 +36,7 @@ private class MallocAllocationFunction extends AllocationFunction {
         "CRYPTO_malloc", // CRYPTO_malloc(size_t num, const char *file, int line)
         "CRYPTO_zalloc", // CRYPTO_zalloc(size_t num, const char *file, int line)
         "CRYPTO_secure_malloc", // CRYPTO_secure_malloc(size_t num, const char *file, int line)
-        "CRYPTO_secure_zalloc", // CRYPTO_secure_zalloc(size_t num, const char *file, int line)
-        "g_malloc", // g_malloc (n_bytes);
-        "g_try_malloc" // g_try_malloc(n_bytes);
+        "CRYPTO_secure_zalloc" // CRYPTO_secure_zalloc(size_t num, const char *file, int line)
       ]) and
     sizeArg = 0
     or
@@ -141,9 +139,7 @@ private class ReallocAllocationFunction extends AllocationFunction, TaintFunctio
         // --- Windows COM allocation
         "CoTaskMemRealloc", // CoTaskMemRealloc(ptr, size)
         // --- OpenSSL memory allocation
-        "CRYPTO_realloc", // CRYPTO_realloc(void *addr, size_t num, const char *file, int line)
-        "g_realloc", // g_realloc(mem, n_bytes);
-        "g_try_realloc" // g_try_realloc(mem, n_bytes);
+        "CRYPTO_realloc" // CRYPTO_realloc(void *addr, size_t num, const char *file, int line)
       ]) and
     sizeArg = 1 and
     reallocArg = 0

cpp/ql/lib/semmle/code/cpp/models/implementations/Deallocation.qll

@@ -20,10 +20,8 @@ private class StandardDeallocationFunction extends DeallocationFunction {
     freedArg = 0
     or
     this.hasGlobalName([
-        // --- OpenSSL memory deallocation
-        "CRYPTO_free", "CRYPTO_secure_free",
-        // --- glib memory deallocation
-        "g_free"
+        // --- OpenSSL memory allocation
+        "CRYPTO_free", "CRYPTO_secure_free"
       ]) and
     freedArg = 0
     or

cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll

@@ -9,8 +9,6 @@ import cpp
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Iterator
-import semmle.code.cpp.models.interfaces.Alias
-import semmle.code.cpp.models.interfaces.SideEffect
 
 /**
  * An instantiation of the `std::iterator_traits` template.
@@ -440,7 +438,7 @@ private class IteratorAssignmentMemberOperatorModel extends IteratorAssignmentMe
  * A `begin` or `end` member function, or a related member function, that
  * returns an iterator.
  */
-class BeginOrEndFunction extends MemberFunction {
+private class BeginOrEndFunction extends MemberFunction, TaintFunction, GetIteratorFunction {
   BeginOrEndFunction() {
     this.hasName([
         "begin", "cbegin", "rbegin", "crbegin", "end", "cend", "rend", "crend", "before_begin",
@@ -448,11 +446,7 @@ class BeginOrEndFunction extends MemberFunction {
       ]) and
     this.getType().getUnspecifiedType() instanceof Iterator
   }
-}
 
-private class BeginOrEndFunctionModels extends BeginOrEndFunction, TaintFunction,
-  GetIteratorFunction, AliasFunction, SideEffectFunction
-{
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
     output.isReturnValue()
@@ -462,22 +456,6 @@ private class BeginOrEndFunctionModels extends BeginOrEndFunction, TaintFunction
     input.isQualifierObject() and
     output.isReturnValue()
   }
-
-  override predicate parameterNeverEscapes(int index) { index = -1 }
-
-  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
-
-  override predicate hasOnlySpecificReadSideEffects() { any() }
-
-  override predicate hasOnlySpecificWriteSideEffects() { any() }
-
-  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
-    none()
-  }
-
-  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
-    i = -1 and buffer = false
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll

@@ -253,15 +253,13 @@ private class StdSequenceContainerAssign extends TaintFunction {
 /**
  * The standard container functions `at` and `operator[]`.
  */
-class StdSequenceContainerAt extends MemberFunction {
+private class StdSequenceContainerAt extends TaintFunction {
   StdSequenceContainerAt() {
     this.getClassAndName(["at", "operator[]"]) instanceof Array or
     this.getClassAndName(["at", "operator[]"]) instanceof Deque or
     this.getClassAndName(["at", "operator[]"]) instanceof Vector
   }
-}
 
-private class StdSequenceContainerAtModel extends StdSequenceContainerAt, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from qualifier to referenced return value
     input.isQualifierObject() and

cpp/ql/lib/semmle/code/cpp/models/implementations/StdMap.qll

@@ -129,11 +129,9 @@ private class StdMapMerge extends TaintFunction {
 /**
  * The standard map functions `at` and `operator[]`.
  */
-class StdMapAt extends MemberFunction {
+private class StdMapAt extends TaintFunction {
   StdMapAt() { this.getClassAndName(["at", "operator[]"]) instanceof MapOrUnorderedMap }
-}
 
-private class StdMapAtModels extends StdMapAt, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from qualifier to referenced return value
     input.isQualifierObject() and

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -1513,12 +1513,6 @@ exprs(
     int location: @location_expr ref
 );
 
-expr_reuse(
-    int reuse: @expr ref,
-    int original: @expr ref,
-    int value_category: int ref
-)
-
 /*
   case @value.category of
     1 = prval
@@ -1747,7 +1741,6 @@ case @expr.kind of
 | 360 = @isunsigned
 | 361 = @isvoid
 | 362 = @isvolatile
-| 363 = @reuseexpr
 ;
 
 @var_args_expr = @vastartexpr

cpp/ql/lib/upgrades/298438feb146335af824002589cd6d4e96e5dbf9/upgrade.properties

@@ -1,2 +0,0 @@
-description: Introduce re-use expressions
-compatibility: backwards

cpp/ql/lib/upgrades/aa7ff0ab32cd4674f6ab731d32fea64116997b05/expr_reuse.ql

@@ -1,7 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-from Expr reuse, Expr original, int value_category
-where expr_reuse(reuse, original) and expr_types(original, _, value_category)
-select reuse, original, value_category

cpp/ql/lib/upgrades/aa7ff0ab32cd4674f6ab731d32fea64116997b05/upgrade.properties

@@ -1,3 +0,0 @@
-description: Add value category to expr_reuse table
-compatibility: full
-expr_reuse.rel: run expr_reuse.qlo

cpp/ql/src/CHANGELOG.md

@@ -1,34 +1,3 @@
-## 0.9.9
-
-### New Queries
-
-* Added a new query, `cpp/type-confusion`, to detect casts to invalid types.
-
-### Query Metadata Changes
-
-* `@precision medium` metadata was added to the `cpp/boost/tls-settings-misconfiguration` and `cpp/boost/use-of-deprecated-hardcoded-security-protocol` queries, and these queries are now included in the security-extended suite. The `@name` metadata of these queries were also updated.
-
-### Minor Analysis Improvements
-
-* The "Missing return-value check for a 'scanf'-like function" query (`cpp/missing-check-scanf`) has been converted to a `path-problem` query.
-* The "Potentially uninitialized local variable" query (`cpp/uninitialized-local`) has been converted to a `path-problem` query.
-* Added models for `GLib` allocation and deallocation functions.
-
-## 0.9.8
-
-No user-facing changes.
-
-## 0.9.7
-
-No user-facing changes.
-
-## 0.9.6
-
-### Minor Analysis Improvements
-
-* The "non-constant format string" query (`cpp/non-constant-format`) has been converted to a `path-problem` query.
-* The new C/C++ dataflow and taint-tracking libraries (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now implicitly assume that dataflow and taint modelled via `DataFlowFunction` and `TaintFunction` always fully overwrite their buffers and thus act as flow barriers. As a result, many dataflow and taint-tracking queries now produce fewer false positives. To remove this assumption and go back to the previous behavior for a given model, one can override the new `isPartialWrite` predicate.
-
 ## 0.9.5
 
 ### Minor Analysis Improvements

cpp/ql/src/Critical/MissingCheckScanf.ql

@@ -2,7 +2,7 @@
  * @name Missing return-value check for a 'scanf'-like function
  * @description Failing to check that a call to 'scanf' actually writes to an
  *              output variable can lead to unexpected behavior at reading time.
- * @kind path-problem
+ * @kind problem
  * @problem.severity warning
  * @security-severity 7.5
  * @precision medium
@@ -18,9 +18,16 @@ import semmle.code.cpp.commons.Scanf
 import semmle.code.cpp.controlflow.Guards
 import semmle.code.cpp.dataflow.new.DataFlow::DataFlow
 import semmle.code.cpp.ir.IR
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.ir.ValueNumbering
 import ScanfChecks
-import ScanfToUseFlow::PathGraph
+
+/** Holds if `n` reaches an argument  to a call to a `scanf`-like function. */
+pragma[nomagic]
+predicate revFlow0(Node n) {
+  isSink(_, _, n, _)
+  or
+  exists(Node succ | revFlow0(succ) | localFlowStep(n, succ))
+}
 
 /**
  * Holds if `n` represents an uninitialized stack-allocated variable, or a
@@ -31,45 +38,30 @@ predicate isUninitialized(Node n) {
   n.asIndirectExpr(1) instanceof AllocationExpr
 }
 
+pragma[nomagic]
+predicate fwdFlow0(Node n) {
+  revFlow0(n) and
+  (
+    isUninitialized(n)
+    or
+    exists(Node prev |
+      fwdFlow0(prev) and
+      localFlowStep(prev, n)
+    )
+  )
+}
+
 predicate isSink(ScanfFunctionCall call, int index, Node n, Expr input) {
   input = call.getOutputArgument(index) and
   n.asIndirectExpr() = input
 }
 
-/**
- * A configuration to track a uninitialized data flowing to a `scanf`-like
- * output parameter position.
- *
- * This is meant to be a simple flow to rule out cases like:
- * ```
- * int x = 0;
- * scanf(..., &x);
- * use(x);
- * ```
- * since `x` is already initialized it's not a security concern that `x` is
- * used without checking the return value of `scanf`.
- *
- * Since this flow is meant to be simple, we disable field flow and require the
- * source and the sink to be in the same callable.
- */
-module UninitializedToScanfConfig implements ConfigSig {
-  predicate isSource(Node source) { isUninitialized(source) }
-
-  predicate isSink(Node sink) { isSink(_, _, sink, _) }
-
-  FlowFeature getAFeature() { result instanceof FeatureEqualSourceSinkCallContext }
-
-  int accessPathLimit() { result = 0 }
-}
-
-module UninitializedToScanfFlow = Global<UninitializedToScanfConfig>;
-
 /**
  * Holds if `call` is a `scanf`-like call and `output` is the `index`'th
  * argument that has not been previously initialized.
  */
 predicate isRelevantScanfCall(ScanfFunctionCall call, int index, Expr output) {
-  exists(Node n | UninitializedToScanfFlow::flowTo(n) and isSink(call, index, n, output)) and
+  exists(Node n | fwdFlow0(n) and isSink(call, index, n, output)) and
   // Exclude results from incorrectky checked scanf query
   not incorrectlyCheckedScanf(call)
 }
@@ -85,6 +77,31 @@ predicate isSource(ScanfFunctionCall call, int index, Node n, Expr output) {
   n.asDefiningArgument() = output
 }
 
+/**
+ * Holds if `n` is reachable from an output argument of a relevant call to
+ * a `scanf`-like function.
+ */
+pragma[nomagic]
+predicate fwdFlow(Node n) {
+  isSource(_, _, n, _)
+  or
+  exists(Node prev |
+    fwdFlow(prev) and
+    localFlowStep(prev, n) and
+    not isSanitizerOut(prev)
+  )
+}
+
+/** Holds if `n` should not have outgoing flow. */
+predicate isSanitizerOut(Node n) {
+  // We disable flow out of sinks to reduce result duplication
+  isSink(n, _)
+  or
+  // If the node is being passed to a function it may be
+  // modified, and thus it's safe to later read the value.
+  exists(n.asIndirectArgument())
+}
+
 /**
  * Holds if `n` is a node such that `n.asExpr() = e` and `e` is not an
  * argument of a deallocation expression.
@@ -95,37 +112,40 @@ predicate isSink(Node n, Expr e) {
 }
 
 /**
- * A configuration to track flow from the output argument of a call to a
- * `scanf`-like function, and to a use of the defined variable.
+ * Holds if `n` is part of a path from a call to a `scanf`-like function
+ * to a use of the written variable.
  */
-module ScanfToUseConfig implements ConfigSig {
-  predicate isSource(Node source) { isSource(_, _, source, _) }
-
-  predicate isSink(Node sink) { isSink(sink, _) }
-
-  predicate isBarrierOut(Node n) {
-    // We disable flow out of sinks to reduce result duplication
+pragma[nomagic]
+predicate revFlow(Node n) {
+  fwdFlow(n) and
+  (
     isSink(n, _)
     or
-    // If the node is being passed to a function it may be
-    // modified, and thus it's safe to later read the value.
-    exists(n.asIndirectArgument())
-  }
+    exists(Node succ |
+      revFlow(succ) and
+      localFlowStep(n, succ) and
+      not isSanitizerOut(n)
+    )
+  )
 }
 
-module ScanfToUseFlow = Global<ScanfToUseConfig>;
+/** A local flow step, restricted to relevant dataflow nodes. */
+private predicate step(Node n1, Node n2) {
+  revFlow(n1) and
+  revFlow(n2) and
+  localFlowStep(n1, n2)
+}
+
+predicate hasFlow(Node n1, Node n2) = fastTC(step/2)(n1, n2)
 
 /**
  * Holds if `source` is the `index`'th argument to the `scanf`-like call `call`, and `sink` is
  * a dataflow node that represents the expression `e`.
  */
-predicate flowPath(
-  ScanfToUseFlow::PathNode source, ScanfFunctionCall call, int index, ScanfToUseFlow::PathNode sink,
-  Expr e
-) {
-  isSource(call, index, source.getNode(), _) and
-  ScanfToUseFlow::flowPath(source, sink) and
-  isSink(sink.getNode(), e)
+predicate hasFlow(Node source, ScanfFunctionCall call, int index, Node sink, Expr e) {
+  isSource(call, index, source, _) and
+  hasFlow(source, sink) and
+  isSink(sink, e)
 }
 
 /**
@@ -147,33 +167,39 @@ int getMinimumGuardConstant(ScanfFunctionCall call, int index) {
  * Holds the access to `e` isn't guarded by a check that ensures that `call` returned
  * at least `minGuard`.
  */
-predicate hasNonGuardedAccess(
-  ScanfToUseFlow::PathNode source, ScanfFunctionCall call, ScanfToUseFlow::PathNode sink, Expr e,
-  int minGuard
-) {
+predicate hasNonGuardedAccess(ScanfFunctionCall call, Expr e, int minGuard) {
   exists(int index |
-    flowPath(source, call, index, sink, e) and
+    hasFlow(_, call, index, _, e) and
     minGuard = getMinimumGuardConstant(call, index)
   |
-    not exists(GuardCondition guard |
-      // call == k and k >= minGuard so call >= minGuard
-      guard
-          .ensuresEq(globalValueNumber(call).getAnExpr(), any(int k | minGuard <= k),
-            e.getBasicBlock(), true)
+    not exists(int value |
+      e.getBasicBlock() = blockGuardedBy(value, "==", call) and minGuard <= value
       or
-      // call >= k and k >= minGuard so call >= minGuard
-      guard
-          .ensuresLt(globalValueNumber(call).getAnExpr(), any(int k | minGuard <= k),
-            e.getBasicBlock(), false)
+      e.getBasicBlock() = blockGuardedBy(value, "<", call) and minGuard - 1 <= value
+      or
+      e.getBasicBlock() = blockGuardedBy(value, "<=", call) and minGuard <= value
     )
   )
 }
 
-from
-  ScanfToUseFlow::PathNode source, ScanfToUseFlow::PathNode sink, ScanfFunctionCall call, Expr e,
-  int minGuard
-where hasNonGuardedAccess(source, call, sink, e, minGuard)
-select e, source, sink,
+/** Returns a block guarded by the assertion of `value op call` */
+BasicBlock blockGuardedBy(int value, string op, ScanfFunctionCall call) {
+  exists(GuardCondition g, Expr left, Expr right |
+    right = g.getAChild() and
+    value = left.getValue().toInt() and
+    localExprFlow(call, right)
+  |
+    g.ensuresEq(left, right, 0, result, true) and op = "=="
+    or
+    g.ensuresLt(left, right, 0, result, true) and op = "<"
+    or
+    g.ensuresLt(left, right, 1, result, true) and op = "<="
+  )
+}
+
+from ScanfFunctionCall call, Expr e, int minGuard
+where hasNonGuardedAccess(call, e, minGuard)
+select e,
   "This variable is read, but may not have been written. " +
     "It should be guarded by a check that the $@ returns at least " + minGuard + ".", call,
   call.toString()

cpp/ql/src/Critical/ScanfChecks.qll

@@ -3,11 +3,15 @@ private import semmle.code.cpp.commons.Scanf
 private import semmle.code.cpp.controlflow.IRGuards
 private import semmle.code.cpp.ir.ValueNumbering
 
+private ConstantInstruction getZeroInstruction() { result.getValue() = "0" }
+
+private Operand zero() { result.getDef() = getZeroInstruction() }
+
 private predicate exprInBooleanContext(Expr e) {
   exists(IRGuardCondition gc |
     exists(Instruction i |
       i.getUnconvertedResultExpression() = e and
-      gc.comparesEq(valueNumber(i).getAUse(), 0, _, _)
+      gc.comparesEq(valueNumber(i).getAUse(), zero(), 0, _, _)
     )
     or
     gc.getUnconvertedResultExpression() = e
@@ -32,6 +36,10 @@ private string getEofValue() {
   )
 }
 
+private ConstantInstruction getEofInstruction() { result.getValue() = getEofValue() }
+
+private Operand eof() { result.getDef() = getEofInstruction() }
+
 /**
  * Holds if the value of `call` has been checked to not equal `EOF`.
  */
@@ -39,10 +47,10 @@ private predicate checkedForEof(ScanfFunctionCall call) {
   exists(IRGuardCondition gc |
     exists(Instruction i | i.getUnconvertedResultExpression() = call |
       // call == EOF
-      gc.comparesEq(valueNumber(i).getAUse(), getEofValue().toInt(), _, _)
+      gc.comparesEq(valueNumber(i).getAUse(), eof(), 0, _, _)
       or
       // call < 0 (EOF is guaranteed to be negative)
-      gc.comparesLt(valueNumber(i).getAUse(), 0, true, _)
+      gc.comparesLt(valueNumber(i).getAUse(), zero(), 0, true, _)
     )
   )
 }

cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql

@@ -37,37 +37,6 @@ class UncalledFunction extends Function {
   }
 }
 
-/** The `unsigned short` type. */
-class UnsignedShort extends ShortType {
-  UnsignedShort() { this.isUnsigned() }
-}
-
-/**
- * Holds if `t` cannot refer to a string. That is, it's a built-in
- * or arithmetic type that is not a "`char` like" type.
- */
-predicate cannotContainString(Type t) {
-  exists(Type unspecified |
-    unspecified = t.getUnspecifiedType() and
-    not unspecified instanceof UnknownType and
-    not unspecified instanceof CharType and
-    not unspecified instanceof WideCharType and
-    not unspecified instanceof Char8Type and
-    not unspecified instanceof Char16Type and
-    not unspecified instanceof Char32Type and
-    // C often defines `wchar_t` as `unsigned short`
-    not unspecified instanceof UnsignedShort
-  |
-    unspecified instanceof ArithmeticType or
-    unspecified instanceof BuiltInType
-  )
-}
-
-predicate dataFlowOrTaintFlowFunction(Function func, FunctionOutput output) {
-  func.(DataFlowFunction).hasDataFlow(_, output) or
-  func.(TaintFunction).hasTaintFlow(_, output)
-}
-
 /**
  * Holds if `node` is a non-constant source of data flow for non-const format string detection.
  * This is defined as either:
@@ -100,9 +69,7 @@ predicate isNonConst(DataFlow::Node node) {
   // Parameters of uncalled functions that aren't const
   exists(UncalledFunction f, Parameter p |
     f.getAParameter() = p and
-    // We pick the indirection of the parameter since this query is focused
-    // on strings.
-    p = node.asParameter(1) and
+    p = node.asParameter() and
     // Ignore main's argv parameter as it is already considered a `FlowSource`
     // not ignoring it will result in path redundancies
     (f.getName() = "main" implies p != f.getParameter(1))
@@ -115,27 +82,30 @@ predicate isNonConst(DataFlow::Node node) {
   //       are considered as possible non-const sources
   // The function's output must also not be const to be considered a non-const source
   exists(Function func, CallInstruction call |
-    not func.hasDefinition() and
-    func = call.getStaticCallTarget()
-  |
-    // Case 1: It's a known dataflow or taintflow function with flow to the return value
-    call.getUnconvertedResultExpression() = node.asIndirectExpr() and
-    not exists(FunctionOutput output |
-      dataFlowOrTaintFlowFunction(func, output) and
-      output.isReturnValueDeref(_) and
-      node = callOutput(call, output)
+    // NOTE: could use `Call` getAnArgument() instead of `CallInstruction` but requires two
+    // variables representing the same call in ordoer to use `callOutput` below.
+    exists(Expr arg |
+      call.getPositionalArgumentOperand(_).getDef().getUnconvertedResultExpression() = arg and
+      arg = node.asDefiningArgument()
     )
     or
-    // Case 2: It's a known dataflow or taintflow function with flow to an output parameter
-    exists(int i |
-      call.getPositionalArgumentOperand(i).getDef().getUnconvertedResultExpression() =
-        node.asDefiningArgument() and
-      not exists(FunctionOutput output |
-        dataFlowOrTaintFlowFunction(func, output) and
-        output.isParameterDeref(i, _) and
-        node = callOutput(call, output)
-      )
+    call.getUnconvertedResultExpression() = node.asIndirectExpr()
+  |
+    func = call.getStaticCallTarget() and
+    not exists(FunctionOutput output |
+      // NOTE: we must include dataflow and taintflow. e.g., including only dataflow we will find sprintf
+      // variant function's output are now possible non-const sources
+      pragma[only_bind_out](func).(DataFlowFunction).hasDataFlow(_, output) or
+      pragma[only_bind_out](func).(TaintFunction).hasTaintFlow(_, output)
+    |
+      node = callOutput(call, output)
     )
+  ) and
+  not exists(Call c |
+    c.getTarget().hasDefinition() and
+    if node instanceof DataFlow::DefinitionByReferenceNode
+    then c.getAnArgument() = node.asDefiningArgument()
+    else c = [node.asExpr(), node.asIndirectExpr()]
   )
 }
 
@@ -144,29 +114,18 @@ predicate isNonConst(DataFlow::Node node) {
  * `FormattingFunctionCall`.
  */
 predicate isSinkImpl(DataFlow::Node sink, Expr formatString) {
-  sink.asIndirectExpr() = formatString and
+  [sink.asExpr(), sink.asIndirectExpr()] = formatString and
   exists(FormattingFunctionCall fc | formatString = fc.getArgument(fc.getFormatParameterIndex()))
 }
 
 module NonConstFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    exists(Type t |
-      isNonConst(source) and
-      t = source.getType() and
-      not cannotContainString(t)
-    )
-  }
+  predicate isSource(DataFlow::Node source) { isNonConst(source) }
 
   predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
 
   predicate isBarrier(DataFlow::Node node) {
     // Ignore tracing non-const through array indices
-    exists(ArrayExpr a | a.getArrayOffset() = node.asIndirectExpr())
-    or
-    exists(Type t |
-      t = node.getType() and
-      cannotContainString(t)
-    )
+    exists(ArrayExpr a | a.getArrayOffset() = node.asExpr())
   }
 }
 

cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql

@@ -2,7 +2,7 @@
  * @name Potentially uninitialized local variable
  * @description Reading from a local variable that has not been assigned to
  *              will typically yield garbage.
- * @kind path-problem
+ * @kind problem
  * @id cpp/uninitialized-local
  * @problem.severity warning
  * @security-severity 7.8
@@ -15,7 +15,6 @@
 import cpp
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.MustFlow
-import PathGraph
 
 /**
  * Auxiliary predicate: Types that don't require initialization
@@ -90,4 +89,4 @@ where
   conf.hasFlowPath(source, sink) and
   isSinkImpl(sink.getInstruction(), va) and
   v = va.getTarget()
-select va, source, sink, "The variable $@ may not be initialized at this access.", v, v.getName()
+select va, "The variable $@ may not be initialized at this access.", v, v.getName()

cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql

@@ -1,9 +1,8 @@
 /**
- * @name boost::asio TLS settings misconfiguration
+ * @name Boost_asio TLS Settings Misconfiguration
  * @description Using the TLS or SSLv23 protocol from the boost::asio library, but not disabling deprecated protocols, or disabling minimum-recommended protocols.
  * @kind problem
  * @problem.severity error
- * @precision medium
  * @security-severity 7.5
  * @id cpp/boost/tls-settings-misconfiguration
  * @tags security
@@ -13,41 +12,34 @@
 import cpp
 import semmle.code.cpp.security.boostorg.asio.protocols
 
-predicate isSourceImpl(DataFlow::Node source, ConstructorCall cc) {
-  exists(BoostorgAsio::SslContextClass c | c.getAContructorCall() = cc and cc = source.asExpr())
-}
-
-predicate isSinkImpl(DataFlow::Node sink, FunctionCall fcSetOptions) {
-  exists(BoostorgAsio::SslSetOptionsFunction f |
-    f.getACallToThisFunction() = fcSetOptions and
-    fcSetOptions.getQualifier() = sink.asIndirectExpr()
-  )
-}
-
 module ExistsAnyFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) }
+  predicate isSource(DataFlow::Node source) {
+    exists(BoostorgAsio::SslContextClass c | c.getAContructorCall() = source.asExpr())
+  }
 
-  predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
+  predicate isSink(DataFlow::Node sink) {
+    exists(BoostorgAsio::SslSetOptionsFunction f, FunctionCall fcSetOptions |
+      f.getACallToThisFunction() = fcSetOptions and
+      fcSetOptions.getQualifier() = sink.asExpr()
+    )
+  }
 }
 
 module ExistsAnyFlow = DataFlow::Global<ExistsAnyFlowConfig>;
 
 bindingset[flag]
 predicate isOptionSet(ConstructorCall cc, int flag, FunctionCall fcSetOptions) {
-  exists(
-    VariableAccess contextSetOptions, BoostorgAsio::SslSetOptionsFunction f, DataFlow::Node source,
-    DataFlow::Node sink
-  |
-    isSourceImpl(source, cc) and
-    isSinkImpl(sink, fcSetOptions) and
-    ExistsAnyFlow::flow(source, sink) and
-    f.getACallToThisFunction() = fcSetOptions and
-    contextSetOptions = fcSetOptions.getQualifier() and
-    forex(Expr optionArgument |
-      optionArgument = fcSetOptions.getArgument(0) and
-      BoostorgAsio::SslOptionFlow::flowTo(DataFlow::exprNode(optionArgument))
-    |
-      optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
+  exists(VariableAccess contextSetOptions |
+    ExistsAnyFlow::flow(DataFlow::exprNode(cc), DataFlow::exprNode(contextSetOptions)) and
+    exists(BoostorgAsio::SslSetOptionsFunction f | f.getACallToThisFunction() = fcSetOptions |
+      contextSetOptions = fcSetOptions.getQualifier() and
+      forall(Expr optionArgument, Expr optionArgumentSource |
+        optionArgument = fcSetOptions.getArgument(0) and
+        BoostorgAsio::SslOptionFlow::flow(DataFlow::exprNode(optionArgumentSource),
+          DataFlow::exprNode(optionArgument))
+      |
+        optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
+      )
     )
   )
 }

cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql

@@ -1,9 +1,8 @@
 /**
- * @name boost::asio use of deprecated hardcoded protocol
+ * @name boost::asio Use of deprecated hardcoded Protocol
  * @description Using a deprecated hard-coded protocol using the boost::asio library.
  * @kind problem
  * @problem.severity error
- * @precision medium
  * @security-severity 7.5
  * @id cpp/boost/use-of-deprecated-hardcoded-security-protocol
  * @tags security

cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.qhelp

@@ -1,50 +0,0 @@
-<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>
-Certain casts in C and C++ place no restrictions on the target type. For
-example, C style casts such as <code>(MyClass*)p</code> allows the programmer
-to cast any pointer <code>p</code> to an expression of type <code>MyClass*</code>.
-If the runtime type of <code>p</code> turns out to be a type that's incompatible
-with <code>MyClass</code>, this results in undefined behavior.
-</p>
-</overview>
-
-<recommendation>
-<p>
-If possible, use <code>dynamic_cast</code> to safely cast between polymorphic types.
-If <code>dynamic_cast</code> is not an option, use <code>static_cast</code> to restrict
-the kinds of conversions that the compiler is allowed to perform. If C++ style casts is
-not an option, carefully check that all casts are safe.
-</p>
-</recommendation>
-
-<example>
-<p>
-Consider the following class hierachy where we define a base class <code>Shape</code> and two
-derived classes <code>Circle</code> and <code>Square</code> that are mutually incompatible:
-</p>
-<sample src="TypeConfusionCommon.cpp"/>
-
-<p>
-The following code demonstrates a type confusion vulnerability where the programmer
-assumes that the runtime type of <code>p</code> is always a <code>Square</code>.
-However, if <code>p</code> is a <code>Circle</code>, the cast will result in undefined behavior.
-</p>
-<sample src="TypeConfusionBad.cpp"/>
-
-<p>
-The following code fixes the vulnerability by using <code>dynamic_cast</code> to
-safely cast between polymorphic types. If the cast fails, <code>dynamic_cast</code>
-returns a null pointer, which can be checked for and handled appropriately.
-</p>
-<sample src="TypeConfusionGood.cpp"/>
-</example>
-
-<references>
-<li>
-Microsoft Learn: <a href="https://learn.microsoft.com/en-us/cpp/cpp/type-conversions-and-type-safety-modern-cpp">Type conversions and type safety</a>.
-</li>
-</references>
-</qhelp>

cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql

@@ -1,263 +0,0 @@
-/**
- * @name Type confusion
- * @description Casting a value to an incompatible type can lead to undefined behavior.
- * @kind path-problem
- * @problem.severity warning
- * @security-severity 9.3
- * @precision medium
- * @id cpp/type-confusion
- * @tags security
- *       external/cwe/cwe-843
- */
-
-import cpp
-import semmle.code.cpp.dataflow.new.DataFlow
-import Flow::PathGraph
-
-/**
- * Holds if `f` is a field located at byte offset `offset` in `c`.
- *
- * Note that predicate is recursive, so that given the following:
- * ```cpp
- * struct S1 {
- *   int a;
- *   void* b;
- * };
- *
- * struct S2 {
- *   S1 s1;
- *   char c;
- * };
- * ```
- * both `hasAFieldWithOffset(S2, s1, 0)` and `hasAFieldWithOffset(S2, a, 0)`
- * holds.
- */
-predicate hasAFieldWithOffset(Class c, Field f, int offset) {
-  // Base case: `f` is a field in `c`.
-  f = c.getAField() and
-  offset = f.getByteOffset() and
-  not f.getUnspecifiedType().(Class).hasDefinition()
-  or
-  // Otherwise, we find the struct that is a field of `c` which then has
-  // the field `f` as a member.
-  exists(Field g |
-    g = c.getAField() and
-    // Find the field with the largest offset that's less than or equal to
-    // offset. That's the struct we need to search recursively.
-    g =
-      max(Field cand, int candOffset |
-        cand = c.getAField() and
-        candOffset = cand.getByteOffset() and
-        offset >= candOffset
-      |
-        cand order by candOffset
-      ) and
-    hasAFieldWithOffset(g.getUnspecifiedType(), f, offset - g.getByteOffset())
-  )
-}
-
-/** Holds if `f` is the last field of its declaring class. */
-predicate lastField(Field f) {
-  exists(Class c | c = f.getDeclaringType() |
-    f =
-      max(Field cand, int byteOffset |
-        cand.getDeclaringType() = c and byteOffset = f.getByteOffset()
-      |
-        cand order by byteOffset
-      )
-  )
-}
-
-/**
- * Holds if there exists a field in `c2` at offset `offset` that's compatible
- * with `f1`.
- */
-bindingset[f1, offset, c2]
-pragma[inline_late]
-predicate hasCompatibleFieldAtOffset(Field f1, int offset, Class c2) {
-  exists(Field f2 | hasAFieldWithOffset(c2, f2, offset) |
-    // Let's not deal with bit-fields for now.
-    f2 instanceof BitField
-    or
-    f1.getUnspecifiedType().getSize() = f2.getUnspecifiedType().getSize()
-    or
-    lastField(f1) and
-    f1.getUnspecifiedType().getSize() <= f2.getUnspecifiedType().getSize()
-  )
-}
-
-/**
- * Holds if `c1` is a prefix of `c2`.
- */
-bindingset[c1, c2]
-pragma[inline_late]
-predicate prefix(Class c1, Class c2) {
-  not c1.isPolymorphic() and
-  not c2.isPolymorphic() and
-  if c1 instanceof Union
-  then
-    // If it's a union we just verify that one of it's variants is compatible with the other class
-    exists(Field f1, int offset |
-      // Let's not deal with bit-fields for now.
-      not f1 instanceof BitField and
-      hasAFieldWithOffset(c1, f1, offset)
-    |
-      hasCompatibleFieldAtOffset(f1, offset, c2)
-    )
-  else
-    forall(Field f1, int offset |
-      // Let's not deal with bit-fields for now.
-      not f1 instanceof BitField and
-      hasAFieldWithOffset(c1, f1, offset)
-    |
-      hasCompatibleFieldAtOffset(f1, offset, c2)
-    )
-}
-
-/**
- * An unsafe cast is any explicit cast that is not
- * a `dynamic_cast`.
- */
-class UnsafeCast extends Cast {
-  private Class toType;
-
-  UnsafeCast() {
-    (
-      this instanceof CStyleCast
-      or
-      this instanceof StaticCast
-      or
-      this instanceof ReinterpretCast
-    ) and
-    toType = this.getExplicitlyConverted().getUnspecifiedType().stripType() and
-    not this.isImplicit() and
-    exists(TypeDeclarationEntry tde |
-      tde = toType.getDefinition() and
-      not tde.isFromUninstantiatedTemplate(_)
-    )
-  }
-
-  Class getConvertedType() { result = toType }
-
-  /**
-   * Holds if the result of this cast can safely be interpreted as a value of
-   * type `t`.
-   *
-   * The compatibility rules are as follows:
-   *
-   * 1. the result of `(T)x` is compatible with the type `T` for any `T`
-   * 2. the result of `(T)x` is compatible with the type `U` for any `U` such
-   *    that `U` is a subtype of `T`, or `T` is a subtype of `U`.
-   * 3. the result of `(T)x` is compatible with the type `U` if the list
-   *    of fields of `T` is a prefix of the list of fields of `U`.
-   *    For example, if `U` is `struct { unsigned char x; int y; };`
-   *    and `T` is `struct { unsigned char uc; };`.
-   * 4. the result of `(T)x` is compatible with the type `U` if the list
-   *    of fields of `U` is a prefix of the list of fields of `T`.
-   *
-   *    Condition 4 is a bit controversial, since it assumes that the additional
-   *    fields in `T` won't be accessed. This may result in some FNs.
-   */
-  bindingset[this, t]
-  pragma[inline_late]
-  predicate compatibleWith(Type t) {
-    // Conition 1
-    t.stripType() = this.getConvertedType()
-    or
-    // Condition 3
-    prefix(this.getConvertedType(), t.stripType())
-    or
-    // Condition 4
-    prefix(t.stripType(), this.getConvertedType())
-    or
-    // Condition 2 (a)
-    t.stripType().(Class).getABaseClass+() = this.getConvertedType()
-    or
-    // Condition 2 (b)
-    t.stripType() = this.getConvertedType().getABaseClass+()
-  }
-}
-
-/**
- * Holds if `source` is an allocation that allocates a value of type `type`.
- */
-predicate isSourceImpl(DataFlow::Node source, Class type) {
-  exists(AllocationExpr alloc |
-    alloc = source.asExpr() and
-    type = alloc.getAllocatedElementType().stripType() and
-    not exists(
-      alloc
-          .(NewOrNewArrayExpr)
-          .getAllocator()
-          .(OperatorNewAllocationFunction)
-          .getPlacementArgument()
-    )
-  ) and
-  exists(TypeDeclarationEntry tde |
-    tde = type.getDefinition() and
-    not tde.isFromUninstantiatedTemplate(_)
-  )
-}
-
-/** A configuration describing flow from an allocation to a potentially unsafe cast. */
-module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) }
-
-  predicate isBarrier(DataFlow::Node node) {
-    // We disable flow through global variables to reduce FPs from infeasible paths
-    node instanceof DataFlow::VariableNode
-    or
-    exists(Class c | c = node.getType().stripType() |
-      not c.hasDefinition()
-      or
-      exists(TypeDeclarationEntry tde |
-        tde = c.getDefinition() and
-        tde.isFromUninstantiatedTemplate(_)
-      )
-    )
-  }
-
-  predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(UnsafeCast cast).getUnconverted() }
-
-  int fieldFlowBranchLimit() { result = 0 }
-}
-
-module Flow = DataFlow::Global<Config>;
-
-predicate relevantType(DataFlow::Node sink, Class allocatedType) {
-  exists(DataFlow::Node source |
-    Flow::flow(source, sink) and
-    isSourceImpl(source, allocatedType)
-  )
-}
-
-predicate isSinkImpl(
-  DataFlow::Node sink, Class allocatedType, Type convertedType, boolean compatible
-) {
-  exists(UnsafeCast cast |
-    relevantType(sink, allocatedType) and
-    sink.asExpr() = cast.getUnconverted() and
-    convertedType = cast.getConvertedType()
-  |
-    if cast.compatibleWith(allocatedType) then compatible = true else compatible = false
-  )
-}
-
-from
-  Flow::PathNode source, Flow::PathNode sink, Type badSourceType, Type sinkType,
-  DataFlow::Node sinkNode
-where
-  Flow::flowPath(source, sink) and
-  sinkNode = sink.getNode() and
-  isSourceImpl(source.getNode(), badSourceType) and
-  isSinkImpl(sinkNode, badSourceType, sinkType, false) and
-  // If there is any flow that would result in a valid cast then we don't
-  // report an alert here. This reduces the number of FPs from infeasible paths
-  // significantly.
-  not exists(DataFlow::Node goodSource, Type goodSourceType |
-    isSourceImpl(goodSource, goodSourceType) and
-    isSinkImpl(sinkNode, goodSourceType, sinkType, true) and
-    Flow::flow(goodSource, sinkNode)
-  )
-select sinkNode, source, sink, "Conversion from $@ to $@ is invalid.", badSourceType,
-  badSourceType.toString(), sinkType, sinkType.toString()

cpp/ql/src/Security/CWE/CWE-843/TypeConfusionBad.cpp

@@ -1,7 +0,0 @@
-void allocate_and_draw_bad() {
-  Shape* shape = new Circle;
-  // ...
-  // BAD: Assumes that shape is always a Square
-  Square* square = static_cast<Square*>(shape);
-  int length = square->getLength();
-}

cpp/ql/src/Security/CWE/CWE-843/TypeConfusionCommon.cpp

@@ -1,25 +0,0 @@
-struct Shape {
-  virtual ~Shape();
-
-  virtual void draw() = 0;
-};
-
-struct Circle : public Shape {
-  Circle();
-
-  void draw() override {
-    /* ... */
-  }
-
-  int getRadius();
-};
-
-struct Square : public Shape {
-  Square();
-
-  void draw() override {
-    /* ... */
-  }
-
-  int getLength();
-};

cpp/ql/src/Security/CWE/CWE-843/TypeConfusionGood.cpp

@@ -1,11 +0,0 @@
-void allocate_and_draw_good() {
-  Shape* shape = new Circle;
-  // ...
-  // GOOD: Dynamically checks if shape is a Square
-  Square* square = dynamic_cast<Square*>(shape);
-  if(square) {
-    int length = square->getLength();
-  } else {
-    // handle error
-  }
-}

cpp/ql/src/Summary/LinesOfUserCode.ql

@@ -4,7 +4,6 @@
  * @kind metric
  * @tags summary
  *       lines-of-code
- *       debug
  * @id cpp/summary/lines-of-user-code
  */
 

cpp/ql/src/change-notes/2024-02-16-modelled-functions-block-flow.md

@@ -1,6 +1,4 @@
-## 0.9.6
-
-### Minor Analysis Improvements
-
-* The "non-constant format string" query (`cpp/non-constant-format`) has been converted to a `path-problem` query.
+---
+category: minorAnalysis
+---
 * The new C/C++ dataflow and taint-tracking libraries (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now implicitly assume that dataflow and taint modelled via `DataFlowFunction` and `TaintFunction` always fully overwrite their buffers and thus act as flow barriers. As a result, many dataflow and taint-tracking queries now produce fewer false positives. To remove this assumption and go back to the previous behavior for a given model, one can override the new `isPartialWrite` predicate.

cpp/ql/src/change-notes/2024-02-29-non-constant-format-path-query.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "non-constant format string" query (`cpp/non-constant-format`) has been converted to a `path-problem` query.

cpp/ql/src/change-notes/released/0.9.7.md

@@ -1,3 +0,0 @@
-## 0.9.7
-
-No user-facing changes.

cpp/ql/src/change-notes/released/0.9.8.md

@@ -1,3 +0,0 @@
-## 0.9.8
-
-No user-facing changes.

cpp/ql/src/change-notes/released/0.9.9.md

@@ -1,15 +0,0 @@
-## 0.9.9
-
-### New Queries
-
-* Added a new query, `cpp/type-confusion`, to detect casts to invalid types.
-
-### Query Metadata Changes
-
-* `@precision medium` metadata was added to the `cpp/boost/tls-settings-misconfiguration` and `cpp/boost/use-of-deprecated-hardcoded-security-protocol` queries, and these queries are now included in the security-extended suite. The `@name` metadata of these queries were also updated.
-
-### Minor Analysis Improvements
-
-* The "Missing return-value check for a 'scanf'-like function" query (`cpp/missing-check-scanf`) has been converted to a `path-problem` query.
-* The "Potentially uninitialized local variable" query (`cpp/uninitialized-local`) has been converted to a `path-problem` query.
-* Added models for `GLib` allocation and deallocation functions.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.9.9
+lastReleaseVersion: 0.9.5

cpp/ql/src/experimental/Security/CWE/CWE-416/IteratorToExpiredContainer.qhelp

@@ -1,53 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>
-Using an iterator owned by a container after the lifetime of the container has expired can lead to undefined behavior.
-This is because the iterator may be invalidated when the container is destroyed, and dereferencing an invalidated iterator is undefined behavior.
-These problems can be hard to spot due to C++'s complex rules for temporary object lifetimes and their extensions.
-</p>
-
-</overview>
-<recommendation>
-
-<p>
-Never create an iterator to a temporary container when the iterator is expected to be used after the container's lifetime has expired.
-</p>
-
-</recommendation>
-<example>
-<p>
-
-</p>
-
-<p>
-The rules for lifetime extension ensures that the code in <code>lifetime_of_temp_extended</code> is well-defined. This is because the
-lifetime of the temporary container returned by <code>get_vector</code> is extended to the end of the loop. However, prior to C++23,
-the lifetime extension rules do not ensure that the container returned by <code>get_vector</code> is extended in <code>lifetime_of_temp_not_extended</code>.
-This is because the temporary container is not bound to a rvalue reference.
-</p>
-<sample src="IteratorToExpiredContainerExtendedLifetime.cpp" />
-
-</example>
-<references>
-
-<li>CERT C Coding Standard:
-<a href="https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory">MEM30-C. Do not access freed memory</a>.</li>
-<li>
-OWASP:
-<a href="https://owasp.org/www-community/vulnerabilities/Using_freed_memory">Using freed memory</a>.
-</li>
-<li>
-<a href="https://github.com/isocpp/CppCoreGuidelines/blob/master/docs/Lifetime.pdf">Lifetime safety: Preventing common dangling</a>
-</li>
-<li>
-<a href="https://en.cppreference.com/w/cpp/container">Containers library</a>
-</li>
-<li>
-<a href="https://en.cppreference.com/w/cpp/language/range-for">Range-based for loop (since C++11)</a>
-</li>
-
-</references>
-</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-416/IteratorToExpiredContainer.ql

@@ -1,103 +0,0 @@
-/**
- * @name Iterator to expired container
- * @description Using an iterator owned by a container whose lifetime has expired may lead to unexpected behavior.
- * @kind problem
- * @precision high
- * @id cpp/iterator-to-expired-container
- * @problem.severity warning
- * @tags reliability
- *       security
- *       external/cwe/cwe-416
- *       external/cwe/cwe-664
- */
-
-// IMPORTANT: This query does not currently find anything since it relies on extractor and analysis improvements that hasn't yet been released
-import cpp
-import semmle.code.cpp.ir.IR
-import semmle.code.cpp.dataflow.new.DataFlow
-import semmle.code.cpp.models.implementations.StdContainer
-import semmle.code.cpp.models.implementations.StdMap
-import semmle.code.cpp.models.implementations.Iterator
-
-/**
- * A configuration to track flow from a temporary variable to the qualifier of
- * a destructor call
- */
-module TempToDestructorConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.asInstruction().(VariableAddressInstruction).getIRVariable() instanceof IRTempVariable
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    sink.asOperand().(ThisArgumentOperand).getCall().getStaticCallTarget() instanceof Destructor
-  }
-}
-
-module TempToDestructorFlow = DataFlow::Global<TempToDestructorConfig>;
-
-/**
- * Gets a `DataFlow::Node` that represents a temporary that will be destroyed
- * by a call to a destructor, or a `DataFlow::Node` that will transitively be
- * destroyed by a call to a destructor.
- *
- * For the latter case, consider something like:
- * ```
- * std::vector<std::vector<int>> get_2d_vector();
- * auto& v = get_2d_vector()[0];
- * ```
- * Given the above, this predicate returns the node corresponding
- * to `get_2d_vector()[0]` since the temporary `get_2d_vector()` gets
- * destroyed by a call to `std::vector<std::vector<int>>::~vector`,
- * and thus the result of `get_2d_vector()[0]` is also an invalid reference.
- */
-DataFlow::Node getADestroyedNode() {
-  exists(TempToDestructorFlow::PathNode destroyedTemp | destroyedTemp.isSource() |
-    result = destroyedTemp.getNode()
-    or
-    exists(CallInstruction call |
-      result.asInstruction() = call and
-      DataFlow::localFlow(destroyedTemp.getNode(),
-        DataFlow::operandNode(call.getThisArgumentOperand()))
-    |
-      call.getStaticCallTarget() instanceof StdSequenceContainerAt or
-      call.getStaticCallTarget() instanceof StdMapAt
-    )
-  )
-}
-
-predicate isSinkImpl(DataFlow::Node sink, FunctionCall fc) {
-  exists(CallInstruction call |
-    call = sink.asOperand().(ThisArgumentOperand).getCall() and
-    fc = call.getUnconvertedResultExpression() and
-    call.getStaticCallTarget() instanceof BeginOrEndFunction
-  )
-}
-
-/**
- * Flow from any destroyed object to the qualifier of a `begin` or `end` call
- */
-module DestroyedToBeginConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source = getADestroyedNode() }
-
-  predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
-
-  DataFlow::FlowFeature getAFeature() {
-    // By blocking argument-to-parameter flow we ensure that we don't enter a
-    // function body where the temporary outlives anything inside the function.
-    // This prevents false positives in cases like:
-    // ```cpp
-    // void foo(const std::vector<int>& v) {
-    //   for(auto x : v) { ... } // this is fine since v outlives the loop
-    // }
-    // ...
-    // foo(create_temporary())
-    // ```
-    result instanceof DataFlow::FeatureHasSinkCallContext
-  }
-}
-
-module DestroyedToBeginFlow = DataFlow::Global<DestroyedToBeginConfig>;
-
-from DataFlow::Node source, DataFlow::Node sink, FunctionCall beginOrEnd
-where DestroyedToBeginFlow::flow(source, sink) and isSinkImpl(sink, beginOrEnd)
-select source, "This object is destroyed before $@ is called.", beginOrEnd, beginOrEnd.toString()

cpp/ql/src/experimental/Security/CWE/CWE-416/IteratorToExpiredContainerExtendedLifetime.cpp

@@ -1,20 +0,0 @@
-#include <vector>
-
-std::vector<int> get_vector();
-
-void use(int);
-
-void lifetime_of_temp_extended() {
-  for(auto x : get_vector()) {
-    use(x); // GOOD: The lifetime of the vector returned by `get_vector()` is extended until the end of the loop.
-  }
-}
-
-// Writes the the values of `v` to an external log and returns it unchanged.
-const std::vector<int>& log_and_return_argument(const std::vector<int>& v);
-
-void lifetime_of_temp_not_extended() {
-  for(auto x : log_and_return_argument(get_vector())) {
-    use(x); // BAD: The lifetime of the vector returned by `get_vector()` is not extended, and the behavior is undefined.
-  }
-}

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.9.9
+version: 0.9.6-dev
 groups:
   - cpp
   - queries