Merge pull request #8233 from github/release-prep/2.8.2

Release preparation for version 2.8.2

.codeqlmanifest.json

@@ -4,15 +4,17 @@
         "*/ql/lib/qlpack.yml",
         "*/ql/test/qlpack.yml",
         "*/ql/examples/qlpack.yml",
-        "*/upgrades/qlpack.yml",
+        "*/ql/consistency-queries/qlpack.yml",
         "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
         "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml",
+        "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml",
         "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
+        "csharp/ql/campaigns/Solorigate/lib/qlpack.yml",
+        "csharp/ql/campaigns/Solorigate/src/qlpack.yml",
+        "csharp/ql/campaigns/Solorigate/test/qlpack.yml",
         "misc/legacy-support/*/qlpack.yml",
         "misc/suite-helpers/qlpack.yml",
         "ruby/extractor-pack/codeql-extractor.yml",
-        "ruby/ql/consistency-queries/qlpack.yml",
-        "ql/ql/consistency-queries/qlpack.yml",
         "ql/extractor-pack/codeql-extractor.yml"
     ],
     "versionPolicies": {

.gitattributes

@@ -50,4 +50,15 @@
 *.pdb -text
 
 java/ql/test/stubs/**/*.java linguist-generated=true
-java/ql/test/experimental/stubs/**/*.java linguist-generated=true
+java/ql/test/experimental/stubs/**/*.java linguist-generated=true
+
+# For some languages, upgrade script testing references really old dbscheme
+# files from legacy upgrades that have CRLF line endings. Since upgrade
+# resolution relies on object hashes, we must suppress line ending conversion
+# for those testing dbscheme files.
+*/ql/lib/upgrades/initial/*.dbscheme -text
+
+# Generated test files - these are synced from the standard JavaScript libraries using
+# `javascript/ql/experimental/adaptivethreatmodeling/test/update_endpoint_test_files.py`.
+javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.js linguist-generated=true -merge
+javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.ts linguist-generated=true -merge

.github/workflows/check-change-note.yml

@@ -6,8 +6,11 @@ on:
     paths:
       - "*/ql/src/**/*.ql"
       - "*/ql/src/**/*.qll"
+      - "*/ql/lib/**/*.ql"
+      - "*/ql/lib/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
+      - ".github/workflows/check-change-note.yml"
 
 jobs:
   check-change-note:

.github/workflows/codeql-analysis.yml

@@ -27,6 +27,11 @@ jobs:
       pull-requests: read
 
     steps:
+    - name: Setup dotnet
+      uses: actions/setup-dotnet@v1
+      with:
+        dotnet-version: 6.0.101
+
     - name: Checkout repository
       uses: actions/checkout@v2
 
@@ -51,7 +56,7 @@ jobs:
     #    uses a compiled language
 
     - run: |
-       dotnet build csharp
+       dotnet build csharp /p:UseSharedCompilation=false
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@main

.github/workflows/csv-coverage-metrics.yml

@@ -0,0 +1,43 @@
+name: "Publish framework coverage as metrics"
+
+on:
+  schedule:
+    - cron: '5 0 * * *'
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/csv-coverage-metrics.yml"
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Setup CodeQL
+        uses: ./.github/actions/fetch-codeql
+      - name: Create empty database
+        run: |
+          DATABASE="${{ runner.temp }}/java-database"
+          PROJECT="${{ runner.temp }}/java-project"
+          mkdir -p "$PROJECT/src/tmp/empty"
+          echo "class Empty {}" >> "$PROJECT/src/tmp/empty/Empty.java"
+          codeql database create "$DATABASE" --language=java --source-root="$PROJECT" --command 'javac src/tmp/empty/Empty.java'
+      - name: Capture coverage information
+        run: |
+          DATABASE="${{ runner.temp }}/java-database"
+          codeql database analyze --format=sarif-latest --output=metrics.sarif -- "$DATABASE" ./java/ql/src/Metrics/Summaries/FrameworkCoverage.ql
+      - uses: actions/upload-artifact@v2
+        with:
+          name: metrics.sarif
+          path: metrics.sarif
+          retention-days: 20
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: metrics.sarif

.github/workflows/js-ml-tests.yml

@@ -0,0 +1,76 @@
+name: JS ML-powered queries tests
+
+on:
+  push:
+    paths:
+      - "javascript/ql/experimental/adaptivethreatmodeling/**"
+      - .github/workflows/js-ml-tests.yml
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "javascript/ql/experimental/adaptivethreatmodeling/**"
+      - .github/workflows/js-ml-tests.yml
+
+defaults:
+  run:
+    working-directory: javascript/ql/experimental/adaptivethreatmodeling
+
+jobs:
+  qlformat:
+    name: Check QL formatting
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: ./.github/actions/fetch-codeql
+
+      - name: Check QL formatting
+        run: |
+          find . "(" -name "*.ql" -or -name "*.qll" ")" -print0 | \
+            xargs -0 codeql query format --check-only
+
+  qlcompile:
+    name: Check QL compilation
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: ./.github/actions/fetch-codeql
+
+      - name: Install pack dependencies
+        run: |
+          for pack in modelbuilding src; do
+            codeql pack install --mode verify -- "${pack}"
+          done
+
+      - name: Check QL compilation
+        run: |
+          codeql query compile \
+            --check-only \
+            --ram 5120 \
+            --additional-packs "${{ github.workspace }}" \
+            --threads=0 \
+            -- \
+            lib modelbuilding src
+
+  qltest:
+    name: Run QL tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: ./.github/actions/fetch-codeql
+
+      - name: Install pack dependencies
+        run: codeql pack install -- test
+
+      - name: Run QL tests
+        run: |
+          codeql test run \
+            --threads=0 \
+            --ram 5120 \
+            --additional-packs "${{ github.workspace }}" \
+            -- \
+            test

.github/workflows/mad_modelDiff.yml

@@ -0,0 +1,103 @@
+name: Models as Data - Diff
+
+on:
+  workflow_dispatch:
+    inputs:
+      projects:
+        description: "The projects to generate models for"
+        required: true
+        default: '["netty/netty"]'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "java/ql/src/utils/model-generator/**/*.*"
+      - ".github/workflows/mad_modelDiff.yml"
+
+permissions:
+  contents: read
+
+jobs:
+  model-diff:
+    name: Model Difference
+    runs-on: ubuntu-latest
+    if: github.repository == 'github/codeql'
+    strategy:
+      matrix:
+        slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
+    steps:
+      - name: Clone github/codeql from PR
+        uses: actions/checkout@v2
+        if: github.event.pull_request
+        with:
+          path: codeql-pr
+      - name: Clone github/codeql from main
+        uses: actions/checkout@v2
+        with:
+          path: codeql-main
+          ref: main
+      - uses: ./codeql-main/.github/actions/fetch-codeql
+      - name: Download database
+        env:
+          SLUG: ${{ matrix.slug }}
+        run: |
+          set -x
+          mkdir lib-dbs
+          SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
+          projectId=`curl -s https://lgtm.com/api/v1.0/projects/g/${SLUG} | jq .id`
+          curl -L "https://lgtm.com/api/v1.0/snapshots/$projectId/java" -o "$SHORTNAME.zip"
+          unzip -q -d "${SHORTNAME}-db" "${SHORTNAME}.zip"
+          mkdir "lib-dbs/$SHORTNAME/"
+          mv "${SHORTNAME}-db/"$(ls -1 "${SHORTNAME}"-db)/* "lib-dbs/${SHORTNAME}/"
+      - name: Generate Models (PR and main)
+        run: |
+          set -x
+          mkdir tmp-models
+          MODELS=`pwd`/tmp-models
+          DATABASES=`pwd`/lib-dbs
+
+          analyzeDatabaseWithCheckout() {
+            QL_VARIANT=$1
+            DATABASE=$2
+            cd codeql-$QL_VARIANT
+            SHORTNAME=`basename $DATABASE`
+            python java/ql/src/utils/model-generator/GenerateFlowModel.py $DATABASE $MODELS/${SHORTNAME}.qll
+            mv $MODELS/${SHORTNAME}.qll $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.qll
+            cd ..
+          }
+
+          for d in $DATABASES/*/ ; do
+            ls -1 "$d"
+
+            analyzeDatabaseWithCheckout "main" $d
+            if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]
+            then
+              analyzeDatabaseWithCheckout "pr" $d
+            fi
+          done
+      - name: Install diff2html
+        if: github.event.pull_request
+        run: |
+          npm install -g diff2html-cli
+      - name: Generate Model Diff
+        if: github.event.pull_request
+        run: |
+          set -x
+          MODELS=`pwd`/tmp-models
+          ls -1 tmp-models/
+          for m in $MODELS/*_main.qll ; do
+            t="${m/main/"pr"}"
+            basename=`basename $m`
+            name="diff_${basename/_main.qll/""}"
+            (diff -w -u $m $t | diff2html -i stdin -F $MODELS/$name.html) || true
+          done
+      - uses: actions/upload-artifact@v2
+        with:
+          name: models
+          path: tmp-models/*.qll
+          retention-days: 20
+      - uses: actions/upload-artifact@v2
+        with:
+          name: diffs
+          path: tmp-models/*.html
+          retention-days: 20

.github/workflows/mad_regenerate-models.yml

@@ -0,0 +1,62 @@
+name: Regenerate framework models
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "30 2 * * *"
+  pull_request:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/mad_regenerate-models.yml"
+
+jobs:
+  regenerate-models:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # placeholder required for each axis, excluded below, replaced by the actual combinations (see include)
+        slug: ["placeholder"]
+        ref: ["placeholder"]
+        include:
+          - slug: "apache/commons-io"
+            ref: "8985de8fe74f6622a419b37a6eed0dbc484dc128"
+        exclude:
+          - slug: "placeholder"
+            ref: "placeholder"
+    steps:
+      - name: Clone self (github/codeql)
+        uses: actions/checkout@v2
+      - name: Setup CodeQL binaries
+        uses: ./.github/actions/fetch-codeql
+      - name: Clone repositories
+        uses: actions/checkout@v2
+        with:
+          path: repos/${{ matrix.ref }}
+          ref: ${{ matrix.ref }}
+          repository: ${{ matrix.slug }}
+      - name: Build database
+        env:
+          SLUG: ${{ matrix.slug }}
+          REF: ${{ matrix.ref }}
+        run: |
+          mkdir dbs
+          cd repos/${REF}
+          SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
+          codeql database create --language=java ../../dbs/${SHORTNAME}
+      - name: Regenerate models in-place
+        env:
+          SLUG: ${{ matrix.slug }}
+        run: |
+          SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
+          java/ql/src/utils/model-generator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
+      - name: Stage changes
+        run: |
+          find java -name "*.qll" -print0 | xargs -0 git add
+          git status
+          git diff --cached > models.patch
+      - uses: actions/upload-artifact@v2
+        with:
+          name: patch
+          path: models.patch
+          retention-days: 7

.github/workflows/ql-for-ql-build.yml

@@ -31,13 +31,13 @@ jobs:
         uses: actions/cache@v2
         with:
           path: ${{ runner.temp }}/query-pack.zip
-          key: queries-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}
+          key: queries-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}
       - name: Build query pack
         if: steps.cache-queries.outputs.cache-hit != 'true'
         run: |
           cd ql/ql/src
           "${CODEQL}" pack create
-          cd .codeql/pack/codeql/ql-all/0.0.0
+          cd .codeql/pack/codeql/ql/0.0.0
           zip "${PACKZIP}" -r .
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
@@ -189,4 +189,11 @@ jobs:
         uses: github/codeql-action/analyze@erik-krogh/ql
         with: 
           category: "ql-for-ql-${{ matrix.folder }}"
+      - name: Copy sarif file to CWD
+        run: cp ../results/ql.sarif ./${{ matrix.folder }}.sarif
+      - name: Sarif as artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: ${{ matrix.folder }}.sarif
+          path: ${{ matrix.folder }}.sarif
 

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -17,7 +17,7 @@ jobs:
       CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
     strategy:
       matrix:
-        repo: 
+        repo:
           - github/codeql
           - github/codeql-go
     runs-on: ubuntu-latest
@@ -35,7 +35,7 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             ql/target
-          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('**/Cargo.lock') }}
+          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
       - name: Build Extractor
         run: cd ql; env "PATH=$PATH:`dirname ${CODEQL}`" ./create-extractor-pack.sh
         env:

.github/workflows/ql-for-ql-tests.yml

@@ -29,24 +29,24 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             ql/target
-          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('**/Cargo.lock') }}
+          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
       - name: Build extractor
         run: |
           cd ql;
           codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
           env "PATH=$PATH:$codeqlpath" ./create-extractor-pack.sh
       - name: Run QL tests
-        run: | 
+        run: |
           "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries ql/ql/test
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
       - name: Check QL formatting
-        run: | 
+        run: |
           find ql/ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 "${CODEQL}" query format --check-only
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
       - name: Check QL compilation
-        run: | 
+        run: |
           "${CODEQL}" query compile --check-only --threads=4 --warnings=error --search-path "${{ github.workspace }}/ql/extractor-pack" "ql/ql/src" "ql/ql/examples"
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}

.github/workflows/ruby-build.yml

@@ -50,7 +50,7 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             ruby/target
-          key: ${{ runner.os }}-rust-cargo-${{ hashFiles('**/Cargo.lock') }}
+          key: ${{ runner.os }}-ruby-rust-cargo-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}
       - name: Check formatting
         run: cargo fmt --all -- --check
       - name: Build

.github/workflows/ruby-qltest.yml

@@ -24,27 +24,53 @@ defaults:
     working-directory: ruby
 
 jobs:
-  qltest:
+  qlformat:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
       - uses: ./.github/actions/fetch-codeql
-      - uses: ./ruby/actions/create-extractor-pack
-      - name: Run QL tests
-        run: |
-          codeql test run --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
       - name: Check QL formatting
         run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
+  qlcompile:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./.github/actions/fetch-codeql
       - name: Check QL compilation
         run: |
-          codeql query compile --check-only --threads=4 --warnings=error "ql/src" "ql/examples"
+          codeql query compile --check-only --threads=0 --ram 5000 --warnings=error "ql/src" "ql/examples"
         env:
           GITHUB_TOKEN: ${{ github.token }}
+  qlupgrade:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./.github/actions/fetch-codeql
       - name: Check DB upgrade scripts
         run: |
           echo >empty.trap
           codeql dataset import -S ql/lib/upgrades/initial/ruby.dbscheme testdb empty.trap
           codeql dataset upgrade testdb --additional-packs ql/lib
           diff -q testdb/ruby.dbscheme ql/lib/ruby.dbscheme
+      - name: Check DB downgrade scripts
+        run: |
+          echo >empty.trap
+          rm -rf testdb; codeql dataset import -S ql/lib/ruby.dbscheme testdb empty.trap
+          codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
+           --dbscheme=ql/lib/ruby.dbscheme --target-dbscheme=downgrades/initial/ruby.dbscheme |
+           xargs codeql execute upgrades testdb
+          diff -q testdb/ruby.dbscheme downgrades/initial/ruby.dbscheme
+  qltest:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        slice: ["1/2", "2/2"]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./.github/actions/fetch-codeql
+      - uses: ./ruby/actions/create-extractor-pack
+      - name: Run QL tests
+        run: |
+          codeql test run --threads=0 --ram 5000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test
+        env:
+          GITHUB_TOKEN: ${{ github.token }}

.github/workflows/validate-change-notes.yml

@@ -0,0 +1,29 @@
+name: Validate change notes
+
+on:
+  push:
+    paths:
+      - "*/ql/*/change-notes/**/*"
+      - ".github/workflows/validate-change-notes.yml"
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "*/ql/*/change-notes/**/*"
+      - ".github/workflows/validate-change-notes.yml"
+
+jobs:
+  check-change-note:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Setup CodeQL
+        uses: ./.github/actions/fetch-codeql
+
+      - name: Fail if there are any errors with existing change notes
+
+        run: |
+          codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental

CODEOWNERS

@@ -13,6 +13,9 @@
 /python/**/experimental/**/* @github/codeql-python @xcorail
 /ruby/**/experimental/**/* @github/codeql-ruby @xcorail
 
+# ML-powered queries
+/javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
+
 # Notify members of codeql-go about PRs to the shared data-flow library files
 /java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll @github/codeql-java @github/codeql-go
 /java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll @github/codeql-java @github/codeql-go
@@ -27,4 +30,4 @@
 /docs/query-*-style-guide.md @github/codeql-analysis-reviewers
 
 # QL for QL reviewers
-/ql/ @erik-krogh @tausbn
+/ql/ @github/codeql-ql-for-ql-reviewers

CONTRIBUTING.md

@@ -4,6 +4,9 @@ We welcome contributions to our CodeQL libraries and queries. Got an idea for a
 
 There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/writing-queries.html) on [help.semmle.com](https://help.semmle.com).
 
+## Change notes
+
+Any nontrivial user-visible change to a query pack or library pack should have a change note. For details on how to add a change note for your change, see [this guide](docs/change-notes.md).
 
 ## Submitting a new experimental query
 

README.md

@@ -1,11 +1,11 @@
 # CodeQL
 
-This open source repository contains the standard CodeQL libraries and queries that power [LGTM](https://lgtm.com) and the other CodeQL products that [GitHub](https://github.com) makes available to its customers worldwide. For the queries, libraries, and extractor that power Go analysis, visit the [CodeQL for Go repository](https://github.com/github/codeql-go).
+This open source repository contains the standard CodeQL libraries and queries that power [GitHub Advanced Security](https://github.com/features/security/code) and the other application security products that [GitHub](https://github.com/features/security/) makes available to its customers worldwide. For the queries, libraries, and extractor that power Go analysis, visit the [CodeQL for Go repository](https://github.com/github/codeql-go).
 
 ## How do I learn CodeQL and run queries?
 
 There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL.
-You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) extension to try out your queries on any open source project that's currently being analyzed.
+You can use the [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) extension or the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com (Semmle Legacy product) to try out your queries on any open source project that's currently being analyzed.
 
 ## Contributing
 
@@ -13,7 +13,7 @@ We welcome contributions to our standard library and standard checks. Do you hav
 
 ## License
 
-The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com).
+The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com). The use of CodeQL on open source code is licensed under specific [Terms & Conditions](https://securitylab.github.com/tools/codeql/license/) UNLESS you have a commercial license in place. If you'd like to use CodeQL with a commercial codebase, please [contact us](https://github.com/enterprise/contact) for further help.
 
 ## Visual Studio Code integration
 

config/identical-files.json

@@ -7,6 +7,7 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
@@ -464,7 +465,8 @@
   ],
   "SensitiveDataHeuristics Python/JS": [
     "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
-    "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll"
+    "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll",
+    "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll"
   ],
   "ReDoS Util Python/JS/Ruby": [
     "javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll",
@@ -500,5 +502,11 @@
     "javascript/ql/lib/tutorial.qll",
     "python/ql/lib/tutorial.qll",
     "ruby/ql/lib/tutorial.qll"
+  ],
+  "AccessPathSyntax": [
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
+    "javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll"
   ]
 }

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>net5.0</TargetFramework>
+    <TargetFramework>net6.0</TargetFramework>
     <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
     <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
     <Nullable>enable</Nullable>

cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net5.0</TargetFramework>
+    <TargetFramework>net6.0</TargetFramework>
     <AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
     <RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
     <ApplicationIcon />

cpp/config/suites/security/cwe-120

@@ -5,9 +5,11 @@
   @name Badly bounded write (CWE-120)
 + semmlecode-cpp-queries/Security/CWE/CWE-120/OverrunWrite.ql: /CWE/CWE-120
   @name Potentially overrunning write (CWE-120)
++ semmlecode-cpp-queries/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql: /CWE/CWE-120
+  @name Likely overrunning write
 + semmlecode-cpp-queries/Security/CWE/CWE-120/OverrunWriteFloat.ql: /CWE/CWE-120
   @name Potentially overrunning write with float to string conversion (CWE-120)
 + semmlecode-cpp-queries/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql: /CWE/CWE-120
   @name Array offset used before range check (CWE-120)
 + semmlecode-cpp-queries/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql: /CWE/CWE-120
-    @name Potentially unsafe use of strcat (CWE-120)
+  @name Potentially unsafe use of strcat (CWE-120)

cpp/downgrades/2cd420191e5f782589b4e4efb70127de265390dd/upgrade.properties

@@ -0,0 +1,2 @@
+description: Remove unused legacy relations
+compatibility: backwards

cpp/downgrades/bb0f279f2acd793105a347d589b5afc8715d94c4/upgrade.properties

@@ -0,0 +1,3 @@
+description: Add relation for tracking variables from structured binding declarations
+compatibility: full
+is_structured_binding.rel: delete

cpp/downgrades/qlpack.yml

@@ -0,0 +1,4 @@
+name: codeql/cpp-downgrades
+groups: cpp
+downgrades: .
+library: true

cpp/ql/examples/qlpack.yml

@@ -1,4 +1,6 @@
 name: codeql/cpp-examples
-version: 0.0.2
+groups: 
+  - cpp
+  - examples
 dependencies:
   codeql/cpp-all: "*"

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,24 @@
+## 0.0.10
+
+### New Features
+
+* Added a `isStructuredBinding` predicate to the `Variable` class which holds when the variable is declared as part of a structured binding declaration.
+
+## 0.0.9
+
+## 0.0.8
+
+### Deprecated APIs
+
+* The `codeql/cpp-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the `codeql/cpp-all` CodeQL pack.
+
+### Minor Analysis Improvements
+
+* `FormatLiteral::getMaxConvertedLength` now uses range analysis to provide a
+  more accurate length for integers formatted with `%x`
+
+## 0.0.7
+
 ## 0.0.6
 
 ## 0.0.5

cpp/ql/lib/change-notes/released/0.0.10.md

@@ -0,0 +1,5 @@
+## 0.0.10
+
+### New Features
+
+* Added a `isStructuredBinding` predicate to the `Variable` class which holds when the variable is declared as part of a structured binding declaration.

cpp/ql/lib/change-notes/released/0.0.8.md

@@ -0,0 +1,10 @@
+## 0.0.8
+
+### Deprecated APIs
+
+* The `codeql/cpp-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the `codeql/cpp-all` CodeQL pack.
+
+### Minor Analysis Improvements
+
+* `FormatLiteral::getMaxConvertedLength` now uses range analysis to provide a
+  more accurate length for integers formatted with `%x`

cpp/ql/lib/change-notes/released/0.0.9.md

@@ -0,0 +1,2 @@
+## 0.0.9
+

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.6
+lastReleaseVersion: 0.0.10

cpp/ql/lib/qlpack.yml

@@ -1,8 +1,7 @@
 name: codeql/cpp-all
-version: 0.0.6
+version: 0.0.10
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
 library: true
-dependencies:
-  codeql/cpp-upgrades: ^0.0.3
+upgrades: upgrades

cpp/ql/lib/semmle/code/cpp/Class.qll

@@ -206,9 +206,7 @@ class Class extends UserType {
    * it is callable by a particular caller. For C++11, there's also a question
    * of whether to include members that are defaulted or deleted.
    */
-  deprecated predicate hasCopyConstructor() {
-    exists(CopyConstructor cc | cc = this.getAMemberFunction())
-  }
+  deprecated predicate hasCopyConstructor() { this.getAMemberFunction() instanceof CopyConstructor }
 
   /**
    * Holds if this class has a copy assignment operator that is either
@@ -224,7 +222,7 @@ class Class extends UserType {
    * or deleted.
    */
   deprecated predicate hasCopyAssignmentOperator() {
-    exists(CopyAssignmentOperator coa | coa = this.getAMemberFunction())
+    this.getAMemberFunction() instanceof CopyAssignmentOperator
   }
 
   /**
@@ -887,7 +885,7 @@ class NestedClass extends Class {
  * pure virtual function.
  */
 class AbstractClass extends Class {
-  AbstractClass() { exists(PureVirtualFunction f | this.getAMemberFunction() = f) }
+  AbstractClass() { this.getAMemberFunction() instanceof PureVirtualFunction }
 
   override string getAPrimaryQlClass() { result = "AbstractClass" }
 }

cpp/ql/lib/semmle/code/cpp/Specifier.qll

@@ -286,13 +286,13 @@ class AttributeArgument extends Element, @attribute_arg {
   override Location getLocation() { attribute_args(underlyingElement(this), _, _, _, result) }
 
   override string toString() {
-    if exists(@attribute_arg_empty self | self = underlyingElement(this))
+    if underlyingElement(this) instanceof @attribute_arg_empty
     then result = "empty argument"
     else
       exists(string prefix, string tail |
         (if exists(this.getName()) then prefix = this.getName() + "=" else prefix = "") and
         (
-          if exists(@attribute_arg_type self | self = underlyingElement(this))
+          if underlyingElement(this) instanceof @attribute_arg_type
           then tail = this.getValueType().getName()
           else tail = this.getValueText()
         ) and

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -169,6 +169,12 @@ class Variable extends Declaration, @variable {
     variable_instantiation(underlyingElement(this), unresolveElement(v))
   }
 
+  /**
+   * Holds if this variable is declated as part of a structured binding
+   * declaration. For example, `x` in `auto [x, y] = ...`.
+   */
+  predicate isStructuredBinding() { is_structured_binding(underlyingElement(this)) }
+
   /**
    * Holds if this is a compiler-generated variable. For example, a
    * [range-based for loop](http://en.cppreference.com/w/cpp/language/range-for)

cpp/ql/lib/semmle/code/cpp/XML.qll

@@ -233,7 +233,7 @@ class XMLElement extends @xmlelement, XMLParent, XMLLocatable {
   XMLAttribute getAttribute(string name) { result.getElement() = this and result.getName() = name }
 
   /** Holds if this XML element has an attribute with the specified `name`. */
-  predicate hasAttribute(string name) { exists(XMLAttribute a | a = this.getAttribute(name)) }
+  predicate hasAttribute(string name) { exists(this.getAttribute(name)) }
 
   /** Gets the value of the attribute with the specified `name`, if any. */
   string getAttributeValue(string name) { result = this.getAttribute(name).getValue() }

cpp/ql/lib/semmle/code/cpp/commons/NullTermination.qll

@@ -101,6 +101,21 @@ predicate functionArgumentMustBeNullTerminated(Function f, int i) {
   f instanceof StrcatFunction and i = 0
 }
 
+/**
+ * Holds if `arg` is a string format argument to a formatting function call
+ * `ffc`.
+ */
+predicate formatArgumentMustBeNullTerminated(FormattingFunctionCall ffc, Expr arg) {
+  // String argument to a formatting function (such as `printf`)
+  exists(int n, FormatLiteral fl |
+    ffc.getConversionArgument(n) = arg and
+    fl = ffc.getFormat() and
+    fl.getConversionType(n) instanceof PointerType and // `%s`, `%ws` etc
+    not fl.getConversionType(n) instanceof VoidPointerType and // exclude: `%p`
+    not fl.hasPrecision(n) // exclude: `%.*s`
+  )
+}
+
 /**
  * Holds if `va` is a variable access where the contents must be null terminated.
  */
@@ -113,13 +128,7 @@ predicate variableMustBeNullTerminated(VariableAccess va) {
     )
     or
     // String argument to a formatting function (such as `printf`)
-    exists(int n, FormatLiteral fl |
-      fc.(FormattingFunctionCall).getConversionArgument(n) = va and
-      fl = fc.(FormattingFunctionCall).getFormat() and
-      fl.getConversionType(n) instanceof PointerType and // `%s`, `%ws` etc
-      not fl.getConversionType(n) instanceof VoidPointerType and // exclude: `%p`
-      not fl.hasPrecision(n) // exclude: `%.*s`
-    )
+    formatArgumentMustBeNullTerminated(fc, va)
     or
     // Call to a wrapper function that requires null termination
     // (not itself adding a null terminator)

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -10,10 +10,22 @@ private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 
 private newtype TBufferWriteEstimationReason =
-  TNoSpecifiedEstimateReason() or
+  TUnspecifiedEstimateReason() or
   TTypeBoundsAnalysis() or
+  TWidenedValueFlowAnalysis() or
   TValueFlowAnalysis()
 
+private predicate gradeToReason(int grade, TBufferWriteEstimationReason reason) {
+  // when combining reasons, lower grade takes precedence
+  grade = 0 and reason = TUnspecifiedEstimateReason()
+  or
+  grade = 1 and reason = TTypeBoundsAnalysis()
+  or
+  grade = 2 and reason = TWidenedValueFlowAnalysis()
+  or
+  grade = 3 and reason = TValueFlowAnalysis()
+}
+
 /**
  * A reason for a specific buffer write size estimate.
  */
@@ -32,7 +44,13 @@ abstract class BufferWriteEstimationReason extends TBufferWriteEstimationReason
    * Combine estimate reasons. Used to give a reason for the size of a format string
    * conversion given reasons coming from its individual specifiers.
    */
-  abstract BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other);
+  BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other) {
+    exists(int grade, int otherGrade |
+      gradeToReason(grade, this) and gradeToReason(otherGrade, other)
+    |
+      if otherGrade < grade then result = other else result = this
+    )
+  }
 }
 
 /**
@@ -40,16 +58,10 @@ abstract class BufferWriteEstimationReason extends TBufferWriteEstimationReason
  * classes derived from BufferWrite and overriding `getMaxData/0` still work with the
  * queries as intended.
  */
-class NoSpecifiedEstimateReason extends BufferWriteEstimationReason, TNoSpecifiedEstimateReason {
-  override string toString() { result = "NoSpecifiedEstimateReason" }
+class UnspecifiedEstimateReason extends BufferWriteEstimationReason, TUnspecifiedEstimateReason {
+  override string toString() { result = "UnspecifiedEstimateReason" }
 
   override string getDescription() { result = "no reason specified" }
-
-  override BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other) {
-    // this reason should not be used in format specifiers, so it should not be combined
-    // with other reasons
-    none()
-  }
 }
 
 /**
@@ -60,9 +72,24 @@ class TypeBoundsAnalysis extends BufferWriteEstimationReason, TTypeBoundsAnalysi
   override string toString() { result = "TypeBoundsAnalysis" }
 
   override string getDescription() { result = "based on type bounds" }
+}
 
-  override BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other) {
-    other != TNoSpecifiedEstimateReason() and result = TTypeBoundsAnalysis()
+/**
+ * The estimation comes from non trivial bounds found via actual flow analysis,
+ * but a widening aproximation might have been used for variables in loops.
+ * For example
+ * ```
+ * for (int i = 0; i < 10; ++i) {
+ *    int j = i + i;
+ *    //...  <- estimation done here based on j
+ * }
+ * ```
+ */
+class WidenedValueFlowAnalysis extends BufferWriteEstimationReason, TWidenedValueFlowAnalysis {
+  override string toString() { result = "WidenedValueFlowAnalysis" }
+
+  override string getDescription() {
+    result = "based on flow analysis of value bounds with a widening approximation"
   }
 }
 
@@ -80,10 +107,6 @@ class ValueFlowAnalysis extends BufferWriteEstimationReason, TValueFlowAnalysis
   override string toString() { result = "ValueFlowAnalysis" }
 
   override string getDescription() { result = "based on flow analysis of value bounds" }
-
-  override BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other) {
-    other != TNoSpecifiedEstimateReason() and result = other
-  }
 }
 
 class PrintfFormatAttribute extends FormatAttribute {
@@ -359,6 +382,38 @@ private int lengthInBase10(float f) {
   result = f.log10().floor() + 1
 }
 
+pragma[nomagic]
+private predicate isPointerTypeWithBase(Type base, PointerType pt) { base = pt.getBaseType() }
+
+bindingset[expr]
+private BufferWriteEstimationReason getEstimationReasonForIntegralExpression(Expr expr) {
+  // we consider the range analysis non trivial if it
+  // * constrained non-trivially both sides of a signed value, or
+  // * constrained non-trivially the positive side of an unsigned value
+  // expr should already be given as getFullyConverted
+  if
+    upperBound(expr) < exprMaxVal(expr) and
+    (exprMinVal(expr) >= 0 or lowerBound(expr) > exprMinVal(expr))
+  then
+    // next we check whether the estimate may have been widened
+    if upperBoundMayBeWidened(expr)
+    then result = TWidenedValueFlowAnalysis()
+    else result = TValueFlowAnalysis()
+  else result = TTypeBoundsAnalysis()
+}
+
+/**
+ * Gets the number of hex digits required to represent the integer represented by `f`.
+ *
+ * `f` is assumed to be nonnegative.
+ */
+bindingset[f]
+private int lengthInBase16(float f) {
+  f = 0 and result = 1
+  or
+  result = (f.log2() / 4.0).floor() + 1
+}
+
 /**
  * A class to represent format strings that occur as arguments to invocations of formatting functions.
  */
@@ -910,19 +965,19 @@ class FormatLiteral extends Literal {
       (
         conv = ["s", "S"] and
         len = "h" and
-        result.(PointerType).getBaseType() instanceof PlainCharType
+        isPointerTypeWithBase(any(PlainCharType plainCharType), result)
         or
         conv = ["s", "S"] and
         len = ["l", "w"] and
-        result.(PointerType).getBaseType() = this.getWideCharType()
+        isPointerTypeWithBase(this.getWideCharType(), result)
         or
         conv = "s" and
         (len != "l" and len != "w" and len != "h") and
-        result.(PointerType).getBaseType() = this.getDefaultCharType()
+        isPointerTypeWithBase(this.getDefaultCharType(), result)
         or
         conv = "S" and
         (len != "l" and len != "w" and len != "h") and
-        result.(PointerType).getBaseType() = this.getNonDefaultCharType()
+        isPointerTypeWithBase(this.getNonDefaultCharType(), result)
       )
     )
   }
@@ -1067,7 +1122,7 @@ class FormatLiteral extends Literal {
    * conversion specifier of this format string; has no result if this cannot
    * be determined.
    */
-  int getMaxConvertedLength(int n) { result = max(getMaxConvertedLength(n, _)) }
+  int getMaxConvertedLength(int n) { result = max(this.getMaxConvertedLength(n, _)) }
 
   /**
    * Gets the maximum length of the string that can be produced by the nth
@@ -1157,12 +1212,10 @@ class FormatLiteral extends Literal {
             1 + lengthInBase10(2.pow(this.getIntegralDisplayType(n).getSize() * 8 - 1)) and
           // The second case uses range analysis to deduce a length that's shorter than the length
           // of the number -2^31.
-          exists(Expr arg, float lower, float upper, float typeLower, float typeUpper |
+          exists(Expr arg, float lower, float upper |
             arg = this.getUse().getConversionArgument(n) and
             lower = lowerBound(arg.getFullyConverted()) and
-            upper = upperBound(arg.getFullyConverted()) and
-            typeLower = exprMinVal(arg.getFullyConverted()) and
-            typeUpper = exprMaxVal(arg.getFullyConverted())
+            upper = upperBound(arg.getFullyConverted())
           |
             valueBasedBound =
               max(int cand |
@@ -1179,11 +1232,9 @@ class FormatLiteral extends Literal {
                   else cand = lengthInBase10(upper)
                 )
               ) and
-            (
-              if lower > typeLower or upper < typeUpper
-              then reason = TValueFlowAnalysis()
-              else reason = TTypeBoundsAnalysis()
-            )
+            // we don't want to call this on `arg.getFullyConverted()` as we want
+            // to detect non-trivial range analysis without taking into account up-casting
+            reason = getEstimationReasonForIntegralExpression(arg)
           ) and
           len = valueBasedBound.minimum(typeBasedBound)
         )
@@ -1195,6 +1246,40 @@ class FormatLiteral extends Literal {
           typeBasedBound = lengthInBase10(2.pow(this.getIntegralDisplayType(n).getSize() * 8) - 1) and
           // The second case uses range analysis to deduce a length that's shorter than
           // the length of the number 2^31 - 1.
+          exists(Expr arg, float lower, float upper |
+            arg = this.getUse().getConversionArgument(n) and
+            lower = lowerBound(arg.getFullyConverted()) and
+            upper = upperBound(arg.getFullyConverted())
+          |
+            valueBasedBound =
+              lengthInBase10(max(float cand |
+                  // If lower can be negative we use `(unsigned)-1` as the candidate value.
+                  lower < 0 and
+                  cand = 2.pow(any(IntType t | t.isUnsigned()).getSize() * 8)
+                  or
+                  cand = upper
+                )) and
+            // we don't want to call this on `arg.getFullyConverted()` as we want
+            // to detect non-trivial range analysis without taking into account up-casting
+            reason = getEstimationReasonForIntegralExpression(arg)
+          ) and
+          len = valueBasedBound.minimum(typeBasedBound)
+        )
+        or
+        this.getConversionChar(n).toLowerCase() = "x" and
+        // e.g. "12345678"
+        exists(int baseLen, int typeBasedBound, int valueBasedBound |
+          typeBasedBound =
+            min(int digits |
+              digits = 2 * this.getIntegralDisplayType(n).getSize()
+              or
+              exists(IntegralType t |
+                t = this.getUse().getConversionArgument(n).getType().getUnderlyingType()
+              |
+                t.isUnsigned() and
+                digits = 2 * t.getSize()
+              )
+            ) and
           exists(Expr arg, float lower, float upper, float typeLower, float typeUpper |
             arg = this.getUse().getConversionArgument(n) and
             lower = lowerBound(arg.getFullyConverted()) and
@@ -1203,7 +1288,7 @@ class FormatLiteral extends Literal {
             typeUpper = exprMaxVal(arg.getFullyConverted())
           |
             valueBasedBound =
-              lengthInBase10(max(float cand |
+              lengthInBase16(max(float cand |
                   // If lower can be negative we use `(unsigned)-1` as the candidate value.
                   lower < 0 and
                   cand = 2.pow(any(IntType t | t.isUnsigned()).getSize() * 8)
@@ -1216,29 +1301,10 @@ class FormatLiteral extends Literal {
               else reason = TTypeBoundsAnalysis()
             )
           ) and
-          len = valueBasedBound.minimum(typeBasedBound)
+          baseLen = valueBasedBound.minimum(typeBasedBound) and
+          if this.hasAlternateFlag(n) then len = 2 + baseLen else len = baseLen // "0x"
         )
         or
-        this.getConversionChar(n).toLowerCase() = "x" and
-        // e.g. "12345678"
-        exists(int sizeBytes, int baseLen |
-          sizeBytes =
-            min(int bytes |
-              bytes = this.getIntegralDisplayType(n).getSize()
-              or
-              exists(IntegralType t |
-                t = this.getUse().getConversionArgument(n).getType().getUnderlyingType()
-              |
-                t.isUnsigned() and bytes = t.getSize()
-              )
-            ) and
-          baseLen = sizeBytes * 2 and
-          (
-            if this.hasAlternateFlag(n) then len = 2 + baseLen else len = baseLen // "0x"
-          )
-        ) and
-        reason = TTypeBoundsAnalysis()
-        or
         this.getConversionChar(n).toLowerCase() = "p" and
         exists(PointerType ptrType, int baseLen |
           ptrType = this.getFullyConverted().getType() and
@@ -1287,7 +1353,7 @@ class FormatLiteral extends Literal {
    * determining whether a buffer overflow is caused by long float to string
    * conversions.
    */
-  int getMaxConvertedLengthLimited(int n) { result = max(getMaxConvertedLengthLimited(n, _)) }
+  int getMaxConvertedLengthLimited(int n) { result = max(this.getMaxConvertedLengthLimited(n, _)) }
 
   /**
    * Gets the maximum length of the string that can be produced by the nth

cpp/ql/lib/semmle/code/cpp/commons/unix/Constants.qll

@@ -11,10 +11,10 @@ import cpp
  */
 bindingset[input]
 int parseOctal(string input) {
-  input.charAt(0) = "0" and
+  input.regexpMatch("0[0-7]+") and
   result =
     strictsum(int ix |
-      ix in [0 .. input.length()]
+      ix in [1 .. input.length()]
     |
       8.pow(input.length() - (ix + 1)) * input.charAt(ix).toInt()
     )

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -29,7 +29,7 @@ class GuardCondition extends Expr {
     exists(IRGuardCondition ir | this = ir.getUnconvertedResultExpression())
     or
     // no binary operators in the IR
-    exists(GuardCondition gc | this.(BinaryLogicalOperation).getAnOperand() = gc)
+    this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
     or
     // the IR short-circuits if(!x)
     // don't produce a guard condition for `y = !x` and other non-short-circuited cases
@@ -98,7 +98,7 @@ class GuardCondition extends Expr {
  */
 private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
   GuardConditionFromBinaryLogicalOperator() {
-    exists(GuardCondition gc | this.(BinaryLogicalOperation).getAnOperand() = gc)
+    this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
   }
 
   override predicate controls(BasicBlock controlled, boolean testIsTrue) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -3,6 +3,17 @@ private import DataFlowImplSpecific::Public
 import Cached
 
 module DataFlowImplCommonPublic {
+  /** A state value to track during data flow. */
+  class FlowState = string;
+
+  /**
+   * The default state, which is used when the state is unspecified for a source
+   * or a sink.
+   */
+  class FlowStateEmpty extends FlowState {
+    FlowStateEmpty() { this = "" }
+  }
+
   private newtype TFlowFeature =
     TFeatureHasSourceCallContext() or
     TFeatureHasSinkCallContext() or
@@ -1279,7 +1290,7 @@ class DataFlowCallOption extends TDataFlowCallOption {
   }
 }
 
-/** Content tagged with the type of a containing object. */
+/** A `Content` tagged with the type of a containing object. */
 class TypedContent extends MkTypedContent {
   private Content c;
   private DataFlowType t;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -48,7 +48,7 @@ private class Argument extends Expr {
  */
 class ArgumentNode extends Node {
   ArgumentNode() {
-    exists(Argument arg | this.asExpr() = arg) or
+    this.asExpr() instanceof Argument or
     this = getInstanceArgument(_)
   }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -592,12 +592,14 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
  * Holds if data flows from `source` to `sink` in zero or more local
  * (intra-procedural) steps.
  */
+pragma[inline]
 predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }
 
 /**
  * Holds if data can flow from `e1` to `e2` in zero or more
  * local (intra-procedural) steps.
  */
+pragma[inline]
 predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowVar.qll

@@ -353,9 +353,9 @@ module FlowVar_internal {
         // indirection.
         result = def.getAUse(v)
         or
-        exists(SsaDefinition descendentDef |
-          this.getASuccessorSsaVar+() = TSsaVar(descendentDef, _) and
-          result = descendentDef.getAUse(v)
+        exists(SsaDefinition descendantDef |
+          this.getASuccessorSsaVar+() = TSsaVar(descendantDef, _) and
+          result = descendantDef.getAUse(v)
         )
       )
       or
@@ -435,7 +435,7 @@ module FlowVar_internal {
       parameterIsNonConstReference(p) and
       p = v and
       // This definition reaches the exit node of the function CFG
-      getAReachedBlockVarSBB(this).getANode() = p.getFunction()
+      getAReachedBlockVarSBB(this).getEnd() = p.getFunction()
     }
 
     override predicate definedByInitialValue(StackVariable lsv) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll

@@ -47,6 +47,12 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { n
  */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 
+/**
+ * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
+ * but not in local taint.
+ */
+predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+
 /**
  * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
  * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
@@ -118,12 +124,14 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
  * Holds if taint may propagate from `source` to `sink` in zero or more local
  * (intra-procedural) steps.
  */
+pragma[inline]
 predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintStep*(source, sink) }
 
 /**
  * Holds if taint can flow from `e1` to `e2` in zero or more
  * local (intra-procedural) steps.
  */
+pragma[inline]
 predicate localExprTaint(Expr e1, Expr e2) {
   localTaint(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
 }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
+  override predicate isSource(DataFlow::Node source) { none() }
 
   /**
    * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
+  override predicate isSink(DataFlow::Node sink) { none() }
 
   /** Holds if the node `node` is a taint sanitizer. */
   predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
   final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
+  override predicate isSource(DataFlow::Node source) { none() }
 
   /**
    * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
+  override predicate isSink(DataFlow::Node sink) { none() }
 
   /** Holds if the node `node` is a taint sanitizer. */
   predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
   final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/exprs/Access.qll

@@ -84,8 +84,8 @@ class VariableAccess extends Access, @varaccess {
     exists(Assignment a | a.getLValue() = this) or
     exists(CrementOperation c | c.getOperand() = this) or
     exists(AddressOfExpr addof | addof.getOperand() = this) or
-    exists(ReferenceToExpr rte | this.getConversion() = rte) or
-    exists(ArrayToPointerConversion atpc | this.getConversion() = atpc)
+    this.getConversion() instanceof ReferenceToExpr or
+    this.getConversion() instanceof ArrayToPointerConversion
   }
 
   /**
@@ -104,8 +104,8 @@ class VariableAccess extends Access, @varaccess {
   predicate isRValue() {
     not exists(AssignExpr ae | ae.getLValue() = this) and
     not exists(AddressOfExpr addof | addof.getOperand() = this) and
-    not exists(ReferenceToExpr rte | this.getConversion() = rte) and
-    not exists(ArrayToPointerConversion atpc | this.getConversion() = atpc)
+    not this.getConversion() instanceof ReferenceToExpr and
+    not this.getConversion() instanceof ArrayToPointerConversion
   }
 
   /**
@@ -218,9 +218,7 @@ class PointerFieldAccess extends FieldAccess {
 class DotFieldAccess extends FieldAccess {
   override string getAPrimaryQlClass() { result = "DotFieldAccess" }
 
-  DotFieldAccess() {
-    exists(Class c | c = this.getQualifier().getFullyConverted().getUnspecifiedType())
-  }
+  DotFieldAccess() { this.getQualifier().getFullyConverted().getUnspecifiedType() instanceof Class }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/exprs/Call.qll

@@ -35,7 +35,7 @@ class Call extends Expr, NameQualifiableElement, TCall {
    *
    * For example, `ptr->f()` has a qualifier, whereas plain `f()` does not.
    */
-  predicate hasQualifier() { exists(Expr e | this.getChild(-1) = e) }
+  predicate hasQualifier() { exists(this.getChild(-1)) }
 
   /**
    * Gets the expression to the left of the function name or function pointer variable name.

cpp/ql/lib/semmle/code/cpp/exprs/Cast.qll

@@ -724,7 +724,7 @@ class SizeofOperator extends Expr, @runtime_sizeof {
  * ```
  */
 class SizeofExprOperator extends SizeofOperator {
-  SizeofExprOperator() { exists(Expr e | this.getChild(0) = e) }
+  SizeofExprOperator() { exists(this.getChild(0)) }
 
   override string getAPrimaryQlClass() { result = "SizeofExprOperator" }
 
@@ -787,7 +787,7 @@ class AlignofOperator extends Expr, @runtime_alignof {
  * ```
  */
 class AlignofExprOperator extends AlignofOperator {
-  AlignofExprOperator() { exists(Expr e | this.getChild(0) = e) }
+  AlignofExprOperator() { exists(this.getChild(0)) }
 
   /**
    * Gets the contained expression.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -1,3 +1,8 @@
+/**
+ * An IR taint tracking library that uses an IR DataFlow configuration to track
+ * taint from user inputs as defined by `semmle.code.cpp.security.Security`.
+ */
+
 import cpp
 import semmle.code.cpp.security.Security
 private import semmle.code.cpp.ir.dataflow.DataFlow

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -63,7 +63,7 @@ private module VirtualDispatch {
         this.flowsFrom(other, allowOtherFromArg)
       |
         // Call argument
-        exists(DataFlowCall call, int i |
+        exists(DataFlowCall call, Position i |
           other
               .(DataFlow::ParameterNode)
               .isParameterOf(pragma[only_bind_into](call).getStaticCallTarget(), i) and
@@ -268,16 +268,6 @@ Function viableImplInCallContext(CallInstruction call, CallInstruction ctx) {
   )
 }
 
-/** A parameter position represented by an integer. */
-class ParameterPosition extends int {
-  ParameterPosition() { any(ParameterNode p).isParameterOf(_, this) }
-}
-
-/** An argument position represented by an integer. */
-class ArgumentPosition extends int {
-  ArgumentPosition() { any(ArgumentNode a).argumentOf(_, this) }
-}
-
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -3,6 +3,17 @@ private import DataFlowImplSpecific::Public
 import Cached
 
 module DataFlowImplCommonPublic {
+  /** A state value to track during data flow. */
+  class FlowState = string;
+
+  /**
+   * The default state, which is used when the state is unspecified for a source
+   * or a sink.
+   */
+  class FlowStateEmpty extends FlowState {
+    FlowStateEmpty() { this = "" }
+  }
+
   private newtype TFlowFeature =
     TFeatureHasSourceCallContext() or
     TFeatureHasSinkCallContext() or
@@ -1279,7 +1290,7 @@ class DataFlowCallOption extends TDataFlowCallOption {
   }
 }
 
-/** Content tagged with the type of a containing object. */
+/** A `Content` tagged with the type of a containing object. */
 class TypedContent extends MkTypedContent {
   private Content c;
   private DataFlowType t;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -27,7 +27,7 @@ abstract class ArgumentNode extends OperandNode {
    * Holds if this argument occurs at the given position in the given call.
    * The instance argument is considered to have index `-1`.
    */
-  abstract predicate argumentOf(DataFlowCall call, int pos);
+  abstract predicate argumentOf(DataFlowCall call, ArgumentPosition pos);
 
   /** Gets the call in which this node is an argument. */
   DataFlowCall getCall() { this.argumentOf(result, _) }
@@ -42,7 +42,9 @@ private class PrimaryArgumentNode extends ArgumentNode {
 
   PrimaryArgumentNode() { exists(CallInstruction call | op = call.getAnArgumentOperand()) }
 
-  override predicate argumentOf(DataFlowCall call, int pos) { op = call.getArgumentOperand(pos) }
+  override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+    op = call.getArgumentOperand(pos.(DirectPosition).getIndex())
+  }
 
   override string toString() {
     exists(Expr unconverted |
@@ -71,9 +73,9 @@ private class SideEffectArgumentNode extends ArgumentNode {
 
   SideEffectArgumentNode() { op = read.getSideEffectOperand() }
 
-  override predicate argumentOf(DataFlowCall call, int pos) {
+  override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
     read.getPrimaryInstruction() = call and
-    pos = getArgumentPosOfSideEffect(read.getIndex())
+    pos.(IndirectionPosition).getIndex() = read.getIndex()
   }
 
   override string toString() {
@@ -90,6 +92,54 @@ private class SideEffectArgumentNode extends ArgumentNode {
   }
 }
 
+/** A parameter position represented by an integer. */
+class ParameterPosition = Position;
+
+/** An argument position represented by an integer. */
+class ArgumentPosition = Position;
+
+class Position extends TPosition {
+  abstract string toString();
+}
+
+class DirectPosition extends TDirectPosition {
+  int index;
+
+  DirectPosition() { this = TDirectPosition(index) }
+
+  string toString() {
+    index = -1 and
+    result = "this"
+    or
+    index != -1 and
+    result = index.toString()
+  }
+
+  int getIndex() { result = index }
+}
+
+class IndirectionPosition extends TIndirectionPosition {
+  int index;
+
+  IndirectionPosition() { this = TIndirectionPosition(index) }
+
+  string toString() {
+    index = -1 and
+    result = "this"
+    or
+    index != -1 and
+    result = index.toString()
+  }
+
+  int getIndex() { result = index }
+}
+
+newtype TPosition =
+  TDirectPosition(int index) { exists(any(CallInstruction c).getArgument(index)) } or
+  TIndirectionPosition(int index) {
+    exists(ReadSideEffectInstruction instr | instr.getIndex() = index)
+  }
+
 private newtype TReturnKind =
   TNormalReturnKind() or
   TIndirectReturnKind(ParameterIndex index)

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -490,19 +490,6 @@ class ExprNode extends InstructionNode {
   override string toString() { result = this.asConvertedExpr().toString() }
 }
 
-/**
- * INTERNAL: do not use. Translates a parameter/argument index into a negative
- * number that denotes the index of its side effect (pointer indirection).
- */
-bindingset[index]
-int getArgumentPosOfSideEffect(int index) {
-  // -1 -> -2
-  //  0 -> -3
-  //  1 -> -4
-  // ...
-  result = -3 - index
-}
-
 /**
  * The value of a parameter at function entry, viewed as a node in a data
  * flow graph. This includes both explicit parameters such as `x` in `f(x)`
@@ -525,7 +512,7 @@ class ParameterNode extends InstructionNode {
    * implicit `this` parameter is considered to have position `-1`, and
    * pointer-indirection parameters are at further negative positions.
    */
-  predicate isParameterOf(Function f, int pos) { none() } // overridden by subclasses
+  predicate isParameterOf(Function f, ParameterPosition pos) { none() } // overridden by subclasses
 }
 
 /** An explicit positional parameter, not including `this` or `...`. */
@@ -534,8 +521,8 @@ private class ExplicitParameterNode extends ParameterNode {
 
   ExplicitParameterNode() { exists(instr.getParameter()) }
 
-  override predicate isParameterOf(Function f, int pos) {
-    f.getParameter(pos) = instr.getParameter()
+  override predicate isParameterOf(Function f, ParameterPosition pos) {
+    f.getParameter(pos.(DirectPosition).getIndex()) = instr.getParameter()
   }
 
   /** Gets the `Parameter` associated with this node. */
@@ -550,8 +537,8 @@ class ThisParameterNode extends ParameterNode {
 
   ThisParameterNode() { instr.getIRVariable() instanceof IRThisVariable }
 
-  override predicate isParameterOf(Function f, int pos) {
-    pos = -1 and instr.getEnclosingFunction() = f
+  override predicate isParameterOf(Function f, ParameterPosition pos) {
+    pos.(DirectPosition).getIndex() = -1 and instr.getEnclosingFunction() = f
   }
 
   override string toString() { result = "this" }
@@ -561,12 +548,12 @@ class ThisParameterNode extends ParameterNode {
 class ParameterIndirectionNode extends ParameterNode {
   override InitializeIndirectionInstruction instr;
 
-  override predicate isParameterOf(Function f, int pos) {
+  override predicate isParameterOf(Function f, ParameterPosition pos) {
     exists(int index |
       instr.getEnclosingFunction() = f and
       instr.hasIndex(index)
     |
-      pos = getArgumentPosOfSideEffect(index)
+      pos.(IndirectionPosition).getIndex() = index
     )
   }
 
@@ -1045,12 +1032,14 @@ SideEffectInstruction getSideEffectFor(CallInstruction call, int argument) {
  * Holds if data flows from `source` to `sink` in zero or more local
  * (intra-procedural) steps.
  */
+pragma[inline]
 predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }
 
 /**
  * Holds if data can flow from `i1` to `i2` in zero or more
  * local (intra-procedural) steps.
  */
+pragma[inline]
 predicate localInstructionFlow(Instruction e1, Instruction e2) {
   localFlow(instructionNode(e1), instructionNode(e2))
 }
@@ -1059,6 +1048,7 @@ predicate localInstructionFlow(Instruction e1, Instruction e2) {
  * Holds if data can flow from `e1` to `e2` in zero or more
  * local (intra-procedural) steps.
  */
+pragma[inline]
 predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) }
 
 private newtype TContent =

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll

@@ -659,4 +659,15 @@ module Consistency {
     not phiHasInputFromBlock(_, def, _) and
     not uncertainWriteDefinitionInput(_, def)
   }
+
+  query predicate notDominatedByDef(RelevantDefinition def, SourceVariable v, BasicBlock bb, int i) {
+    exists(BasicBlock bbDef, int iDef | def.definesAt(v, bbDef, iDef) |
+      ssaDefReachesReadWithinBlock(v, def, bb, i) and
+      (bb != bbDef or i < iDef)
+      or
+      ssaDefReachesRead(v, def, bb, i) and
+      not ssaDefReachesReadWithinBlock(v, def, bb, i) and
+      not def.definesAt(v, getImmediateBasicBlockDominator*(bb), _)
+    )
+  }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -51,16 +51,6 @@ private newtype TDefOrUse =
   TExplicitUse(Operand op) { isExplicitUse(op) } or
   TReturnParamIndirection(Operand op) { returnParameterIndirection(op, _) }
 
-pragma[nomagic]
-private int getRank(DefOrUse defOrUse, IRBlock block) {
-  defOrUse =
-    rank[result](int i, DefOrUse cand |
-      block.getInstruction(i) = toInstruction(cand)
-    |
-      cand order by i
-    )
-}
-
 private class DefOrUse extends TDefOrUse {
   /** Gets the instruction associated with this definition, if any. */
   Instruction asDef() { none() }
@@ -74,9 +64,10 @@ private class DefOrUse extends TDefOrUse {
   /** Gets the block of this definition or use. */
   abstract IRBlock getBlock();
 
-  /** Holds if this definition or use has rank `rank` in block `block`. */
-  cached
-  final predicate hasRankInBlock(IRBlock block, int rnk) { rnk = getRank(this, block) }
+  /** Holds if this definition or use has index `index` in block `block`. */
+  final predicate hasIndexInBlock(IRBlock block, int index) {
+    block.getInstruction(index) = toInstruction(this)
+  }
 
   /** Gets the location of this element. */
   abstract Cpp::Location getLocation();
@@ -179,10 +170,16 @@ private class ReturnParameterIndirection extends Use, TReturnParamIndirection {
 }
 
 private predicate isExplicitUse(Operand op) {
-  op.getDef() instanceof VariableAddressInstruction and
-  not exists(LoadInstruction load |
-    load.getSourceAddressOperand() = op and
-    load.getAUse().getUse() instanceof InitializeIndirectionInstruction
+  exists(VariableAddressInstruction vai | vai = op.getDef() |
+    // Don't include this operand as a use if it only exists to initialize the
+    // indirection of a parameter.
+    not exists(LoadInstruction load |
+      load.getSourceAddressOperand() = op and
+      load.getAUse().getUse() instanceof InitializeIndirectionInstruction
+    ) and
+    // Don't include this operand as a use if the only use of the address is for a write
+    // that definitely overrides a variable.
+    not (explicitWrite(true, _, vai) and exists(unique( | | vai.getAUse())))
   )
 }
 
@@ -313,8 +310,8 @@ cached
 private module Cached {
   private predicate defUseFlow(Node nodeFrom, Node nodeTo) {
     exists(IRBlock bb1, int i1, IRBlock bb2, int i2, DefOrUse defOrUse, Use use |
-      defOrUse.hasRankInBlock(bb1, i1) and
-      use.hasRankInBlock(bb2, i2) and
+      defOrUse.hasIndexInBlock(bb1, i1) and
+      use.hasIndexInBlock(bb2, i2) and
       adjacentDefRead(_, bb1, i1, bb2, i2) and
       nodeFrom.asInstruction() = toInstruction(defOrUse) and
       flowOutOfAddressStep(use.getOperand(), nodeTo)
@@ -326,9 +323,9 @@ private module Cached {
     exists(IRBlock bb1, int i1, IRBlock bb2, int i2, Def def, Use use |
       nodeFrom.isTerminal() and
       def.getInstruction() = nodeFrom.getStoreInstruction() and
-      def.hasRankInBlock(bb1, i1) and
+      def.hasIndexInBlock(bb1, i1) and
       adjacentDefRead(_, bb1, i1, bb2, i2) and
-      use.hasRankInBlock(bb2, i2) and
+      use.hasIndexInBlock(bb2, i2) and
       flowOutOfAddressStep(use.getOperand(), nodeTo)
     )
     or
@@ -359,8 +356,8 @@ private module Cached {
 
   private predicate fromReadNode(ReadNode nodeFrom, Node nodeTo) {
     exists(IRBlock bb1, int i1, IRBlock bb2, int i2, Use use1, Use use2 |
-      use1.hasRankInBlock(bb1, i1) and
-      use2.hasRankInBlock(bb2, i2) and
+      use1.hasIndexInBlock(bb1, i1) and
+      use2.hasIndexInBlock(bb2, i2) and
       use1.getOperand().getDef() = nodeFrom.getInstruction() and
       adjacentDefRead(_, bb1, i1, bb2, i2) and
       flowOutOfAddressStep(use2.getOperand(), nodeTo)
@@ -371,7 +368,7 @@ private module Cached {
     exists(PhiNode phi, Use use, IRBlock block, int rnk |
       phi = nodeFrom.getPhiNode() and
       adjacentDefRead(phi, _, _, block, rnk) and
-      use.hasRankInBlock(block, rnk) and
+      use.hasIndexInBlock(block, rnk) and
       flowOutOfAddressStep(use.getOperand(), nodeTo)
     )
   }
@@ -379,7 +376,7 @@ private module Cached {
   private predicate toPhiNode(Node nodeFrom, SsaPhiNode nodeTo) {
     // Flow to phi nodes
     exists(Def def, IRBlock block, int rnk |
-      def.hasRankInBlock(block, rnk) and
+      def.hasIndexInBlock(block, rnk) and
       nodeTo.hasInputAtRankInBlock(block, rnk)
     |
       exists(StoreNodeInstr storeNode |
@@ -512,8 +509,8 @@ private module Cached {
     |
       store = def.getInstruction() and
       store.getSourceValueOperand() = operand and
-      def.hasRankInBlock(block1, rnk1) and
-      use.hasRankInBlock(block2, rnk2) and
+      def.hasIndexInBlock(block1, rnk1) and
+      use.hasIndexInBlock(block2, rnk2) and
       adjacentDefRead(_, block1, rnk1, block2, rnk2)
     |
       // The shared SSA library has determined that `use` is the next use of the operand
@@ -543,12 +540,12 @@ private module Cached {
     not operand = getSourceAddressOperand(_) and
     exists(Use use1, Use use2, IRBlock block1, int rnk1, IRBlock block2, int rnk2 |
       use1.getOperand() = operand and
-      use1.hasRankInBlock(block1, rnk1) and
+      use1.hasIndexInBlock(block1, rnk1) and
       // Don't flow to the next use if this use is part of a store operation that totally
       // overrides a variable.
       not explicitWrite(true, _, use1.getOperand().getDef()) and
       adjacentDefRead(_, block1, rnk1, block2, rnk2) and
-      use2.hasRankInBlock(block2, rnk2) and
+      use2.hasIndexInBlock(block2, rnk2) and
       flowOutOfAddressStep(use2.getOperand(), nodeTo)
     )
     or
@@ -620,7 +617,7 @@ import Cached
 predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
   DataFlowImplCommon::forceCachingInSameStage() and
   exists(Def def |
-    def.hasRankInBlock(bb, i) and
+    def.hasIndexInBlock(bb, i) and
     v = def.getSourceVariable() and
     (if def.isCertain() then certain = true else certain = false)
   )
@@ -632,7 +629,7 @@ predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
  */
 predicate variableRead(IRBlock bb, int i, SourceVariable v, boolean certain) {
   exists(Use use |
-    use.hasRankInBlock(bb, i) and
+    use.hasIndexInBlock(bb, i) and
     v = use.getSourceVariable() and
     certain = true
   )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -121,12 +121,14 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
  * Holds if taint may propagate from `source` to `sink` in zero or more local
  * (intra-procedural) steps.
  */
+pragma[inline]
 predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintStep*(source, sink) }
 
 /**
  * Holds if taint can flow from `i1` to `i2` in zero or more
  * local (intra-procedural) steps.
  */
+pragma[inline]
 predicate localInstructionTaint(Instruction i1, Instruction i2) {
   localTaint(DataFlow::instructionNode(i1), DataFlow::instructionNode(i2))
 }
@@ -135,6 +137,7 @@ predicate localInstructionTaint(Instruction i1, Instruction i2) {
  * Holds if taint can flow from `e1` to `e2` in zero or more
  * local (intra-procedural) steps.
  */
+pragma[inline]
 predicate localExprTaint(Expr e1, Expr e2) {
   localTaint(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
 }
@@ -160,6 +163,12 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { n
  */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 
+/**
+ * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
+ * but not in local taint.
+ */
+predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+
 /**
  * Holds if taint can flow from `instrIn` to `instrOut` through a call to a
  * modeled function.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
+  override predicate isSource(DataFlow::Node source) { none() }
 
   /**
    * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
+  override predicate isSink(DataFlow::Node sink) { none() }
 
   /** Holds if the node `node` is a taint sanitizer. */
   predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
   final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
+  override predicate isSource(DataFlow::Node source) { none() }
 
   /**
    * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
+  override predicate isSink(DataFlow::Node sink) { none() }
 
   /** Holds if the node `node` is a taint sanitizer. */
   predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
   final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll

@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
+  override predicate isSource(DataFlow::Node source) { none() }
 
   /**
    * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
+  override predicate isSink(DataFlow::Node sink) { none() }
 
   /** Holds if the node `node` is a taint sanitizer. */
   predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
   final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll

@@ -200,7 +200,7 @@ class IRBlock extends IRBlockBase {
    * post-dominate block `B`, but block `A` does post-dominate an immediate successor of block `B`.
    */
   pragma[noinline]
-  final IRBlock postPominanceFrontier() {
+  final IRBlock postDominanceFrontier() {
     this.postDominates(result.getASuccessor()) and
     not this.strictlyPostDominates(result)
   }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll

@@ -200,7 +200,7 @@ class IRBlock extends IRBlockBase {
    * post-dominate block `B`, but block `A` does post-dominate an immediate successor of block `B`.
    */
   pragma[noinline]
-  final IRBlock postPominanceFrontier() {
+  final IRBlock postDominanceFrontier() {
     this.postDominates(result.getASuccessor()) and
     not this.strictlyPostDominates(result)
   }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll

@@ -111,6 +111,45 @@ private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buff
   )
 }
 
+/**
+ * A `Call` or `NewOrNewArrayExpr`.
+ *
+ * Both kinds of expression invoke a function as part of their evaluation. This class provides a
+ * way to treat both kinds of function similarly, and to get the invoked `Function`.
+ */
+class CallOrAllocationExpr extends Expr {
+  CallOrAllocationExpr() {
+    this instanceof Call
+    or
+    this instanceof NewOrNewArrayExpr
+  }
+
+  /** Gets the `Function` invoked by this expression, if known. */
+  final Function getTarget() {
+    result = this.(Call).getTarget()
+    or
+    result = this.(NewOrNewArrayExpr).getAllocator()
+  }
+}
+
+/**
+ * Returns the side effect opcode, if any, that represents any side effects not specifically modeled
+ * by an argument side effect.
+ */
+Opcode getCallSideEffectOpcode(CallOrAllocationExpr expr) {
+  not exists(expr.getTarget().(SideEffectFunction)) and result instanceof Opcode::CallSideEffect
+  or
+  exists(SideEffectFunction sideEffectFunction |
+    sideEffectFunction = expr.getTarget() and
+    if not sideEffectFunction.hasOnlySpecificWriteSideEffects()
+    then result instanceof Opcode::CallSideEffect
+    else (
+      not sideEffectFunction.hasOnlySpecificReadSideEffects() and
+      result instanceof Opcode::CallReadSideEffect
+    )
+  )
+}
+
 /**
  * Returns a side effect opcode for parameter index `i` of the specified call.
  *

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -49,19 +49,6 @@ abstract class TranslatedCall extends TranslatedExpr {
     tag = CallTag() and
     opcode instanceof Opcode::Call and
     resultType = getTypeForPRValue(getCallResultType())
-    or
-    hasSideEffect() and
-    tag = CallSideEffectTag() and
-    (
-      if hasWriteSideEffect()
-      then (
-        opcode instanceof Opcode::CallSideEffect and
-        resultType = getUnknownType()
-      ) else (
-        opcode instanceof Opcode::CallReadSideEffect and
-        resultType = getVoidType()
-      )
-    )
   }
 
   override Instruction getChildSuccessor(TranslatedElement child) {
@@ -84,25 +71,8 @@ abstract class TranslatedCall extends TranslatedExpr {
 
   override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
     kind instanceof GotoEdge and
-    (
-      (
-        tag = CallTag() and
-        if hasSideEffect()
-        then result = getInstruction(CallSideEffectTag())
-        else
-          if hasPreciseSideEffect()
-          then result = getSideEffects().getFirstInstruction()
-          else result = getParent().getChildSuccessor(this)
-      )
-      or
-      (
-        hasSideEffect() and
-        tag = CallSideEffectTag() and
-        if hasPreciseSideEffect()
-        then result = getSideEffects().getFirstInstruction()
-        else result = getParent().getChildSuccessor(this)
-      )
-    )
+    tag = CallTag() and
+    result = getSideEffects().getFirstInstruction()
   }
 
   override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
@@ -121,15 +91,6 @@ abstract class TranslatedCall extends TranslatedExpr {
     )
   }
 
-  final override CppType getInstructionMemoryOperandType(
-    InstructionTag tag, TypedOperandTag operandTag
-  ) {
-    tag = CallSideEffectTag() and
-    hasSideEffect() and
-    operandTag instanceof SideEffectOperandTag and
-    result = getUnknownType()
-  }
-
   final override Instruction getResult() { result = getInstruction(CallTag()) }
 
   /**
@@ -200,40 +161,31 @@ abstract class TranslatedCall extends TranslatedExpr {
    */
   abstract predicate hasArguments();
 
-  predicate hasReadSideEffect() { any() }
-
-  predicate hasWriteSideEffect() { any() }
-
-  private predicate hasSideEffect() { hasReadSideEffect() or hasWriteSideEffect() }
-
-  override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
-    hasSideEffect() and
-    tag = CallSideEffectTag() and
-    result = getResult()
-  }
-
-  predicate hasPreciseSideEffect() { exists(getSideEffects()) }
-
   final TranslatedSideEffects getSideEffects() { result.getExpr() = expr }
 }
 
+/**
+ * The IR translation of the side effects of the parent `TranslatedElement`.
+ *
+ * This object does not itself generate the side effect instructions. Instead, its children provide
+ * the actual side effects, with this object acting as a placeholder so the parent only needs to
+ * insert this one element at the point where all the side effects are supposed to occur.
+ */
 abstract class TranslatedSideEffects extends TranslatedElement {
+  /** Gets the expression whose side effects are being modeled. */
   abstract Expr getExpr();
 
   final override Locatable getAST() { result = getExpr() }
 
   final override Function getFunction() { result = getExpr().getEnclosingFunction() }
 
-  override TranslatedElement getChild(int i) {
+  final override TranslatedElement getChild(int i) {
     result =
-      rank[i + 1](TranslatedSideEffect tse, int isWrite, int index |
-        (
-          tse.getCall() = getExpr() and
-          tse.getArgumentIndex() = index and
-          if tse.isWrite() then isWrite = 1 else isWrite = 0
-        )
+      rank[i + 1](TranslatedSideEffect tse, int group, int indexInGroup |
+        tse.getPrimaryExpr() = getExpr() and
+        tse.sortOrder(group, indexInGroup)
       |
-        tse order by isWrite, index
+        tse order by group, indexInGroup
       )
   }
 
@@ -246,12 +198,21 @@ abstract class TranslatedSideEffects extends TranslatedElement {
     )
   }
 
-  /**
-   * Gets the `TranslatedFunction` containing this expression.
-   */
-  final TranslatedFunction getEnclosingFunction() {
-    result = getTranslatedFunction(getExpr().getEnclosingFunction())
+  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
+    none()
   }
+
+  final override Instruction getFirstInstruction() {
+    result = getChild(0).getFirstInstruction()
+    or
+    // Some functions, like `std::move()`, have no side effects whatsoever.
+    not exists(getChild(0)) and result = getParent().getChildSuccessor(this)
+  }
+
+  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
+
+  /** Gets the primary instruction to be associated with each side effect instruction. */
+  abstract Instruction getPrimaryInstruction();
 }
 
 /**
@@ -325,14 +286,6 @@ class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall {
     tag = CallTargetTag() and result = expr.getTarget()
   }
 
-  override predicate hasReadSideEffect() {
-    not expr.getTarget().(SideEffectFunction).hasOnlySpecificReadSideEffects()
-  }
-
-  override predicate hasWriteSideEffect() {
-    not expr.getTarget().(SideEffectFunction).hasOnlySpecificWriteSideEffects()
-  }
-
   override Instruction getQualifierResult() {
     hasQualifier() and
     result = getQualifier().getResult()
@@ -363,209 +316,116 @@ class TranslatedStructorCall extends TranslatedFunctionCall {
   override predicate hasQualifier() { any() }
 }
 
-class TranslatedAllocationSideEffects extends TranslatedSideEffects,
-  TTranslatedAllocationSideEffects {
-  AllocationExpr expr;
-
-  TranslatedAllocationSideEffects() { this = TTranslatedAllocationSideEffects(expr) }
-
-  final override AllocationExpr getExpr() { result = expr }
-
-  override string toString() { result = "(allocation side effects for " + expr.toString() + ")" }
-
-  override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
-
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
-    opcode instanceof Opcode::InitializeDynamicAllocation and
-    tag = OnlyInstructionTag() and
-    type = getUnknownType()
-  }
-
-  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
-    tag = OnlyInstructionTag() and
-    kind = EdgeKind::gotoEdge() and
-    if exists(getChild(0))
-    then result = getChild(0).getFirstInstruction()
-    else result = getParent().getChildSuccessor(this)
-  }
-
-  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag = OnlyInstructionTag() and
-    operandTag = addressOperand() and
-    result = getPrimaryInstructionForSideEffect(OnlyInstructionTag())
-  }
-
-  override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
-    tag = OnlyInstructionTag() and
-    if expr instanceof NewOrNewArrayExpr
-    then result = getTranslatedAllocatorCall(expr).getInstruction(CallTag())
-    else result = getTranslatedCallInstruction(expr)
-  }
-}
-
+/**
+ * The IR translation of the side effects of a function call, including the implicit allocator
+ * call in a `new` or `new[]` expression.
+ */
 class TranslatedCallSideEffects extends TranslatedSideEffects, TTranslatedCallSideEffects {
-  Call expr;
+  Expr expr;
 
   TranslatedCallSideEffects() { this = TTranslatedCallSideEffects(expr) }
 
-  override string toString() { result = "(side effects  for " + expr.toString() + ")" }
+  final override string toString() { result = "(side effects  for " + expr.toString() + ")" }
 
-  override Call getExpr() { result = expr }
+  final override Expr getExpr() { result = expr }
 
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) { none() }
-
-  override Instruction getFirstInstruction() { result = getChild(0).getFirstInstruction() }
-
-  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
-
-  override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
-    tag = OnlyInstructionTag() and
-    result = getTranslatedCallInstruction(expr)
-  }
-}
-
-class TranslatedStructorCallSideEffects extends TranslatedCallSideEffects {
-  TranslatedStructorCallSideEffects() {
-    getParent().(TranslatedStructorCall).hasQualifier() and
-    getASideEffectOpcode(expr, -1) instanceof WriteSideEffectOpcode
-  }
-
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType t) {
-    tag instanceof OnlyInstructionTag and
-    t = getTypeForPRValue(expr.getTarget().getDeclaringType()) and
-    opcode = getASideEffectOpcode(expr, -1).(WriteSideEffectOpcode)
-  }
-
-  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
-    (
-      if exists(getChild(0))
-      then result = getChild(0).getFirstInstruction()
-      else result = getParent().getChildSuccessor(this)
-    ) and
-    tag = OnlyInstructionTag() and
-    kind instanceof GotoEdge
-  }
-
-  override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
-
-  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag instanceof OnlyInstructionTag and
-    operandTag instanceof AddressOperandTag and
-    result = getParent().(TranslatedStructorCall).getQualifierResult()
-  }
-
-  final override int getInstructionIndex(InstructionTag tag) {
-    tag = OnlyInstructionTag() and
-    result = -1
-  }
-}
-
-class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEffect {
-  Call call;
-  Expr arg;
-  int index;
-  SideEffectOpcode sideEffectOpcode;
-
-  TranslatedSideEffect() {
-    this = TTranslatedArgumentSideEffect(call, arg, index, sideEffectOpcode)
-  }
-
-  override Locatable getAST() { result = arg }
-
-  Expr getExpr() { result = arg }
-
-  Call getCall() { result = call }
-
-  int getArgumentIndex() { result = index }
-
-  predicate isWrite() { sideEffectOpcode instanceof WriteSideEffectOpcode }
-
-  override string toString() {
-    isWrite() and
-    result = "(write side effect for " + arg.toString() + ")"
+  final override Instruction getPrimaryInstruction() {
+    expr instanceof Call and result = getTranslatedCallInstruction(expr)
     or
-    not isWrite() and
-    result = "(read side effect for " + arg.toString() + ")"
+    expr instanceof NewOrNewArrayExpr and
+    result = getTranslatedAllocatorCall(expr).getInstruction(CallTag())
   }
+}
 
-  override TranslatedElement getChild(int n) { none() }
+/** Returns the sort group index for argument read side effects. */
+private int argumentReadGroup() { result = 1 }
 
-  override Instruction getChildSuccessor(TranslatedElement child) { none() }
+/** Returns the sort group index for conservative call side effects. */
+private int callSideEffectGroup() {
+  result = 0 // Make this group first for now to preserve the existing ordering
+}
 
-  override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
+/** Returns the sort group index for argument write side effects. */
+private int argumentWriteGroup() { result = 2 }
 
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
+/** Returns the sort group index for dynamic allocation side effects. */
+private int initializeAllocationGroup() { result = 3 }
+
+/**
+ * The IR translation of a single side effect of a call.
+ */
+abstract class TranslatedSideEffect extends TranslatedElement {
+  final override TranslatedElement getChild(int n) { none() }
+
+  final override Instruction getChildSuccessor(TranslatedElement child) { none() }
+
+  final override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
+
+  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
     tag = OnlyInstructionTag() and
-    opcode = sideEffectOpcode and
-    (
-      isWrite() and
-      (
-        opcode instanceof BufferAccessOpcode and
-        type = getUnknownType()
-        or
-        not opcode instanceof BufferAccessOpcode and
-        exists(Type baseType | baseType = arg.getUnspecifiedType().(DerivedType).getBaseType() |
-          if baseType instanceof VoidType
-          then type = getUnknownType()
-          else type = getTypeForPRValueOrUnknown(baseType)
-        )
-        or
-        index = -1 and
-        not arg.getUnspecifiedType() instanceof DerivedType and
-        type = getTypeForPRValueOrUnknown(arg.getUnspecifiedType())
-      )
-      or
-      not isWrite() and
-      type = getVoidType()
-    )
+    sideEffectInstruction(opcode, type)
   }
 
-  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
     result = getParent().getChildSuccessor(this) and
     tag = OnlyInstructionTag() and
     kind instanceof GotoEdge
   }
 
-  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag instanceof OnlyInstructionTag and
-    operandTag instanceof AddressOperandTag and
-    result = getTranslatedExpr(arg).getResult()
-    or
-    tag instanceof OnlyInstructionTag and
-    operandTag instanceof BufferSizeOperandTag and
-    result =
-      getTranslatedExpr(call.getArgument(call.getTarget()
-              .(SideEffectFunction)
-              .getParameterSizeIndex(index)).getFullyConverted()).getResult()
-  }
+  final override Function getFunction() { result = getParent().getFunction() }
 
-  override CppType getInstructionMemoryOperandType(InstructionTag tag, TypedOperandTag operandTag) {
-    not isWrite() and
-    if sideEffectOpcode instanceof BufferAccessOpcode
-    then
-      result = getUnknownType() and
-      tag instanceof OnlyInstructionTag and
-      operandTag instanceof SideEffectOperandTag
-    else
-      exists(Type operandType |
-        tag instanceof OnlyInstructionTag and
-        operandType = arg.getType().getUnspecifiedType().(DerivedType).getBaseType() and
-        operandTag instanceof SideEffectOperandTag
-        or
-        tag instanceof OnlyInstructionTag and
-        operandType = arg.getType().getUnspecifiedType() and
-        not operandType instanceof DerivedType and
-        operandTag instanceof SideEffectOperandTag
-      |
-        // If the type we select is an incomplete type (e.g. a forward-declared `struct`), there will
-        // not be a `CppType` that represents that type. In that case, fall back to `UnknownCppType`.
-        result = getTypeForPRValueOrUnknown(operandType)
-      )
-  }
-
-  override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
+  final override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
     tag = OnlyInstructionTag() and
-    result = getTranslatedCallInstruction(call)
+    result = getParent().(TranslatedSideEffects).getPrimaryInstruction()
+  }
+
+  /**
+   * Gets the expression that caused this side effect.
+   *
+   * All side effects with the same `getPrimaryExpr()` will appear in the same contiguous sequence
+   * in the IR.
+   */
+  abstract Expr getPrimaryExpr();
+
+  /**
+   * Gets the order in which this side effect should be sorted with respect to other side effects
+   * for the same expression.
+   *
+   * Side effects are sorted first by `group`, and then by `indexInGroup`.
+   */
+  abstract predicate sortOrder(int group, int indexInGroup);
+
+  /**
+   * Gets the opcode and result type for the side effect instruction.
+   */
+  abstract predicate sideEffectInstruction(Opcode opcode, CppType type);
+}
+
+/**
+ * The IR translation of a single argument side effect for a call.
+ */
+abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
+  Call call;
+  int index;
+  SideEffectOpcode sideEffectOpcode;
+
+  // All subclass charpreds must bind the `index` field.
+  bindingset[index]
+  TranslatedArgumentSideEffect() { any() }
+
+  override string toString() {
+    isWrite() and
+    result = "(write side effect for " + getArgString() + ")"
+    or
+    not isWrite() and
+    result = "(read side effect for " + getArgString() + ")"
+  }
+
+  override Call getPrimaryExpr() { result = call }
+
+  override predicate sortOrder(int group, int indexInGroup) {
+    indexInGroup = index and
+    if isWrite() then group = argumentWriteGroup() else group = argumentReadGroup()
   }
 
   final override int getInstructionIndex(InstructionTag tag) {
@@ -577,11 +437,199 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
    * Gets the `TranslatedFunction` containing this expression.
    */
   final TranslatedFunction getEnclosingFunction() {
-    result = getTranslatedFunction(arg.getEnclosingFunction())
+    result = getTranslatedFunction(call.getEnclosingFunction())
   }
 
-  /**
-   * Gets the `Function` containing this expression.
-   */
-  override Function getFunction() { result = arg.getEnclosingFunction() }
+  final override predicate sideEffectInstruction(Opcode opcode, CppType type) {
+    opcode = sideEffectOpcode and
+    (
+      isWrite() and
+      (
+        opcode instanceof BufferAccessOpcode and
+        type = getUnknownType()
+        or
+        not opcode instanceof BufferAccessOpcode and
+        exists(Type indirectionType | indirectionType = getIndirectionType() |
+          if indirectionType instanceof VoidType
+          then type = getUnknownType()
+          else type = getTypeForPRValueOrUnknown(indirectionType)
+        )
+      )
+      or
+      not isWrite() and
+      type = getVoidType()
+    )
+  }
+
+  final override CppType getInstructionMemoryOperandType(
+    InstructionTag tag, TypedOperandTag operandTag
+  ) {
+    not isWrite() and
+    if sideEffectOpcode instanceof BufferAccessOpcode
+    then
+      result = getUnknownType() and
+      tag instanceof OnlyInstructionTag and
+      operandTag instanceof SideEffectOperandTag
+    else
+      exists(Type operandType |
+        tag instanceof OnlyInstructionTag and
+        operandType = getIndirectionType() and
+        operandTag instanceof SideEffectOperandTag
+      |
+        // If the type we select is an incomplete type (e.g. a forward-declared `struct`), there will
+        // not be a `CppType` that represents that type. In that case, fall back to `UnknownCppType`.
+        result = getTypeForPRValueOrUnknown(operandType)
+      )
+  }
+
+  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    tag instanceof OnlyInstructionTag and
+    operandTag instanceof AddressOperandTag and
+    result = getArgInstruction()
+    or
+    tag instanceof OnlyInstructionTag and
+    operandTag instanceof BufferSizeOperandTag and
+    result =
+      getTranslatedExpr(call.getArgument(call.getTarget()
+              .(SideEffectFunction)
+              .getParameterSizeIndex(index)).getFullyConverted()).getResult()
+  }
+
+  /** Holds if this side effect is a write side effect, rather than a read side effect. */
+  final predicate isWrite() { sideEffectOpcode instanceof WriteSideEffectOpcode }
+
+  /** Gets a text representation of the argument. */
+  abstract string getArgString();
+
+  /** Gets the `Instruction` whose result is the value of the argument. */
+  abstract Instruction getArgInstruction();
+
+  /** Gets the type pointed to by the argument. */
+  abstract Type getIndirectionType();
+}
+
+/**
+ * The IR translation of an argument side effect where the argument has an `Expr` object in the AST.
+ *
+ * This generally applies to all positional arguments, as well as qualifier (`this`) arguments for
+ * calls other than constructor calls.
+ */
+class TranslatedArgumentExprSideEffect extends TranslatedArgumentSideEffect,
+  TTranslatedArgumentExprSideEffect {
+  Expr arg;
+
+  TranslatedArgumentExprSideEffect() {
+    this = TTranslatedArgumentExprSideEffect(call, arg, index, sideEffectOpcode)
+  }
+
+  final override Locatable getAST() { result = arg }
+
+  final override Type getIndirectionType() {
+    result = arg.getUnspecifiedType().(DerivedType).getBaseType()
+    or
+    // Sometimes the qualifier type gets the type of the class itself, rather than a pointer to the
+    // class.
+    index = -1 and
+    not arg.getUnspecifiedType() instanceof DerivedType and
+    result = arg.getUnspecifiedType()
+  }
+
+  final override string getArgString() { result = arg.toString() }
+
+  final override Instruction getArgInstruction() { result = getTranslatedExpr(arg).getResult() }
+}
+
+/**
+ * The IR translation of an argument side effect for `*this` on a call, where there is no `Expr`
+ * object that represents the `this` argument.
+ *
+ * The applies only to constructor calls, as the AST has explioit qualifier `Expr`s for all other
+ * calls to non-static member functions.
+ */
+class TranslatedStructorQualifierSideEffect extends TranslatedArgumentSideEffect,
+  TTranslatedStructorQualifierSideEffect {
+  TranslatedStructorQualifierSideEffect() {
+    this = TTranslatedStructorQualifierSideEffect(call, sideEffectOpcode) and
+    index = -1
+  }
+
+  final override Locatable getAST() { result = call }
+
+  final override Type getIndirectionType() { result = call.getTarget().getDeclaringType() }
+
+  final override string getArgString() { result = "this" }
+
+  final override Instruction getArgInstruction() {
+    exists(TranslatedStructorCall structorCall |
+      structorCall.getExpr() = call and
+      result = structorCall.getQualifierResult()
+    )
+  }
+}
+
+/** The IR translation of the non-argument-specific side effect of a call. */
+class TranslatedCallSideEffect extends TranslatedSideEffect, TTranslatedCallSideEffect {
+  Expr expr;
+  SideEffectOpcode sideEffectOpcode;
+
+  TranslatedCallSideEffect() { this = TTranslatedCallSideEffect(expr, sideEffectOpcode) }
+
+  override Locatable getAST() { result = expr }
+
+  override Expr getPrimaryExpr() { result = expr }
+
+  override predicate sortOrder(int group, int indexInGroup) {
+    group = callSideEffectGroup() and indexInGroup = 0
+  }
+
+  override string toString() { result = "(call side effect for '" + expr.toString() + "')" }
+
+  override predicate sideEffectInstruction(Opcode opcode, CppType type) {
+    opcode = sideEffectOpcode and
+    (
+      opcode instanceof Opcode::CallSideEffect and
+      type = getUnknownType()
+      or
+      opcode instanceof Opcode::CallReadSideEffect and
+      type = getVoidType()
+    )
+  }
+
+  override CppType getInstructionMemoryOperandType(InstructionTag tag, TypedOperandTag operandTag) {
+    tag instanceof OnlyInstructionTag and
+    operandTag instanceof SideEffectOperandTag and
+    result = getUnknownType()
+  }
+}
+
+/**
+ * The IR translation of the allocation side effect of a call to a memory allocation function.
+ *
+ * This side effect provides a definition for the newly-allocated memory.
+ */
+class TranslatedAllocationSideEffect extends TranslatedSideEffect, TTranslatedAllocationSideEffect {
+  AllocationExpr expr;
+
+  TranslatedAllocationSideEffect() { this = TTranslatedAllocationSideEffect(expr) }
+
+  override Locatable getAST() { result = expr }
+
+  override Expr getPrimaryExpr() { result = expr }
+
+  override predicate sortOrder(int group, int indexInGroup) {
+    group = initializeAllocationGroup() and indexInGroup = 0
+  }
+
+  override string toString() { result = "(allocation side effect for '" + expr.toString() + "')" }
+
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = OnlyInstructionTag() and
+    operandTag = addressOperand() and
+    result = getPrimaryInstructionForSideEffect(OnlyInstructionTag())
+  }
+
+  override predicate sideEffectInstruction(Opcode opcode, CppType type) {
+    opcode instanceof Opcode::InitializeDynamicAllocation and
+    type = getUnknownType()
+  }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -135,6 +135,20 @@ private predicate ignoreExpr(Expr expr) {
   ignoreExprAndDescendants(expr)
 }
 
+/**
+ * Holds if the side effects of `expr` should be ignoredf for the purposes of IR generation.
+ *
+ * In cases involving `constexpr`, a call can wind up as a constant expression. `ignoreExpr()` will
+ * not hold for such a call, since we do need to translate the call (as a constant), but we need to
+ * ignore all of the side effects of that call, since we will not actually be generating a `Call`
+ * instruction.
+ */
+private predicate ignoreSideEffects(Expr expr) {
+  ignoreExpr(expr)
+  or
+  isIRConstant(expr)
+}
+
 /**
  * Holds if `func` contains an AST that cannot be translated into IR. This is mostly used to work
  * around extractor bugs. Once the relevant extractor bugs are fixed, this predicate can be removed.
@@ -553,6 +567,13 @@ newtype TTranslatedElement =
   } or
   // The initialization of a base class from within a constructor.
   TTranslatedConstructorBaseInit(ConstructorBaseInit init) { not ignoreExpr(init) } or
+  // Workaround for a case where no base constructor is generated but a targetless base
+  // constructor call is present.
+  TTranslatedConstructorBareInit(ConstructorInit init) {
+    not ignoreExpr(init) and
+    not init instanceof ConstructorBaseInit and
+    not init instanceof ConstructorFieldInit
+  } or
   // The destruction of a base class from within a destructor.
   TTranslatedDestructorBaseDestruction(DestructorBaseDestruction destruction) {
     not ignoreExpr(destruction)
@@ -621,32 +642,34 @@ newtype TTranslatedElement =
   // The declaration/initialization part of a `ConditionDeclExpr`
   TTranslatedConditionDecl(ConditionDeclExpr expr) { not ignoreExpr(expr) } or
   // The side effects of a `Call`
-  TTranslatedCallSideEffects(Call expr) {
-    // Exclude allocations such as `malloc` (which happen to also be function calls).
-    // Both `TranslatedCallSideEffects` and `TranslatedAllocationSideEffects` generate
-    // the same side effects for its children as they both extend the `TranslatedSideEffects`
-    // class.
-    // Note: We can separate allocation side effects and call side effects into two
-    // translated elements as no call can be both a `ConstructorCall` and an `AllocationExpr`.
-    not expr instanceof AllocationExpr and
-    (
-      exists(TTranslatedArgumentSideEffect(expr, _, _, _)) or
-      expr instanceof ConstructorCall
-    )
+  TTranslatedCallSideEffects(CallOrAllocationExpr expr) { not ignoreSideEffects(expr) } or
+  // The non-argument-specific side effect of a `Call`
+  TTranslatedCallSideEffect(Expr expr, SideEffectOpcode opcode) {
+    not ignoreSideEffects(expr) and
+    opcode = getCallSideEffectOpcode(expr)
   } or
-  // The side effects of an allocation, i.e. `new`, `new[]` or `malloc`
-  TTranslatedAllocationSideEffects(AllocationExpr expr) { not ignoreExpr(expr) } or
   // A precise side effect of an argument to a `Call`
-  TTranslatedArgumentSideEffect(Call call, Expr expr, int n, SideEffectOpcode opcode) {
+  TTranslatedArgumentExprSideEffect(Call call, Expr expr, int n, SideEffectOpcode opcode) {
     not ignoreExpr(expr) and
-    not ignoreExpr(call) and
+    not ignoreSideEffects(call) and
     (
       n >= 0 and expr = call.getArgument(n).getFullyConverted()
       or
       n = -1 and expr = call.getQualifier().getFullyConverted()
     ) and
     opcode = getASideEffectOpcode(call, n)
-  }
+  } or
+  // Constructor calls lack a qualifier (`this`) expression, so we need to handle the side effects
+  // on `*this` without an `Expr`.
+  TTranslatedStructorQualifierSideEffect(Call call, SideEffectOpcode opcode) {
+    not ignoreSideEffects(call) and
+    // Don't bother with destructor calls for now, since we won't see very many of them in the IR
+    // until we start injecting implicit destructor calls.
+    call instanceof ConstructorCall and
+    opcode = getASideEffectOpcode(call, -1)
+  } or
+  // The side effect that initializes newly-allocated memory.
+  TTranslatedAllocationSideEffect(AllocationExpr expr) { not ignoreSideEffects(expr) }
 
 /**
  * Gets the index of the first explicitly initialized element in `initList`

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -573,6 +573,11 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon
       baseInit = func.(Constructor).getInitializer(id) and
       result = getTranslatedConstructorBaseInit(baseInit)
     )
+    or
+    exists(ConstructorInit bareInit |
+      bareInit = func.(Constructor).getInitializer(id) and
+      result = getTranslatedConstructorBareInit(bareInit)
+    )
   }
 
   override Instruction getFirstInstruction() {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll

@@ -917,3 +917,36 @@ class TranslatedDestructorBaseDestruction extends TranslatedBaseStructorCall,
 
   final override string toString() { result = "destroy base: " + call.toString() }
 }
+
+/**
+ * A constructor base init call where no base constructor has been generated.
+ *
+ * Workaround for an extractor issue.
+ */
+class TranslatedConstructorBareInit extends TranslatedElement, TTranslatedConstructorBareInit {
+  ConstructorInit init;
+
+  TranslatedConstructorBareInit() { this = TTranslatedConstructorBareInit(init) }
+
+  override Locatable getAST() { result = init }
+
+  final override string toString() { result = "construct base (no constructor)" }
+
+  override Instruction getFirstInstruction() { result = getParent().getChildSuccessor(this) }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    none()
+  }
+
+  override TranslatedElement getChild(int id) { none() }
+
+  override Function getFunction() { result = getParent().getFunction() }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
+
+  override Instruction getChildSuccessor(TranslatedElement child) { none() }
+}
+
+TranslatedConstructorBareInit getTranslatedConstructorBareInit(ConstructorInit init) {
+  result.getAST() = init
+}

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll

@@ -200,7 +200,7 @@ class IRBlock extends IRBlockBase {
    * post-dominate block `B`, but block `A` does post-dominate an immediate successor of block `B`.
    */
   pragma[noinline]
-  final IRBlock postPominanceFrontier() {
+  final IRBlock postDominanceFrontier() {
     this.postDominates(result.getASuccessor()) and
     not this.strictlyPostDominates(result)
   }

cpp/ql/lib/semmle/code/cpp/metrics/MetricClass.qll

@@ -308,45 +308,45 @@ class MetricClass extends Class {
   }
 
   private string getAUsedHalsteadN1Operator() {
-    exists(CommaExpr e | e = this.getAnEnclosedExpression()) and result = "comma"
+    this.getAnEnclosedExpression() instanceof CommaExpr and result = "comma"
     or
-    exists(ReferenceToExpr e | e = this.getAnEnclosedExpression()) and result = "refTo"
+    this.getAnEnclosedExpression() instanceof ReferenceToExpr and result = "refTo"
     or
-    exists(PointerDereferenceExpr e | e = this.getAnEnclosedExpression()) and result = "dereference"
+    this.getAnEnclosedExpression() instanceof PointerDereferenceExpr and result = "dereference"
     or
-    exists(CStyleCast e | e = this.getAnEnclosedExpression()) and result = "cCast"
+    this.getAnEnclosedExpression() instanceof CStyleCast and result = "cCast"
     or
-    exists(StaticCast e | e = this.getAnEnclosedExpression()) and result = "staticCast"
+    this.getAnEnclosedExpression() instanceof StaticCast and result = "staticCast"
     or
-    exists(ConstCast e | e = this.getAnEnclosedExpression()) and result = "constCast"
+    this.getAnEnclosedExpression() instanceof ConstCast and result = "constCast"
     or
-    exists(ReinterpretCast e | e = this.getAnEnclosedExpression()) and result = "reinterpretCast"
+    this.getAnEnclosedExpression() instanceof ReinterpretCast and result = "reinterpretCast"
     or
-    exists(DynamicCast e | e = this.getAnEnclosedExpression()) and result = "dynamicCast"
+    this.getAnEnclosedExpression() instanceof DynamicCast and result = "dynamicCast"
     or
-    exists(SizeofExprOperator e | e = this.getAnEnclosedExpression()) and result = "sizeofExpr"
+    this.getAnEnclosedExpression() instanceof SizeofExprOperator and result = "sizeofExpr"
     or
-    exists(SizeofTypeOperator e | e = this.getAnEnclosedExpression()) and result = "sizeofType"
+    this.getAnEnclosedExpression() instanceof SizeofTypeOperator and result = "sizeofType"
     or
-    exists(IfStmt e | e = this.getAnEnclosedStmt()) and result = "ifVal"
+    this.getAnEnclosedStmt() instanceof IfStmt and result = "ifVal"
     or
-    exists(SwitchStmt e | e = this.getAnEnclosedStmt()) and result = "switchVal"
+    this.getAnEnclosedStmt() instanceof SwitchStmt and result = "switchVal"
     or
-    exists(ForStmt e | e = this.getAnEnclosedStmt()) and result = "forVal"
+    this.getAnEnclosedStmt() instanceof ForStmt and result = "forVal"
     or
-    exists(DoStmt e | e = this.getAnEnclosedStmt()) and result = "doVal"
+    this.getAnEnclosedStmt() instanceof DoStmt and result = "doVal"
     or
-    exists(WhileStmt e | e = this.getAnEnclosedStmt()) and result = "whileVal"
+    this.getAnEnclosedStmt() instanceof WhileStmt and result = "whileVal"
     or
-    exists(GotoStmt e | e = this.getAnEnclosedStmt()) and result = "gotoVal"
+    this.getAnEnclosedStmt() instanceof GotoStmt and result = "gotoVal"
     or
-    exists(ContinueStmt e | e = this.getAnEnclosedStmt()) and result = "continueVal"
+    this.getAnEnclosedStmt() instanceof ContinueStmt and result = "continueVal"
     or
-    exists(BreakStmt e | e = this.getAnEnclosedStmt()) and result = "breakVal"
+    this.getAnEnclosedStmt() instanceof BreakStmt and result = "breakVal"
     or
-    exists(ReturnStmt e | e = this.getAnEnclosedStmt()) and result = "returnVal"
+    this.getAnEnclosedStmt() instanceof ReturnStmt and result = "returnVal"
     or
-    exists(SwitchCase e | e = this.getAnEnclosedStmt()) and result = "caseVal"
+    this.getAnEnclosedStmt() instanceof SwitchCase and result = "caseVal"
     or
     exists(IfStmt s | s = this.getAnEnclosedStmt() and s.hasElse()) and
     result = "elseVal"

cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll

@@ -11,15 +11,14 @@ import semmle.code.cpp.models.interfaces.SideEffect
 import semmle.code.cpp.models.interfaces.FlowSource
 
 /**
- * The standard functions `gets` and `fgets`.
+ * The standard functions `fgets` and `fgetws`.
  */
-private class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunction, AliasFunction,
+private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFunction, AliasFunction,
   SideEffectFunction, RemoteFlowSourceFunction {
-  GetsFunction() {
-    // gets(str)
+  FgetsFunction() {
     // fgets(str, num, stream)
     // fgetws(wstr, num, stream)
-    this.hasGlobalOrStdOrBslName(["gets", "fgets", "fgetws"])
+    this.hasGlobalOrStdOrBslName(["fgets", "fgetws"])
   }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
@@ -51,18 +50,61 @@ private class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunctio
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
     output.isParameterDeref(0) and
     description = "String read by " + this.getName()
+    or
+    output.isReturnValue() and
+    description = "String read by " + this.getName()
   }
 
   override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
-    not this.hasName("gets") and
     bufParam = 0 and
     countParam = 1
   }
 
-  override predicate hasArrayWithUnknownSize(int bufParam) {
-    this.hasName("gets") and
-    bufParam = 0
+  override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
+
+  override predicate hasSocketInput(FunctionInput input) { input.isParameterDeref(2) }
+}
+
+/**
+ * The standard functions `gets`.
+ */
+private class GetsFunction extends DataFlowFunction, ArrayFunction, AliasFunction,
+  SideEffectFunction, LocalFlowSourceFunction {
+  GetsFunction() {
+    // gets(str)
+    this.hasGlobalOrStdOrBslName("gets")
   }
 
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameter(0) and
+    output.isReturnValue()
+  }
+
+  override predicate parameterNeverEscapes(int index) { none() }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { index = 0 }
+
+  override predicate parameterIsAlwaysReturned(int index) { index = 0 }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = 0 and
+    buffer = true and
+    mustWrite = true
+  }
+
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(0) and
+    description = "String read by " + this.getName()
+    or
+    output.isReturnValue() and
+    description = "String read by " + this.getName()
+  }
+
+  override predicate hasArrayWithUnknownSize(int bufParam) { bufParam = 0 }
+
   override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
 }

cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll

@@ -20,8 +20,9 @@ abstract class RemoteFlowSourceFunction extends Function {
   abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
 
   /**
-   * Holds if remote data from this source comes from a socket described by
-   * `input`. There is no result if a socket is not specified.
+   * Holds if remote data from this source comes from a socket or stream
+   * described by `input`. There is no result if none is specified by a
+   * parameter.
    */
   predicate hasSocketInput(FunctionInput input) { none() }
 }
@@ -59,8 +60,9 @@ abstract class RemoteFlowSinkFunction extends Function {
   abstract predicate hasRemoteFlowSink(FunctionInput input, string description);
 
   /**
-   * Holds if data put into this sink is transmitted through a socket described
-   * by `input`. There is no result if a socket is not specified.
+   * Holds if data put into this sink is transmitted through a socket or stream
+   * described by `input`. There is no result if none is specified by a
+   * parameter.
    */
   predicate hasSocketInput(FunctionInput input) { none() }
 }

cpp/ql/lib/semmle/code/cpp/padding/Padding.qll

@@ -397,7 +397,7 @@ class PaddedType extends Class {
     // Support only single inheritance for now. If multiple inheritance is
     // supported, be sure to fix up the calls to getABaseClass*() to correctly
     // handle the presence of multiple base class subojects with the same type.
-    not exists(ClassDerivation cd | cd = this.getDerivation(1))
+    not exists(this.getDerivation(1))
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/pointsto/PointsTo.qll

@@ -72,7 +72,7 @@ predicate lvalue(Element e) {
   or
   exists(Cast c | lvalue(c) and e.(Expr).getConversion() = c)
   or
-  exists(ReferenceToExpr toref | e.(Expr).getConversion() = toref)
+  e.(Expr).getConversion() instanceof ReferenceToExpr
   or
   // If f is a function-pointer, then the following two
   // calls are equivalent:  f()  and  (*f)()

cpp/ql/lib/semmle/code/cpp/security/BufferWrite.qll

@@ -76,7 +76,7 @@ abstract class BufferWrite extends Expr {
    * can be found), specifying the reason for the estimation.
    */
   int getMaxData(BufferWriteEstimationReason reason) {
-    reason instanceof NoSpecifiedEstimateReason and result = getMaxData()
+    reason instanceof UnspecifiedEstimateReason and result = this.getMaxData()
   }
 
   /**
@@ -85,7 +85,7 @@ abstract class BufferWrite extends Expr {
    * much smaller (8 bytes) than their true maximum length.  This can be
    * helpful in determining the cause of a buffer overflow issue.
    */
-  int getMaxDataLimited() { result = getMaxData() }
+  int getMaxDataLimited() { result = this.getMaxData() }
 
   /**
    * Gets an upper bound to the amount of data that's being written (if one
@@ -94,7 +94,7 @@ abstract class BufferWrite extends Expr {
    * than their true maximum length.  This can be helpful in determining the
    * cause of a buffer overflow issue.
    */
-  int getMaxDataLimited(BufferWriteEstimationReason reason) { result = getMaxData(reason) }
+  int getMaxDataLimited(BufferWriteEstimationReason reason) { result = this.getMaxData(reason) }
 
   /**
    * Gets the size of a single character of the type this
@@ -159,9 +159,11 @@ class StrCopyBW extends BufferWriteCall {
       this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
   }
 
-  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+  override int getMaxData(BufferWriteEstimationReason reason) {
+    result = this.getMaxDataImpl(reason)
+  }
 
-  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 }
 
 /**
@@ -203,9 +205,11 @@ class StrCatBW extends BufferWriteCall {
       this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
   }
 
-  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+  override int getMaxData(BufferWriteEstimationReason reason) {
+    result = this.getMaxDataImpl(reason)
+  }
 
-  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 }
 
 /**
@@ -269,9 +273,11 @@ class SprintfBW extends BufferWriteCall {
     )
   }
 
-  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+  override int getMaxData(BufferWriteEstimationReason reason) {
+    result = this.getMaxDataImpl(reason)
+  }
 
-  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 
   private int getMaxDataLimitedImpl(BufferWriteEstimationReason reason) {
     exists(FormatLiteral fl |
@@ -281,10 +287,10 @@ class SprintfBW extends BufferWriteCall {
   }
 
   override int getMaxDataLimited(BufferWriteEstimationReason reason) {
-    result = getMaxDataLimitedImpl(reason)
+    result = this.getMaxDataLimitedImpl(reason)
   }
 
-  override int getMaxDataLimited() { result = max(getMaxDataLimitedImpl(_)) }
+  override int getMaxDataLimited() { result = max(this.getMaxDataLimitedImpl(_)) }
 }
 
 /**
@@ -382,9 +388,11 @@ class SnprintfBW extends BufferWriteCall {
     )
   }
 
-  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+  override int getMaxData(BufferWriteEstimationReason reason) {
+    result = this.getMaxDataImpl(reason)
+  }
 
-  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 
   private int getMaxDataLimitedImpl(BufferWriteEstimationReason reason) {
     exists(FormatLiteral fl |
@@ -394,10 +402,10 @@ class SnprintfBW extends BufferWriteCall {
   }
 
   override int getMaxDataLimited(BufferWriteEstimationReason reason) {
-    result = getMaxDataLimitedImpl(reason)
+    result = this.getMaxDataLimitedImpl(reason)
   }
 
-  override int getMaxDataLimited() { result = max(getMaxDataLimitedImpl(_)) }
+  override int getMaxDataLimited() { result = max(this.getMaxDataLimitedImpl(_)) }
 }
 
 /**
@@ -495,9 +503,11 @@ class ScanfBW extends BufferWrite {
     )
   }
 
-  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+  override int getMaxData(BufferWriteEstimationReason reason) {
+    result = this.getMaxDataImpl(reason)
+  }
 
-  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 
   override string getBWDesc() {
     exists(FunctionCall fc |
@@ -536,7 +546,9 @@ class RealpathBW extends BufferWriteCall {
     this = this // Suppress a compiler warning
   }
 
-  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+  override int getMaxData(BufferWriteEstimationReason reason) {
+    result = this.getMaxDataImpl(reason)
+  }
 
-  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 }

cpp/ql/lib/semmle/code/cpp/security/Overflow.qll

@@ -9,6 +9,7 @@ import semmle.code.cpp.controlflow.Dominance
 private import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
+import semmle.code.cpp.controlflow.Guards
 
 /**
  * Holds if the value of `use` is guarded using `abs`.
@@ -16,53 +17,16 @@ import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 predicate guardedAbs(Operation e, Expr use) {
   exists(FunctionCall fc | fc.getTarget().getName() = ["abs", "labs", "llabs", "imaxabs"] |
     fc.getArgument(0).getAChild*() = use and
-    guardedLesser(e, fc)
+    exists(GuardCondition c | c.ensuresLt(fc, _, _, e.getBasicBlock(), true))
   )
 }
 
-/**
- * Gets the position of `stmt` in basic block `block` (this is a thin layer
- * over `BasicBlock.getNode`, intended to improve performance).
- */
-pragma[noinline]
-private int getStmtIndexInBlock(BasicBlock block, Stmt stmt) { block.getNode(result) = stmt }
-
-pragma[inline]
-private predicate stmtDominates(Stmt dominator, Stmt dominated) {
-  // In same block
-  exists(BasicBlock block, int dominatorIndex, int dominatedIndex |
-    dominatorIndex = getStmtIndexInBlock(block, dominator) and
-    dominatedIndex = getStmtIndexInBlock(block, dominated) and
-    dominatedIndex >= dominatorIndex
-  )
-  or
-  // In (possibly) different blocks
-  bbStrictlyDominates(dominator.getBasicBlock(), dominated.getBasicBlock())
-}
-
 /**
  * Holds if the value of `use` is guarded to be less than something, and `e`
  * is in code controlled by that guard (where the guard condition held).
  */
-pragma[nomagic]
 predicate guardedLesser(Operation e, Expr use) {
-  exists(IfStmt c, RelationalOperation guard |
-    use = guard.getLesserOperand().getAChild*() and
-    guard = c.getControllingExpr().getAChild*() and
-    stmtDominates(c.getThen(), e.getEnclosingStmt())
-  )
-  or
-  exists(Loop c, RelationalOperation guard |
-    use = guard.getLesserOperand().getAChild*() and
-    guard = c.getControllingExpr().getAChild*() and
-    stmtDominates(c.getStmt(), e.getEnclosingStmt())
-  )
-  or
-  exists(ConditionalExpr c, RelationalOperation guard |
-    use = guard.getLesserOperand().getAChild*() and
-    guard = c.getCondition().getAChild*() and
-    c.getThen().getAChild*() = e
-  )
+  exists(GuardCondition c | c.ensuresLt(use, _, _, e.getBasicBlock(), true))
   or
   guardedAbs(e, use)
 }
@@ -71,25 +35,8 @@ predicate guardedLesser(Operation e, Expr use) {
  * Holds if the value of `use` is guarded to be greater than something, and `e`
  * is in code controlled by that guard (where the guard condition held).
  */
-pragma[nomagic]
 predicate guardedGreater(Operation e, Expr use) {
-  exists(IfStmt c, RelationalOperation guard |
-    use = guard.getGreaterOperand().getAChild*() and
-    guard = c.getControllingExpr().getAChild*() and
-    stmtDominates(c.getThen(), e.getEnclosingStmt())
-  )
-  or
-  exists(Loop c, RelationalOperation guard |
-    use = guard.getGreaterOperand().getAChild*() and
-    guard = c.getControllingExpr().getAChild*() and
-    stmtDominates(c.getStmt(), e.getEnclosingStmt())
-  )
-  or
-  exists(ConditionalExpr c, RelationalOperation guard |
-    use = guard.getGreaterOperand().getAChild*() and
-    guard = c.getCondition().getAChild*() and
-    c.getThen().getAChild*() = e
-  )
+  exists(GuardCondition c | c.ensuresLt(use, _, _, e.getBasicBlock(), false))
   or
   guardedAbs(e, use)
 }

cpp/ql/lib/semmle/code/cpp/security/TaintTracking.qll

@@ -1,7 +1,10 @@
 /*
- * Support for tracking tainted data through the program.
+ * Support for tracking tainted data through the program. This is an alias for
+ * `semmle.code.cpp.ir.dataflow.DefaultTaintTracking` provided for backwards
+ * compatibility.
  *
- * Prefer to use `semmle.code.cpp.dataflow.TaintTracking` when designing new queries.
+ * Prefer to use `semmle.code.cpp.dataflow.TaintTracking` or
+ * `semmle.code.cpp.ir.dataflow.TaintTracking` when designing new queries.
  */
 
 import semmle.code.cpp.ir.dataflow.DefaultTaintTracking

cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll

@@ -258,7 +258,7 @@ private predicate insideFunctionValueMoveTo(Element src, Element dest) {
           format.getConversionChar(sourceArg - ffc.getTarget().getNumberOfParameters()) = ["s", "S"]
         )
         or
-        not exists(FormatLiteral fl | fl = c.(FormattingFunctionCall).getFormat())
+        not c.(FormattingFunctionCall).getFormat() instanceof FormatLiteral
         or
         not c instanceof FormattingFunctionCall
       ) and

cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll

@@ -271,7 +271,7 @@ class IfStmt extends ConditionalStmt, @stmt_if {
    * if (b) { x = 1; }
    * ```
    */
-  predicate hasElse() { exists(Stmt s | this.getElse() = s) }
+  predicate hasElse() { exists(this.getElse()) }
 
   override string toString() { result = "if (...) ... " }
 
@@ -357,7 +357,7 @@ class ConstexprIfStmt extends ConditionalStmt, @stmt_constexpr_if {
    * if constexpr (b) { x = 1; }
    * ```
    */
-  predicate hasElse() { exists(Stmt s | this.getElse() = s) }
+  predicate hasElse() { exists(this.getElse()) }
 
   override string toString() { result = "if constexpr (...) ... " }
 

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -135,52 +135,11 @@ externalData(
     string value : string ref
 );
 
-/**
- * The date of the snapshot.
- */
-snapshotDate(unique date snapshotDate : date ref);
-
 /**
  * The source location of the snapshot.
  */
 sourceLocationPrefix(string prefix : string ref);
 
-/**
- * Data used by the 'duplicate code' detection.
- */
-duplicateCode(
-    unique int id : @duplication,
-    string relativePath : string ref,
-    int equivClass : int ref
-);
-
-/**
- * Data used by the 'similar code' detection.
- */
-similarCode(
-    unique int id : @similarity,
-    string relativePath : string ref,
-    int equivClass : int ref
-);
-
-/**
- * Data used by the 'duplicate code' and 'similar code' detection.
- */
-@duplication_or_similarity = @duplication | @similarity
-
-/**
- * Data used by the 'duplicate code' and 'similar code' detection.
- */
-#keyset[id, offset]
-tokens(
-    int id : @duplication_or_similarity ref,
-    int offset : int ref,
-    int beginLine : int ref,
-    int beginColumn : int ref,
-    int endLine : int ref,
-    int endColumn : int ref
-);
-
 /**
  * Information about packages that provide code used during compilation.
  * The `id` is just a unique identifier.
@@ -487,6 +446,7 @@ var_decl_specifiers(
     int id: @var_decl ref,
     string name: string ref
 )
+is_structured_binding(unique int id: @variable ref);
 
 type_decls(
     unique int id: @type_decl,

cpp/ql/lib/tutorial.qll

@@ -6,122 +6,22 @@
  */
 class Person extends string {
   Person() {
-    this = "Ronil" or
-    this = "Dina" or
-    this = "Ravi" or
-    this = "Bruce" or
-    this = "Jo" or
-    this = "Aida" or
-    this = "Esme" or
-    this = "Charlie" or
-    this = "Fred" or
-    this = "Meera" or
-    this = "Maya" or
-    this = "Chad" or
-    this = "Tiana" or
-    this = "Laura" or
-    this = "George" or
-    this = "Will" or
-    this = "Mary" or
-    this = "Almira" or
-    this = "Susannah" or
-    this = "Rhoda" or
-    this = "Cynthia" or
-    this = "Eunice" or
-    this = "Olive" or
-    this = "Virginia" or
-    this = "Angeline" or
-    this = "Helen" or
-    this = "Cornelia" or
-    this = "Harriet" or
-    this = "Mahala" or
-    this = "Abby" or
-    this = "Margaret" or
-    this = "Deb" or
-    this = "Minerva" or
-    this = "Severus" or
-    this = "Lavina" or
-    this = "Adeline" or
-    this = "Cath" or
-    this = "Elisa" or
-    this = "Lucretia" or
-    this = "Anne" or
-    this = "Eleanor" or
-    this = "Joanna" or
-    this = "Adam" or
-    this = "Agnes" or
-    this = "Rosanna" or
-    this = "Clara" or
-    this = "Melissa" or
-    this = "Amy" or
-    this = "Isabel" or
-    this = "Jemima" or
-    this = "Cordelia" or
-    this = "Melinda" or
-    this = "Delila" or
-    this = "Jeremiah" or
-    this = "Elijah" or
-    this = "Hester" or
-    this = "Walter" or
-    this = "Oliver" or
-    this = "Hugh" or
-    this = "Aaron" or
-    this = "Reuben" or
-    this = "Eli" or
-    this = "Amos" or
-    this = "Augustus" or
-    this = "Theodore" or
-    this = "Ira" or
-    this = "Timothy" or
-    this = "Cyrus" or
-    this = "Horace" or
-    this = "Simon" or
-    this = "Asa" or
-    this = "Frank" or
-    this = "Nelson" or
-    this = "Leonard" or
-    this = "Harrison" or
-    this = "Anthony" or
-    this = "Louis" or
-    this = "Milton" or
-    this = "Noah" or
-    this = "Cornelius" or
-    this = "Abdul" or
-    this = "Warren" or
-    this = "Harvey" or
-    this = "Dennis" or
-    this = "Wesley" or
-    this = "Sylvester" or
-    this = "Gilbert" or
-    this = "Sullivan" or
-    this = "Edmund" or
-    this = "Wilson" or
-    this = "Perry" or
-    this = "Matthew" or
-    this = "Simba" or
-    this = "Nala" or
-    this = "Rafiki" or
-    this = "Shenzi" or
-    this = "Ernest" or
-    this = "Gertrude" or
-    this = "Oscar" or
-    this = "Lilian" or
-    this = "Raymond" or
-    this = "Elgar" or
-    this = "Elmer" or
-    this = "Herbert" or
-    this = "Maude" or
-    this = "Mae" or
-    this = "Otto" or
-    this = "Edwin" or
-    this = "Ophelia" or
-    this = "Parsley" or
-    this = "Sage" or
-    this = "Rosemary" or
-    this = "Thyme" or
-    this = "Garfunkel" or
-    this = "King Basil" or
-    this = "Stephen"
+    this =
+      [
+        "Ronil", "Dina", "Ravi", "Bruce", "Jo", "Aida", "Esme", "Charlie", "Fred", "Meera", "Maya",
+        "Chad", "Tiana", "Laura", "George", "Will", "Mary", "Almira", "Susannah", "Rhoda",
+        "Cynthia", "Eunice", "Olive", "Virginia", "Angeline", "Helen", "Cornelia", "Harriet",
+        "Mahala", "Abby", "Margaret", "Deb", "Minerva", "Severus", "Lavina", "Adeline", "Cath",
+        "Elisa", "Lucretia", "Anne", "Eleanor", "Joanna", "Adam", "Agnes", "Rosanna", "Clara",
+        "Melissa", "Amy", "Isabel", "Jemima", "Cordelia", "Melinda", "Delila", "Jeremiah", "Elijah",
+        "Hester", "Walter", "Oliver", "Hugh", "Aaron", "Reuben", "Eli", "Amos", "Augustus",
+        "Theodore", "Ira", "Timothy", "Cyrus", "Horace", "Simon", "Asa", "Frank", "Nelson",
+        "Leonard", "Harrison", "Anthony", "Louis", "Milton", "Noah", "Cornelius", "Abdul", "Warren",
+        "Harvey", "Dennis", "Wesley", "Sylvester", "Gilbert", "Sullivan", "Edmund", "Wilson",
+        "Perry", "Matthew", "Simba", "Nala", "Rafiki", "Shenzi", "Ernest", "Gertrude", "Oscar",
+        "Lilian", "Raymond", "Elgar", "Elmer", "Herbert", "Maude", "Mae", "Otto", "Edwin",
+        "Ophelia", "Parsley", "Sage", "Rosemary", "Thyme", "Garfunkel", "King Basil", "Stephen"
+      ]
   }
 
   /** Gets the hair color of the person. If the person is bald, there is no result. */
@@ -936,25 +836,12 @@ class Person extends string {
 
   /** Holds if the person is deceased. */
   predicate isDeceased() {
-    this = "Ernest" or
-    this = "Gertrude" or
-    this = "Oscar" or
-    this = "Lilian" or
-    this = "Edwin" or
-    this = "Raymond" or
-    this = "Elgar" or
-    this = "Elmer" or
-    this = "Herbert" or
-    this = "Maude" or
-    this = "Mae" or
-    this = "Otto" or
-    this = "Ophelia" or
-    this = "Parsley" or
-    this = "Sage" or
-    this = "Rosemary" or
-    this = "Thyme" or
-    this = "Garfunkel" or
-    this = "King Basil"
+    this =
+      [
+        "Ernest", "Gertrude", "Oscar", "Lilian", "Edwin", "Raymond", "Elgar", "Elmer", "Herbert",
+        "Maude", "Mae", "Otto", "Ophelia", "Parsley", "Sage", "Rosemary", "Thyme", "Garfunkel",
+        "King Basil"
+      ]
   }
 
   /** Gets a parent of the person (alive or deceased). */
@@ -1195,12 +1082,7 @@ class Person extends string {
   }
 
   /** Holds if the person is allowed in the region. Initially, all villagers are allowed in every region. */
-  predicate isAllowedIn(string region) {
-    region = "north" or
-    region = "south" or
-    region = "east" or
-    region = "west"
-  }
+  predicate isAllowedIn(string region) { region = ["north", "south", "east", "west"] }
 }
 
 /** Returns a parent of the person. */

cpp/ql/lib/upgrades/018f430097e80bcf4b2786c989dae94b7d82b819/upgrade.properties

@@ -0,0 +1,6 @@
+description: Remove unused legacy relations
+compatibility: full
+snapshotDate.rel: delete
+duplicateCode.rel: delete
+similarCode.rel: delete
+tokens.rel: delete