Python: inline init_module_submodule_defn into ImportResolution

The new-dataflow ImportResolution module only used
semmle.python.essa.SsaDefinitions for the 5-line helper predicate
SsaSource::init_module_submodule_defn. Inline it locally and drop the
dependency on legacy SsaDefinitions. This is the only remaining direct
import of semmle.python.essa.* in the new dataflow stack, so dropping
it makes the layering cleaner.

Semantic noop on the current SSA: SsaSourceVariable.getName() and
GlobalVariable.getId() both project the same DB column
(variable(_,_,result)), and the old call's 'init.getEntryNode() = f'
join was just constraining init = package via Scope.getEntryNode()'s
functional uniqueness. RA dump of accesses.ql confirms only the
expected predicate-rename shuffle; all 70 dataflow + ApiGraphs library
tests pass.

This factors out commit 8cab5a20f2 from the larger shared-CFG
migration #21925.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.37
+version: 0.4.38-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.29
+version: 0.6.30-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/ql/lib/DefaultOptions.qll

@@ -30,8 +30,6 @@ class Options extends string {
   predicate overrideReturnsNull(Call call) {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup")
-    or
-    CustomOptions::overrideReturnsNull(call) // old Options.qll
   }
 
   /**
@@ -45,8 +43,6 @@ class Options extends string {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup") and
     nullValue(call.getArgument(0))
-    or
-    CustomOptions::returnsNull(call) // old Options.qll
   }
 
   /**
@@ -65,8 +61,6 @@ class Options extends string {
     f.hasGlobalOrStdName([
         "exit", "_exit", "_Exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
       ])
-    or
-    CustomOptions::exits(f) // old Options.qll
   }
 
   /**
@@ -79,8 +73,7 @@ class Options extends string {
    * runtime, the program's behavior is undefined)
    */
   predicate exprExits(Expr e) {
-    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0 or
-    CustomOptions::exprExits(e) // old Options.qll
+    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0
   }
 
   /**
@@ -88,10 +81,7 @@ class Options extends string {
    *
    * By default holds only for `fgets`.
    */
-  predicate alwaysCheckReturnValue(Function f) {
-    f.hasGlobalOrStdName("fgets") or
-    CustomOptions::alwaysCheckReturnValue(f) // old Options.qll
-  }
+  predicate alwaysCheckReturnValue(Function f) { f.hasGlobalOrStdName("fgets") }
 
   /**
    * Holds if it is reasonable to ignore the return value of function
@@ -107,8 +97,6 @@ class Options extends string {
     // common way of sleeping using select:
     fc.getTarget().hasGlobalName("select") and
     fc.getArgument(0).getValue() = "0"
-    or
-    CustomOptions::okToIgnoreReturnValue(fc) // old Options.qll
   }
 }
 

cpp/ql/lib/Options.qll

@@ -98,57 +98,3 @@ class CustomMutexType extends MutexType {
    */
   override predicate unlockAccess(FunctionCall fc, Expr arg) { none() }
 }
-
-/**
- * DEPRECATED: customize `CustomOptions.overrideReturnsNull` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate overrideReturnsNull(Call call) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.returnsNull` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate returnsNull(Call call) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.exits` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate exits(Function f) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.exprExits` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate exprExits(Expr e) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.alwaysCheckReturnValue` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate alwaysCheckReturnValue(Function f) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.okToIgnoreReturnValue` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate okToIgnoreReturnValue(FunctionCall fc) { none() }

cpp/ql/lib/change-notes/2026-05-27-deprecated-removal.md

@@ -0,0 +1,15 @@
+---
+category: breaking
+---
+* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
+* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
+* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
+* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
+* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
+* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
+* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
+* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
+* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.

cpp/ql/lib/cpp.qll

@@ -32,7 +32,6 @@ import semmle.code.cpp.Class
 import semmle.code.cpp.Struct
 import semmle.code.cpp.Union
 import semmle.code.cpp.Enum
-import semmle.code.cpp.Member
 import semmle.code.cpp.Field
 import semmle.code.cpp.Function
 import semmle.code.cpp.MemberFunction

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.2.0
+version: 10.2.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -148,28 +148,3 @@ class UnknownLocation extends Location {
     this.getFile().getAbsolutePath() = "" and locations_default(this, _, 0, 0, 0, 0)
   }
 }
-
-/**
- * A dummy location which is used when something doesn't have a location in
- * the source code but needs to have a `Location` associated with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownDefaultLocation extends UnknownLocation { }
-
-/**
- * A dummy location which is used when an expression doesn't have a
- * location in the source code but needs to have a `Location` associated
- * with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownExprLocation extends UnknownLocation { }
-
-/**
- * A dummy location which is used when a statement doesn't have a location
- * in the source code but needs to have a `Location` associated with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownStmtLocation extends UnknownLocation { }

cpp/ql/lib/semmle/code/cpp/Member.qll

@@ -1,6 +0,0 @@
-/**
- * DEPRECATED: import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly as required.
- */
-
-import semmle.code.cpp.Element
-import semmle.code.cpp.Type

cpp/ql/lib/semmle/code/cpp/TemplateParameter.qll

@@ -35,13 +35,6 @@ class NonTypeTemplateParameter extends Literal, TemplateParameterImpl {
   override string getAPrimaryQlClass() { result = "NonTypeTemplateParameter" }
 }
 
-/**
- * A C++ `typename` (or `class`) template parameter.
- *
- * DEPRECATED: Use `TypeTemplateParameter` instead.
- */
-deprecated class TemplateParameter = TypeTemplateParameter;
-
 /**
  * A C++ `typename` (or `class`) template parameter.
  *

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -276,6 +276,45 @@ private predicate isClassConstructedFrom(Class c, Class templateClass) {
   not c.isConstructedFrom(_) and c = templateClass
 }
 
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClassOld(Class c) {
+  not c.isFromUninstantiatedTemplate(_) and
+  isClassConstructedFrom(c, result)
+}
+
+private TemplateClass getOriginalClassTemplate(TemplateClass tc) {
+  result = tc.getOriginalTemplate()
+  or
+  not exists(tc.getOriginalTemplate()) and
+  result = tc
+}
+
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClassNew(Class c) {
+  not c.isFromUninstantiatedTemplate(_) and
+  exists(Class mid |
+    c.isConstructedFrom(mid)
+    or
+    not c.isConstructedFrom(_) and c = mid
+  |
+    result = getOriginalClassTemplate(mid)
+    or
+    not mid instanceof TemplateClass and mid = result
+  )
+}
+
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClass(Class c) {
+  // The `Class::getOriginalTemplate` predicate was introduced in CodeQL
+  // version 2.25.6 and the upgrade script leaves the
+  // `class_template_generated_from` extensionals empty if the database
+  // was generated with an older extractor. So we use the old implementation
+  // if the `class_template_generated_from` extensional is empty.
+  if class_template_generated_from(_, _)
+  then result = getFullyTemplatedClassNew(c)
+  else result = getFullyTemplatedClassOld(c)
+}
+
 /**
  * Holds if `f` is an instantiation of a function template `templateFunc`, or
  * holds with `f = templateFunc` if `f` is not an instantiation of any function
@@ -292,7 +331,7 @@ private predicate isFunctionConstructedFrom(Function f, Function templateFunc) {
 }
 
 /** Gets the fully templated version of `f`. */
-Function getFullyTemplatedFunction(Function f) {
+private Function getFullyTemplatedFunctionOld(Function f) {
   not f.isFromUninstantiatedTemplate(_) and
   (
     exists(Class c, Class templateClass, int i |
@@ -306,13 +345,46 @@ Function getFullyTemplatedFunction(Function f) {
   )
 }
 
+private TemplateFunction getOriginalFunctionTemplate(TemplateFunction tf) {
+  result = tf.getOriginalTemplate()
+  or
+  not exists(tf.getOriginalTemplate()) and
+  result = tf
+}
+
+/** Gets the fully templated version of `f`. */
+private Function getFullyTemplatedFunctionNew(Function f) {
+  not f.isFromUninstantiatedTemplate(_) and
+  exists(Function mid |
+    f.isConstructedFrom(mid)
+    or
+    not f.isConstructedFrom(_) and f = mid
+  |
+    result = getOriginalFunctionTemplate(mid)
+    or
+    not mid instanceof TemplateFunction and mid = result
+  )
+}
+
+/** Gets the fully templated version of `f`. */
+Function getFullyTemplatedFunction(Function f) {
+  // The `Function::getOriginalTemplate` predicate was introduced in CodeQL
+  // version 2.25.6 and the upgrade script leaves the
+  // `function_template_generated_from` extensionals empty if the database
+  // was generated with an older extractor. So we use the old implementation
+  // if the `function_template_generated_from` extensional is empty.
+  if function_template_generated_from(_, _)
+  then result = getFullyTemplatedFunctionNew(f)
+  else result = getFullyTemplatedFunctionOld(f)
+}
+
 /** Prefixes `const` to `s` if `t` is const, or returns `s` otherwise. */
 bindingset[s, t]
 private string withConst(string s, Type t) {
   if t.isConst() then result = "const " + s else result = s
 }
 
-/** Prefixes `volatile` to `s` if `t` is const, or returns `s` otherwise. */
+/** Prefixes `volatile` to `s` if `t` is volatile, or returns `s` otherwise. */
 bindingset[s, t]
 private string withVolatile(string s, Type t) {
   if t.isVolatile() then result = "volatile " + s else result = s
@@ -490,7 +562,7 @@ pragma[nomagic]
 private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
   // If there is a declaring type then we start by expanding the function templates
   exists(Class template |
-    isClassConstructedFrom(f.getDeclaringType(), template) and
+    template = getFullyTemplatedClass(f.getDeclaringType()) and
     remaining = getNumberOfSupportedClassTemplateArguments(template) and
     result = getTypeNameWithoutFunctionTemplates(f, n, 0)
   )
@@ -502,7 +574,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
   or
   exists(string mid, TypeTemplateParameter tp, Class template |
     mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
-    isClassConstructedFrom(f.getDeclaringType(), template) and
+    template = getFullyTemplatedClass(f.getDeclaringType()) and
     tp = getSupportedClassTemplateArgument(template, remaining)
   |
     result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())

cpp/ql/lib/semmle/code/cpp/internal/ResolveClass.qll

@@ -1,59 +1,5 @@
 import semmle.code.cpp.Type
 
-/** For upgraded databases without mangled name info. */
-pragma[noinline]
-private string getTopLevelClassName(@usertype c) {
-  not mangled_name(_, _, _) and
-  isClass(c) and
-  usertypes(c, result, _) and
-  not namespacembrs(_, c) and // not in a namespace
-  not member(_, _, c) and // not in some structure
-  not class_instantiation(c, _) // not a template instantiation
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `d` is a unique complete class named `name`.
- */
-pragma[noinline]
-private predicate existsCompleteWithName(string name, @usertype d) {
-  not mangled_name(_, _, _) and
-  is_complete(d) and
-  name = getTopLevelClassName(d) and
-  onlyOneCompleteClassExistsWithName(name)
-}
-
-/** For upgraded databases without mangled name info. */
-pragma[noinline]
-private predicate onlyOneCompleteClassExistsWithName(string name) {
-  not mangled_name(_, _, _) and
-  strictcount(@usertype c | is_complete(c) and getTopLevelClassName(c) = name) = 1
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `c` is an incomplete class named `name`.
- */
-pragma[noinline]
-private predicate existsIncompleteWithName(string name, @usertype c) {
-  not mangled_name(_, _, _) and
-  not is_complete(c) and
-  name = getTopLevelClassName(c)
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `c` is an incomplete class, and there exists a unique complete class `d`
- * with the same name.
- */
-private predicate oldHasCompleteTwin(@usertype c, @usertype d) {
-  not mangled_name(_, _, _) and
-  exists(string name |
-    existsIncompleteWithName(name, c) and
-    existsCompleteWithName(name, d)
-  )
-}
-
 pragma[noinline]
 private @mangledname getClassMangledName(@usertype c) {
   isClass(c) and
@@ -103,10 +49,7 @@ private module Cached {
   @usertype resolveClass(@usertype c) {
     hasCompleteTwin(c, result)
     or
-    oldHasCompleteTwin(c, result)
-    or
     not hasCompleteTwin(c, _) and
-    not oldHasCompleteTwin(c, _) and
     result = c
   }
 

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.4
+version: 1.6.5-dev
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -51,13 +51,16 @@ models
 | 50 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
 | 51 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
 | 52 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
-| 53 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual |
-| 54 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual |
-| 55 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual |
-| 56 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
-| 57 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
+| 53 | Summary: ; TemplateClass1; true; templateFunction2<U,V>; (U,V); ; Argument[1]; ReturnValue; value; manual |
+| 54 | Summary: ; TemplateClass1<T>; false; templateFunction<U>; (T,U); ; Argument[0]; ReturnValue; value; manual |
+| 55 | Summary: ; TemplateClass2<T,U>; true; function; (U,T); ; Argument[1]; ReturnValue; value; manual |
+| 56 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 57 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 58 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual |
+| 59 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
+| 60 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
 edges
-| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:57 |
+| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:60 |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:32  |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:32 Sink:MaD:2 |
 | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction |
@@ -66,24 +69,24 @@ edges
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance |  |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:2 |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:57 |
-| azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | provenance | MaD:56 |
-| azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | provenance | MaD:53 |
-| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | provenance | MaD:54 |
-| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | provenance | MaD:55 |
+| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:60 |
+| azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | provenance | MaD:59 |
+| azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | provenance | MaD:56 |
+| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | provenance | MaD:57 |
+| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | provenance | MaD:58 |
 | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue in ReadToEnd [element] | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:253:48:253:60 | *call to GetBodyStream | provenance | Src:MaD:29  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:257:5:257:8 | *resp | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:262:5:262:8 | *resp | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:266:38:266:41 | *resp | provenance |  |
 | azure.cpp:257:5:257:8 | *resp | azure.cpp:113:16:113:19 | [summary param] this in Read | provenance |  |
-| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:53 |
+| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:56 |
 | azure.cpp:257:16:257:21 | Read output argument | azure.cpp:258:10:258:16 | * ... | provenance |  |
 | azure.cpp:262:5:262:8 | *resp | azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | provenance |  |
-| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:54 |
+| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:57 |
 | azure.cpp:262:23:262:28 | ReadToCount output argument | azure.cpp:263:10:263:16 | * ... | provenance |  |
 | azure.cpp:266:38:266:41 | *resp | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance |  |
-| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:55 |
+| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:58 |
 | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance |  |
 | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:267:10:267:12 | vec [element] | provenance |  |
 | azure.cpp:267:10:267:12 | vec [element] | azure.cpp:267:10:267:12 | vec | provenance |  |
@@ -100,11 +103,11 @@ edges
 | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | provenance | Src:MaD:26  |
 | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:282:21:282:23 | *call to get | provenance |  |
 | azure.cpp:282:21:282:23 | *call to get | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance |  |
-| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:55 |
+| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:58 |
 | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:10:282:38 | call to ReadToEnd | provenance |  |
 | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance |  |
 | azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:62:10:62:14 | [summary param] this in Value | provenance |  |
-| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:56 |
+| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:59 |
 | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:24:289:56 | call to GetHeader | provenance |  |
 | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:32:289:40 | call to GetHeader | provenance | Src:MaD:30  |
 | azure.cpp:289:63:289:65 | call to Value | azure.cpp:289:63:289:65 | call to Value | provenance |  |
@@ -180,6 +183,39 @@ edges
 | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | test.cpp:119:10:119:11 | y2 | provenance | Sink:MaD:1 |
 | test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | provenance |  |
 | test.cpp:118:44:118:44 | *x | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | provenance | MaD:48 |
+| test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | provenance | MaD:54 |
+| test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | provenance | MaD:53 |
+| test.cpp:133:10:133:18 | call to ymlSource | test.cpp:133:10:133:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:133:10:133:18 | call to ymlSource | test.cpp:134:45:134:45 | x | provenance |  |
+| test.cpp:134:13:134:43 | call to templateFunction | test.cpp:134:13:134:43 | call to templateFunction | provenance |  |
+| test.cpp:134:13:134:43 | call to templateFunction | test.cpp:135:10:135:10 | y | provenance | Sink:MaD:1 |
+| test.cpp:134:45:134:45 | x | test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | provenance |  |
+| test.cpp:134:45:134:45 | x | test.cpp:134:13:134:43 | call to templateFunction | provenance | MaD:54 |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:55 |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:55 |
+| test.cpp:146:10:146:18 | call to ymlSource | test.cpp:146:10:146:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:146:10:146:18 | call to ymlSource | test.cpp:148:26:148:26 | x | provenance |  |
+| test.cpp:148:10:148:27 | call to function | test.cpp:148:10:148:27 | call to function | provenance |  |
+| test.cpp:148:10:148:27 | call to function | test.cpp:149:10:149:10 | z | provenance | Sink:MaD:1 |
+| test.cpp:148:26:148:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | provenance |  |
+| test.cpp:148:26:148:26 | x | test.cpp:148:10:148:27 | call to function | provenance | MaD:55 |
+| test.cpp:155:10:155:18 | call to ymlSource | test.cpp:155:10:155:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:155:10:155:18 | call to ymlSource | test.cpp:157:26:157:26 | x | provenance |  |
+| test.cpp:157:13:157:20 | call to function | test.cpp:157:13:157:20 | call to function | provenance |  |
+| test.cpp:157:13:157:20 | call to function | test.cpp:158:10:158:10 | z | provenance | Sink:MaD:1 |
+| test.cpp:157:26:157:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | provenance |  |
+| test.cpp:157:26:157:26 | x | test.cpp:157:13:157:20 | call to function | provenance | MaD:55 |
+| test.cpp:164:34:164:34 | x | test.cpp:165:69:165:69 | x | provenance |  |
+| test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:164:7:164:7 | *templateFunction3 | provenance |  |
+| test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:165:12:165:64 | call to templateFunction2 | provenance |  |
+| test.cpp:165:69:165:69 | x | test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | provenance |  |
+| test.cpp:165:69:165:69 | x | test.cpp:165:12:165:64 | call to templateFunction2 | provenance | MaD:53 |
+| test.cpp:170:10:170:18 | call to ymlSource | test.cpp:170:10:170:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:170:10:170:18 | call to ymlSource | test.cpp:172:51:172:51 | x | provenance |  |
+| test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:172:13:172:44 | call to templateFunction3 | provenance |  |
+| test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:173:10:173:10 | y | provenance | Sink:MaD:1 |
+| test.cpp:172:51:172:51 | x | test.cpp:164:34:164:34 | x | provenance |  |
+| test.cpp:172:51:172:51 | x | test.cpp:172:13:172:44 | call to templateFunction3 | provenance | MaD:53 |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:33 |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:3  |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance |  |
@@ -483,6 +519,43 @@ nodes
 | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | semmle.label | call to callWithNonTypeTemplate |
 | test.cpp:118:44:118:44 | *x | semmle.label | *x |
 | test.cpp:119:10:119:11 | y2 | semmle.label | y2 |
+| test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | semmle.label | [summary param] 0 in templateFunction |
+| test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | semmle.label | [summary] to write: ReturnValue in templateFunction |
+| test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | semmle.label | [summary param] 1 in templateFunction2 |
+| test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | semmle.label | [summary] to write: ReturnValue in templateFunction2 |
+| test.cpp:133:10:133:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:133:10:133:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:134:13:134:43 | call to templateFunction | semmle.label | call to templateFunction |
+| test.cpp:134:13:134:43 | call to templateFunction | semmle.label | call to templateFunction |
+| test.cpp:134:45:134:45 | x | semmle.label | x |
+| test.cpp:135:10:135:10 | y | semmle.label | y |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | semmle.label | [summary param] 1 in function |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | semmle.label | [summary param] 1 in function |
+| test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | semmle.label | [summary] to write: ReturnValue in function |
+| test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | semmle.label | [summary] to write: ReturnValue in function |
+| test.cpp:146:10:146:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:146:10:146:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:148:10:148:27 | call to function | semmle.label | call to function |
+| test.cpp:148:10:148:27 | call to function | semmle.label | call to function |
+| test.cpp:148:26:148:26 | x | semmle.label | x |
+| test.cpp:149:10:149:10 | z | semmle.label | z |
+| test.cpp:155:10:155:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:155:10:155:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:157:13:157:20 | call to function | semmle.label | call to function |
+| test.cpp:157:13:157:20 | call to function | semmle.label | call to function |
+| test.cpp:157:26:157:26 | x | semmle.label | x |
+| test.cpp:158:10:158:10 | z | semmle.label | z |
+| test.cpp:164:7:164:7 | *templateFunction3 | semmle.label | *templateFunction3 |
+| test.cpp:164:34:164:34 | x | semmle.label | x |
+| test.cpp:165:12:165:64 | call to templateFunction2 | semmle.label | call to templateFunction2 |
+| test.cpp:165:12:165:64 | call to templateFunction2 | semmle.label | call to templateFunction2 |
+| test.cpp:165:69:165:69 | x | semmle.label | x |
+| test.cpp:170:10:170:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:170:10:170:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:172:13:172:44 | call to templateFunction3 | semmle.label | call to templateFunction3 |
+| test.cpp:172:13:172:44 | call to templateFunction3 | semmle.label | call to templateFunction3 |
+| test.cpp:172:51:172:51 | x | semmle.label | x |
+| test.cpp:173:10:173:10 | y | semmle.label | y |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | semmle.label | [summary param] *0 in CommandLineToArgvA |
 | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | semmle.label | [summary] to write: ReturnValue[**] in CommandLineToArgvA |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |
@@ -688,6 +761,11 @@ subpaths
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
 | test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | test.cpp:111:3:111:25 | [summary] to write: ReturnValue in callWithNonTypeTemplate | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate |
+| test.cpp:134:45:134:45 | x | test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | test.cpp:134:13:134:43 | call to templateFunction |
+| test.cpp:148:26:148:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | test.cpp:148:10:148:27 | call to function |
+| test.cpp:157:26:157:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | test.cpp:157:13:157:20 | call to function |
+| test.cpp:165:69:165:69 | x | test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | test.cpp:165:12:165:64 | call to templateFunction2 |
+| test.cpp:172:51:172:51 | x | test.cpp:164:34:164:34 | x | test.cpp:164:7:164:7 | *templateFunction3 | test.cpp:172:13:172:44 | call to templateFunction3 |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |
 | windows.cpp:537:40:537:41 | *& ... | windows.cpp:473:17:473:37 | [summary param] *1 in RtlCopyVolatileMemory | windows.cpp:473:17:473:37 | [summary param] *0 in RtlCopyVolatileMemory [Return] | windows.cpp:537:27:537:37 | RtlCopyVolatileMemory output argument |
 | windows.cpp:542:38:542:39 | *& ... | windows.cpp:479:17:479:35 | [summary param] *1 in RtlCopyDeviceMemory | windows.cpp:479:17:479:35 | [summary param] *0 in RtlCopyDeviceMemory [Return] | windows.cpp:542:25:542:35 | RtlCopyDeviceMemory output argument |

cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml

@@ -18,4 +18,7 @@ extensions:
       - ["", "", False, "ymlStepManual_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["", "", False, "ymlStepGenerated_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
       - ["", "", False, "callWithArgument", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]
-      - ["", "", False, "callWithNonTypeTemplate<T>", "(const T &)", "", "Argument[*0]", "ReturnValue", "value", "manual"]
+      - ["", "", False, "callWithNonTypeTemplate<T>", "(const T &)", "", "Argument[*0]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass1<T>", False, "templateFunction<U>", "(T,U)", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass1", True, "templateFunction2<U,V>", "(U,V)", "", "Argument[1]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass2<T,U>", True, "function", "(U,T)", "", "Argument[1]", "ReturnValue", "value", "manual"]

cpp/ql/test/library-tests/dataflow/external-models/sinks.expected

@@ -15,3 +15,7 @@
 | test.cpp:89:11:89:11 | y | test-sink |
 | test.cpp:116:10:116:11 | y1 | test-sink |
 | test.cpp:119:10:119:11 | y2 | test-sink |
+| test.cpp:135:10:135:10 | y | test-sink |
+| test.cpp:149:10:149:10 | z | test-sink |
+| test.cpp:158:10:158:10 | z | test-sink |
+| test.cpp:173:10:173:10 | y | test-sink |

cpp/ql/test/library-tests/dataflow/external-models/sources.expected

@@ -9,6 +9,10 @@
 | test.cpp:56:8:56:16 | call to ymlSource | local |
 | test.cpp:94:10:94:18 | call to ymlSource | local |
 | test.cpp:114:10:114:18 | call to ymlSource | local |
+| test.cpp:133:10:133:18 | call to ymlSource | local |
+| test.cpp:146:10:146:18 | call to ymlSource | local |
+| test.cpp:155:10:155:18 | call to ymlSource | local |
+| test.cpp:170:10:170:18 | call to ymlSource | local |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | local |
 | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | local |
 | windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | local |

cpp/ql/test/library-tests/dataflow/external-models/test.cpp

@@ -118,3 +118,57 @@ void test_callWithNonTypeTemplate() {
 	int y2 = callWithNonTypeTemplate<int, 10>(x);
 	ymlSink(y2); // $ ir
 }
+
+template<class T>
+struct TemplateClass1 {
+  template<class U>
+  U templateFunction(T, U);
+
+	template<class U, class V>
+  V templateFunction2(U, V);
+};
+
+void test_template_function_in_template_class() {
+	TemplateClass1<int> b;
+	int x = ymlSource();
+	auto y = b.templateFunction<unsigned long>(x, 0UL);
+	ymlSink(y); // $ ir
+}
+
+template<class S, class T>
+struct TemplateClass2 {
+	T function(T, S);
+};
+
+template<class V> using PartialInstantiationOfTemplateClass2 = TemplateClass2<int, V>;
+
+void test_partial_class_instantiation() {
+	int x = ymlSource();
+	PartialInstantiationOfTemplateClass2<unsigned long> y;
+	int z = y.function(0UL, x);
+	ymlSink(z); // $ ir
+}
+
+template<class V> struct DeriveFromFromPartialTemplateInstantiation : TemplateClass2<int, V> { };
+
+void test_inheritance() {
+	int x = ymlSource();
+	DeriveFromFromPartialTemplateInstantiation<long> y;
+	auto z = y.function(0L, x);
+	ymlSink(z); // $ ir
+}
+
+template<class T>
+struct Class1 : TemplateClass1<T> {
+  template<class U>
+  int templateFunction3(U u, int x) {
+    return TemplateClass1<T>::template templateFunction2<U, int>(u, x);
+  }
+};
+
+void test_class1() {
+	int x = ymlSource();
+	Class1<int> c;
+	auto y = c.templateFunction3<unsigned long>(0UL, x);
+	ymlSink(y); // $ ir
+}

cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected

@@ -27383,54 +27383,55 @@ getParameterTypeName
 | stl.h:91:24:91:33 | operator++ | 0 | int |
 | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & |
 | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & |
-| stl.h:148:3:148:14 | basic_string | 0 | const class:2 & |
-| stl.h:149:33:149:44 | basic_string | 0 | const class:0 * |
-| stl.h:149:33:149:44 | basic_string | 1 | const class:2 & |
-| stl.h:151:16:151:20 | c_str | 0 | func:0 |
-| stl.h:151:16:151:20 | c_str | 1 | func:0 |
-| stl.h:151:16:151:20 | c_str | 2 | const class:2 & |
+| stl.h:147:12:147:23 | basic_string | 0 | const class:2 & |
+| stl.h:148:3:148:14 | basic_string | 0 | const class:0 * |
+| stl.h:148:3:148:14 | basic_string | 1 | const class:2 & |
+| stl.h:149:33:149:44 | basic_string | 0 | func:0 |
+| stl.h:149:33:149:44 | basic_string | 1 | func:0 |
+| stl.h:149:33:149:44 | basic_string | 2 | const class:2 & |
+| stl.h:165:8:165:16 | push_back | 0 | class:0 |
 | stl.h:173:13:173:22 | operator[] | 0 | size_type |
 | stl.h:175:13:175:14 | at | 0 | size_type |
-| stl.h:176:35:176:44 | operator+= | 0 | size_type |
-| stl.h:176:35:176:44 | operator+= | 0 | size_type |
-| stl.h:177:17:177:26 | operator+= | 0 | const func:0 & |
-| stl.h:178:17:178:22 | append | 0 | const class:0 * |
-| stl.h:179:17:179:22 | append | 0 | const basic_string & |
-| stl.h:180:17:180:22 | append | 0 | const class:0 * |
-| stl.h:181:47:181:52 | append | 0 | size_type |
-| stl.h:181:47:181:52 | append | 1 | class:0 |
-| stl.h:182:17:182:22 | assign | 0 | func:0 |
-| stl.h:182:17:182:22 | assign | 1 | func:0 |
-| stl.h:183:17:183:22 | assign | 0 | const basic_string & |
-| stl.h:184:47:184:52 | assign | 0 | size_type |
-| stl.h:184:47:184:52 | assign | 1 | class:0 |
-| stl.h:185:17:185:22 | insert | 0 | func:0 |
-| stl.h:185:17:185:22 | insert | 1 | func:0 |
+| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & |
+| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & |
+| stl.h:177:17:177:26 | operator+= | 0 | const class:0 * |
+| stl.h:178:17:178:22 | append | 0 | const basic_string & |
+| stl.h:179:17:179:22 | append | 0 | const class:0 * |
+| stl.h:180:17:180:22 | append | 0 | size_type |
+| stl.h:180:17:180:22 | append | 1 | class:0 |
+| stl.h:181:47:181:52 | append | 0 | func:0 |
+| stl.h:181:47:181:52 | append | 1 | func:0 |
+| stl.h:182:17:182:22 | assign | 0 | const basic_string & |
+| stl.h:183:17:183:22 | assign | 0 | size_type |
+| stl.h:183:17:183:22 | assign | 1 | class:0 |
+| stl.h:184:47:184:52 | assign | 0 | func:0 |
+| stl.h:184:47:184:52 | assign | 1 | func:0 |
+| stl.h:185:17:185:22 | insert | 0 | size_type |
+| stl.h:185:17:185:22 | insert | 1 | const basic_string & |
 | stl.h:186:17:186:22 | insert | 0 | size_type |
-| stl.h:186:17:186:22 | insert | 1 | const basic_string & |
+| stl.h:186:17:186:22 | insert | 1 | size_type |
+| stl.h:186:17:186:22 | insert | 2 | class:0 |
 | stl.h:187:17:187:22 | insert | 0 | size_type |
-| stl.h:187:17:187:22 | insert | 1 | size_type |
-| stl.h:187:17:187:22 | insert | 2 | class:0 |
-| stl.h:188:12:188:17 | insert | 0 | size_type |
-| stl.h:188:12:188:17 | insert | 1 | const class:0 * |
+| stl.h:187:17:187:22 | insert | 1 | const class:0 * |
+| stl.h:188:12:188:17 | insert | 0 | const_iterator |
+| stl.h:188:12:188:17 | insert | 1 | size_type |
+| stl.h:188:12:188:17 | insert | 2 | class:0 |
 | stl.h:189:42:189:47 | insert | 0 | const_iterator |
-| stl.h:189:42:189:47 | insert | 1 | size_type |
-| stl.h:189:42:189:47 | insert | 2 | class:0 |
-| stl.h:190:17:190:23 | replace | 0 | const_iterator |
-| stl.h:190:17:190:23 | replace | 1 | func:0 |
-| stl.h:190:17:190:23 | replace | 2 | func:0 |
+| stl.h:189:42:189:47 | insert | 1 | func:0 |
+| stl.h:189:42:189:47 | insert | 2 | func:0 |
+| stl.h:190:17:190:23 | replace | 0 | size_type |
+| stl.h:190:17:190:23 | replace | 1 | size_type |
+| stl.h:190:17:190:23 | replace | 2 | const basic_string & |
 | stl.h:191:17:191:23 | replace | 0 | size_type |
 | stl.h:191:17:191:23 | replace | 1 | size_type |
-| stl.h:191:17:191:23 | replace | 2 | const basic_string & |
-| stl.h:192:13:192:16 | copy | 0 | size_type |
+| stl.h:191:17:191:23 | replace | 2 | size_type |
+| stl.h:191:17:191:23 | replace | 3 | class:0 |
+| stl.h:192:13:192:16 | copy | 0 | class:0 * |
 | stl.h:192:13:192:16 | copy | 1 | size_type |
 | stl.h:192:13:192:16 | copy | 2 | size_type |
-| stl.h:192:13:192:16 | copy | 3 | class:0 |
-| stl.h:193:8:193:12 | clear | 0 | class:0 * |
-| stl.h:193:8:193:12 | clear | 1 | size_type |
-| stl.h:193:8:193:12 | clear | 2 | size_type |
-| stl.h:195:8:195:11 | swap | 0 | size_type |
-| stl.h:195:8:195:11 | swap | 1 | size_type |
+| stl.h:194:16:194:21 | substr | 0 | size_type |
+| stl.h:194:16:194:21 | substr | 1 | size_type |
+| stl.h:195:8:195:11 | swap | 0 | basic_string & |
 | stl.h:198:94:198:102 | operator+ | 0 | const basic_string & |
 | stl.h:198:94:198:102 | operator+ | 1 | const basic_string & |
 | stl.h:199:94:199:102 | operator+ | 0 | const basic_string & |

cpp/ql/test/library-tests/friends/loop/friends.expected

@@ -1,14 +1,14 @@
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<D> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<T> |
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:29 | E<D> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<T> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:29 | F<D> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:29 | E<C> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<T> |
-| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
-| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<D> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:29 | F<D> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:29 | E<C> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:29 | E<D> |
 | loop.cpp:6:5:6:5 | E<T>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:7:5:7:5 | E<T>'s friend | loop.cpp:7:36:7:36 | F<U> |
 | loop.cpp:11:5:11:5 | F<T>'s friend | loop.cpp:11:36:11:36 | E<U> |

csharp/extractor/Semmle.Extraction.CSharp/CodeAnalysisExtensions/SymbolExtensions.cs

@@ -664,7 +664,7 @@ namespace Semmle.Extraction.CSharp
                 // Find the (possibly unbound) original extension method that maps to this implementation (if any).
                 var unboundDeclaration = extensions.SelectMany(e => e.GetMembers())
                     .OfType<IMethodSymbol>()
-                    .FirstOrDefault(m => SymbolEqualityComparer.Default.Equals(m.AssociatedExtensionImplementation, method.ConstructedFrom));
+                    .FirstOrDefault(m => SymbolEqualityComparer.Default.Equals(m.AssociatedExtensionImplementation?.ConstructedFrom, method.ConstructedFrom));
 
                 var isFullyConstructed = method.IsBoundGenericMethod();
                 if (isFullyConstructed && unboundDeclaration?.ContainingType is INamedTypeSymbol extensionType)

csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs

@@ -69,6 +69,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
 
             Overrides(trapFile);
+            ExtractRefReturn(trapFile, Symbol, this);
 
             if (Symbol.FromSource() && !HasBody)
             {

csharp/paket.dependencies

@@ -4,7 +4,7 @@ source https://api.nuget.org/v3/index.json
 # behave like nuget in choosing transitive dependency versions
 strategy: max
 
-nuget Basic.CompilerLog.Util 0.9.25
+nuget Basic.CompilerLog.Util 0.9.39
 nuget Mono.Posix.NETStandard
 nuget Newtonsoft.Json
 nuget NuGet.Versioning
@@ -12,7 +12,7 @@ nuget xunit
 nuget xunit.runner.visualstudio
 nuget xunit.runner.utility
 nuget Microsoft.NET.Test.Sdk
-nuget Microsoft.CodeAnalysis.CSharp 5.0.0
-nuget Microsoft.CodeAnalysis 5.0.0
-nuget Microsoft.Build 18.0.2
+nuget Microsoft.CodeAnalysis.CSharp 5.3.0
+nuget Microsoft.CodeAnalysis 5.3.0
+nuget Microsoft.Build 18.6.3
 nuget Microsoft.VisualStudio.SolutionPersistence

csharp/paket.lock

@@ -3,45 +3,42 @@ STRATEGY: MAX
 RESTRICTION: == net10.0
 NUGET
   remote: https://api.nuget.org/v3/index.json
-    Basic.CompilerLog.Util (0.9.25)
+    Basic.CompilerLog.Util (0.9.39)
       MessagePack (>= 3.1.4)
-      Microsoft.Bcl.Memory (>= 9.0.10)
+      Microsoft.Bcl.Memory (>= 10.0.7)
       Microsoft.CodeAnalysis (>= 4.8)
       Microsoft.CodeAnalysis.CSharp (>= 4.8)
       Microsoft.CodeAnalysis.VisualBasic (>= 4.8)
-      Microsoft.Extensions.ObjectPool (>= 9.0.10)
-      MSBuild.StructuredLogger (>= 2.3.71)
-      NaturalSort.Extension (>= 4.4)
-      NuGet.Versioning (>= 6.14)
+      Microsoft.Extensions.ObjectPool (>= 10.0.7)
+      MSBuild.StructuredLogger (>= 2.3.178)
     Humanizer.Core (3.0.10)
-    MessagePack (3.1.4)
-      MessagePack.Annotations (>= 3.1.4)
-      MessagePackAnalyzer (>= 3.1.4)
+    MessagePack (3.1.6)
+      MessagePack.Annotations (>= 3.1.6)
+      MessagePackAnalyzer (>= 3.1.6)
       Microsoft.NET.StringTools (>= 17.11.4)
-    MessagePack.Annotations (3.1.4)
-    MessagePackAnalyzer (3.1.4)
+    MessagePack.Annotations (3.1.6)
+    MessagePackAnalyzer (3.1.6)
     Microsoft.Bcl.AsyncInterfaces (10.0.8)
     Microsoft.Bcl.Memory (10.0.8)
-    Microsoft.Build (18.0.2)
-      Microsoft.Build.Framework (>= 18.0.2)
-      Microsoft.NET.StringTools (>= 18.0.2)
-      System.Configuration.ConfigurationManager (>= 9.0)
-      System.Diagnostics.EventLog (>= 9.0)
-      System.Reflection.MetadataLoadContext (>= 9.0)
-      System.Security.Cryptography.ProtectedData (>= 9.0.6)
-    Microsoft.Build.Framework (18.4)
-    Microsoft.Build.Utilities.Core (18.4)
-      Microsoft.Build.Framework (>= 18.4)
-      Microsoft.NET.StringTools (>= 18.4)
-      System.Configuration.ConfigurationManager (>= 10.0.1)
-      System.Diagnostics.EventLog (>= 10.0.1)
-      System.Security.Cryptography.ProtectedData (>= 10.0.1)
-    Microsoft.CodeAnalysis (5.0)
+    Microsoft.Build (18.6.3)
+      Microsoft.Build.Framework (>= 18.6.3)
+      System.Configuration.ConfigurationManager (>= 10.0.3)
+      System.Diagnostics.EventLog (>= 10.0.3)
+      System.Reflection.MetadataLoadContext (>= 10.0.3)
+      System.Security.Cryptography.ProtectedData (>= 10.0.3)
+    Microsoft.Build.Framework (18.6.3)
+      Microsoft.NET.StringTools (>= 18.6.3)
+    Microsoft.Build.Utilities.Core (18.6.3)
+      Microsoft.Build.Framework (>= 18.6.3)
+      System.Configuration.ConfigurationManager (>= 10.0.3)
+      System.Diagnostics.EventLog (>= 10.0.3)
+      System.Security.Cryptography.ProtectedData (>= 10.0.3)
+    Microsoft.CodeAnalysis (5.3)
       Humanizer.Core (>= 2.14.1)
       Microsoft.Bcl.AsyncInterfaces (>= 9.0)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-      Microsoft.CodeAnalysis.CSharp.Workspaces (5.0)
-      Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.0)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+      Microsoft.CodeAnalysis.CSharp.Workspaces (5.3)
+      Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.3)
       System.Buffers (>= 4.6)
       System.Collections.Immutable (>= 9.0)
       System.Composition (>= 9.0)
@@ -54,36 +51,36 @@ NUGET
       System.Threading.Channels (>= 8.0)
       System.Threading.Tasks.Extensions (>= 4.6)
     Microsoft.CodeAnalysis.Analyzers (5.3)
-    Microsoft.CodeAnalysis.Common (5.0)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-    Microsoft.CodeAnalysis.CSharp (5.0)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-      Microsoft.CodeAnalysis.Common (5.0)
-    Microsoft.CodeAnalysis.CSharp.Workspaces (5.0)
+    Microsoft.CodeAnalysis.Common (5.3)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+    Microsoft.CodeAnalysis.CSharp (5.3)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+      Microsoft.CodeAnalysis.Common (5.3)
+    Microsoft.CodeAnalysis.CSharp.Workspaces (5.3)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-      Microsoft.CodeAnalysis.Common (5.0)
-      Microsoft.CodeAnalysis.CSharp (5.0)
-      Microsoft.CodeAnalysis.Workspaces.Common (5.0)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+      Microsoft.CodeAnalysis.Common (5.3)
+      Microsoft.CodeAnalysis.CSharp (5.3)
+      Microsoft.CodeAnalysis.Workspaces.Common (5.3)
       System.Composition (>= 9.0)
-    Microsoft.CodeAnalysis.VisualBasic (5.0)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-      Microsoft.CodeAnalysis.Common (5.0)
-    Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.0)
+    Microsoft.CodeAnalysis.VisualBasic (5.3)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+      Microsoft.CodeAnalysis.Common (5.3)
+    Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.3)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-      Microsoft.CodeAnalysis.Common (5.0)
-      Microsoft.CodeAnalysis.VisualBasic (5.0)
-      Microsoft.CodeAnalysis.Workspaces.Common (5.0)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+      Microsoft.CodeAnalysis.Common (5.3)
+      Microsoft.CodeAnalysis.VisualBasic (5.3)
+      Microsoft.CodeAnalysis.Workspaces.Common (5.3)
       System.Composition (>= 9.0)
-    Microsoft.CodeAnalysis.Workspaces.Common (5.0)
+    Microsoft.CodeAnalysis.Workspaces.Common (5.3)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+      Microsoft.CodeAnalysis.Common (5.3)
       System.Composition (>= 9.0)
     Microsoft.CodeCoverage (18.5.1)
     Microsoft.Extensions.ObjectPool (10.0.8)
-    Microsoft.NET.StringTools (18.4)
+    Microsoft.NET.StringTools (18.6.3)
     Microsoft.NET.Test.Sdk (18.5.1)
       Microsoft.CodeCoverage (>= 18.5.1)
       Microsoft.TestPlatform.TestHost (>= 18.5.1)
@@ -97,7 +94,6 @@ NUGET
     MSBuild.StructuredLogger (2.3.204)
       Microsoft.Build.Framework (>= 17.5)
       Microsoft.Build.Utilities.Core (>= 17.5)
-    NaturalSort.Extension (4.4.1)
     Newtonsoft.Json (13.0.4)
     NuGet.Versioning (7.6)
     System.Buffers (4.6.1)

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.68
+version: 1.7.69-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.68
+version: 1.7.69-dev
 groups:
   - csharp
   - solorigate

csharp/ql/integration-tests/posix/standalone_dependencies_executing_runtime/Assemblies.expected

@@ -22,7 +22,6 @@
 | [...]/csharp/tools/[...]/Microsoft.Win32.Primitives.dll |
 | [...]/csharp/tools/[...]/Microsoft.Win32.Registry.dll |
 | [...]/csharp/tools/[...]/Mono.Posix.NETStandard.dll |
-| [...]/csharp/tools/[...]/NaturalSort.Extension.dll |
 | [...]/csharp/tools/[...]/Newtonsoft.Json.dll |
 | [...]/csharp/tools/[...]/NuGet.Versioning.dll |
 | [...]/csharp/tools/[...]/StructuredLogger.dll |

csharp/ql/lib/change-notes/2026-05-19-properties-indexers-refreturn.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved call target resolution for ref-return properties and indexers.

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 6.0.2
+version: 6.0.3-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/lib/semmle/code/csharp/exprs/Call.qll

@@ -766,7 +766,16 @@ class PropertyCall extends AccessorCall, PropertyAccessExpr {
   }
 
   override Accessor getWriteTarget() {
-    this instanceof AssignableWrite and result = this.getProperty().getSetter()
+    this instanceof AssignableWrite and
+    exists(Property p | p = this.getProperty() |
+      result = p.getSetter()
+      or
+      result =
+        any(Getter g |
+          g = p.getGetter() and
+          g.getAnnotatedReturnType().isRef()
+        )
+    )
   }
 
   override Expr getArgument(int i) {
@@ -801,7 +810,16 @@ class IndexerCall extends AccessorCall, IndexerAccessExpr {
   }
 
   override Accessor getWriteTarget() {
-    this instanceof AssignableWrite and result = this.getIndexer().getSetter()
+    this instanceof AssignableWrite and
+    exists(Indexer i | i = this.getIndexer() |
+      result = i.getSetter()
+      or
+      result =
+        any(Getter g |
+          g = i.getGetter() and
+          g.getAnnotatedReturnType().isRef()
+        )
+    )
   }
 
   override Expr getArgument(int i) {

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.4
+version: 1.7.5-dev
 groups:
   - csharp
   - queries

csharp/ql/test/library-tests/csharp8/NullableRefTypes.expected

@@ -227,7 +227,7 @@ returnTypes
 | NullableRefTypes.cs:107:26:107:36 | ReturnsRef5 | readonly MyClass! |
 | NullableRefTypes.cs:108:26:108:36 | ReturnsRef6 | readonly MyClass! |
 | NullableRefTypes.cs:110:10:110:20 | Parameters1 | Void! |
-| NullableRefTypes.cs:113:32:113:44 | get_RefProperty | MyClass! |
+| NullableRefTypes.cs:113:32:113:44 | get_RefProperty | ref MyClass! |
 | NullableRefTypes.cs:116:7:116:23 | <object initializer> | Void |
 | NullableRefTypes.cs:116:7:116:23 | ToStringWithTypes | Void! |
 | NullableRefTypes.cs:136:7:136:24 | <object initializer> | Void |

csharp/ql/test/library-tests/encoding/SBCS.cs

@@ -1,4 +1,4 @@
-class SBCS
+class SBCS
 {
-    string sbcs = "<22>";
+    string sbcs = "<22>";
 }

csharp/ql/test/library-tests/indexers/Indexers13.expected

@@ -0,0 +1,4 @@
+| indexers.cs:24:21:24:24 | Item | indexers.cs:62:22:62:29 | access to indexer | indexers.cs:26:13:26:15 | get_Item |
+| indexers.cs:24:21:24:24 | Item | indexers.cs:65:25:65:32 | access to indexer | indexers.cs:34:13:34:15 | set_Item |
+| indexers.cs:143:24:143:27 | Item | indexers.cs:156:13:156:16 | access to indexer | indexers.cs:145:13:145:15 | get_Item |
+| indexers.cs:143:24:143:27 | Item | indexers.cs:157:21:157:24 | access to indexer | indexers.cs:145:13:145:15 | get_Item |

csharp/ql/test/library-tests/indexers/Indexers13.ql

@@ -0,0 +1,8 @@
+import csharp
+
+from IndexerCall ic, Indexer i, Accessor target
+where
+  ic.getIndexer() = i and
+  ic.getTarget() = target and
+  i.fromSource()
+select i, ic, target

csharp/ql/test/library-tests/indexers/PrintAst.expected

@@ -360,3 +360,57 @@ indexers.cs:
 #  130|         4: [BlockStmt] {...}
 #  130|           0: [ReturnStmt] return ...;
 #  130|             0: [IntLiteral] 0
+#  134|   5: [RefStruct] S
+#  136|     6: [Field] x
+#  136|       -1: [TypeMention] int
+#  138|     7: [InstanceConstructor] S
+#-----|       2: (Parameters)
+#  138|         0: [Parameter] v
+#  138|           -1: [TypeMention] int
+#  139|       4: [BlockStmt] {...}
+#  140|         0: [ExprStmt] ...;
+#  140|           0: [AssignExpr] ... = ...
+#  140|             0: [FieldAccess] access to field x
+#  140|             1: [RefExpr] ref ...
+#  140|               0: [ParameterAccess] access to parameter v
+#  143|     8: [Indexer] Item
+#  143|       -1: [TypeMention] int
+#-----|       1: (Parameters)
+#  143|         0: [Parameter] i
+#  143|           -1: [TypeMention] int
+#  145|       3: [Getter] get_Item
+#-----|         2: (Parameters)
+#  143|           0: [Parameter] i
+#  145|         4: [BlockStmt] {...}
+#  145|           0: [ReturnStmt] return ...;
+#  145|             0: [RefExpr] ref ...
+#  145|               0: [FieldAccess] access to field x
+#  149|   6: [Class] TestRefReturns
+#  151|     6: [Method] M
+#  151|       -1: [TypeMention] Void
+#  152|       4: [BlockStmt] {...}
+#  153|         0: [LocalVariableDeclStmt] ... ...;
+#  153|           0: [LocalVariableDeclAndInitExpr] Int32 a = ...
+#  153|             -1: [TypeMention] int
+#  153|             0: [LocalVariableAccess] access to local variable a
+#  153|             1: [IntLiteral] 0
+#  155|         1: [LocalVariableDeclStmt] ... ...;
+#  155|           0: [LocalVariableDeclAndInitExpr] S s = ...
+#  155|             -1: [TypeMention] S
+#  155|             0: [LocalVariableAccess] access to local variable s
+#  155|             1: [ObjectCreation] object creation of type S
+#  155|               -1: [TypeMention] S
+#  155|               0: [LocalVariableAccess] access to local variable a
+#  156|         2: [ExprStmt] ...;
+#  156|           0: [AssignExpr] ... = ...
+#  156|             0: [IndexerCall] access to indexer
+#  156|               -1: [LocalVariableAccess] access to local variable s
+#  156|               0: [IntLiteral] 0
+#  156|             1: [IntLiteral] 1
+#  157|         3: [LocalVariableDeclStmt] ... ...;
+#  157|           0: [LocalVariableDeclAndInitExpr] Int32 x = ...
+#  157|             -1: [TypeMention] int
+#  157|             0: [LocalVariableAccess] access to local variable x
+#  157|             1: [IndexerCall] access to indexer
+#  157|               -1: [LocalVariableAccess] access to local variable s
+#  157|               0: [IntLiteral] 0

csharp/ql/test/library-tests/indexers/indexers.cs

@@ -130,4 +130,31 @@ namespace Indexers
             get { return 0; }
         }
     }
+
+    public ref struct S
+    {
+        private ref int x;
+
+        public S(ref int v)
+        {
+            x = ref v;
+        }
+
+        public ref int this[int i]
+        {
+            get { return ref x; }
+        }
+    }
+
+    public class TestRefReturns
+    {
+        public void M()
+        {
+            int a = 0;
+
+            S s = new S(ref a);
+            s[0] = 1;
+            var x = s[0];
+        }
+    }
 }

csharp/ql/test/library-tests/properties/PrintAst.expected

@@ -246,3 +246,50 @@ properties.cs:
 #  133|               0: [FieldAccess] access to field Prop.field
 #  133|               1: [ParameterAccess] access to parameter value
 #  130|     7: [Field] Prop.field
+#  137|   11: [RefStruct] S
+#  139|     6: [Field] x
+#  139|       -1: [TypeMention] int
+#  141|     7: [InstanceConstructor] S
+#-----|       2: (Parameters)
+#  141|         0: [Parameter] v
+#  141|           -1: [TypeMention] int
+#  142|       4: [BlockStmt] {...}
+#  143|         0: [ExprStmt] ...;
+#  143|           0: [AssignExpr] ... = ...
+#  143|             0: [FieldAccess] access to field x
+#  143|             1: [RefExpr] ref ...
+#  143|               0: [ParameterAccess] access to parameter v
+#  146|     8: [Property] Prop
+#  146|       -1: [TypeMention] int
+#  148|       3: [Getter] get_Prop
+#  148|         4: [BlockStmt] {...}
+#  148|           0: [ReturnStmt] return ...;
+#  148|             0: [RefExpr] ref ...
+#  148|               0: [FieldAccess] access to field x
+#  152|   12: [Class] TestRefReturns
+#  154|     6: [Method] M
+#  154|       -1: [TypeMention] Void
+#  155|       4: [BlockStmt] {...}
+#  156|         0: [LocalVariableDeclStmt] ... ...;
+#  156|           0: [LocalVariableDeclAndInitExpr] Int32 a = ...
+#  156|             -1: [TypeMention] int
+#  156|             0: [LocalVariableAccess] access to local variable a
+#  156|             1: [IntLiteral] 0
+#  158|         1: [LocalVariableDeclStmt] ... ...;
+#  158|           0: [LocalVariableDeclAndInitExpr] S s = ...
+#  158|             -1: [TypeMention] S
+#  158|             0: [LocalVariableAccess] access to local variable s
+#  158|             1: [ObjectCreation] object creation of type S
+#  158|               -1: [TypeMention] S
+#  158|               0: [LocalVariableAccess] access to local variable a
+#  159|         2: [ExprStmt] ...;
+#  159|           0: [AssignExpr] ... = ...
+#  159|             0: [PropertyCall] access to property Prop
+#  159|               -1: [LocalVariableAccess] access to local variable s
+#  159|             1: [IntLiteral] 1
+#  160|         3: [LocalVariableDeclStmt] ... ...;
+#  160|           0: [LocalVariableDeclAndInitExpr] Int32 x = ...
+#  160|             -1: [TypeMention] int
+#  160|             0: [LocalVariableAccess] access to local variable x
+#  160|             1: [PropertyCall] access to property Prop
+#  160|               -1: [LocalVariableAccess] access to local variable s

csharp/ql/test/library-tests/properties/Properties17.expected

@@ -1,5 +1,6 @@
 | Prop.field |
 | caption |
 | next |
+| x |
 | y |
 | z |

csharp/ql/test/library-tests/properties/Properties19.expected

@@ -0,0 +1,8 @@
+| properties.cs:12:23:12:29 | Caption | properties.cs:29:13:29:28 | access to property Caption | properties.cs:17:13:17:15 | set_Caption |
+| properties.cs:12:23:12:29 | Caption | properties.cs:30:24:30:39 | access to property Caption | properties.cs:15:13:15:15 | get_Caption |
+| properties.cs:57:20:57:20 | X | properties.cs:61:13:61:13 | access to property X | properties.cs:57:37:57:39 | set_X |
+| properties.cs:58:20:58:20 | Y | properties.cs:62:13:62:13 | access to property Y | properties.cs:58:37:58:39 | set_Y |
+| properties.cs:70:28:70:28 | X | properties.cs:82:46:82:51 | access to property X | properties.cs:70:32:70:34 | get_X |
+| properties.cs:71:28:71:28 | Y | properties.cs:83:39:83:44 | access to property Y | properties.cs:74:13:74:15 | set_Y |
+| properties.cs:146:24:146:27 | Prop | properties.cs:159:13:159:18 | access to property Prop | properties.cs:148:13:148:15 | get_Prop |
+| properties.cs:146:24:146:27 | Prop | properties.cs:160:21:160:26 | access to property Prop | properties.cs:148:13:148:15 | get_Prop |

csharp/ql/test/library-tests/properties/Properties19.ql

@@ -0,0 +1,8 @@
+import csharp
+
+from PropertyCall pc, Property p, Accessor target
+where
+  pc.getProperty() = p and
+  pc.getTarget() = target and
+  p.fromSource()
+select p, pc, target

csharp/ql/test/library-tests/properties/properties.cs

@@ -133,4 +133,31 @@ namespace Properties
             set { field = value; }
         }
     }
+
+    public ref struct S
+    {
+        private ref int x;
+
+        public S(ref int v)
+        {
+            x = ref v;
+        }
+
+        public ref int Prop
+        {
+            get { return ref x; }
+        }
+    }
+
+    public class TestRefReturns
+    {
+        public void M()
+        {
+            int a = 0;
+
+            S s = new S(ref a);
+            s.Prop = 1;
+            var x = s.Prop;
+        }
+    }
 }

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/IsNotOkayCall.expected

@@ -1,3 +1,2 @@
 | Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer |
 | Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer |
-| Quality.cs:32:9:32:21 | access to indexer | Call without target $@. | Quality.cs:32:9:32:21 | access to indexer | access to indexer |

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/NoTarget.expected

@@ -9,6 +9,5 @@
 | Quality.cs:23:9:23:30 | delegate call | Call without target $@. | Quality.cs:23:9:23:30 | delegate call | delegate call |
 | Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer |
 | Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer |
-| Quality.cs:32:9:32:21 | access to indexer | Call without target $@. | Quality.cs:32:9:32:21 | access to indexer | access to indexer |
 | Quality.cs:38:16:38:26 | access to property MyProperty2 | Call without target $@. | Quality.cs:38:16:38:26 | access to property MyProperty2 | access to property MyProperty2 |
 | Quality.cs:50:20:50:26 | object creation of type T | Call without target $@. | Quality.cs:50:20:50:26 | object creation of type T | object creation of type T |

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs

@@ -29,7 +29,7 @@ public class Test
         var slice = sp[..3];        // TODO: this is not an indexer call, but rather a `sp.Slice(0, 3)` call.
 
         Span<byte> guidBytes = stackalloc byte[16];
-        guidBytes[08] = 1;          // TODO: this indexer call has no target, because the target is a `ref` returning getter.
+        guidBytes[08] = 1;
 
         new MyList([new(), new Test()]);
     }

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.51
+version: 1.0.52-dev
 groups:
   - go
   - queries

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.1.2
+version: 7.1.3-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.4
+version: 1.6.5-dev
 groups:
   - go
   - queries

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.1.2
+version: 9.1.3-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.11.4
+version: 1.11.5-dev
 groups:
   - java
   - queries

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.7.2
+version: 2.7.3-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.3.11
+version: 2.3.12-dev
 groups:
   - javascript
   - queries

misc/suite-helpers/qlpack.yml

@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.51
+version: 1.0.52-dev
 groups: shared
 warnOnImplicitThis: true

python/ql/lib/change-notes/2026-06-01-decorator-predicate-simplification.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Simplified the internal predicates that detect `@staticmethod`, `@classmethod` and `@property` decorators to match the decorator's AST `Name` directly, rather than going through the CFG and requiring the name to resolve globally. Code that shadows these three builtin decorators at the module-scope will now be classified by the decorator name alone; in practice, shadowing these names is extremely rare and the call-graph results are unchanged.

python/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 7.1.2
+version: 7.1.3-dev
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll

@@ -256,9 +256,12 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
  */
 overlay[local]
 predicate isStaticmethod(Function func) {
-  exists(NameNode id | id.getId() = "staticmethod" and id.isGlobal() |
-    func.getADecorator() = id.getNode()
-  )
+  // The decorator is *syntactically* a `Name` "staticmethod" — we don't
+  // care which variable it resolves to. `staticmethod` is a builtin and
+  // is almost never shadowed in a module-level scope; even if a class
+  // redefines `staticmethod` in its body, the class body has not started
+  // executing yet at the decorator position, so Python uses the builtin.
+  func.getADecorator().(Name).getId() = "staticmethod"
 }
 
 /**
@@ -268,9 +271,9 @@ predicate isStaticmethod(Function func) {
  */
 overlay[local]
 predicate isClassmethod(Function func) {
-  exists(NameNode id | id.getId() = "classmethod" and id.isGlobal() |
-    func.getADecorator() = id.getNode()
-  )
+  // See `isStaticmethod` for the rationale for matching on the AST `Name`
+  // rather than going via the CFG and `isGlobal()`.
+  func.getADecorator().(Name).getId() = "classmethod"
   or
   exists(Class cls |
     cls.getAMethod() = func and
@@ -285,9 +288,8 @@ predicate isClassmethod(Function func) {
 /** Holds if the function `func` has a `property` decorator. */
 overlay[local]
 predicate hasPropertyDecorator(Function func) {
-  exists(NameNode id | id.getId() = "property" and id.isGlobal() |
-    func.getADecorator() = id.getNode()
-  )
+  // See `isStaticmethod` for the rationale for matching on the AST `Name`.
+  func.getADecorator().(Name).getId() = "property"
 }
 
 /**

python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll

@@ -9,7 +9,19 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.ImportStar
 private import semmle.python.dataflow.new.TypeTracking
 private import semmle.python.dataflow.new.internal.DataFlowPrivate
-private import semmle.python.essa.SsaDefinitions
+
+/**
+ * Holds if `init` is a package's `__init__.py` and `var` is a global variable in
+ * `init` whose name matches a submodule of the package.
+ *
+ * Inlined from `SsaSource::init_module_submodule_defn` to avoid pulling
+ * `semmle.python.essa.SsaDefinitions` into the new dataflow stack.
+ */
+private predicate initModuleSubmoduleDefn(GlobalVariable var, Module init) {
+  init.isPackageInit() and
+  exists(init.getPackage().getSubModule(var.getId())) and
+  var.getScope() = init
+}
 
 /**
  * Python modules and the way imports are resolved are... complicated. Here's a crash course in how
@@ -326,7 +338,7 @@ module ImportResolution {
     // imported yet.
     exists(string submodule, Module package, EssaVariable var |
       submodule = var.getName() and
-      SsaSource::init_module_submodule_defn(var.getSourceVariable(), package.getEntryNode()) and
+      initModuleSubmoduleDefn(var.getSourceVariable(), package) and
       m = getModuleFromName(package.getPackageName() + "." + submodule) and
       result.asCfgNode() = var.getDefinition().(EssaNodeDefinition).getDefiningNode()
     )

python/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.8.4
+version: 1.8.5-dev
 groups:
   - python
   - queries

python/ql/test/library-tests/ControlFlow/evaluation-order/AllLiveReachable.ql

@@ -0,0 +1,17 @@
+/**
+ * Checks that every live (non-dead) annotation in the test function's
+ * own scope is reachable from the function entry in the CFG.
+ * Annotations in nested scopes (generators, async, lambdas, comprehensions)
+ * have separate CFGs and are excluded from this check.
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TestFunction f
+where allLiveReachable(a, f)
+select a, "Unreachable live annotation; entry of $@ does not reach this node", f, f.getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/AnnotationHasCfgNode.expected

@@ -0,0 +1 @@
+

python/ql/test/library-tests/ControlFlow/evaluation-order/AnnotationHasCfgNode.ql

@@ -0,0 +1,14 @@
+/**
+ * Checks that every timer annotation has a corresponding CFG node.
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils::CfgTests
+
+from TimerAnnotation ann
+where annotationWithoutCfgNode(ann)
+select ann, "Annotation in $@ has no CFG node", ann.getTestFunction(),
+  ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/BasicBlockAnnotationGap.ql

@@ -0,0 +1,21 @@
+/**
+ * Checks that within a basic block, if a node is annotated then its
+ * successor is also annotated (or excluded). A gap in annotations
+ * within a basic block indicates a missing annotation, since there
+ * are no branches to justify the gap.
+ *
+ * Nodes with exceptional successors are excluded, as the exception
+ * edge leaves the basic block and the normal successor may be dead.
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, CfgNode succ
+where basicBlockAnnotationGap(a, succ)
+select a, "Annotated node followed by unannotated $@ in the same basic block", succ,
+  succ.getNode().toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/BasicBlockOrdering.expected

@@ -0,0 +1,14 @@
+| test_boolean.py:9:10:9:43 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:9:59:9:59 | IntegerLiteral | timestamp 2 | test_boolean.py:9:19:9:19 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:15:10:15:43 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:15:50:15:50 | IntegerLiteral | timestamp 1 | test_boolean.py:15:20:15:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:21:10:21:42 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:21:49:21:49 | IntegerLiteral | timestamp 1 | test_boolean.py:21:19:21:19 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:27:10:27:34 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:27:50:27:50 | IntegerLiteral | timestamp 2 | test_boolean.py:27:20:27:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:40:10:40:61 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:40:86:40:86 | IntegerLiteral | timestamp 3 | test_boolean.py:40:16:40:16 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:46:10:46:61 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:46:86:46:86 | IntegerLiteral | timestamp 3 | test_boolean.py:46:16:46:16 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:52:120:52:120 | IntegerLiteral | timestamp 4 | test_boolean.py:52:20:52:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:52:120:52:120 | IntegerLiteral | timestamp 4 | test_boolean.py:52:63:52:63 | IntegerLiteral | timestamp 2 |
+| test_boolean.py:52:11:52:47 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:52:63:52:63 | IntegerLiteral | timestamp 2 | test_boolean.py:52:20:52:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:64:10:64:52 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:64:59:64:59 | IntegerLiteral | timestamp 6 | test_boolean.py:64:17:64:17 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:64:10:64:52 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:64:59:64:59 | IntegerLiteral | timestamp 6 | test_boolean.py:64:27:64:27 | IntegerLiteral | timestamp 2 |
+| test_boolean.py:76:10:76:51 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:76:58:76:58 | IntegerLiteral | timestamp 6 | test_boolean.py:76:17:76:17 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:76:10:76:51 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:76:58:76:58 | IntegerLiteral | timestamp 6 | test_boolean.py:76:27:76:27 | IntegerLiteral | timestamp 2 |
+| test_if.py:96:9:96:29 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_if.py:96:36:96:36 | IntegerLiteral | timestamp 4 | test_if.py:96:15:96:15 | IntegerLiteral | timestamp 2 |

python/ql/test/library-tests/ControlFlow/evaluation-order/BasicBlockOrdering.ql

@@ -0,0 +1,16 @@
+/**
+ * Checks that within a single basic block, annotations appear in
+ * increasing minimum-timestamp order.
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int minA, int minB
+where basicBlockOrdering(a, b, minA, minB)
+select a, "Basic block ordering: $@ appears before $@", a.getTimestampExpr(minA),
+  "timestamp " + minA, b.getTimestampExpr(minB), "timestamp " + minB

python/ql/test/library-tests/ControlFlow/evaluation-order/ConsecutiveTimestamps.expected

@@ -0,0 +1,12 @@
+| test_boolean.py:9:26:9:27 | IntegerLiteral | $@ in $@ has no consecutive successor (expected 2) | test_boolean.py:9:33:9:33 | IntegerLiteral | Timestamp 1 | test_boolean.py:7:1:7:27 | Function test_and_both_sides | test_and_both_sides |
+| test_boolean.py:15:10:15:14 | False | $@ in $@ has no consecutive successor (expected 1) | test_boolean.py:15:20:15:20 | IntegerLiteral | Timestamp 0 | test_boolean.py:13:1:13:30 | Function test_and_short_circuit | test_and_short_circuit |
+| test_boolean.py:21:10:21:13 | True | $@ in $@ has no consecutive successor (expected 1) | test_boolean.py:21:19:21:19 | IntegerLiteral | Timestamp 0 | test_boolean.py:19:1:19:29 | Function test_or_short_circuit | test_or_short_circuit |
+| test_boolean.py:27:26:27:27 | IntegerLiteral | $@ in $@ has no consecutive successor (expected 2) | test_boolean.py:27:33:27:33 | IntegerLiteral | Timestamp 1 | test_boolean.py:25:1:25:26 | Function test_or_both_sides | test_or_both_sides |
+| test_boolean.py:40:45:40:45 | IntegerLiteral | $@ in $@ has no consecutive successor (expected 3) | test_boolean.py:40:51:40:51 | IntegerLiteral | Timestamp 2 | test_boolean.py:38:1:38:24 | Function test_chained_and | test_chained_and |
+| test_boolean.py:46:44:46:45 | IntegerLiteral | $@ in $@ has no consecutive successor (expected 3) | test_boolean.py:46:51:46:51 | IntegerLiteral | Timestamp 2 | test_boolean.py:44:1:44:23 | Function test_chained_or | test_chained_or |
+| test_boolean.py:52:11:52:47 | BoolExpr | $@ in $@ has no consecutive successor (expected 3) | test_boolean.py:52:63:52:63 | IntegerLiteral | Timestamp 2 | test_boolean.py:50:1:50:25 | Function test_mixed_and_or | test_mixed_and_or |
+| test_boolean.py:52:27:52:31 | False | $@ in $@ has no consecutive successor (expected 2) | test_boolean.py:52:37:52:37 | IntegerLiteral | Timestamp 1 | test_boolean.py:50:1:50:25 | Function test_mixed_and_or | test_mixed_and_or |
+| test_boolean.py:52:78:52:79 | IntegerLiteral | $@ in $@ has no consecutive successor (expected 4) | test_boolean.py:52:85:52:85 | IntegerLiteral | Timestamp 3 | test_boolean.py:50:1:50:25 | Function test_mixed_and_or | test_mixed_and_or |
+| test_if.py:95:9:95:13 | False | $@ in $@ has no consecutive successor (expected 2) | test_if.py:95:19:95:19 | IntegerLiteral | Timestamp 1 | test_if.py:93:1:93:34 | Function test_if_compound_condition | test_if_compound_condition |
+| test_if.py:96:9:96:29 | BoolExpr | $@ in $@ has no consecutive successor (expected 5) | test_if.py:96:36:96:36 | IntegerLiteral | Timestamp 4 | test_if.py:93:1:93:34 | Function test_if_compound_condition | test_if_compound_condition |
+| test_if.py:96:22:96:22 | y | $@ in $@ has no consecutive successor (expected 4) | test_if.py:96:28:96:28 | IntegerLiteral | Timestamp 3 | test_if.py:93:1:93:34 | Function test_if_compound_condition | test_if_compound_condition |

python/ql/test/library-tests/ControlFlow/evaluation-order/ConsecutiveTimestamps.ql

@@ -0,0 +1,24 @@
+/**
+ * Checks that consecutive annotated nodes have consecutive timestamps:
+ * for each annotation with timestamp `a`, some CFG node for that annotation
+ * must have a next annotation containing `a + 1`.
+ *
+ * Handles CFG splitting (e.g., finally blocks duplicated for normal/exceptional
+ * flow) by checking that at least one split has the required successor.
+ *
+ * Only applies to functions where all annotations are in the function's
+ * own scope (excludes tests with generators, async, comprehensions, or
+ * lambdas that have annotations in nested scopes).
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerAnnotation ann, int a
+where consecutiveTimestamps(ann, a)
+select ann, "$@ in $@ has no consecutive successor (expected " + (a + 1) + ")",
+  ann.getTimestampExpr(a), "Timestamp " + a, ann.getTestFunction(), ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/ContiguousTimestamps.ql

@@ -0,0 +1,17 @@
+/**
+ * Checks that timestamps form a contiguous sequence {0, 1, ..., max}
+ * within each test function. Every integer in the range must appear
+ * in at least one annotation (live or dead).
+ */
+
+import TimerUtils
+
+from TestFunction f, int missing, int maxTs, TimerAnnotation maxAnn
+where
+  maxTs = max(TimerAnnotation a | a.getTestFunction() = f | a.getATimestamp()) and
+  maxAnn.getTestFunction() = f and
+  maxAnn.getATimestamp() = maxTs and
+  missing = [0 .. maxTs] and
+  not exists(TimerAnnotation a | a.getTestFunction() = f and a.getATimestamp() = missing)
+select f, "Missing timestamp " + missing + " (max is $@)", maxAnn.getTimestampExpr(maxTs),
+  maxTs.toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/MissingAnnotations.ql

@@ -0,0 +1,15 @@
+/**
+ * Finds expressions in test functions that lack a timer annotation
+ * and are not part of the timer mechanism or otherwise excluded.
+ * An empty result means every annotatable expression is covered.
+ */
+
+import python
+import TimerUtils
+
+from TestFunction f, Expr e
+where
+  e.getScope().getEnclosingScope*() = f and
+  not isTimerMechanism(e, f) and
+  not isUnannotatable(e)
+select e, "Missing annotation in $@", f, f.getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NeverReachable.expected

@@ -0,0 +1,2 @@
+| test_match.py:159:13:159:13 | IntegerLiteral | Node annotated with t.never is reachable in $@ | test_match.py:151:1:151:42 | Function test_match_exhaustive_return_first | test_match_exhaustive_return_first |
+| test_match.py:172:13:172:13 | IntegerLiteral | Node annotated with t.never is reachable in $@ | test_match.py:164:1:164:45 | Function test_match_exhaustive_return_wildcard | test_match_exhaustive_return_wildcard |

python/ql/test/library-tests/ControlFlow/evaluation-order/NeverReachable.ql

@@ -0,0 +1,16 @@
+/**
+ * Checks that expressions annotated with `t.never` either have no CFG
+ * node, or if they do, that the node is not reachable from its scope's
+ * entry (including within the same basic block).
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils::CfgTests
+
+from TimerAnnotation ann
+where neverReachable(ann)
+select ann, "Node annotated with t.never is reachable in $@", ann.getTestFunction(),
+  ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBackwardFlow.expected

@@ -0,0 +1,11 @@
+| test_boolean.py:9:10:9:43 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:9:59:9:59 | IntegerLiteral | 2 | test_boolean.py:9:10:9:13 | ControlFlowNode for True | True | test_boolean.py:9:19:9:19 | IntegerLiteral | 0 |
+| test_boolean.py:15:10:15:43 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:15:50:15:50 | IntegerLiteral | 1 | test_boolean.py:15:10:15:14 | ControlFlowNode for False | False | test_boolean.py:15:20:15:20 | IntegerLiteral | 0 |
+| test_boolean.py:21:10:21:42 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:21:49:21:49 | IntegerLiteral | 1 | test_boolean.py:21:10:21:13 | ControlFlowNode for True | True | test_boolean.py:21:19:21:19 | IntegerLiteral | 0 |
+| test_boolean.py:27:10:27:34 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:27:50:27:50 | IntegerLiteral | 2 | test_boolean.py:27:10:27:14 | ControlFlowNode for False | False | test_boolean.py:27:20:27:20 | IntegerLiteral | 0 |
+| test_boolean.py:40:10:40:61 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:40:86:40:86 | IntegerLiteral | 3 | test_boolean.py:40:10:40:10 | ControlFlowNode for IntegerLiteral | IntegerLiteral | test_boolean.py:40:16:40:16 | IntegerLiteral | 0 |
+| test_boolean.py:46:10:46:61 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:46:86:46:86 | IntegerLiteral | 3 | test_boolean.py:46:10:46:10 | ControlFlowNode for IntegerLiteral | IntegerLiteral | test_boolean.py:46:16:46:16 | IntegerLiteral | 0 |
+| test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:52:120:52:120 | IntegerLiteral | 4 | test_boolean.py:52:11:52:47 | ControlFlowNode for BoolExpr | BoolExpr | test_boolean.py:52:63:52:63 | IntegerLiteral | 2 |
+| test_boolean.py:52:11:52:47 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:52:63:52:63 | IntegerLiteral | 2 | test_boolean.py:52:11:52:14 | ControlFlowNode for True | True | test_boolean.py:52:20:52:20 | IntegerLiteral | 0 |
+| test_boolean.py:64:10:64:52 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:64:59:64:59 | IntegerLiteral | 6 | test_boolean.py:64:11:64:11 | ControlFlowNode for f | f | test_boolean.py:64:17:64:17 | IntegerLiteral | 0 |
+| test_boolean.py:76:10:76:51 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:76:58:76:58 | IntegerLiteral | 6 | test_boolean.py:76:11:76:11 | ControlFlowNode for f | f | test_boolean.py:76:17:76:17 | IntegerLiteral | 0 |
+| test_if.py:96:9:96:29 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_if.py:96:36:96:36 | IntegerLiteral | 4 | test_if.py:96:9:96:9 | ControlFlowNode for x | x | test_if.py:96:15:96:15 | IntegerLiteral | 2 |

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBackwardFlow.ql

@@ -0,0 +1,17 @@
+/**
+ * Checks that time never flows backward between consecutive timer annotations
+ * in the CFG. For each pair of consecutive annotated nodes (A -> B), there must
+ * exist timestamps a in A and b in B with a < b.
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int minA, int maxB
+where noBackwardFlow(a, b, minA, maxB)
+select a, "Backward flow: $@ flows to $@ (max timestamp $@)", a.getTimestampExpr(minA),
+  minA.toString(), b, b.getNode().toString(), b.getTimestampExpr(maxB), maxB.toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBasicBlock.expected

@@ -0,0 +1 @@
+

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBasicBlock.ql

@@ -0,0 +1,14 @@
+/**
+ * Checks that every annotated CFG node belongs to a basic block.
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from CfgNode n, TestFunction f
+where noBasicBlock(n, f)
+select n, "CFG node in $@ does not belong to any basic block", f, f.getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NoSharedReachable.ql

@@ -0,0 +1,16 @@
+/**
+ * Checks that two annotations sharing a timestamp value are on
+ * mutually exclusive CFG paths (neither can reach the other).
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int ts
+where noSharedReachable(a, b, ts)
+select a, "Shared timestamp $@ but this node reaches $@", a.getTimestampExpr(ts), ts.toString(), b,
+  b.getNode().toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/OldCfgImpl.qll

@@ -0,0 +1,16 @@
+/**
+ * Implementation of the evaluation-order CFG signature using the existing
+ * Python control flow graph.
+ */
+
+private import python as PY
+import TimerUtils
+
+/** Existing Python CFG implementation of the evaluation-order signature. */
+module OldCfg implements EvalOrderCfgSig {
+  class CfgNode = PY::ControlFlowNode;
+
+  class BasicBlock = PY::BasicBlock;
+
+  CfgNode scopeGetEntryNode(PY::Scope s) { result = s.getEntryNode() }
+}

python/ql/test/library-tests/ControlFlow/evaluation-order/StrictForward.expected

@@ -0,0 +1,11 @@
+| test_boolean.py:9:10:9:43 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:9:59:9:59 | IntegerLiteral | timestamp 2 | test_boolean.py:9:19:9:19 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:15:10:15:43 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:15:50:15:50 | IntegerLiteral | timestamp 1 | test_boolean.py:15:20:15:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:21:10:21:42 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:21:49:21:49 | IntegerLiteral | timestamp 1 | test_boolean.py:21:19:21:19 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:27:10:27:34 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:27:50:27:50 | IntegerLiteral | timestamp 2 | test_boolean.py:27:20:27:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:40:10:40:61 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:40:86:40:86 | IntegerLiteral | timestamp 3 | test_boolean.py:40:16:40:16 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:46:10:46:61 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:46:86:46:86 | IntegerLiteral | timestamp 3 | test_boolean.py:46:16:46:16 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:52:120:52:120 | IntegerLiteral | timestamp 4 | test_boolean.py:52:63:52:63 | IntegerLiteral | timestamp 2 |
+| test_boolean.py:52:11:52:47 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:52:63:52:63 | IntegerLiteral | timestamp 2 | test_boolean.py:52:20:52:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:64:10:64:52 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:64:59:64:59 | IntegerLiteral | timestamp 6 | test_boolean.py:64:17:64:17 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:76:10:76:51 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:76:58:76:58 | IntegerLiteral | timestamp 6 | test_boolean.py:76:17:76:17 | IntegerLiteral | timestamp 0 |
+| test_if.py:96:9:96:29 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_if.py:96:36:96:36 | IntegerLiteral | timestamp 4 | test_if.py:96:15:96:15 | IntegerLiteral | timestamp 2 |

python/ql/test/library-tests/ControlFlow/evaluation-order/StrictForward.ql

@@ -0,0 +1,17 @@
+/**
+ * Stronger version of NoBackwardFlow: for consecutive annotated nodes
+ * A -> B that both have a single timestamp (non-loop code) and B does
+ * NOT dominate A (forward edge), requires max(A) < min(B).
+ */
+
+import OldCfgImpl
+
+private module Utils = EvalOrderCfgUtils<OldCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int maxA, int minB
+where strictForward(a, b, maxA, minB)
+select a, "Strict forward violation: $@ flows to $@", a.getTimestampExpr(maxA), "timestamp " + maxA,
+  b.getTimestampExpr(minB), "timestamp " + minB

python/ql/test/library-tests/ControlFlow/evaluation-order/TimerUtils.qll

@@ -0,0 +1,614 @@
+/**
+ * Utility library for identifying timer annotations in evaluation-order tests.
+ *
+ * Identifies `expr @ t[n]` (matmul) and `t(expr, n)` (call) patterns,
+ * including `dead(n)` and `never` markers within subscripts, extracts
+ * timestamp values, and provides predicates for traversing consecutive
+ * annotated CFG nodes.
+ */
+
+import python
+
+/**
+ * A function decorated with `@test` from the timer module.
+ * The first parameter is the timer object.
+ */
+class TestFunction extends Function {
+  TestFunction() {
+    this.getADecorator().(Name).getId() = "test" and
+    this.getPositionalParameterCount() >= 1
+  }
+
+  /** Gets the name of the timer parameter (first parameter). */
+  string getTimerParamName() { result = this.getArgName(0) }
+}
+
+/**
+ * Gets an element from a timestamp subscript index. Each element is either
+ * an `IntegerLiteral` (live), a `Call` to `dead` (dead), a `Name("never")`
+ * (never), or a tuple containing any mix of these.
+ */
+private Expr timestampElement(Expr timestamps) {
+  result = timestamps and not timestamps instanceof Tuple
+  or
+  result = timestamps.(Tuple).getAnElt()
+}
+
+/** Gets a live timestamp value from a subscript index expression. */
+private IntegerLiteral liveTimestampLiteral(Expr timestamps) {
+  result = timestampElement(timestamps) and
+  not result = any(Call c).getAnArg()
+}
+
+/** Gets a dead timestamp value from a subscript index expression. */
+private IntegerLiteral deadTimestampLiteral(Expr timestamps) {
+  exists(Call c |
+    c = timestampElement(timestamps) and
+    c.getFunc().(Name).getId() = "dead" and
+    result = c.getArg(0)
+  )
+}
+
+/** Holds if the subscript index contains `never`. */
+private predicate hasNever(Expr timestamps) {
+  timestampElement(timestamps).(Name).getId() = "never"
+}
+
+/** A timer annotation in the AST. */
+private newtype TTimerAnnotation =
+  /** `expr @ t[n]` or `expr @ t[n, m, ...]` or `expr @ t[dead(n), m, never]` */
+  TMatmulAnnotation(TestFunction func, Expr annotated, Expr timestamps) {
+    exists(BinaryExpr be |
+      be.getOp() instanceof MatMult and
+      be.getRight().(Subscript).getObject().(Name).getId() = func.getTimerParamName() and
+      be.getScope().getEnclosingScope*() = func and
+      annotated = be.getLeft() and
+      timestamps = be.getRight().(Subscript).getIndex()
+    )
+  } or
+  /** `t(expr, n)` */
+  TCallAnnotation(TestFunction func, Expr annotated, Expr timestamps) {
+    exists(Call call |
+      call.getFunc().(Name).getId() = func.getTimerParamName() and
+      call.getScope().getEnclosingScope*() = func and
+      annotated = call.getArg(0) and
+      timestamps = call.getArg(1)
+    )
+  }
+
+/** A timer annotation (wrapping the newtype for a clean API). */
+class TimerAnnotation extends TTimerAnnotation {
+  /** Gets a live timestamp value from this annotation. */
+  int getATimestamp() { exists(this.getTimestampExpr(result)) }
+
+  /** Gets the source expression for live timestamp value `ts`. */
+  IntegerLiteral getTimestampExpr(int ts) {
+    result = liveTimestampLiteral(this.getTimestampsExpr()) and
+    result.getValue() = ts
+  }
+
+  /** Gets a dead timestamp value from this annotation. */
+  int getADeadTimestamp() { exists(this.getDeadTimestampExpr(result)) }
+
+  /** Gets the source expression for dead timestamp value `ts`. */
+  IntegerLiteral getDeadTimestampExpr(int ts) {
+    result = deadTimestampLiteral(this.getTimestampsExpr()) and
+    result.getValue() = ts
+  }
+
+  /** Gets the raw timestamp expression (single element or tuple). */
+  abstract Expr getTimestampsExpr();
+
+  /** Gets the test function this annotation belongs to. */
+  abstract TestFunction getTestFunction();
+
+  /** Gets the annotated expression (the LHS of `@` or the first arg of `t(...)`). */
+  abstract Expr getAnnotatedExpr();
+
+  /** Gets the enclosing annotation expression (the `BinaryExpr` or `Call`). */
+  abstract Expr getTimerExpr();
+
+  /** Holds if timestamp `ts` is marked as dead in this annotation. */
+  predicate isDeadTimestamp(int ts) { ts = this.getADeadTimestamp() }
+
+  /** Holds if all timestamps in this annotation are dead (no live timestamps). */
+  predicate isDead() {
+    not exists(this.getATimestamp()) and
+    not this.isNever() and
+    exists(this.getADeadTimestamp())
+  }
+
+  /** Holds if this is a never-evaluated annotation (contains `never`). */
+  predicate isNever() { hasNever(this.getTimestampsExpr()) }
+
+  string toString() { result = this.getAnnotatedExpr().toString() }
+
+  Location getLocation() { result = this.getAnnotatedExpr().getLocation() }
+}
+
+/** A matmul-based timer annotation: `expr @ t[...]`. */
+class MatmulTimerAnnotation extends TMatmulAnnotation, TimerAnnotation {
+  TestFunction func;
+  Expr annotated;
+  Expr timestamps;
+
+  MatmulTimerAnnotation() { this = TMatmulAnnotation(func, annotated, timestamps) }
+
+  override Expr getTimestampsExpr() { result = timestamps }
+
+  override TestFunction getTestFunction() { result = func }
+
+  override Expr getAnnotatedExpr() { result = annotated }
+
+  override BinaryExpr getTimerExpr() { result.getLeft() = annotated }
+}
+
+/** A call-based timer annotation: `t(expr, n)`. */
+class CallTimerAnnotation extends TCallAnnotation, TimerAnnotation {
+  TestFunction func;
+  Expr annotated;
+  Expr timestamps;
+
+  CallTimerAnnotation() { this = TCallAnnotation(func, annotated, timestamps) }
+
+  override Expr getTimestampsExpr() { result = timestamps }
+
+  override TestFunction getTestFunction() { result = func }
+
+  override Expr getAnnotatedExpr() { result = annotated }
+
+  override Call getTimerExpr() { result.getArg(0) = annotated }
+}
+
+/**
+ * Signature module defining the CFG interface needed by evaluation-order tests.
+ * This allows the test utilities to be instantiated with different CFG implementations.
+ */
+signature module EvalOrderCfgSig {
+  /** A control flow node. */
+  class CfgNode {
+    /** Gets a textual representation of this node. */
+    string toString();
+
+    /** Gets the location of this node. */
+    Location getLocation();
+
+    /** Gets the AST node corresponding to this CFG node, if any. */
+    AstNode getNode();
+
+    /** Gets a successor of this CFG node (including exceptional). */
+    CfgNode getASuccessor();
+
+    /** Gets a true-branch successor of this CFG node, if any. */
+    CfgNode getATrueSuccessor();
+
+    /** Gets a false-branch successor of this CFG node, if any. */
+    CfgNode getAFalseSuccessor();
+
+    /** Gets an exceptional successor of this CFG node. */
+    CfgNode getAnExceptionalSuccessor();
+
+    /** Gets the scope containing this CFG node. */
+    Scope getScope();
+
+    /** Gets the basic block containing this CFG node. */
+    BasicBlock getBasicBlock();
+  }
+
+  /** A basic block in the control flow graph. */
+  class BasicBlock {
+    /** Gets the CFG node at position `n` in this basic block. */
+    CfgNode getNode(int n);
+
+    /** Holds if this basic block reaches `bb` (reflexive). */
+    predicate reaches(BasicBlock bb);
+
+    /** Holds if this basic block strictly reaches `bb` (non-reflexive). */
+    predicate strictlyReaches(BasicBlock bb);
+
+    /** Holds if this basic block strictly dominates `bb`. */
+    predicate strictlyDominates(BasicBlock bb);
+  }
+
+  /** Gets the entry CFG node for scope `s`. */
+  CfgNode scopeGetEntryNode(Scope s);
+}
+
+/**
+ * Parameterised module providing CFG-dependent utilities for evaluation-order tests.
+ * Instantiate with a specific CFG implementation to get `TimerCfgNode` and related predicates.
+ */
+module EvalOrderCfgUtils<EvalOrderCfgSig Input> {
+  /** The CFG node type from the underlying implementation. */
+  final class CfgNode = Input::CfgNode;
+
+  /** The basic block type from the underlying implementation (named to avoid clash with `python::BasicBlock`). */
+  final class CfgBasicBlock = Input::BasicBlock;
+
+  /** Gets the entry CFG node for scope `s`. */
+  CfgNode scopeGetEntryNode(Scope s) { result = Input::scopeGetEntryNode(s) }
+
+  /**
+   * A CFG node corresponding to a timer annotation.
+   */
+  class TimerCfgNode extends CfgNode {
+    private TimerAnnotation annot;
+
+    TimerCfgNode() { annot.getAnnotatedExpr() = this.getNode() }
+
+    /** Gets a timestamp value from this annotation. */
+    int getATimestamp() { result = annot.getATimestamp() }
+
+    /** Gets the source expression for timestamp value `ts`. */
+    IntegerLiteral getTimestampExpr(int ts) { result = annot.getTimestampExpr(ts) }
+
+    /** Gets the test function this annotation belongs to. */
+    TestFunction getTestFunction() { result = annot.getTestFunction() }
+
+    /** Holds if timestamp `ts` is marked as dead. */
+    predicate isDeadTimestamp(int ts) { annot.isDeadTimestamp(ts) }
+
+    /** Holds if all timestamps in this annotation are dead. */
+    predicate isDead() { annot.isDead() }
+
+    /** Holds if this is a never-evaluated annotation. */
+    predicate isNever() { annot.isNever() }
+  }
+
+  /**
+   * Holds if `next` is the next timer annotation reachable from `n` via
+   * CFG successors (both normal and exceptional), skipping non-annotated
+   * intermediaries within the same scope.
+   */
+  predicate nextTimerAnnotation(CfgNode n, TimerCfgNode next) {
+    next = n.getASuccessor() and
+    next.getScope() = n.getScope()
+    or
+    exists(CfgNode mid |
+      mid = n.getASuccessor() and
+      not mid instanceof TimerCfgNode and
+      mid.getScope() = n.getScope() and
+      nextTimerAnnotation(mid, next)
+    )
+  }
+
+  /**
+   * Holds if `next` is the next timer annotation reachable from `n` via
+   * the true branch, skipping non-annotated intermediaries and after-value
+   * nodes for the same AST node.
+   */
+  predicate nextTimerAnnotationFromTrue(CfgNode n, TimerCfgNode next) {
+    exists(CfgNode trueSucc |
+      trueSucc = n.getATrueSuccessor() and
+      trueSucc.getScope() = n.getScope()
+    |
+      // If the true successor is a different annotated node, use it
+      next = trueSucc and next.getNode() != n.getNode()
+      or
+      // Otherwise skip through it (it's an after-value node for the same expr)
+      nextTimerAnnotation(trueSucc, next)
+    )
+  }
+
+  /**
+   * Holds if `next` is the next timer annotation reachable from `n` via
+   * the false branch, skipping non-annotated intermediaries and after-value
+   * nodes for the same AST node.
+   */
+  predicate nextTimerAnnotationFromFalse(CfgNode n, TimerCfgNode next) {
+    exists(CfgNode falseSucc |
+      falseSucc = n.getAFalseSuccessor() and
+      falseSucc.getScope() = n.getScope()
+    |
+      // If the false successor is a different annotated node, use it
+      next = falseSucc and next.getNode() != n.getNode()
+      or
+      // Otherwise skip through it (it's an after-value node for the same expr)
+      nextTimerAnnotation(falseSucc, next)
+    )
+  }
+
+  /** CFG-dependent test predicates, one per evaluation-order query. */
+  module CfgTests {
+    /**
+     * Holds if live annotation `a` in function `f` is unreachable from
+     * the function entry in the CFG.
+     */
+    predicate allLiveReachable(TimerCfgNode a, TestFunction f) {
+      not a.isDead() and
+      f = a.getTestFunction() and
+      a.getScope() = f and
+      not scopeGetEntryNode(f).getBasicBlock().reaches(a.getBasicBlock())
+    }
+
+    /**
+     * Holds if annotated node `a` is followed by unannotated `succ` in the
+     * same basic block.
+     */
+    predicate basicBlockAnnotationGap(TimerCfgNode a, CfgNode succ) {
+      exists(CfgBasicBlock bb, int i |
+        a = bb.getNode(i) and
+        succ = bb.getNode(i + 1)
+      ) and
+      not succ instanceof TimerCfgNode and
+      not isUnannotatable(succ.getNode()) and
+      not isTimerMechanism(succ.getNode(), a.getTestFunction()) and
+      not exists(a.getAnExceptionalSuccessor()) and
+      succ.getNode() instanceof Expr
+    }
+
+    /**
+     * Holds if annotations `a` and `b` appear in the same basic block with
+     * `a` before `b`, but `a`'s minimum timestamp is not less than `b`'s.
+     */
+    predicate basicBlockOrdering(TimerCfgNode a, TimerCfgNode b, int minA, int minB) {
+      exists(CfgBasicBlock bb, int i, int j | a = bb.getNode(i) and b = bb.getNode(j) and i < j) and
+      minA = min(a.getATimestamp()) and
+      minB = min(b.getATimestamp()) and
+      minA >= minB
+    }
+
+    /**
+     * Holds if function `f` has an annotation in a nested scope
+     * (generator, async function, comprehension, lambda).
+     */
+    private predicate hasNestedScopeAnnotation(TestFunction f) {
+      exists(TimerAnnotation a |
+        a.getTestFunction() = f and
+        a.getAnnotatedExpr().getScope() != f
+      )
+    }
+
+    /**
+     * Holds if annotation `ann` with timestamp `a` has no consecutive
+     * successor (expected `a + 1`) in the CFG.
+     */
+    predicate consecutiveTimestamps(TimerAnnotation ann, int a) {
+      not hasNestedScopeAnnotation(ann.getTestFunction()) and
+      not ann.isDead() and
+      a = ann.getATimestamp() and
+      not exists(TimerCfgNode x, TimerCfgNode y |
+        ann.getAnnotatedExpr() = x.getNode() and
+        nextTimerAnnotation(x, y) and
+        (a + 1) = y.getATimestamp()
+      ) and
+      // Exclude the maximum timestamp in the function (it has no successor)
+      not a =
+        max(TimerAnnotation other |
+          other.getTestFunction() = ann.getTestFunction()
+        |
+          other.getATimestamp()
+        )
+    }
+
+    /**
+     * Holds if the expression annotated with `t.never` is reachable from
+     * its scope's entry.
+     */
+    predicate neverReachable(TimerAnnotation ann) {
+      ann.isNever() and
+      exists(CfgNode n, Scope s |
+        n.getNode() = ann.getAnnotatedExpr() and
+        s = n.getScope() and
+        (
+          // Reachable via inter-block path (includes same block)
+          scopeGetEntryNode(s).getBasicBlock().reaches(n.getBasicBlock())
+          or
+          // In same block as entry but at a later index
+          exists(CfgBasicBlock bb, int i, int j |
+            bb.getNode(i) = scopeGetEntryNode(s) and bb.getNode(j) = n and i < j
+          )
+        )
+      )
+    }
+
+    /**
+     * Holds if consecutive annotated nodes `a` -> `b` have backward time
+     * flow (`minA >= maxB`).
+     */
+    predicate noBackwardFlow(TimerCfgNode a, TimerCfgNode b, int minA, int maxB) {
+      nextTimerAnnotation(a, b) and
+      not a.isDead() and
+      not b.isDead() and
+      minA = min(a.getATimestamp()) and
+      maxB = max(b.getATimestamp()) and
+      minA >= maxB
+    }
+
+    /**
+     * Holds if annotations `a` and `b` share timestamp `ts` but `a`
+     * can reach `b` in the CFG.
+     */
+    predicate noSharedReachable(TimerCfgNode a, TimerCfgNode b, int ts) {
+      a != b and
+      not a.isDead() and
+      not b.isDead() and
+      a.getTestFunction() = b.getTestFunction() and
+      ts = a.getATimestamp() and
+      ts = b.getATimestamp() and
+      (
+        a.getBasicBlock().strictlyReaches(b.getBasicBlock())
+        or
+        exists(CfgBasicBlock bb, int i, int j | a = bb.getNode(i) and b = bb.getNode(j) and i < j)
+      )
+    }
+
+    /**
+     * Holds if consecutive single-timestamp annotations `a` -> `b` on a
+     * forward edge have `maxA >= minB`.
+     */
+    predicate strictForward(TimerCfgNode a, TimerCfgNode b, int maxA, int minB) {
+      nextTimerAnnotation(a, b) and
+      not a.isDead() and
+      not b.isDead() and
+      // Only apply to non-loop code (single timestamps on both sides)
+      strictcount(a.getATimestamp()) = 1 and
+      strictcount(b.getATimestamp()) = 1 and
+      // Forward edge: B does not strictly dominate A (excludes loop back-edges
+      // but still checks same-basic-block pairs)
+      not b.getBasicBlock().strictlyDominates(a.getBasicBlock()) and
+      maxA = max(a.getATimestamp()) and
+      minB = min(b.getATimestamp()) and
+      maxA >= minB
+    }
+
+    /**
+     * Holds if CFG node `n` in test function `f` does not belong to any basic block.
+     */
+    predicate noBasicBlock(CfgNode n, TestFunction f) {
+      n.getScope() = f and
+      not exists(n.getBasicBlock())
+    }
+
+    /**
+     * Holds if non-dead annotation `ann` has no corresponding CFG node.
+     */
+    predicate annotationWithoutCfgNode(TimerAnnotation ann) {
+      not ann.isDead() and
+      not ann.isNever() and
+      not exists(CfgNode n | n.getNode() = ann.getAnnotatedExpr())
+    }
+
+    predicate annotationWithCfgNode(TimerAnnotation ann) {
+      exists(CfgNode n | n.getNode() = ann.getAnnotatedExpr())
+    }
+
+    /**
+     * Holds if annotation `ann` with timestamp `a` has no consecutive
+     * predecessor (expected `a - 1`) in the CFG.
+     */
+    predicate consecutivePredecessorTimestamps(TimerAnnotation ann, int a) {
+      not hasNestedScopeAnnotation(ann.getTestFunction()) and
+      not ann.isDead() and
+      a = ann.getATimestamp() and
+      not exists(TimerCfgNode x, TimerCfgNode y |
+        ann.getAnnotatedExpr() = y.getNode() and
+        nextTimerAnnotation(x, y) and
+        (a - 1) = x.getATimestamp()
+      ) and
+      // Exclude the minimum timestamp in the function (it has no predecessor)
+      not a =
+        min(TimerAnnotation other |
+          other.getTestFunction() = ann.getTestFunction() and
+          not other.isDead()
+        |
+          other.getATimestamp()
+        )
+    }
+
+    /**
+     * Holds if `node` has both a true and false successor, but the true
+     * successor's timestamp `ts` is not marked as dead on the false
+     * successor (or vice versa).
+     *
+     * This checks that boolean branches are properly annotated: when a
+     * condition splits into true/false paths, the next annotated node
+     * on each side should account for the other side's timestamps as dead.
+     */
+    predicate missingBranchTimestamp(TimerCfgNode node, int ts, string branch) {
+      not hasNestedScopeAnnotation(node.getTestFunction()) and
+      exists(TimerCfgNode trueNext, TimerCfgNode falseNext |
+        nextTimerAnnotationFromTrue(node, trueNext) and
+        nextTimerAnnotationFromFalse(node, falseNext) and
+        trueNext != falseNext
+      |
+        // True successor has live timestamp ts, but false successor
+        // doesn't have it as dead
+        ts = trueNext.getATimestamp() and
+        not falseNext.isDeadTimestamp(ts) and
+        not ts = falseNext.getATimestamp() and
+        branch = "false"
+        or
+        // False successor has live timestamp ts, but true successor
+        // doesn't have it as dead
+        ts = falseNext.getATimestamp() and
+        not trueNext.isDeadTimestamp(ts) and
+        not ts = trueNext.getATimestamp() and
+        branch = "true"
+      )
+    }
+  }
+}
+
+/**
+ * Holds if `e` is part of the timer mechanism: a top-level timer
+ * expression or a (transitive) sub-expression of one.
+ */
+predicate isTimerMechanism(Expr e, TestFunction f) {
+  exists(TimerAnnotation a |
+    a.getTestFunction() = f and
+    e = a.getTimerExpr().getASubExpression*()
+  )
+}
+
+/**
+ * Holds if expression `e` cannot be annotated due to Python syntax
+ * limitations (e.g., it is a definition target, a pattern, or part
+ * of a decorator application).
+ */
+predicate isUnannotatable(Expr e) {
+  // Function/class definitions
+  e instanceof FunctionExpr
+  or
+  e instanceof ClassExpr
+  or
+  // Docstrings are string literals used as expression statements
+  e instanceof StringLiteral and e.getParent() instanceof ExprStmt
+  or
+  // Function parameters are bound by the call, not evaluated in the body
+  e instanceof Parameter
+  or
+  // Name nodes that are definitions or deletions (assignment targets, def/class
+  // name bindings, augmented assignment targets, for-loop targets, del targets)
+  e.(Name).isDefinition()
+  or
+  e.(Name).isDeletion()
+  or
+  // Tuple/List/Starred nodes in assignment or for-loop targets are
+  // structural unpack patterns, not evaluations
+  (e instanceof Tuple or e instanceof List or e instanceof Starred) and
+  e = any(AssignStmt a).getATarget().getASubExpression*()
+  or
+  (e instanceof Tuple or e instanceof List or e instanceof Starred) and
+  e = any(For f).getTarget().getASubExpression*()
+  or
+  // The decorator call node wrapping a function/class definition,
+  // and its sub-expressions (the decorator name itself)
+  e = any(FunctionExpr func).getADecoratorCall().getASubExpression*()
+  or
+  e = any(ClassExpr cls).getADecoratorCall().getASubExpression*()
+  or
+  // Augmented assignment (x += e): the implicit BinaryExpr for the operation
+  e = any(AugAssign aug).getOperation()
+  or
+  // with-statement `as` variables are bindings
+  (e instanceof Name or e instanceof Tuple or e instanceof List) and
+  e = any(With w).getOptionalVars().getASubExpression*()
+  or
+  // except-clause exception type and `as` variable are part of except syntax
+  exists(ExceptStmt ex | e = ex.getType() or e = ex.getName())
+  or
+  // match/case pattern expressions are part of pattern syntax
+  e.getParent+() instanceof Pattern
+  or
+  // Subscript/Attribute nodes on the LHS of an assignment are store
+  // operations, not value expressions (including nested ones like d["a"][1])
+  (e instanceof Subscript or e instanceof Attribute) and
+  e = any(AssignStmt a).getATarget().getASubExpression*()
+  or
+  // Match/case guard nodes are part of case syntax
+  e instanceof Guard
+  or
+  // Yield/YieldFrom in statement position — the return value is
+  // discarded and cannot be meaningfully annotated
+  (e instanceof Yield or e instanceof YieldFrom) and
+  e.getParent() instanceof ExprStmt
+  or
+  // Synthetic nodes inside desugared comprehensions
+  e.getScope() = any(Comp c).getFunction() and
+  (
+    e.(Name).getId() = ".0"
+    or
+    e instanceof Tuple and e.getParent() instanceof Yield
+  )
+}

python/ql/test/library-tests/ControlFlow/evaluation-order/test_assert_raise.py

@@ -0,0 +1,56 @@
+"""Assert and raise statement evaluation order."""
+
+from timer import test, dead
+
+
+@test
+def test_assert_true(t):
+    x = True @ t[0]
+    assert x @ t[1]
+    y = 1 @ t[2]
+
+
+@test
+def test_assert_true_with_message(t):
+    x = True @ t[0]
+    assert x @ t[1], "msg" @ t[dead(2)]
+    y = 1 @ t[2]
+
+
+@test
+def test_assert_false_caught(t):
+    try:
+        x = False @ t[0]
+        assert x @ t[1], "fail" @ t[2]
+    except AssertionError:
+        y = 1 @ t[3]
+
+
+@test
+def test_raise_caught(t):
+    try:
+        x = 1 @ t[0]
+        raise ((ValueError @ t[1])("test" @ t[2]) @ t[3])
+    except ValueError:
+        y = 2 @ t[4]
+
+
+@test
+def test_raise_from_caught(t):
+    try:
+        x = 1 @ t[0]
+        raise ((ValueError @ t[1])("test" @ t[2]) @ t[3]) from ((RuntimeError @ t[4])("cause" @ t[5]) @ t[6])
+    except ValueError:
+        y = 2 @ t[7]
+
+
+@test
+def test_bare_reraise(t):
+    try:
+        try:
+            raise ((ValueError @ t[0])("test" @ t[1]) @ t[2])
+        except ValueError:
+            x = 1 @ t[3]
+            raise
+    except ValueError:
+        y = 2 @ t[4]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_async.py

@@ -0,0 +1,97 @@
+"""Async/await evaluation order tests.
+
+Coroutine bodies are lazy — like generators, the body runs only when
+awaited (or driven by the event loop).  asyncio.run() drives the
+coroutine to completion synchronously from the caller's perspective.
+"""
+
+import asyncio
+from contextlib import asynccontextmanager
+from timer import test
+
+
+@test
+def test_simple_async(t):
+    """Simple async function: body runs inside asyncio.run()."""
+    async def coro():
+        x = 1 @ t[4]
+        return x @ t[5]
+
+    result = ((asyncio @ t[0]).run @ t[1])((coro @ t[2])() @ t[3]) @ t[6]
+
+
+@test
+def test_await_expression(t):
+    """await suspends the caller until the inner coroutine completes."""
+    async def helper():
+        return 1 @ t[4]
+
+    async def main():
+        x = await helper() @ t[5]
+        return x @ t[6]
+
+    result = ((asyncio @ t[0]).run @ t[1])((main @ t[2])() @ t[3]) @ t[7]
+
+
+@test
+def test_async_for(t):
+    """async for iterates an async generator."""
+    async def agen():
+        yield 1 @ t[5]
+        yield 2 @ t[7]
+
+    async def main():
+        async for val in agen() @ t[4]:
+            val @ t[6, 8]
+
+    ((asyncio @ t[0]).run @ t[1])((main @ t[2])() @ t[3]) @ t[9]
+
+
+@test
+def test_async_with(t):
+    """async with enters/exits an async context manager."""
+    @asynccontextmanager
+    async def ctx():
+        yield 1 @ t[5]
+
+    async def main():
+        async with ctx() @ t[4] as val:
+            val @ t[6]
+
+    ((asyncio @ t[0]).run @ t[1])((main @ t[2])() @ t[3]) @ t[7]
+
+
+@test
+def test_multiple_awaits(t):
+    """Sequential awaits in one coroutine."""
+    async def task_a():
+        return 10 @ t[4]
+
+    async def task_b():
+        return 20 @ t[6]
+
+    async def main():
+        a = await task_a() @ t[5]
+        b = await task_b() @ t[7]
+        return (a @ t[8] + b @ t[9]) @ t[10]
+
+    result = ((asyncio @ t[0]).run @ t[1])((main @ t[2])() @ t[3]) @ t[11]
+
+
+@test
+def test_gather(t):
+    """asyncio.gather schedules coroutines as concurrent tasks."""
+    async def task_a():
+        return 1 @ t[6]
+
+    async def task_b():
+        return 2 @ t[7]
+
+    async def main():
+        results = await asyncio.gather(
+            task_a() @ t[4],
+            task_b() @ t[5],
+        ) @ t[8]
+        return results @ t[9]
+
+    result = ((asyncio @ t[0]).run @ t[1])((main @ t[2])() @ t[3]) @ t[10]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_augassign.py

@@ -0,0 +1,53 @@
+"""Augmented assignment evaluation order."""
+
+from timer import test
+
+
+@test
+def test_plus_equals(t):
+    x = 1 @ t[0]
+    x += 2 @ t[1]
+    y = x @ t[2]
+
+
+@test
+def test_sub_mul_div(t):
+    x = 20 @ t[0]
+    x -= 5 @ t[1]
+    x *= 2 @ t[2]
+    x /= 6 @ t[3]
+    x = 17 @ t[4]
+    x //= 3 @ t[5]
+    x %= 3 @ t[6]
+    y = x @ t[7]
+
+
+@test
+def test_power_equals(t):
+    x = 2 @ t[0]
+    x **= 3 @ t[1]
+    y = x @ t[2]
+
+
+@test
+def test_bitwise_equals(t):
+    x = 0b1111 @ t[0]
+    x &= 0b1010 @ t[1]
+    x |= 0b0101 @ t[2]
+    x ^= 0b0011 @ t[3]
+    y = x @ t[4]
+
+
+@test
+def test_shift_equals(t):
+    x = 1 @ t[0]
+    x <<= 4 @ t[1]
+    x >>= 2 @ t[2]
+    y = x @ t[3]
+
+
+@test
+def test_list_extend(t):
+    x = [1 @ t[0], 2 @ t[1]] @ t[2]
+    x += [3 @ t[3], 4 @ t[4]] @ t[5]
+    y = x @ t[6]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_basic.py

@@ -0,0 +1,223 @@
+"""Basic expression evaluation order.
+
+These tests verify that sub-expressions within a single expression
+are evaluated in the expected order (typically left to right for
+operands of binary operators, elements of collection literals, etc.)
+
+Every evaluated expression has a timestamp annotation, except the
+timer mechanism itself (t[n], t[dead(n)], t[never]).
+"""
+
+from timer import test, never
+
+
+@test
+def test_sequential_statements(t):
+    """Statements execute top to bottom."""
+    x = 1 @ t[0]
+    y = 2 @ t[1]
+    z = 3 @ t[2]
+
+
+@test
+def test_binary_add(t):
+    """In a + b, left operand evaluates before right."""
+    x = (1 @ t[0] + 2 @ t[1]) @ t[2]
+
+
+@test
+def test_binary_subtract(t):
+    """In a - b, left operand evaluates before right."""
+    x = (10 @ t[0] - 3 @ t[1]) @ t[2]
+
+
+@test
+def test_binary_multiply(t):
+    """In a * b, left operand evaluates before right."""
+    x = ((3 @ t[0]) * (4 @ t[1])) @ t[2]
+
+
+@test
+def test_nested_binary(t):
+    """Sub-expressions evaluate before their containing expression."""
+    x = ((1 @ t[0] + 2 @ t[1]) @ t[2] + (3 @ t[3] + 4 @ t[4]) @ t[5]) @ t[6]
+
+
+@test
+def test_chained_add(t):
+    """a + b + c is (a + b) + c: left to right."""
+    x = (1 @ t[0] + 2 @ t[1] + 3 @ t[2]) @ t[3]
+
+
+@test
+def test_mixed_precedence(t):
+    """In a + b * c, all operands still evaluate left to right."""
+    x = (1 @ t[0] + ((2 @ t[1]) * (3 @ t[2])) @ t[3]) @ t[4]
+
+
+@test
+def test_string_concat(t):
+    """String concatenation operands: left to right."""
+    x = ("hello" @ t[0] + " " @ t[1] + "world" @ t[2]) @ t[3]
+
+
+@test
+def test_comparison(t):
+    """In a < b, left operand evaluates before right."""
+    x = (1 @ t[0] < 2 @ t[1]) @ t[2]
+
+
+@test
+def test_chained_comparison(t):
+    """Chained a < b < c: all evaluated left to right (b only once)."""
+    x = (1 @ t[0] < 2 @ t[1] < 3 @ t[2]) @ t[3]
+
+
+@test
+def test_list_elements(t):
+    """List elements evaluate left to right."""
+    x = [1 @ t[0], 2 @ t[1], 3 @ t[2]] @ t[3]
+
+
+@test
+def test_dict_entries(t):
+    """Dict: key before value, entries left to right."""
+    d = {1 @ t[0]: "a" @ t[1], 2 @ t[2]: "b" @ t[3]} @ t[4]
+
+
+@test
+def test_tuple_elements(t):
+    """Tuple elements evaluate left to right."""
+    x = (1 @ t[0], 2 @ t[1], 3 @ t[2]) @ t[3]
+
+
+@test
+def test_set_elements(t):
+    """Set elements evaluate left to right."""
+    x = {1 @ t[0], 2 @ t[1], 3 @ t[2]} @ t[3]
+
+
+@test
+def test_subscript(t):
+    """In obj[idx], object evaluates before index."""
+    x = ([10 @ t[0], 20 @ t[1], 30 @ t[2]] @ t[3])[1 @ t[4]] @ t[5]
+
+
+@test
+def test_slice(t):
+    """Slice parameters: object, then start, then stop."""
+    x = ([1 @ t[0], 2 @ t[1], 3 @ t[2], 4 @ t[3], 5 @ t[4]] @ t[5])[1 @ t[6]:3 @ t[7]] @ t[8]
+
+
+@test
+def test_method_call(t):
+    """Object evaluated, then attribute lookup, then arguments left to right, then call."""
+    x = (("hello world" @ t[0]).replace @ t[1])("world" @ t[2], "there" @ t[3]) @ t[4]
+
+
+@test
+def test_method_chaining(t):
+    """Chained method calls: left to right."""
+    x = ((((" hello " @ t[0]).strip @ t[1])() @ t[2]).upper @ t[3])() @ t[4]
+
+
+@test
+def test_unary_not(t):
+    """Unary not: operand evaluated first."""
+    x = (not True @ t[0]) @ t[1]
+
+
+@test
+def test_unary_neg(t):
+    """Unary negation: operand evaluated first."""
+    x = (-(3 @ t[0])) @ t[1]
+
+
+@test
+def test_multiple_assignment(t):
+    """RHS evaluated once in x = y = expr."""
+    x = y = (1 @ t[0] + 2 @ t[1]) @ t[2]
+
+
+@test
+def test_callable_syntax(t):
+    """t(value, n) is equivalent to value @ t[n]."""
+    x = t(t(1, 0) + t(2, 1), 2)
+    y = t(t(x, 3) * t(3, 4), 5)
+
+
+@test
+def test_subscript_assign(t):
+    """In obj[idx] = val, value is evaluated before target sub-expressions."""
+    lst = [0 @ t[0], 0 @ t[1], 0 @ t[2]] @ t[3]
+    (lst @ t[5])[1 @ t[6]] = 42 @ t[4]
+    x = lst @ t[7]
+
+
+@test
+def test_attribute_assign(t):
+    """In obj.attr = val, value is evaluated before the object."""
+    class Obj:
+        pass
+    o = (Obj @ t[0])() @ t[1]
+    (o @ t[3]).x = 42 @ t[2]
+    y = (o @ t[4]).x @ t[5]
+
+
+@test
+def test_nested_subscript_assign(t):
+    """Nested subscript assignment: val, then outer obj, then keys."""
+    d = {"a" @ t[0]: [0 @ t[1], 0 @ t[2]] @ t[3]} @ t[4]
+    (d @ t[6])["a" @ t[7]][1 @ t[8]] = 99 @ t[5]
+    x = d @ t[9]
+
+
+@test
+def test_unreachable_after_return(t):
+    """Code after return has no CFG node."""
+    def f():
+        x = 1 @ t[1]
+        return x @ t[2]
+        y = 2 @ t[never]
+    result = (f @ t[0])() @ t[3]
+
+
+@test
+def test_none_literal(t):
+    """None is a name constant."""
+    x = None @ t[0]
+    y = (x @ t[1] is None @ t[2]) @ t[3]
+
+
+@test
+def test_delete(t):
+    """del statement removes a variable binding."""
+    x = 1 @ t[0]
+    del x
+    y = 2 @ t[1]
+
+
+@test
+def test_global(t):
+    """global statement allows writing to module-level variable."""
+    global _test_global_var
+    _test_global_var = 1 @ t[0]
+    x = _test_global_var @ t[1]
+
+
+@test
+def test_nonlocal(t):
+    """nonlocal statement allows inner function to rebind outer variable."""
+    x = 0 @ t[0]
+    def inner():
+        nonlocal x
+        x = 1 @ t[2]
+    (inner @ t[1])() @ t[3]
+    y = x @ t[4]
+
+
+@test
+def test_walrus(t):
+    """Walrus operator := evaluates the RHS and binds it."""
+    if (y := 1 @ t[0]) @ t[1]:
+        z = y @ t[2]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_boolean.py

@@ -0,0 +1,76 @@
+"""Short-circuit boolean operators and evaluation order."""
+
+from timer import test, dead
+
+
+@test
+def test_and_both_sides(t):
+    # True and X — both operands evaluated, result is X
+    x = (True @ t[0] and 42 @ t[1, dead(2)]) @ t[dead(1), 2]
+
+
+@test
+def test_and_short_circuit(t):
+    # False and ... — right side never evaluated
+    x = (False @ t[0] and True @ t[dead(1)]) @ t[1, dead(2)]
+
+
+@test
+def test_or_short_circuit(t):
+    # True or ... — right side never evaluated
+    x = (True @ t[0] or False @ t[dead(1)]) @ t[1, dead(2)]
+
+
+@test
+def test_or_both_sides(t):
+    # False or X — both operands evaluated, result is X
+    x = (False @ t[0] or 42 @ t[1]) @ t[dead(1), 2]
+
+
+@test
+def test_not(t):
+    # not evaluates its operand, then negates
+    x = (not True @ t[0]) @ t[1]
+    y = (not False @ t[2]) @ t[3]
+
+
+@test
+def test_chained_and(t):
+    # 1 and 2 and 3 — all truthy, all evaluated left-to-right
+    x = (1 @ t[0] and 2 @ t[1, dead(3)] and 3 @ t[2, dead(3)]) @ t[dead(1), dead(2), 3]
+
+
+@test
+def test_chained_or(t):
+    # 0 or "" or 42 — first two falsy, all evaluated until truthy found
+    x = (0 @ t[0] or "" @ t[1, dead(3)] or 42 @ t[2, dead(3)]) @ t[dead(1), dead(2), 3]
+
+
+@test
+def test_mixed_and_or(t):
+    # True and False or 42 => (True and False) or 42 => False or 42 => 42
+    x = ((True @ t[0] and False @ t[1, dead(2)]) @ t[dead(1), 2, dead(4)] or 42 @ t[3, dead(4)]) @ t[dead(2), dead(3), 4]
+
+
+@test
+def test_and_side_effects(t):
+    # Both functions called when left side is truthy
+    def f():
+        return 10 @ t[1]
+
+    def g():
+        return 20 @ t[4]
+
+    x = ((f @ t[0])() @ t[2] and (g @ t[3])() @ t[5]) @ t[6]
+
+
+@test
+def test_or_side_effects(t):
+    # Both functions called when left side is falsy
+    def f():
+        return 0 @ t[1]
+
+    def g():
+        return 20 @ t[4]
+
+    x = ((f @ t[0])() @ t[2] or (g @ t[3])() @ t[5]) @ t[6]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_classes.py

@@ -0,0 +1,74 @@
+"""Class definitions — evaluation order."""
+
+from timer import test
+
+
+@test
+def test_simple_class(t):
+    """Simple class definition and instantiation."""
+    class Foo:
+        pass
+    obj = (Foo @ t[0])() @ t[1]
+
+
+@test
+def test_class_with_bases(t):
+    """Base class expressions evaluated at class definition time."""
+    class Base:
+        pass
+    class Derived(Base @ t[0]):
+        pass
+    obj = (Derived @ t[1])() @ t[2]
+
+
+@test
+def test_class_with_methods(t):
+    """Object evaluated before method is called."""
+    class Foo:
+        def greet(self, name):
+            return ("hello " @ t[5] + name @ t[6]) @ t[7]
+    obj = (Foo @ t[0])() @ t[1]
+    msg = ((obj @ t[2]).greet @ t[3])("world" @ t[4]) @ t[8]
+
+
+@test
+def test_class_instantiation(t):
+    """Arguments to __init__ evaluate before instantiation completes."""
+    class Foo:
+        def __init__(self, x):
+            (self @ t[3]).x = x @ t[2]
+    obj = (Foo @ t[0])(42 @ t[1]) @ t[4]
+    val = (obj @ t[5]).x @ t[6]
+
+
+@test
+def test_method_call(t):
+    """Method arguments evaluate left-to-right before the call."""
+    class Calculator:
+        def __init__(self, value):
+            (self @ t[3]).value = value @ t[2]
+        def add(self, x):
+            return ((self @ t[8]).value @ t[9] + x @ t[10]) @ t[11]
+    calc = (Calculator @ t[0])(10 @ t[1]) @ t[4]
+    result = ((calc @ t[5]).add @ t[6])(5 @ t[7]) @ t[12]
+
+
+@test
+def test_class_level_attribute(t):
+    """Multiple attribute accesses in a single expression."""
+    class Config:
+        debug = True @ t[0]
+        version = 1 @ t[1]
+    x = ((Config @ t[2]).debug @ t[3], (Config @ t[4]).version @ t[5]) @ t[6]
+
+
+@test
+def test_class_decorator(t):
+    """Decorator expression evaluated, class defined, then decorator called."""
+    def add_marker(cls):
+        (cls @ t[2]).marked = True @ t[1]
+        return cls @ t[3]
+    @(add_marker @ t[0])
+    class Foo:
+        pass
+    result = (Foo @ t[4]).marked @ t[5]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_comprehensions.py

@@ -0,0 +1,46 @@
+"""Evaluation order tests for comprehensions and generator expressions."""
+
+from timer import test
+
+
+@test
+def test_list_comprehension(t):
+    items = [1 @ t[0], 2 @ t[1], 3 @ t[2]] @ t[3]
+    result = [x @ t[5, 6, 7] for x in items @ t[4]] @ t[8]
+
+
+@test
+def test_filtered_comprehension(t):
+    items = [1 @ t[0], 2 @ t[1], 3 @ t[2], 4 @ t[3]] @ t[4]
+    result = [x @ t[14, 23] for x in items @ t[5] if (x @ t[6, 10, 15, 19] % 2 @ t[7, 11, 16, 20] == 0 @ t[8, 12, 17, 21]) @ t[9, 13, 18, 22]] @ t[24]
+
+
+@test
+def test_dict_comprehension(t):
+    items = [("a" @ t[0], 1 @ t[1]) @ t[2], ("b" @ t[3], 2 @ t[4]) @ t[5]] @ t[6]
+    result = {k @ t[8, 10]: v @ t[9, 11] for k, v in items @ t[7]} @ t[12]
+
+
+@test
+def test_set_comprehension(t):
+    items = [1 @ t[0], 2 @ t[1], 3 @ t[2]] @ t[3]
+    result = {x @ t[5, 6, 7] for x in items @ t[4]} @ t[8]
+
+
+@test
+def test_generator_expression(t):
+    items = [1 @ t[0], 2 @ t[1], 3 @ t[2]] @ t[3]
+    gen = (x @ t[8, 9, 10] for x in items @ t[4]) @ t[5]
+    result = (list @ t[6])(gen @ t[7]) @ t[11]
+
+
+@test
+def test_nested_comprehension(t):
+    matrix = [[1 @ t[0], 2 @ t[1]] @ t[2], [3 @ t[3], 4 @ t[4]] @ t[5]] @ t[6]
+    result = [x @ t[9, 10, 12, 13] for row in matrix @ t[7] for x in row @ t[8, 11]] @ t[14]
+
+
+@test
+def test_comprehension_with_call(t):
+    items = [1 @ t[0], 2 @ t[1], 3 @ t[2]] @ t[3]
+    result = [(str @ t[5, 8, 11])(x @ t[6, 9, 12]) @ t[7, 10, 13] for x in items @ t[4]] @ t[14]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_conditional.py

@@ -0,0 +1,44 @@
+"""Ternary conditional expressions and evaluation order."""
+
+from timer import test, dead
+
+
+@test
+def test_ternary_true(t):
+    # Condition is True — consequent evaluated, alternative skipped
+    x = (1 @ t[1] if True @ t[0] else 2 @ t[dead(1)]) @ t[2]
+
+
+@test
+def test_ternary_false(t):
+    # Condition is False — alternative evaluated, consequent skipped
+    x = (1 @ t[dead(1)] if False @ t[0] else 2 @ t[1]) @ t[2]
+
+
+@test
+def test_ternary_nested(t):
+    # Nested: outer condition True, inner condition True
+    # ((10 if C1 else 20) if C2 else 30) — C2 first, then C1, then 10
+    x = ((10 @ t[2] if True @ t[1] else 20 @ t[dead(2)]) @ t[3] if True @ t[0] else 30 @ t[dead(1)]) @ t[4]
+
+
+@test
+def test_ternary_assignment(t):
+    # Ternary result assigned, then used in later expression
+    value = (100 @ t[1] if True @ t[0] else 200 @ t[dead(1)]) @ t[2]
+    result = (value @ t[3] + 1 @ t[4]) @ t[5]
+
+
+@test
+def test_ternary_complex_expressions(t):
+    # Complex sub-expressions in condition and consequent
+    x = ((1 @ t[3] + 2 @ t[4]) @ t[5] if (3 @ t[0] > 2 @ t[1]) @ t[2] else (4 @ t[dead(3)] + 5 @ t[dead(4)]) @ t[dead(5)]) @ t[6]
+
+
+@test
+def test_ternary_as_argument(t):
+    # Ternary used as a function argument
+    def f(a):
+        return a @ t[4]
+
+    result = (f @ t[0])((1 @ t[2] if True @ t[1] else 2 @ t[dead(2)]) @ t[3]) @ t[5]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_fstring.py

@@ -0,0 +1,34 @@
+"""F-string evaluation order."""
+
+from timer import test
+
+
+@test
+def test_simple_fstring(t):
+    name = "world" @ t[0]
+    s = f"hello {name @ t[1]}" @ t[2]
+
+
+@test
+def test_multi_expr_fstring(t):
+    a = "hello" @ t[0]
+    b = "world" @ t[1]
+    s = f"{a @ t[2]} {b @ t[3]}" @ t[4]
+
+
+@test
+def test_nested_fstring(t):
+    inner = "world" @ t[0]
+    s = f"hello {f'dear {inner @ t[1]}' @ t[2]}" @ t[3]
+
+
+@test
+def test_format_spec(t):
+    x = 3.14159 @ t[0]
+    s = f"{x @ t[1]:.2f}" @ t[2]
+
+
+@test
+def test_method_in_fstring(t):
+    name = "world" @ t[0]
+    s = f"hello {((name @ t[1]).upper @ t[2])() @ t[3]}" @ t[4]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_functions.py

@@ -0,0 +1,85 @@
+"""Function calls and definitions — evaluation order."""
+
+from timer import test
+
+
+@test
+def test_argument_order(t):
+    """Arguments evaluate left-to-right before the call."""
+    def add(a, b):
+        return (a @ t[3] + b @ t[4]) @ t[5]
+    result = (add @ t[0])(1 @ t[1], 2 @ t[2]) @ t[6]
+
+
+@test
+def test_multiple_arguments(t):
+    """All arguments left-to-right, then the call."""
+    def f(a, b, c):
+        return ((a @ t[4] + b @ t[5]) @ t[6] + c @ t[7]) @ t[8]
+    result = (f @ t[0])(1 @ t[1], 2 @ t[2], 3 @ t[3]) @ t[9]
+
+
+@test
+def test_default_arguments(t):
+    """Default expressions are evaluated at definition time."""
+    val = 5 @ t[0]
+    def f(a, b=val @ t[1]):
+        return (a @ t[4] + b @ t[5]) @ t[6]
+    result = (f @ t[2])(10 @ t[3]) @ t[7]
+
+
+@test
+def test_args_kwargs(t):
+    """*args and **kwargs — expressions evaluated before the call."""
+    def f(*args, **kwargs):
+        return ((sum @ t[9])(args @ t[10]) @ t[11] + (sum @ t[12])(((kwargs @ t[13]).values @ t[14])() @ t[15]) @ t[16]) @ t[17]
+    args = [1 @ t[0], 2 @ t[1]] @ t[2]
+    kwargs = {"c" @ t[3]: 3 @ t[4]} @ t[5]
+    result = (f @ t[6])(*args @ t[7], **kwargs @ t[8]) @ t[18]
+
+
+@test
+def test_nested_calls(t):
+    """Inner call completes before becoming an argument to outer call."""
+    def f(x):
+        return (x @ t[7] + 1 @ t[8]) @ t[9]
+    def g(x):
+        return (x @ t[3] * 2 @ t[4]) @ t[5]
+    result = (f @ t[0])((g @ t[1])(1 @ t[2]) @ t[6]) @ t[10]
+
+
+@test
+def test_function_as_argument(t):
+    """Function object is just another argument, evaluated left-to-right."""
+    def apply(fn, x):
+        return (fn @ t[3])(x @ t[4]) @ t[8]
+    def double(x):
+        return (x @ t[5] * 2 @ t[6]) @ t[7]
+    result = (apply @ t[0])(double @ t[1], 5 @ t[2]) @ t[9]
+
+
+@test
+def test_decorator(t):
+    """Decorator: expression evaluated, function defined, decorator called."""
+    def my_decorator(fn):
+        return fn @ t[1]
+    @(my_decorator @ t[0])
+    def f():
+        return 42 @ t[3]
+    result = (f @ t[2])() @ t[4]
+
+
+@test
+def test_keyword_arguments(t):
+    """Keyword argument values evaluate left-to-right."""
+    def f(a, b):
+        return (a @ t[3] + b @ t[4]) @ t[5]
+    result = (f @ t[0])(a=1 @ t[1], b=2 @ t[2]) @ t[6]
+
+
+@test
+def test_return_value(t):
+    """The return value is just the result of the call expression."""
+    def f(x):
+        return (x @ t[2] * 2 @ t[3]) @ t[4]
+    result = (f @ t[0])(3 @ t[1]) @ t[5]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_if.py

@@ -0,0 +1,108 @@
+"""If/elif/else control flow evaluation order."""
+
+from timer import test, dead
+
+
+@test
+def test_if_true(t):
+    x = True @ t[0]
+    if x @ t[1]:
+        y = 1 @ t[2]
+    z = 0 @ t[3]
+
+
+@test
+def test_if_false(t):
+    x = False @ t[0]
+    if x @ t[1]:
+        y = 1 @ t[dead(2)]
+    z = 0 @ t[2]
+
+
+@test
+def test_if_else_true(t):
+    x = True @ t[0]
+    if x @ t[1]:
+        y = 1 @ t[2]
+    else:
+        y = 2 @ t[dead(2)]
+    z = 0 @ t[3]
+
+
+@test
+def test_if_else_false(t):
+    x = False @ t[0]
+    if x @ t[1]:
+        y = 1 @ t[dead(2)]
+    else:
+        y = 2 @ t[2]
+    z = 0 @ t[3]
+
+
+@test
+def test_if_elif_else_first(t):
+    x = 1 @ t[0]
+    if (x @ t[1] == 1 @ t[2]) @ t[3]:
+        y = "first" @ t[4]
+    elif (x @ t[dead(4)] == 2 @ t[dead(5)]) @ t[dead(6)]:
+        y = "second" @ t[dead(4)]
+    else:
+        y = "third" @ t[dead(4)]
+    z = 0 @ t[5]
+
+
+@test
+def test_if_elif_else_second(t):
+    x = 2 @ t[0]
+    if (x @ t[1] == 1 @ t[2]) @ t[3]:
+        y = "first" @ t[dead(7)]
+    elif (x @ t[4] == 2 @ t[5]) @ t[6]:
+        y = "second" @ t[7]
+    else:
+        y = "third" @ t[dead(7)]
+    z = 0 @ t[8]
+
+
+@test
+def test_if_elif_else_third(t):
+    x = 3 @ t[0]
+    if (x @ t[1] == 1 @ t[2]) @ t[3]:
+        y = "first" @ t[dead(7)]
+    elif (x @ t[4] == 2 @ t[5]) @ t[6]:
+        y = "second" @ t[dead(7)]
+    else:
+        y = "third" @ t[7]
+    z = 0 @ t[8]
+
+
+@test
+def test_nested_if_else(t):
+    x = True @ t[0]
+    y = True @ t[1]
+    if x @ t[2]:
+        if y @ t[3]:
+            z = 1 @ t[4]
+        else:
+            z = 2 @ t[dead(4)]
+    else:
+        z = 3 @ t[dead(4)]
+    w = 0 @ t[5]
+
+
+@test
+def test_if_compound_condition(t):
+    x = True @ t[0]
+    y = False @ t[1]
+    if (x @ t[2] and y @ t[3]) @ t[4]:
+        z = 1 @ t[dead(5)]
+    else:
+        z = 2 @ t[5]
+    w = 0 @ t[6]
+
+
+@test
+def test_if_pass(t):
+    x = True @ t[0]
+    if x @ t[1]:
+        pass
+    z = 0 @ t[2]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_lambda.py

@@ -0,0 +1,46 @@
+"""Lambda expressions — evaluation order."""
+
+from timer import test
+
+
+@test
+def test_simple_lambda(t):
+    """Lambda creates a function object in one step."""
+    f = (lambda x: (x @ t[3] + 1 @ t[4]) @ t[5]) @ t[0]
+    result = (f @ t[1])(10 @ t[2]) @ t[6]
+
+
+@test
+def test_lambda_multiple_args(t):
+    """Lambda call: arguments evaluate left to right."""
+    f = (lambda a, b, c: ((a @ t[5] + b @ t[6]) @ t[7] + c @ t[8]) @ t[9]) @ t[0]
+    result = (f @ t[1])(1 @ t[2], 2 @ t[3], 3 @ t[4]) @ t[10]
+
+
+@test
+def test_lambda_default(t):
+    """Default argument evaluated at lambda creation time."""
+    val = 5 @ t[0]
+    f = (lambda x, y=val @ t[1]: (x @ t[5] + y @ t[6]) @ t[7]) @ t[2]
+    result = (f @ t[3])(10 @ t[4]) @ t[8]
+
+
+@test
+def test_lambda_map(t):
+    """Lambda body runs once per element when consumed by list(map(...))."""
+    f = (lambda x: (x @ t[9, 12, 15] * 2 @ t[10, 13, 16]) @ t[11, 14, 17]) @ t[0]
+    result = (list @ t[1])((map @ t[2])(f @ t[3], [1 @ t[4], 2 @ t[5], 3 @ t[6]] @ t[7]) @ t[8]) @ t[18]
+
+
+@test
+def test_immediately_invoked(t):
+    """Arguments evaluated, then immediately-invoked lambda called."""
+    result = ((lambda x: (x @ t[2] + 1 @ t[3]) @ t[4]) @ t[0])(10 @ t[1]) @ t[5]
+
+
+@test
+def test_lambda_closure(t):
+    """Lambda captures enclosing scope; body runs at call time."""
+    x = 10 @ t[0]
+    f = (lambda: x @ t[3]) @ t[1]
+    result = (f @ t[2])() @ t[4]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_loops.py

@@ -0,0 +1,146 @@
+"""Loop control flow evaluation order tests."""
+
+from timer import test, dead
+
+
+# 1. Simple while loop (fixed iterations)
+@test
+def test_while_loop(t):
+    i = 0 @ t[0]
+    while (i @ t[1, 7, 13, 19] < 3 @ t[2, 8, 14, 20]) @ t[3, 9, 15, 21]:  # 4 checks: 3 true + 1 false
+        i = (i @ t[4, 10, 16] + 1 @ t[5, 11, 17]) @ t[6, 12, 18]
+    done = True @ t[22]
+
+
+# 2. While loop with break
+@test
+def test_while_break(t):
+    i = 0 @ t[0]
+    while (i @ t[1, 10, 19] < 5 @ t[2, 11, 20]) @ t[3, 12, 21]:
+        if (i @ t[4, 13, 22] == 2 @ t[5, 14, 23]) @ t[6, 15, 24]:
+            break
+        i = (i @ t[7, 16] + 1 @ t[8, 17]) @ t[9, 18]
+    done = True @ t[25]
+
+
+# 3. While loop with continue
+@test
+def test_while_continue(t):
+    i = 0 @ t[0]
+    total = 0 @ t[1]
+    while (i @ t[2, 14, 23, 35] < 3 @ t[3, 15, 24, 36]) @ t[4, 16, 25, 37]:
+        i = (i @ t[5, 17, 26] + 1 @ t[6, 18, 27]) @ t[7, 19, 28]
+        if (i @ t[8, 20, 29] == 2 @ t[9, 21, 30]) @ t[10, 22, 31]:
+            continue
+        total = (total @ t[11, 32] + i @ t[12, 33]) @ t[13, 34]
+    done = True @ t[38]
+
+
+# 4. While/else (no break — else executes)
+@test
+def test_while_else(t):
+    i = 0 @ t[0]
+    while (i @ t[1, 7, 13] < 2 @ t[2, 8, 14]) @ t[3, 9, 15]:
+        i = (i @ t[4, 10] + 1 @ t[5, 11]) @ t[6, 12]
+    else:
+        done = True @ t[16]
+
+
+# 5. While/else (with break — else skipped)
+@test
+def test_while_else_break(t):
+    i = 0 @ t[0]
+    while (i @ t[1, 10] < 5 @ t[2, 11]) @ t[3, 12]:
+        if (i @ t[4, 13] == 1 @ t[5, 14]) @ t[6, 15]:
+            break
+        i = (i @ t[7] + 1 @ t[8]) @ t[9]
+    else:
+        never = True @ t[dead(16)]
+    after = True @ t[16]
+
+
+# 6. Simple for loop over a list
+@test
+def test_for_list(t):
+    for x in [1 @ t[0], 2 @ t[1], 3 @ t[2]] @ t[3]:
+        x @ t[4, 5, 6]
+    done = True @ t[7]
+
+
+# 7. For loop with range
+@test
+def test_for_range(t):
+    for i in (range @ t[0])(3 @ t[1]) @ t[2]:
+        i @ t[3, 4, 5]
+    done = True @ t[6]
+
+
+# 8. For loop with break
+@test
+def test_for_break(t):
+    for x in [1 @ t[0], 2 @ t[1], 3 @ t[2], 4 @ t[3]] @ t[4]:
+        if (x @ t[5, 9, 13] == 3 @ t[6, 10, 14]) @ t[7, 11, 15]:
+            break
+        x @ t[8, 12]
+    done = True @ t[16]
+
+
+# 9. For loop with continue
+@test
+def test_for_continue(t):
+    total = 0 @ t[0]
+    for x in [1 @ t[1], 2 @ t[2], 3 @ t[3]] @ t[4]:
+        if (x @ t[5, 11, 14] == 2 @ t[6, 12, 15]) @ t[7, 13, 16]:
+            continue
+        total = (total @ t[8, 17] + x @ t[9, 18]) @ t[10, 19]
+    done = True @ t[20]
+
+
+# 10. For/else (no break — else executes)
+@test
+def test_for_else(t):
+    for x in [1 @ t[0], 2 @ t[1]] @ t[2]:
+        x @ t[3, 4]
+    else:
+        done = True @ t[5]
+
+
+# 11. For/else (with break — else skipped)
+@test
+def test_for_else_break(t):
+    for x in [1 @ t[0], 2 @ t[1], 3 @ t[2]] @ t[3]:
+        if (x @ t[4, 8] == 2 @ t[5, 9]) @ t[6, 10]:
+            break
+        x @ t[7]
+    else:
+        never = True @ t[dead(11)]
+    after = True @ t[11]
+
+
+# 12. Nested loops
+@test
+def test_nested_loops(t):
+    for i in [1 @ t[0], 2 @ t[1]] @ t[2]:
+        for j in [10 @ t[3, 12], 20 @ t[4, 13]] @ t[5, 14]:
+            (i @ t[6, 9, 15, 18, dead(21)] + j @ t[7, 10, 16, 19]) @ t[8, 11, 17, 20]
+    done = True @ t[dead(3), dead(6), dead(9), dead(12), dead(15), dead(18), 21]
+
+
+# 13. While True with conditional break
+@test
+def test_while_true_break(t):
+    i = 0 @ t[0]
+    while True @ t[1, 8, 15]:
+        i = (i @ t[2, 9, 16] + 1 @ t[3, 10, 17]) @ t[4, 11, 18]
+        if (i @ t[5, 12, 19] == 3 @ t[6, 13, 20]) @ t[7, 14, 21]:
+            break
+    done = True @ t[22]
+
+
+# 14. For with enumerate
+@test
+def test_for_enumerate(t):
+    for idx, val in (enumerate @ t[0])(["a" @ t[1], "b" @ t[2], "c" @ t[3]] @ t[4]) @ t[5]:
+        idx @ t[6, 8, 10]
+        val @ t[7, 9, 11]
+    done = True @ t[12]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_match.py

@@ -0,0 +1,173 @@
+"""Evaluation order for match/case (structural pattern matching, Python 3.10+)."""
+
+import sys
+if sys.version_info < (3, 10):
+    print("Skipping match/case tests (requires Python 3.10+)")
+    print("---")
+    print("0/0 tests passed")
+    sys.exit(0)
+
+from timer import test, dead, never
+
+
+@test
+def test_match_literal(t):
+    x = 1 @ t[0]
+    match x @ t[1]:
+        case 1:
+            y = "one" @ t[2]
+        case 2:
+            y = "two" @ t[dead(2)]
+    z = y @ t[3]
+
+
+@test
+def test_match_literal_fallthrough(t):
+    x = 3 @ t[0]
+    match x @ t[1]:
+        case 1:
+            y = "one" @ t[dead(2)]
+        case 2:
+            y = "two" @ t[dead(2)]
+        case 3:
+            y = "three" @ t[2]
+    z = y @ t[3]
+
+
+@test
+def test_match_wildcard(t):
+    x = 42 @ t[0]
+    match x @ t[1]:
+        case 1:
+            y = "one" @ t[dead(2)]
+        case _:
+            y = "other" @ t[2]
+    z = y @ t[3]
+
+
+@test
+def test_match_capture(t):
+    x = 42 @ t[0]
+    match x @ t[1]:
+        case n:
+            y = n @ t[2]
+    z = y @ t[3]
+
+
+@test
+def test_match_or_pattern(t):
+    x = 2 @ t[0]
+    match x @ t[1]:
+        case 1 | 2:
+            y = "low" @ t[2]
+        case _:
+            y = "other" @ t[dead(2)]
+    z = y @ t[3]
+
+
+@test
+def test_match_guard(t):
+    x = 5 @ t[0]
+    match x @ t[1]:
+        case n if (n @ t[2] > 3 @ t[3]) @ t[4]:
+            y = n @ t[5]
+        case _:
+            y = 0 @ t[dead(5)]
+    z = y @ t[6]
+
+
+@test
+def test_match_class_pattern(t):
+    x = 42 @ t[0]
+    match x @ t[1]:
+        case int():
+            y = "integer" @ t[2]
+        case str():
+            y = "string" @ t[dead(2)]
+    z = y @ t[3]
+
+
+@test
+def test_match_sequence(t):
+    x = [1 @ t[0], 2 @ t[1]] @ t[2]
+    match x @ t[3]:
+        case [a, b]:
+            y = (a @ t[4] + b @ t[5]) @ t[6]
+        case _:
+            y = 0 @ t[dead(6)]
+    z = y @ t[7]
+
+
+@test
+def test_match_mapping(t):
+    x = {"key" @ t[0]: 42 @ t[1]} @ t[2]
+    match x @ t[3]:
+        case {"key": value}:
+            y = value @ t[4]
+        case _:
+            y = 0 @ t[dead(4)]
+    z = y @ t[5]
+
+
+@test
+def test_match_nested(t):
+    x = {"users" @ t[0]: [{"name" @ t[1]: "Alice" @ t[2]} @ t[3]] @ t[4]} @ t[5]
+    match x @ t[6]:
+        case {"users": [{"name": name}]}:
+            y = name @ t[7]
+        case _:
+            y = "unknown" @ t[dead(7)]
+    z = y @ t[8]
+
+
+@test
+def test_match_or_pattern_with_as(t):
+    """OR pattern with `as` binding and method call on the result."""
+    clause = "foo@bar" @ t[0]
+    match clause @ t[1]:
+        case (str() as uses) | {"uses": uses}:
+            result = ((uses @ t[2]).partition @ t[3])("@" @ t[4]) @ t[5]
+            x = (result @ t[6])[0 @ t[7]] @ t[8]
+        case _:
+            raise ((ValueError @ t[dead(2)])(clause @ t[dead(3)]) @ t[dead(4)])
+    y = x @ t[9]
+
+
+@test
+def test_match_wildcard_raise(t):
+    """Wildcard case that raises, with OR pattern on the other branch."""
+    clause = 42 @ t[0]
+    try:
+        match clause @ t[1]:
+            case (str() as uses) | {"uses": uses}:
+                result = uses @ t[dead(2)]
+            case _:
+                raise ((ValueError @ t[2])(f"Invalid: {clause @ t[3]}" @ t[4]) @ t[5])
+    except ValueError:
+        y = 0 @ t[6]
+
+
+@test
+def test_match_exhaustive_return_first(t):
+    """Every case returns; code after match is unreachable (first case taken)."""
+    def f(x):
+        match x @ t[2]:
+            case 1:
+                return "one" @ t[3]
+            case _:
+                return "other" @ t[dead(3)]
+        y = 0 @ t[never]
+    result = (f @ t[0])(1 @ t[1]) @ t[4]
+
+
+@test
+def test_match_exhaustive_return_wildcard(t):
+    """Every case returns; code after match is unreachable (wildcard taken)."""
+    def f(x):
+        match x @ t[2]:
+            case 1:
+                return "one" @ t[dead(3)]
+            case _:
+                return "other" @ t[3]
+        y = 0 @ t[never]
+    result = (f @ t[0])(99 @ t[1]) @ t[4]

python/ql/test/library-tests/ControlFlow/evaluation-order/test_try.py

@@ -0,0 +1,182 @@
+"""Exception handling control flow: try/except/else/finally evaluation order."""
+
+from timer import test, dead, never
+
+
+# 1. try/except — no exception raised (except block skipped)
+@test
+def test_try_no_exception(t):
+    try:
+        x = 1 @ t[0]
+        y = 2 @ t[1]
+    except ValueError:
+        z = 3 @ t[dead(2)]
+    after = 0 @ t[2]
+
+
+# 2. try/except — exception raised and caught
+@test
+def test_try_with_exception(t):
+    try:
+        x = 1 @ t[0]
+        raise ((ValueError @ t[1])() @ t[2])
+        y = 2 @ t[never]
+    except ValueError:
+        z = 3 @ t[3]
+    after = 0 @ t[4]
+
+
+# 3. try/except/else — no exception (else runs)
+@test
+def test_try_except_else_no_exception(t):
+    try:
+        x = 1 @ t[0]
+    except ValueError:
+        y = 2 @ t[dead(1)]
+    else:
+        z = 3 @ t[1]
+    after = 0 @ t[2]
+
+
+# 4. try/except/else — exception raised (else skipped)
+@test
+def test_try_except_else_with_exception(t):
+    try:
+        x = 1 @ t[0]
+        raise ((ValueError @ t[1])() @ t[2])
+    except ValueError:
+        y = 2 @ t[3]
+    else:
+        z = 3 @ t[dead(3)]
+    after = 0 @ t[4]
+
+
+# 5. try/finally — no exception
+@test
+def test_try_finally_no_exception(t):
+    try:
+        x = 1 @ t[0]
+        y = 2 @ t[1]
+    finally:
+        z = 3 @ t[2]
+    after = 0 @ t[3]
+
+
+# 6. try/finally — exception raised (finally runs, then exception propagates)
+@test
+def test_try_finally_exception(t):
+    try:
+        try:
+            x = 1 @ t[0]
+            raise ((ValueError @ t[1])() @ t[2])
+        finally:
+            y = 2 @ t[3]
+    except ValueError:
+        z = 3 @ t[4]
+
+
+# 7. try/except/finally — no exception
+@test
+def test_try_except_finally_no_exception(t):
+    try:
+        x = 1 @ t[0]
+    except ValueError:
+        y = 2 @ t[dead(1)]
+    finally:
+        z = 3 @ t[1]
+    after = 0 @ t[2]
+
+
+# 8. try/except/finally — exception caught
+@test
+def test_try_except_finally_exception(t):
+    try:
+        x = 1 @ t[0]
+        raise ((ValueError @ t[1])() @ t[2])
+    except ValueError:
+        y = 2 @ t[3]
+    finally:
+        z = 3 @ t[4]
+    after = 0 @ t[5]
+
+
+# 9. Multiple except clauses — first matching
+@test
+def test_multiple_except_first(t):
+    try:
+        x = 1 @ t[0]
+        raise ((ValueError @ t[1])() @ t[2])
+    except ValueError:
+        y = 2 @ t[3]
+    except TypeError:
+        z = 3 @ t[dead(3)]
+    after = 0 @ t[4]
+
+
+# 10. Multiple except clauses — second matching
+@test
+def test_multiple_except_second(t):
+    try:
+        x = 1 @ t[0]
+        raise ((TypeError @ t[1])() @ t[2])
+    except ValueError:
+        y = 2 @ t[dead(3)]
+    except TypeError:
+        z = 3 @ t[3]
+    after = 0 @ t[4]
+
+
+# 11. except with `as` binding
+@test
+def test_except_as_binding(t):
+    try:
+        x = 1 @ t[0]
+        raise ((ValueError @ t[1])("msg" @ t[2]) @ t[3])
+    except ValueError as e:
+        y = (str @ t[4])(e @ t[5]) @ t[6]
+    after = 0 @ t[7]
+
+
+# 12. Nested try/except
+@test
+def test_nested_try_except(t):
+    try:
+        x = 1 @ t[0]
+        try:
+            y = 2 @ t[1]
+            raise ((ValueError @ t[2])() @ t[3])
+        except ValueError:
+            z = 3 @ t[4]
+        w = 4 @ t[5]
+    except TypeError:
+        v = 5 @ t[dead(6)]
+    after = 0 @ t[6]
+
+
+# 13. try/except in a loop
+@test
+def test_try_in_loop(t):
+    total = 0 @ t[0]
+    for i in (range @ t[1])(3 @ t[2]) @ t[3]:
+        try:
+            if (i @ t[4, 11, 20] == 1 @ t[5, 12, 21]) @ t[6, 13, 22]:
+                raise ((ValueError @ t[14])() @ t[15])
+            total = (total @ t[7, 23] + 1 @ t[8, 24]) @ t[9, 25]
+        except ValueError:
+            total = (total @ t[16] + 10 @ t[17]) @ t[18]
+        r = 0 @ t[10, 19, 26]
+
+
+# 14. Re-raise with bare `raise`
+@test
+def test_reraise(t):
+    try:
+        try:
+            x = 1 @ t[0]
+            raise ((ValueError @ t[1])() @ t[2])
+        except ValueError:
+            y = 2 @ t[3]
+            raise
+    except ValueError:
+        z = 3 @ t[4]
+    after = 0 @ t[5]